Privacy Policy
Note: The German version of this document is the legally binding version. This English text is provided for convenience only.
Last updated: July 5, 2026
1. Scope
This Privacy Policy explains how Pablo Thiermann processes personal data in connection with the Ride Assignment website, web application, customer workspaces, billing flows, support, and related communications.
Ride Assignment is software for planning group transportation and ride assignments. The service includes account creation, authenticated organization workspaces, event and participant management, route planning, mapping, imports and exports, subscription billing, email-related features, and legal and security documentation.
2. Controller and Roles
For the Ride Assignment website, account administration, login and session handling, subscription billing, support, security, abuse prevention, legal compliance, and similar operator-controlled purposes, Pablo Thiermann is the controller within the meaning of the GDPR.
For customer content that organizational customers and their authorized users enter into the service, Pablo Thiermann generally acts as a processor on behalf of the relevant customer organization. This typically applies to event data, driver and passenger records, route planning data, communications prepared by the customer, and imports and exports generated from customer workspace content. In those cases, the relevant customer organization is responsible for the applicable legal basis, transparency obligations, and handling of data subject requests, unless mandatory law requires otherwise.
Where Pablo Thiermann processes customer data as a processor, this is done on the basis of a separate data processing agreement with the relevant customer organization.
Where Pablo Thiermann acts as processor, workspace content is processed only to provide, secure, maintain, and support Ride Assignment and in accordance with documented instructions of the customer organization. Personal workspace content is not used for Pablo Thiermann's own analytics, training, or product-improvement purposes except in anonymized or aggregated form that cannot be linked back to persons, organizations, or specific events.
If you are a driver, passenger, or other person whose data was entered into Ride Assignment by an organization using the service, you should generally contact that organization first. Pablo Thiermann may nevertheless assist where legally required or where contractually appropriate.
3. Controller Contact
- Pablo Thiermann, Hollandstraße 11, 80805 München
- Email: support@ride-assign.com
- Phone: +491606763434
- Website: https://www.ride-assign.com
4. Categories of Personal Data
Depending on how Ride Assignment is used, the following categories of personal data may be processed:
- Account and membership data, such as user ID, name, email address, phone number, organization memberships, roles, and account settings.
- Authentication and session data, such as Supabase authentication records, session-related data, login confirmations, password reset flows, and related security information.
- Organization and project data, such as organization name, slug, contact email, event names, dates, destination details, arrival windows, planning settings, constraint policies, branding settings, and internal notes.
- Pickup point, driver, and passenger data, such as names, email addresses, phone numbers, addresses, geocoded coordinates, seat capacity, availability windows, accessibility fields, needs fields, group identifiers, pinned-driver relationships, external roster identifiers, and notes.
- Matching and routing data, such as generated route proposals, assignments, route stops, travel distances, travel durations, route metrics, optimization parameters, and related outputs.
- Import and export data, such as CSV and JSON data imported by users, project export bundles, and PDF or ZIP exports generated from workspace content.
- Billing and transaction data, such as selected plan, Stripe customer references, subscription status, price references, invoice-related data, billing portal activity, checkout activity, and synchronized Stripe subscription metadata. Payment card details are processed by Stripe and are not intended to be stored by Pablo Thiermann outside Stripe's systems except for billing metadata and references made available through Stripe and its sync tooling.
- Communication data, such as support messages, email outbox entries, recipient addresses, subjects, rendered message bodies, locale values, scheduling metadata, delivery status information, and provider message identifiers.
- Newsletter consent data, such as newsletter subscription status, double-opt-in request and confirmation timestamps, unsubscribe timestamps, consent statement version, locale, source, token hashes, and minimal request metadata needed to document consent and suppression.
- Technical, device, and security data, such as timestamps, request metadata, IP-related request information, browser and device information, BotID challenge and bot-detection signals or outcomes where enabled, organization-scoped audit log entries, usage records, and operational error and security logs.
- Preference, consent, analytics, and device-storage data, such as the locale cookie, the preview access cookie used for protected preview deployments, the cookie-consent cookies, sidebar state cookies, selected-project cookies, table sorting cookies, browser-side local storage entries for export preferences and table column visibility, and PostHog browser identifiers, page and feature usage data, session-related metadata, and client-side error information where analytics consent has been granted.
- Server-side product and security analytics data, such as account and subscription lifecycle events, authentication and feature-usage events, the associated account identifier and the account holder's email address, and related diagnostic metadata, captured server-side and sent to PostHog independently of cookie consent on a legitimate-interest basis (see Purposes and Legal Bases).
Customer-entered notes, accessibility fields, and needs fields may contain sensitive or special-category information if customers choose to include it. Where that occurs, the responsible customer organization must ensure that a valid legal basis, including any additional requirements under Article 9 GDPR, exists before using the service for that data. Such data may only be processed where required for the relevant use case; unnecessary sensitive information must be avoided.
5. Sources of Personal Data
We obtain personal data:
- Directly from you when you visit the website, create an account, log in, subscribe to a paid plan, contact us, change settings, or otherwise use the service.
- From customer organizations and their authorized users when they create workspace records about drivers, passengers, events, pickup points, or other participants.
- From your browser or device when technically necessary cookies are read or written, when optional preference storage is used after consent, when BotID bot protection is enabled for protected routes, and when PostHog analytics or client-side error tracking is enabled after consent.
- From integrated service providers when billing, routing, geocoding, map display, bot protection, optional Google sign-in, user-initiated Google Maps route links, route-solver, or email-related functions are used.
- From imported files and structured uploads submitted by users, including CSV imports and JSON project imports.
If we did not receive your data directly from you, the source is usually the customer organization or its authorized users who entered or imported the data into Ride Assignment.
6. Purposes and Legal Bases
Where Pablo Thiermann acts as controller, personal data is processed for the following purposes and legal bases:
- To provide the website and application, create and administer accounts, authenticate users, maintain sessions, provide organization workspaces, and deliver requested product functions. Legal basis: Article 6(1)(b) GDPR.
- To provide mapping, route planning, address search and geocoding, routing, assignment generation, route-solver based optimization, project imports, and project or route exports requested by users. Legal basis: Article 6(1)(b) GDPR.
- To manage subscriptions, create or reconcile Stripe customer records, provide checkout and billing portal access, administer invoices, and handle billing-related support. Legal basis: Article 6(1)(b) GDPR and Article 6(1)(c) GDPR where tax, accounting, or invoicing obligations apply.
- To send transactional communications, account-related notices, security notices, support replies, and customer-requested email workflows. Legal basis: Article 6(1)(b) GDPR and, where appropriate, Article 6(1)(f) GDPR.
- To send newsletters and marketing emails about Ride Assignment product news, practical planning content, offers, promotions, and customer stories, but only after separate newsletter consent and double opt-in confirmation. Legal basis: Article 6(1)(a) GDPR and the applicable rules for electronic direct marketing. Consent can be withdrawn at any time.
- To secure the service, prevent misuse, perform BotID verification on protected routes where enabled, investigate incidents, enforce contractual or legal rights, document administrative actions in audit logs, and maintain the integrity, confidentiality, and availability of the service. Legal basis: Article 6(1)(f) GDPR.
- To comply with statutory retention duties and other legal obligations. Legal basis: Article 6(1)(c) GDPR.
- To store or access information on user devices where this is strictly necessary to provide the digital service expressly requested by the user, such as language selection, authenticated sessions, and optionally enabled preview access control. Legal basis: applicable ePrivacy rules, including Section 25(2) TDDDG where applicable, and Article 6(1)(b) or Article 6(1)(f) GDPR for any related personal-data processing.
- To store user-selected preference settings inside the authenticated application, such as sidebar state, selected project, table sorting, export options, and table column visibility, but only after the user has granted consent to the preferences category. Legal basis: Section 25(1) TDDDG where applicable and Article 6(1)(a) GDPR.
- To measure website and product usage, understand navigation and feature usage, and capture client-side exceptions and related browser error context through PostHog in the browser, but only after the user has granted consent to the analytics category. Legal basis: Section 25(1) TDDDG where applicable and Article 6(1)(a) GDPR.
- To capture server-side product and security analytics events through PostHog — such as account and subscription lifecycle events, authentication events, feature and match-run usage, and server-side error diagnostics — together with the associated account identifier and the account holder's email address, in order to understand and improve product usage, secure the service, and prevent misuse. This server-side processing does not itself store information on your device and does not require cookie consent; where a PostHog analytics cookie is already present following analytics consent, it may be read to correlate these server-side events and error diagnostics with your browser session. Legal basis: Article 6(1)(f) GDPR (our legitimate interests in operating, securing, analyzing, and improving the service). You may object to this processing at any time on grounds relating to your particular situation under Article 21 GDPR by contacting support@ride-assign.com.
- To use non-essential device storage or similar technologies only where legally required consent has been obtained in advance. Legal basis: Section 25(1) TDDDG where applicable and Article 6(1)(a) GDPR.
Where Pablo Thiermann acts as processor for customer workspace content, the relevant customer organization determines the legal basis for the processing carried out in that workspace content.
7. Device Storage, Cookies, and Similar Technologies
Ride Assignment uses device-side storage for necessary service functions and, after consent where required, for optional preference storage and analytics.
This includes in particular:
- a locale cookie for language selection;
- Supabase authentication and session cookies for sign-in and server-side session continuity;
- a site access cookie for password-protected preview deployments, only when that preview protection is enabled;
- BotID challenge and verification signals for protected routes where first-party bot protection is enabled;
- cookie-consent cookies that store the user's consent decision and a pseudonymous consent subject identifier after a choice has been made;
- sidebar state cookies for remembering the sidebar layout explicitly chosen by the user, but only after consent to the preferences category;
- selected-project and table-sorting cookies for restoring user-selected application context and table order, but only after consent to the preferences category;
- local storage entries for user-selected export preferences and table column visibility preferences inside the authenticated application, but only after consent to the preferences category; and
- a PostHog browser cookie and related browser-side analytics state, but only after consent to the analytics category, for web analytics, product analytics, and client-side error tracking.
Further details are set out in the Cookie Policy.
8. Recipients and Processors
Personal data may be disclosed to the following categories of recipients where necessary for the relevant purpose:
- Supabase, for authentication, session handling, and managed Postgres database services.
- Stripe, for subscription billing, checkout, customer records, invoices, billing portal access, and webhook-based billing synchronization.
- PostHog, for web, product, and error analytics. Browser-based analytics and client-side error tracking run only after analytics consent; server-side product and security analytics events, including account identifiers and the account holder's email address, are sent on a legitimate-interest basis as described in the Purposes and Legal Bases section.
- Mapbox, for browser-based map display, server-side routing, route metrics, matrix calculations, route optimization, and static map images included in exports. Where browser-based maps are used, the user's browser may communicate directly with Mapbox.
- Photon geocoding providers, currently the configured Photon endpoint, for address search, address autocomplete, and geocoding.
- Route-solver and Valhalla routing infrastructure, for optimization objectives that use the remote route-solver service instead of Mapbox for route computation.
- Google services, for optional Google sign-in through Supabase Auth and for user-initiated Google Maps route links generated in the application or exports.
- Vercel BotID and Kasada, where enabled, for bot protection, challenge verification, and abuse prevention on protected routes.
- Email delivery providers engaged by Pablo Thiermann, where email sending or email status tracking is enabled.
- Amazon Simple Email Service, where enabled, for sending transactional emails, newsletter confirmation emails, and newsletter-related unsubscribe messages.
- Hosting, infrastructure, logging, monitoring, and security providers engaged by Pablo Thiermann as necessary to operate Ride Assignment.
- Authorized users within the relevant customer organization workspace, to the extent customer content is shared inside that workspace.
- Public authorities, courts, advisors, or enforcement bodies where disclosure is legally required or necessary for the establishment, exercise, or defense of legal claims.
We do not share personal data with recipients beyond what is necessary for the relevant purpose.
The current list of subprocessors and key recipients is described in the Subprocessors and Key Recipients list.
9. International Data Transfers
Some of the processors and service providers used in connection with Ride Assignment may process personal data outside the European Union or the European Economic Area, including in countries that may not provide an equivalent level of protection by default.
Where such transfers take place, Pablo Thiermann will rely on an adequacy decision, the European Commission's Standard Contractual Clauses, or another valid transfer mechanism under Chapter V GDPR, together with any supplementary measures required by law.
10. Retention
We retain personal data only for as long as necessary for the relevant purpose and for as long as required by law or justified by legitimate operational needs.
In general:
- account, membership, and workspace administration data are retained for the duration of the customer relationship and are deleted or anonymized after account deletion or contract termination unless billing, security, consent, audit, or legal records must be retained.
- customer workspace content is retained until deleted by the customer, until the relevant workspace or account is deleted, or until another documented retention event applies. After deletion from the active system, technical backups may persist until they are overwritten in the ordinary backup cycle.
- billing, invoicing, and accounting data are retained for the statutory retention periods applicable to Pablo Thiermann.
- audit logs, security logs, and operational records are retained as long as needed for security, traceability, abuse prevention, dispute handling, and compliance. Where possible, they are deleted or retained only with minimized identifiers once the original purpose has been fulfilled.
- email outbox records and delivery-status data are retained as long as needed to operate communications, investigate delivery issues, and document message history.
- newsletter consent and unsubscribe records are retained as long as needed to document consent history and prevent accidental newsletter sending after withdrawal, unless a shorter retention period is legally required.
- imported data becomes part of the relevant workspace records once the import is completed. Temporary import staging data is retained only as long as needed for processing, troubleshooting, and abuse prevention.
- exported JSON, PDF, or ZIP files are generated and downloaded at the user's request. Any server-side temporary files are retained only temporarily for delivery and are then deleted or discarded by short-lived runtime environments.
- cookies and local storage entries remain until they expire, are overwritten, or are deleted by the user, except where shorter technical retention applies. Specific durations are described in the Cookie Policy.
- consent records are retained as long as needed to document consent decisions and legal-document versions for accountability and compliance.
11. Security
Pablo Thiermann implements appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, loss, misuse, or disclosure.
These measures include authenticated access controls, organization-scoped authorization, row-level restrictions in the database, transport security, audit logging, and role-based access restrictions. No system is completely secure, so users should also protect their credentials and avoid entering unnecessary personal or sensitive information.
12. Data Subject Rights
Subject to the applicable legal requirements, you may have the following rights:
- access to your personal data;
- rectification of inaccurate or incomplete data;
- erasure;
- restriction of processing;
- objection to processing based on Article 6(1)(f) GDPR;
- data portability, where applicable;
- withdrawal of consent at any time with effect for the future, where processing is based on consent;
- the right not to be subject to a decision based solely on automated processing with legal or similarly significant effects, subject to the conditions of Article 22 GDPR;
- the right to lodge a complaint with a competent supervisory authority.
To exercise your rights in relation to controller-side processing by Pablo Thiermann, contact support@ride-assign.com.
If your data was entered into Ride Assignment by a customer organization and Pablo Thiermann acts only as processor for that data, the relevant customer organization remains primarily responsible for handling your request. Pablo Thiermann may forward your request to the customer organization or assist it in responding, as appropriate.
A data protection officer has not currently been appointed. Pablo Thiermann regularly reviews whether a data protection officer must be appointed under the applicable legal requirements. Without prejudice to the right to lodge a complaint with any competent data protection supervisory authority, the Bayerisches Landesamt für Datenschutzaufsicht is generally competent for Pablo Thiermann as a non-public body established in Bavaria.
13. Automated Decision-Making
Ride Assignment can generate route suggestions, assignment proposals, transit-support recommendations, and similar planning outputs based on the data entered into the service. These features are intended as decision-support tools for users and organizations.
Pablo Thiermann does not intend these features to constitute solely automated decision-making that produces legal effects or similarly significant effects within the meaning of Article 22 GDPR. Final operational decisions remain with the responsible human user or organization.
14. Requirement to Provide Data
Certain data is required to create and maintain accounts, provide workspace functions, authenticate sessions, process subscriptions, deliver communications, and respond to support requests. If required data is not provided, some or all of the service may not be available.
15. Changes to This Privacy Policy
Pablo Thiermann may update this Privacy Policy to reflect legal, technical, operational, or product-related changes. The current version will be made available through the website and application.