Privacy Policy

Learn how we collect, use, and protect your personal data to ensure your privacy and security

Last updated: 4 April 2026

1. Introduction

GP Way, Lda (trading as “GP Fleet”) is committed to protecting your privacy and the security of your personal data. This Privacy Policy explains how we collect, use, store, and protect your information, in compliance with the General Data Protection Regulation (GDPR) and other applicable European data protection legislation.

Data Controller:
GP Way, Lda
VAT number: PT517778467
Rua Conde Ferreira, 16
2900-191 Setúbal, Portugal
Email: dpo@gpfleet.pt

Data Protection Officer (DPO):
Eduardo Pereira
Email: dpo@gpfleet.pt

2. What Information We Collect

2.1 Information You Provide to Us

When you create an account, use the platform, or contact us, we collect:

  • Account Data: Full name, email address, phone number, and where applicable, company name and VAT number
  • Professional Data (Drivers): Driving licence information, vehicle data, and other data required for transport activity
  • Fleet Management Data: Information about vehicles, drivers, and operations entered or imported into the platform, including trip records, schedules, and financial data; this data may include personal information of third parties (e.g., passenger names and contact details) entered by the Partner or imported from external platforms
  • Location Data: Trip departure and arrival addresses, used for geocoding and route generation
  • Payment Data: Processed securely through our payment processor (Revolut). We do not store full credit card details on our servers
  • Content Submitted for AI: Text pasted by the user into the Automatic Service Extraction feature (e.g., emails or messages from transport platforms), which may contain personal data of third parties, such as passenger names or addresses
  • Communications: Messages, queries, or feedback sent through our contact forms, email, or other communication channels

2.2 Information Collected Automatically

When you visit our website or use the platform, we automatically collect certain technical information:

  • Analytics Data: Through our Matomo analytics platform, hosted and managed internally, we collect: IP address (anonymised), browser type and version, device type, operating system, pages visited, time spent on pages, referral source, and approximate geographic location (country/city)
  • Technical Data: Log files containing IP addresses, browser information, and access timestamps

2.3 Mobile Applications

The GP Fleet platform is available as a native mobile application for Android and iOS. The applications do not collect additional data categories beyond those described in this policy. They may, however, request device permissions for specific features, such as sending push notifications about trips and operational alerts. We do not collect or track drivers’ GPS location in real time.

2.4 Calendar Export (ICS File)

The platform allows you to export trip schedules as an ICS file for import into calendar applications (Google Calendar, Apple Calendar, Outlook, and others). These files may contain personal information, such as the lead passenger’s name and trip notes. GP Fleet generates the file and makes it available for download, but does not send or synchronise data directly with any third-party calendar services. Responsibility for handling the file after export rests entirely with the user.

2.5 Information We Do NOT Collect

  • We do not use third-party tracking tools (no Google Analytics, Facebook Pixel, or similar)
  • We do not share your data with advertising networks or marketing platforms
  • We do not use third-party cookies
  • We do not track drivers’ GPS location in real time

3. How We Use Your Information

We use your personal data for the following purposes:

  • Creating and managing your GP Fleet platform account
  • Providing all contracted features, including financial management, trip management, and data processors
  • Geocoding and reverse geocoding of addresses for trip route generation
  • Processing subscription payments through our secure payment processor
  • Issuing subscription invoices for the platform
  • Sending communications related to your account, service updates, and operational notifications

Text submitted to the Automatic Service Extraction feature is transmitted to Mistral AI solely to process the request and return structured data. This content is not used to train artificial intelligence models, in accordance with Mistral AI’s API terms of use.

  • Responding to enquiries, questions, and feedback
  • Resolving issues or difficulties with the service
  • Providing technical assistance
  • Analysing website and platform usage through our internally hosted Matomo solution
  • Understanding how users interact with our services
  • Improving features, content, and user experience
  • Identifying and resolving technical issues
  • Complying with Portuguese and European legal obligations
  • Maintaining records for tax and accounting purposes
  • Responding to legitimate requests from competent authorities

4. Data Processing in a Business Context (B2B)

4.1 Data Controller vs. Data Processor

When business clients (“Partners”) use the GP Fleet platform to manage their fleet operations — including registering drivers, trips, and financial data — they act as data controllers for the personal data of their drivers and employees. In this context, GP Fleet acts as a data processor, processing that data solely according to the Partner’s instructions and for the purposes of service delivery.

4.2 Partner Obligations

Partners are responsible for:

  • Ensuring they have an adequate legal basis to process the personal data of their drivers and employees on the platform
  • Informing the individuals whose data is processed about the use of GP Fleet and this Privacy Policy
  • Complying with all obligations incumbent on them as data controllers under the GDPR

4.3 GP Fleet’s Commitments as Data Processor

In the context of processing data on behalf of Partners, GP Fleet commits to:

  • Processing data solely in accordance with the Partner’s documented instructions
  • Ensuring that personnel authorised to process the data are subject to confidentiality obligations
  • Implementing the technical and organisational security measures described in this policy
  • Supporting the Partner in fulfilling data subject rights
  • Not engaging additional sub-processors without prior notice
  • Deleting or returning personal data at the end of the service, as instructed by the Partner

GDPR compliance note: Article 28 of the GDPR requires the relationship between controller and processor to be formalised through a binding contract. Partners requiring a formal Data Processing Agreement (DPA) should contact dpo@gpfleet.pt.

5. How We Share Your Information

We respect your privacy and only share your personal data when strictly necessary:

5.1 Sub-processors

We work with carefully selected, Europe-based service providers who process data on our behalf:

ProviderCountry/HQRole
RevolutUnited Kingdom / EUSecure subscription payment processing
SweegoFrance (EU)Sending transactional emails and service communications
OVHFrance (EU)Website hosting, analytics platform, and auxiliary database
ScalewayFrance (EU)Main application and primary database hosting
Mistral AIFrance (EU)Text processing for the Automatic Service Extraction feature
TOC OnlinePortugal (EU)Issuing GP Fleet platform subscription invoices
HERE TechnologiesNetherlands (EU)Geocoding and reverse geocoding of trip addresses

All sub-processors are bound by data processing agreements and comply with GDPR requirements. Your data remains within the European Union.

5.2 Optional Integrations Enabled by Partners

The platform provides optional integrations with third-party services that Partners may activate for use in their own operations. When a Partner activates an integration, GP Fleet may transmit or collect relevant financial and operational data on the Partner’s behalf:

  • TOC Online — Invoicing integration for Partner operations
  • InvoiceXpress — Invoicing integration for Partner operations
  • Bolt — Upon the Partner providing API credentials, GP Fleet connects to the Bolt API on the Partner’s behalf to automatically import trip data from the platform
  • Additional integrations may be added in the future; the updated list will always be available in this policy

In this context, GP Fleet acts as the Partner’s (data controller’s) sub-processor, and the Partner’s use of these services is subject to the agreements they hold with each provider.

5.3 GP Fleet Extractor — Web Data Integration

GP Fleet optionally provides a browser extension (“GP Fleet Extractor”) that allows Partners to import trip data from third-party booking platforms that do not offer data export through other means. Installation and activation of the extension are entirely optional and depend on an active choice by the Partner.

When enabled, the extension operates exclusively in the user’s browser and uses the Partner’s session credentials on the configured platforms to access, on their behalf, the trip data available in their account. Data is processed locally in the browser before being transmitted to the GP Fleet platform. The extension does not access any data beyond what the Partner could manually view in their account on the third-party platform.

Imported data may include trip and passenger information (such as name, contact, and departure and arrival addresses) from the Partner’s account on the third-party platform. The Partner, as data controller of that data, is responsible for ensuring they have an adequate legal basis to import and process it in GP Fleet.

5.4 Sharing Between Partners and Drivers

As part of the fleet management service, certain data is shared between Partner and Driver accounts as required for operations. For example, a Partner may view the trips, revenues, and performance data of drivers in their fleet, and a Driver may access trip information assigned to them by the Partner. This sharing is inherent to how the platform works and is known to both parties at the time of registration.

5.5 Internal Operations

Our customer support team may access your information to provide assistance, with access limited to what is strictly necessary for each role.

We may disclose your information where required by law, court order, or governmental authority, or to protect our legal rights.

5.7 What We Do NOT Do

  • We do not sell, rent, or transfer your personal data to third parties
  • We do not share your data with marketing or advertising companies
  • We do not send marketing emails without your explicit consent
  • We do not transfer your data outside the European Union

6. Cookies and Tracking Technologies

6.1 Cookies We Use

Our website uses a minimal number of cookies:

  • Matomo Analytics Cookies: Our internally hosted analytics solution that tracks website usage to help us improve the service. These cookies store anonymised data and remain on your device for up to 13 months.
  • Session/Authentication Cookies: Required for the platform to function and to maintain your authenticated session.

6.2 What We Do NOT Use

  • No third-party tracking cookies (Google Analytics, Facebook, etc.)
  • No advertising or marketing cookies
  • No social media tracking pixels

You can control and delete cookies through your browser settings. Please be aware that disabling certain cookies may affect the functionality of the website or platform. For more information on managing cookies, visit www.allaboutcookies.org.

7. Data Retention and Account Deletion

7.1 Retention Periods

We retain your personal data for the following periods:

Data CategoryRetention Period
Account and contract dataWhile the account is active and for the legally required period after closure
Financial and billing dataMinimum 10 years, as required by Portuguese tax legislation
Correspondence and contact formsRetained indefinitely, unless a deletion request is made
Analytics data (Matomo)Up to 12 months
Payment dataNot stored on our servers; managed by Revolut in accordance with their policies

7.2 Right to Account Deletion

You have the right to request deletion of your account at any time. The scope of deletion depends on the account type:

Driver Account

Upon a driver account deletion request:

  • Data deleted: Email address, phone number, full contact details, profile information, driving licence data, and other personal identifiers
  • Data retained: First and last name (required for invoicing issued by the Partner), trip history (owned by the Partner’s account), vehicle information (belonging to the Partner), and financial and payment records (legally required tax documentation)
  • Legal basis for retention: Retained data is required to comply with legal obligations under Portuguese tax and accounting legislation, which requires retention of commercial transaction records for 10 years, as well as to safeguard the Partner’s legitimate interests in trip and vehicle records

Partner Account

Upon a Partner account deletion request:

  • Data deleted: All data associated with the Partner’s account, including contact details, company information, vehicle records, driver associations, trip history, and operational data
  • Data retained: Only billing information, issued invoices, and financial transaction records required by Portuguese tax legislation, retained for the legally required period of 10 years from the date of the last transaction
  • Legal basis for retention: Portuguese tax legislation requires businesses to maintain accounting and billing records for 10 years for audit and tax compliance purposes

7.3 How to Request Account Deletion

To request deletion of your account:

  1. Send an email to our Data Protection Officer: dpo@gpfleet.pt
  2. Provide your account email address and specify the account type (Driver or Partner)
  3. We will respond to your request within 30 days
  4. Upon approval, the deletion process will be completed within 2 to 3 business days, with confirmation by email

Data retained after account deletion will be used solely to fulfil legal obligations, and will not be used for any other purpose, including service provision or marketing communications.

8. Data Security

We take the security of your personal data seriously and implement appropriate technical and organisational measures:

  • Encryption: All information transmitted between your browser and our website is encrypted via SSL/TLS (HTTPS)
  • Secure Hosting: Our servers are hosted in secure EU data centres (OVH and Scaleway), with robust physical and network security measures
  • Access Controls: Only authorised personnel have access to personal data, limited to what is necessary for their role
  • Payment Security: Payment information is processed by PCI-DSS certified processors; we do not store full card details
  • Regular Updates: We keep our systems up to date with the latest security patches
  • Backups: Encrypted backups are performed regularly to prevent data loss

While we implement rigorous security measures, no method of internet transmission is 100% secure. We continuously monitor and improve our security practices.

9. Your Rights Under the GDPR

As a data subject in the European Union, you have the following rights:

9.1 Right of Access

You have the right to request a copy of the personal data we hold about you.

9.2 Right to Rectification

You may request that we correct inaccurate or incomplete personal data.

9.3 Right to Erasure (“Right to be Forgotten”)

You may request the deletion of your personal data, subject to certain legal exceptions (e.g., tax and accounting obligations).

9.4 Right to Restriction of Processing

You may request a temporary suspension of the processing of your data in certain circumstances.

9.5 Right to Data Portability

You may request a copy of your data in a structured, commonly used, and machine-readable format.

9.6 Right to Object

You may object to the processing of your personal data based on legitimate interests or for direct marketing purposes.

Where processing is based on your consent, you may withdraw it at any time, without affecting the lawfulness of processing carried out prior to withdrawal.

9.8 How to Exercise Your Rights

To exercise any of these rights, contact our Data Protection Officer:

  • Email: dpo@gpfleet.pt
  • Subject: “Data Subject Request — [Your Name]”

We will respond to your request within one month. If your request is complex, we may extend this period by a further two months, notifying you in advance.

9.9 Right to Lodge a Complaint

If you believe your personal data has not been processed appropriately, you have the right to lodge a complaint with the Portuguese data protection authority:

CNPD — Comissão Nacional de Proteção de Dados
Website: www.cnpd.pt
Email: geral@cnpd.pt
Phone: +351 21 392 84 00

10. International Data Transfers

All your personal data is stored and processed exclusively within the European Union:

  • Our servers are located in EU data centres (OVH and Scaleway)
  • All sub-processors we use are based in the EU or are GDPR-compliant
  • We do not transfer your data to countries outside the EEA

Your data therefore benefits from the strong protections afforded by European data protection legislation.

11. Children’s Privacy

Our services are intended exclusively for users aged 18 or over. We do not knowingly collect personal data from children under the age of 16. If you are a parent or legal guardian and believe your child has provided personal data without your consent, please contact us at dpo@gpfleet.pt and we will delete that information.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. When we make significant changes:

  • We will update the “Last updated” date at the top of this policy
  • We will notify active account holders by email
  • We will publish a prominent notice on our website

We recommend that you review this Privacy Policy periodically. Continued use of our services after changes are published constitutes your acceptance of the updated policy.

13. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:

GP Way, Lda (GP Fleet)
Data Protection Officer: Eduardo Pereira
DPO Email: dpo@gpfleet.pt
General Enquiries: info@gpfleet.pt
Address: Rua Conde Ferreira, 16, 2900-191 Setúbal, Portugal
VAT number: PT517778467

We are committed to working with you to achieve a fair resolution of any privacy-related concern.

Ready to run a smarter fleet?

GP Fleet is more than a management tool — it's how fleet businesses operate faster, reduce overhead, and scale with confidence.

Get Started NowLearn More