Privacy Policy
1. Data controller
Medrejse (placeholder: [Company name, CVR, address]) is the data controller for personal data processed through the service. Data-protection contact: privacy@medrejse.dk (placeholder).
2. What we collect
- Account data — name, email, phone, sign-in method (email, Google, Apple, Facebook).
- Identity verification — the result of MitID verification (a verified status and a stable identifier). We do not use your CPR number as an account key.
- Driver & vehicle data — licence verification status, vehicle details, and (for DAC7) tax information.
- Journeys & bookings — routes, approximate pick-up/drop-off areas, times, seats, cost contributions, booking history.
- Payments — platform-fee orders, status and receipts (card data is handled by our payment provider, not stored by us).
- Communications — in-app messages between members, ratings and reports.
- Technical data — device/usage information and essential cookies (see our Cookie Policy).
3. Why we process it, and our legal basis
| Provide the service (accounts, matching, bookings, messaging) | Performance of a contract |
| Identity verification & safety (MitID, ratings, moderation, fraud prevention) | Legitimate interests; consent for MitID verification |
| Payments & receipts | Contract; legal obligation (bookkeeping) |
| Tax reporting (DAC7) | Legal obligation |
| Optional analytics | Consent |
4. Who we share data with
We share only what is necessary, with:
- Other members — the details needed to arrange a shared ride (e.g. your name, approximate route, rating; exact pick-up is shared only when needed).
- Processors acting on our instructions — MitID broker, payment provider, hosting, email and mapping providers.
- Authorities — the Danish tax authority (DAC7) and others where legally required.
5. Where your data is stored
We host data within the EU/EEA. Where a provider processes data outside the EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.
6. How long we keep it
We keep personal data only as long as needed for the purpose it was collected, then delete or anonymise it. Financial and tax records are kept for the statutory period; messages and notifications follow shorter operational retention. Final retention periods are set with our DPO before launch.
7. Your rights
Under the GDPR you have the right to access, rectify, erase, restrict or object to processing, to data portability, and to withdraw consent at any time. You can export or delete your data from your profile. Some data may be retained where we have a legal obligation or a legal hold. You may complain to the Danish Data Protection Agency (Datatilsynet).
8. Security
We use encryption in transit, access controls, audit logging and least-privilege access to protect your data, and separate handling for sensitive identity and financial data.
9. Children
The service is for adults (18+). We do not knowingly process data of children.
10. Changes & contact
We will post updates here with a revised date. Questions: privacy@medrejse.dk (placeholder).