Privacy Policy
Last updated: 1 May 2026
1. Who we are
SquadCars ("we", "us", "our") is a carpooling coordination service for sports teams and activity groups. We help families organise rides for children's events.
Contact: privacy@squadcars.app
2. What data we collect
| Data | Why | Shared with |
|---|---|---|
| Name, email | Account identity, login, notifications | Other parents in your carpools |
| Phone number | So drivers/parents can contact you on event day | Drivers of cars your children are booked into |
| Home address + coordinates | Door-to-door pickup routing, distance calculations | Drivers of cars your children are booked into |
| Children's names | Identify which child needs a ride | Other parents in your carpools |
| Children's notes (allergies, medical) | Safety information for drivers | Drivers picking up your child |
| Event history (bookings, changes) | Audit trail for transparency | Members of that carpool |
| Push notification token | Deliver push notifications to your device | Firebase Cloud Messaging (Google) |
3. Legal basis (GDPR)
- Consent — You provide your data voluntarily when creating your account and setting up your profile.
- Legitimate interest — We process data to coordinate rides safely, which is the core purpose you signed up for.
- Contract — Processing is necessary to provide the carpooling service you requested.
4. Children's data
We store children's names and optional safety notes (allergies, medical conditions) as entered by their parent or guardian. Children do not have their own accounts. All children's data is managed by the parent who created the family.
We do not collect data directly from children. If you believe a child's data has been added without parental consent, contact us and we will remove it.
5. Who can see your data
- Your carpool members — can see your name and your children's names.
- Drivers — when your child is booked into a car, the driver can see your phone number, address, and your child's safety notes.
- No one outside your carpools — your data is not visible to users who are not in the same carpool as you.
- We do not sell your data — ever.
6. Third-party services
| Service | Purpose | Data sent |
|---|---|---|
| Authentication provider | Sign-in (Google OAuth, email codes) | Email, name |
| Mapbox | Address autocomplete, geocoding, and static / interactive maps | Address text you type, geographic coordinates of saved addresses |
| Push notification service | Deliver push notifications to your device | Device token, notification content |
| Email delivery service | Send email notifications | Email address, notification content |
| Cloud database | Data storage | All user data (encrypted at rest) |
| Cloud hosting | Application hosting | Request logs (no personal data stored) |
| Firebase Analytics (Google) — opt-in only | Anonymous usage analytics | Pseudonymous device ID, event names and bucketed parameters |
| GlitchTip (self-hosted) — opt-in only | Crash and error reporting | Error stack traces, browser/OS, app version, error-session replay (DOM with form inputs masked) |
7. Data retention
- Events and rides — automatically deleted 90 days after the event date.
- Account data — kept until you delete your account.
- Push notification tokens — refreshed on each app visit, old tokens overwritten.
8. Your rights
Under GDPR, you have the right to:
- Access — request a copy of your data.
- Rectification — correct inaccurate data (you can do this directly in Settings → Profile).
- Erasure — request deletion of your account and all associated data.
- Portability — receive your data in a structured format.
- Objection — object to processing based on legitimate interest.
To exercise these rights, email privacy@squadcars.app.
9. Cookies and local storage
We use browser local storage for these essential purposes (no consent needed):
- Authentication token — keeps you logged in.
- User preferences — 24-hour time, home screen layout.
- Offline cache — cached carpool data for faster loading.
We also offer opt-in anonymous analytics and crash reporting (Firebase Analytics and GlitchTip — see section 6). When you choose to enable these, Firebase Analytics sets _ga/_ga_* cookies; until you opt in, no analytics or crash-reporting cookies are set. You can change your choice at any time in Settings → Preferences → Help improve SquadCars.
10. Security
- All data transmitted over HTTPS (TLS 1.3).
- Database encrypted at rest (Neon PostgreSQL).
- Authentication via JWT with 15-minute expiry and refresh tokens.
- Admin access verified against the database on every request.
- No passwords stored — we use passwordless email codes and OAuth.
11. Changes to this policy
We may update this policy from time to time. Material changes will be communicated via email or in-app notification. The "last updated" date at the top reflects the most recent revision.