Transit Mesh ("Transit Mesh," "we," "us," "our") is a technology platform that operates a peer-to-peer rideshare marketplace. We provide software tools that allow authorized, independently licensed drivers to bid on trip requests posted by riders. Transit Mesh is a technology intermediary β we do not provide transportation services, employ drivers, or process payments between riders and drivers.
Platform contact: privacy@transit-mesh.net Β· transit-mesh.net
We collect only the minimum data required to operate the platform safely and lawfully. The table below lists every category of personal data we collect.
| Category | Specific Data | Why We Need It | Legal Basis |
|---|---|---|---|
| Identity (basic) | First name, last name | Account identification; displayed to matched ride partners | Contract performance |
| Contact | Phone number (hashed in storage) | Account authentication (OTP); ride coordination | Contract performance |
| Location | Pickup / drop-off coordinates (bucketed ~1 km grid) | Match riders with nearby available drivers | Contract performance; legitimate interest |
| Trip data | Route, distance estimate, time, bid amounts, trip status | Platform operations; safety audit trail | Contract performance; legitimate interest |
| Device metadata | Browser type, OS, screen resolution, timezone (no persistent ID) | Platform compatibility; fraud prevention | Legitimate interest |
| Verification status | Pass/fail result of driver identity check; masked licence last-4 | Safety β confirm drivers hold valid licences before operating | Legal obligation; contract performance |
| Consent records | Timestamp, jurisdiction, IP hash of biometric consent | Legal compliance (BIPA, GDPR, PIPEDA, AU Privacy Act) | Legal obligation |
| Safety contacts | Emergency contact name & phone (optional, user-provided) | In-app safety feature; not used for any other purpose | Consent |
All raw biometric images (driver's licence photo, selfie) are stored for a maximum of 90 days for verification purposes and then permanently deleted. See Section 6 for full biometric data details.
We use personal data only for the following purposes:
We do not use your data for: advertising, credit scoring, insurance pricing, profiling for sale, cross-context behavioral advertising, or any purpose not listed above.
| Data Category | Retention Period | Deletion Method |
|---|---|---|
| Account data (name, phone hash) | Duration of account; deleted within 30 days of closure request | Permanent deletion from all systems |
| Trip records (anonymized) | 24 months from trip date | Individual identifiers removed; aggregate data retained |
| DL image & selfie photograph | Maximum 90 days from verification date | Permanently deleted β automated nightly purge |
| Facial geometry score | Maximum 90 days from verification date | Permanently deleted |
| Masked licence last-4 | Duration of driver account | Deleted on account closure |
| Verification status | Duration of driver account | Deleted on account closure |
| Biometric consent records | Account duration + 1 year (legal audit) | Permanently deleted |
| Safety / emergency contacts | Until deleted by user | Permanently deleted on user request |
| OTP codes | 10 minutes (automatic expiry) | Auto-purged from memory |
Illinois drivers: biometric data destroyed within 90 days of last use OR within 3 years of collection, whichever is sooner β in compliance with BIPA (740 ILCS 14/15(a)).
To protect the safety of all platform members, drivers must complete a one-time identity verification before bidding. This involves processing biometric data as defined under applicable law. This section applies to drivers only β riders are not subject to biometric data collection.
| Data | Purpose | Retained |
|---|---|---|
| Driver's licence image (front) | OCR: verify name, expiry, jurisdiction-specific format | 90 days β permanently deleted |
| Selfie photograph | Facial comparison with DL photo to confirm identity | 90 days β permanently deleted |
| Derived facial geometry score | Numeric match confidence β not a facial template | 90 days β permanently deleted |
| Licence number (masked) | Format validation β last 4 digits only retained | Duration of account |
| Verification outcome | Allow/block driver access to bidding features | Duration of account |
| Consent timestamp & jurisdiction | Legal audit record (BIPA/GDPR/PIPEDA compliance) | Account + 1 year |
Full details: Biometric & Identity Data Consent Notice β
In the event of a data breach affecting your personal information, we will notify affected users and relevant regulatory authorities within the timeframes required by applicable law (72 hours under UK GDPR; without unreasonable delay under PIPEDA; as required under applicable US state breach notification laws).
The only circumstances where we may disclose data are:
Your privacy rights depend on where you are located. Find your jurisdiction below. To exercise any right, contact privacy@transit-mesh.net β we respond within 30 days (or the shorter deadline required by your jurisdiction's law).
California residents have the following rights under the CCPA as amended by the California Privacy Rights Act (CPRA, effective January 1, 2023):
Response deadline: 45 days (extendable 45 days with notice). To opt out: privacy@transit-mesh.net
Illinois residents have specific biometric data rights under BIPA:
BIPA private right of action: $1,000β$5,000 per intentional violation. We take Illinois compliance seriously.
Texas residents have the following rights under the TDPSA:
Response deadline: 45 days. Enforcement by Texas Attorney General only (no private right of action).
Texas biometric data: We collect biometric identifiers from drivers as defined under Tex. Bus. & Com. Code Β§ 503.001 (Texas Capture or Use of Biometric Identifier Act). Such data is used solely for identity verification and not sold or disclosed to third parties.
Residents of these states have similar privacy rights under their respective state consumer data protection laws, including rights to access, correct, delete, and opt out of sale or targeted advertising. All such requests are honored within 45 days.
We do not sell personal data, engage in targeted advertising, or use profiling for decisions with significant legal effects. Residents of all these states benefit from these baseline protections regardless of whether their specific state law has a private right of action.
Washington State residents: Additional protections apply under the Washington My Health MY Data Act (SB 1155, eff. March 2024) for any health-related data. Transit Mesh does not collect health data.
Federal baseline: All U.S. residents are protected by the Driver's Privacy Protection Act (18 U.S.C. Β§ 2721) regarding driver's licence information, which is used solely for the permissible purpose of identity verification.
Canadian residents have the following rights:
Quebec residents (Law 25): Additional rights include the right to data portability (eff. Sept 2024), the right to be de-indexed, and the right to object to automated decision-making. Biometric data is considered "sensitive information" under Law 25 and receives the highest level of protection.
A Privacy Impact Assessment (PIA) is maintained as required by Quebec Law 25 for systems involving biometric data. Contact the Privacy Officer for a summary: privacy@transit-mesh.net
Lawful basis for processing:
Your rights under UK GDPR:
Response deadline: 1 month (extendable 2 months for complex requests). Complaint: Information Commissioner's Office (ICO)
Data is processed and stored on servers located in the United States (AWS US-East). We rely on standard data transfer provisions for UK-to-US transfers as permitted under the UK-US Data Bridge (eff. Oct 2023).
Australian residents have rights under the Australian Privacy Principles (APPs):
Complaint: Office of the Australian Information Commissioner (OAIC) at oaic.gov.au
For biometric data, we comply with the OAIC's guidance on biometric technologies and the applicable APPs. Sensitive information (including biometric data) is handled with a higher duty of care.
Note on state/territory laws: Australian state and territory privacy laws (e.g., NSW Privacy and Personal Information Protection Act 1998; Information Privacy Act 2009 (Qld)) apply to state government agencies, not private companies. The federal Privacy Act 1988 governs our operations.
Regardless of where you are located, we apply the following baseline protections to all users:
If your jurisdiction has specific privacy laws not listed here, contact privacy@transit-mesh.net and we will advise on applicable rights.
Transit Mesh is not directed at, and does not knowingly collect personal information from, anyone under the age of 18. Use of the platform β whether as a driver or rider β requires that you are 18 years of age or older and legally authorized to enter into binding agreements in your jurisdiction.
We comply with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. Β§ 6501 et seq.) in the United States, and equivalent laws in other jurisdictions. If you believe a person under 18 has created an account, contact us immediately at privacy@transit-mesh.net and we will delete the account and associated data promptly.
We may update this Privacy Policy as the platform evolves or as legal requirements change. When material changes are made, we will:
Continued use of the platform after the effective date of a material change constitutes acceptance of the updated policy, except where law requires affirmative re-consent.
You may exercise your rights (access, correction, deletion, portability, consent withdrawal, opt-out) at any time by emailing the address above. Please include your registered phone number (so we can locate your account) and specify the right you wish to exercise. We may ask for additional information to verify your identity before processing certain requests.
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority:
Related documents: Terms of Service Β· Biometric & Identity Data Consent Notice