PRIVACY POLICY (GDPR)

Identification and contact: name, email, phone.

Trip data: pickup and drop-off locations, addresses, date and time, passenger and luggage count, flight number, child seats, free-text notes.

Payment data: processed by Stripe — we receive the payment status, payment method type and a transaction ID. We do not see or store card numbers.

Technical data: IP address, browser and device information, basic security metrics. We use strictly necessary functional cookies for session management and website protection. The Platform does not use targeting or third-party tracking marketing cookies without your explicit consent.

Communications: copies of emails, chats or call notes you exchange with our team.

Performance of contract — to process, confirm and complete your booking, dispatch the driver and issue invoices.

Legal obligation — tax, accounting and transport-regulation requirements.

Legitimate interest — fraud prevention, security, internal control and dispute resolution.

Consent — optional marketing emails. You may withdraw consent at any time.

Bookings, payments and invoices: 10 years (Bulgarian accounting law).

Marketing contacts: until you unsubscribe.

Support correspondence: 24 months after the last interaction.

Server logs and security data: up to 12 months.

Authorised Arrivo staff (dispatch, accounting, support) on a need-to-know basis.

The assigned driver or one of our trusted commercial partners (subcontractors) — solely and exclusively the data minimally necessary for the physical performance of the transfer (passenger name, contact phone, location/address and flight number). These persons may not use the data for any other purpose.

Processors acting on our instructions: Stripe (payments), Resend (email), Supabase / Cloudflare (hosting and database), Google (Maps and addresses).

Public authorities only where required by law.

We do not sell your personal data. Transfers outside the EEA take place only through providers offering GDPR-compliant safeguards (Standard Contractual Clauses).

You have the right to: access, rectification, erasure ("right to be forgotten"), restriction or objection to processing, data portability and withdrawal of consent at any time.

To exercise your rights, please send an email to office@arrivo.bg from the email address with which you are registered or with which you made a booking on the Platform (for reliable identification of the data subject). The Lessor does not require copies of official identity documents. We respond within 30 days.

You also have the right to lodge a complaint with the Bulgarian Commission for Personal Data Protection (CPDP) — www.cpdp.bg.

Data is transmitted over HTTPS and stored in encrypted databases hosted in the EU. Access is restricted by role, audited and protected by strong authentication.

Our services are intended for customers aged 18+. Trips may include minors as passengers, but the booking must be made by an adult who provides their own details.

Data controller:

PREMIUM TRANSFER LTD

UIC: 208631674

Operating under the Arrivo Transfers / Arrivo brand

Sofia, Bulgaria

Email: office@arrivo.bg

Phone: +359 896 833 662