Privacy Policy

1. Introduction

David Ewins, trading as Takeover Software ("we," "us," or "our"), is the data controller responsible for the personal information processed under this policy. We operate the SELLERS, VOID, and RIDERS mobile applications and the website at takeover.software (collectively, the "Services"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use them.

Please read this policy carefully. By using our Services, you agree to the collection and use of information in accordance with this policy.

Where we process personal data on behalf of a seller (for example, the seller's customer order history), the seller is the controller of that data and we act as their processor; see the Data Processing section in our Terms of Service.

2. Information We Collect

2.1 Personal Information

We collect personal information that you voluntarily provide when registering for our Services, including:

• Account Information: Name, email address, phone number, and password
• Profile Information: Profile photo, business name (for sellers), delivery preferences
• Payment Information: Processed securely through Stripe Connect. We do not store your full card details on our servers
• Identity Verification: For sellers and riders, government-issued ID and business documentation as required by Stripe for KYC/AML compliance
• Location Data: Delivery addresses, storefront locations, and real-time location for riders during active deliveries

2.2 Automatically Collected Information

• Device information (device type, operating system, unique device identifiers)
• Log data (access times, pages viewed, app features used)
• Location information (with your consent)
• Usage analytics and crash reports

3. How We Use Your Information and Our Lawful Basis

Under the GDPR (Art 6), every processing purpose requires a lawful basis. We use the information we collect for the following purposes, on the following bases:

• Account creation, order processing, payouts, rider-to-order matching — performance of a contract with you (Art 6(1)(b))
• Identity verification for sellers and riders (via Stripe Identity) — compliance with our KYC/AML legal obligations (Art 6(1)(c))
• Tax records, invoicing, financial recordkeeping — compliance with legal obligations under Irish tax law (Art 6(1)(c))
• Fraud prevention, abuse detection, Cloudflare Turnstile bot protection — legitimate interest in keeping the Services secure and free of abuse (Art 6(1)(f))
• Service analytics, crash reporting (Sentry), product improvement — legitimate interest in understanding and improving the Services (Art 6(1)(f))
• In-app chat (Stream), transactional emails (Resend), push notifications for orders (OneSignal) — performance of a contract with you (Art 6(1)(b))
• Marketing emails, advertising cookies, behavioural analytics — your consent (Art 6(1)(a)), which you may withdraw at any time

4. Information Sharing

We may share your information in the following circumstances:

4.1 With Other Users

• Customers: Sellers see your name, delivery address, and order details
• Sellers: Customers see your storefront information, location, and contact details
• Riders: See pickup/delivery addresses and customer first name

4.2 With Service Providers (Sub-processors)

The following sub-processors process personal data on our behalf under written data processing agreements. Items marked "consent-gated" only fire after you accept the relevant category in our cookie preferences.

• Stripe (US/IE): payment processing, Stripe Connect payouts, and identity verification
• Supabase (EU): database, authentication, and file storage
• Fly.io (EU/US): application hosting and edge compute
• Stream (US): in-app real-time chat
• OneSignal (US): transactional push notifications
• Resend (US): transactional emails
• Sentry (US): application error tracking (configured with PII suppression)
• Axiom (US): server log aggregation
• Google Maps (US): mapping and geocoding
• Cloudflare Turnstile (US): bot protection on signup, checkout, and lead forms. Cloudflare receives limited diagnostic data (IP address, browser metadata, interaction signals) to determine whether a request is human. Subject to the Cloudflare Turnstile Privacy Addendum.
• PostHog (EU): product analytics — consent-gated
• Google Analytics 4 (US): website analytics — consent-gated
• Meta Pixel (US): advertising attribution and remarketing — consent-gated

4.3 For Legal Reasons

We may disclose information if required by law, legal process, or government request, or to protect the rights, property, or safety of Takeover Software, our users, or others.

5. Data Retention

We retain personal information only as long as needed for the purpose it was collected, or longer if required by law. Our default retention periods are:

• Order, payment, payout, and invoice records: 6 years from the end of the relevant tax year (Irish Revenue recordkeeping requirement)
• Seller and rider KYC documentation: 5 years after the account is closed (Irish AML obligations)
• Active account profile data: for as long as the account is open
• Closed / deleted accounts: profile data is soft-deleted within 30 days of your deletion request and hard-deleted (or anonymised) within a further 30 days, except where retention is required by law (above)
• Server and access logs: 30 days, then deleted
• In-app chat history: retained for the lifetime of the associated order, then 90 days for dispute resolution, then deleted
• Marketing email lists: until you unsubscribe or request deletion

6. Your Rights (GDPR)

Under the General Data Protection Regulation (GDPR), if you are a resident of the European Economic Area, you have the following rights:

• Right to Access: Request a copy of your personal data
• Right to Rectification: Request correction of inaccurate data
• Right to Erasure: Request deletion of your data ("right to be forgotten")
• Right to Restrict Processing: Request limitation of how we use your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing of your data
• Right to Withdraw Consent: Withdraw consent at any time where we rely on consent

To exercise these rights, please contact us at privacy@takeover.software.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal information, including:

• Encryption of data in transit (TLS/SSL)
• Encryption of data at rest
• Row-level security in our database
• Regular security audits and updates
• Access controls and authentication
• Secure payment processing through PCI-DSS compliant Stripe

8. International Data Transfers

Several of our sub-processors (notably Stripe, Cloudflare, Stream, OneSignal, Resend, Sentry, Axiom, Google, Meta, and Fly.io regions outside the EEA) process personal data in the United States or other third countries. Where this happens, we rely on the European Commission's Standard Contractual Clauses (SCCs), the EU-U.S. Data Privacy Framework where applicable, and each provider's published transfer impact assessment, to provide GDPR-equivalent safeguards.

9. Children's Privacy

Our Services are not intended for children under 16. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact us immediately.

10. Cookies and Tracking

Our website uses three categories of cookies and similar technologies. You can change your choices at any time through the cookie preferences link in our site footer.

• Strictly necessary — required for the site to function (authentication session, CSRF protection, Cloudflare Turnstile). Always on; no consent required under ePrivacy.
• Analytics — PostHog and Google Analytics 4, used to understand how the site is used. Only set after you accept the analytics category.
• Advertising — Meta Pixel, used for remarketing and ad attribution. Only set after you accept the advertising category.

Our mobile apps do not use browser cookies but use device identifiers (Apple IDFV, Android ID) for crash reporting and analytics, subject to your in-app permissions.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.

12. Data Protection Officer

We have not appointed a Data Protection Officer. Our processing does not meet the thresholds in GDPR Art 37 that would require one (we are not a public authority, and our core activities do not consist of large-scale systematic monitoring of data subjects or large-scale processing of special-category data). Privacy queries are handled directly by the data controller using the contact details below.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

14. Supervisory Authority

If you are in the EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local data protection authority. In Ireland, this is the Data Protection Commission (DPC):