Tachora

Privacy Policy

Last updated: May 18, 2026

This privacy policy informs you, in accordance with Articles 13 and 14 of the EU General Data Protection Regulation (GDPR), § 5 of the German Digital Services Act (DDG, successor to the former TMG) and § 25 of the German Telecommunications and Digital Services Data Protection Act (TDDDG, successor to the former TTDSG), about how personal data is processed when you use the website tachora.app, the Tachora Hub platform and the TachoPlus mobile application (Android / iOS). The legally binding version of this policy is the German one; this English translation is provided for convenience.

1. Controller (Art. 4(7) GDPR)

Dmytro Bezrukov
Tachora — sole proprietorship (Einzelunternehmen)
Neue Grabenstraße 24, 32657 Lemgo, Germany
Email: support@tachora.app

A VAT identification number and, where applicable, an economic identification number will be added to the Impressum once issued.

2. Data Protection Officer

A data protection officer is not currently required under Art. 37 GDPR in conjunction with § 38 of the German Federal Data Protection Act (BDSG): we do not regularly employ more than 20 persons engaged in automated processing and we do not carry out large-scale processing of special categories of data within the meaning of Art. 9 GDPR. Please direct privacy-related enquiries to the email address in Section 1.

3. Processing activities, purposes and legal bases

We process personal data only to the extent necessary to provide the respective feature. The following overview sets out, for each feature: what data is processed, for what purpose, on what legal basis, and how long it is retained.

3.1 Standalone use of the TachoPlus driver app

  • Data processed: shift start/end, driving and rest periods, manual activity entries, optional vehicle notes.
  • Processing: solely local on your device (SQLite). No account is required.
  • Purpose: compliance with EU driving-time rules (Reg. (EC) 561/2006 and 165/2014); personal overview of work and rest times.
  • Legal basis: since no data is transmitted to us, we are not the controller for this processing — you process your own data on your own device.
  • Retention: until you uninstall the app or delete the data manually.

3.2 Connection with a fleet (Tachora Hub)

  • Data processed: current driving status, remaining driving and rest times, GPS position, speed, battery level, activity status (driving, break, work, available).
  • Recipient: only the fleet operator you have actively connected to via QR code. No cross-fleet processing.
  • Purpose: performance of the employment or contractor relationship between driver and fleet, dispatch and compliance monitoring.
  • Legal basis: Art. 6(1)(b) GDPR (contract) between you and the fleet operator; we act as the fleet operator's processor within the meaning of Art. 28 GDPR.
  • Retention: connection data is deleted immediately when you disconnect from the fleet or the operator removes you.

3.3 Fleet account (Tachora Hub Web)

  • Data processed: email address, password hash, company name, invoicing address, VAT number (optional), language.
  • Purpose: provision of the Tachora Hub platform, billing, support.
  • Legal basis: Art. 6(1)(b) GDPR (contract), Art. 6(1)(c) GDPR (statutory retention duties under German commercial and tax law, § 147 AO, § 257 HGB).
  • Retention: account data for the duration of the contract plus 90 days. Invoicing and bookkeeping data 10 years under statutory retention duties.

B2B note: Where you process your drivers' data as a fleet operator via Tachora Hub / TachoFleet, a separate Data Processing Agreement (DPA) under Art. 28 GDPR may be required between your company (controller) and Tachora (processor). A template is available on request.

3.4 Social / Friends feature (TachoPlus mobile app)

If you accept friend requests in the TachoPlus app, the following data is shared between you and accepted friends only:

  • Location and movement: GPS coordinates, speed, activity status. Transmission occurs at intervals depending on your activity (1–15 minutes).
  • Direct messages: text messages between accepted friends (table friend_messages).
  • Profile: display name, optional profile picture, language.
  • Ghost mode: you can disable location and status sharing at any time in app settings, without ending friendships. In ghost mode nothing is transmitted except the indication that you are invisible.
  • Purpose: social feature on the user's express request (mutual confirmation of friendship required).
  • Legal basis: Art. 6(1)(a) GDPR (consent through active acceptance of the friendship and enabling location sharing).
  • Retention: last location data is overwritten (no historical movement profile). Messages remain until you delete them or delete your account.

3.5 CV (résumé) and job applications

  • Data processed: name, contact details (email, phone, optional Telegram / WhatsApp), date of birth, nationality, place of residence, driving licence categories, ADR / Code 95 certificates, employment history, language skills, salary expectation, preferred countries, optional photograph.
  • Publication: your CV is not public by default. You may choose whether your profile is visible in the public candidate catalogue for registered employers (is_public setting); you may withdraw that visibility at any time.
  • Consent to sharing: when creating the CV, your explicit consent is required ("Tachora may use my CV and contact details to find work and forward them to transport companies for the sole purpose of recruitment"). The date of consent is recorded for evidentiary purposes (driver_profiles.data_sharing_consent_at).
  • Direct application: if you apply for a specific job, your application is sent directly by email to the respective employer (email provider: Resend, see Section 4).
  • Optional Telegram publication: with your consent, an excerpt of your CV may be posted to a public Telegram channel. This feature can be switched off; on withdrawal, the entry will be removed to the extent technically possible.
  • Purpose: recruitment intermediation within the meaning of § 296 SGB III; provision of the application platform.
  • Legal basis: Art. 6(1)(a) GDPR (explicit consent for publication and sharing); Art. 6(1)(b) GDPR (pre-contractual steps at the applicant's request).
  • Retention: your CV remains active until you delete it, close your account or withdraw your consent. On withdrawal, the CV is promptly anonymised or deleted. Transmitted application emails reside with the respective employer; we have no access to them.
  • Paid placement: Tachora may propose or feature CVs to employers for a fee (for example "Featured CV"). Paid placement uses only CVs whose owner has given the consent described above. No transmission is made without that consent.

3.6 Push notifications

  • Data processed: device tokens from Apple Push Notification Service (APNs) or Firebase Cloud Messaging (FCM), platform identifier (iOS / Android), last-activity timestamp.
  • Purpose: sending transactional notifications (new task, message, driving-time warning) and occasional service notices (e.g. new version).
  • Legal basis: Art. 6(1)(b) GDPR for contract-related notifications; Art. 6(1)(a) GDPR (operating system consent) for the right to display push messages.
  • Opt-out:you may disable push notifications in your device's system settings at any time. Inactive tokens (no activity for > 60 days) are removed automatically.

3.7 Advertising in the TachoPlus app (in-app ads)

  • Data processed: pseudonymised device identifier, routed tier slot, ad impressions and clicks. No personalised advertising profile is built.
  • Purpose: display of paid advertising slots, frequency capping per device, billing of advertisers.
  • Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating a viable free app); no cross-site or cross-device trackers.
  • Retention: daily frequency counters are deleted after 24 hours; click and impression logs retained anonymised for 90 days as proof of billing.

3.8 Anonymous parking data (TachoPlus mobile app)

The TachoPlus app may submit anonymised parking data points to help other drivers find truck parking spots more easily. Only the following is transmitted:

  • coordinates rounded to ~11 m,
  • stay duration in minutes,
  • hour of day and day of week,
  • a non-reversible hash used to count distinct users.

No identities, exact timestamps or movement traces are sent. The feature is enabled by default and can be disabled at any time in app settings under "Privacy / Share parking anonymously". Legal basis: Art. 6(1)(f) GDPR (improvement of the app for the user community; no personal evaluation).

3.9 Contact / support

  • Data processed: contents of your message, contact details you provide, IP address, browser and device information of the chat widget.
  • Purpose: answering your enquiry.
  • Legal basis: Art. 6(1)(b) GDPR (pre-contractual / contractual measures); Art. 6(1)(f) GDPR for purely informational enquiries.
  • Retention: 12 months after the matter is closed, then deletion — subject to commercial or tax-law retention obligations.

4. Recipients / processors

We use carefully selected service providers with whom data processing agreements under Art. 28 GDPR (or equivalent contractual basis) are in place. Personal data is shared only to the extent necessary to provide the respective function.

ProviderPurposeHostingDPA
Supabase Inc.Database, authentication, storageEU (Frankfurt)DPA
Vercel Inc.Hosting of the website and server functionsEU (Frankfurt)DPA
Stripe Payments Europe Ltd.Payment processingEU / US (SCC)DPA
Google LLC — Firebase Cloud MessagingPush delivery (Android and partially iOS)EU / US (SCC)Google Cloud DPA
Apple Inc. — APNsPush delivery (iOS)US (SCC)Privacy
Functional Software, Inc. (Sentry)Error logs, stacktracesEUDPA
Resend, Inc.Transactional emails (job applications, notices)US (SCC)DPA
Crisp IM SASLive chat support on the websiteEU (France)Privacy
Telegram FZ-LLCOptional sending of public CV excerpts to a channelUAE / internationalPrivacy

5. Transfers to third countries

Where processing takes place outside the European Economic Area (EEA) — in particular with Stripe, Google (Firebase), Apple, Resend and Telegram — this is based on:

  • European Commission adequacy decisions (Art. 45 GDPR), where applicable;
  • European Commission Standard Contractual Clauses (Art. 46(2)(c) GDPR) for the US providers listed above;
  • supplementary technical measures (transport encryption, minimisation of transmitted data categories).

For publication of CV excerpts via Telegram we expressly point out that no adequacy decision exists; transmission only occurs if you have explicitly consented to this feature.

6. Retention overview

Detailed retention periods are stated in Section 3. In summary:

  • Local driver-app data: until uninstall.
  • Account and master data: contract duration + 90 days; thereafter deletion, save for commercial / tax retention obligations (10 years).
  • Friend messages and CVs: until deleted by you.
  • GPS position (friends): only latest snapshot; no historical movement profile.
  • Push tokens: max. 60 days after last activity, then deletion.
  • Sentry error logs: 90 days.
  • Crisp chat transcripts: 12 months.
  • Resend delivery logs: 30 days.
  • Ad impressions / clicks: 90 days anonymised.
  • Anonymous parking data: pseudonymised; not personally identifiable.

7. Your rights as a data subject

Under Articles 15–22 GDPR you have the following rights regarding personal data concerning you:

  • Access (Art. 15 GDPR),
  • Rectification (Art. 16 GDPR),
  • Erasure ("right to be forgotten") (Art. 17 GDPR),
  • Restriction of processing (Art. 18 GDPR),
  • Data portability (Art. 20 GDPR),
  • Object to processing based on legitimate interest (Art. 21 GDPR),
  • Withdraw consent at any time with effect for the future (Art. 7(3) GDPR).

Exercising these rights is free of charge. Please contact support@tachora.app. We will respond within one month (Art. 12(3) GDPR). We may request appropriate identity verification to prevent abuse.

8. Right to lodge a complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement. For the controller's seat (Lemgo, North Rhine- Westphalia), the competent authority is:

State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW)
Kavalleriestr. 2–4, 40213 Düsseldorf, Germany
Email: poststelle@ldi.nrw.de

9. Cookies and similar technologies (§ 25 TDDDG)

Tachora normally uses only technically necessary cookies and similar storage technologies. Consent under § 25(2)(2) TDDDG is therefore not required.

The Jobs and Business / Marketing areas additionally show paid advertising slots. Delivery is performed without personalised tracking or cross-site cookies. As a precaution we still ask for your choice on first visit ("Accept" or "Essential only"). Your choice is stored in a long-lived cookie tachora_cookie_consent for 12 months and can be reset by clearing browser cookies.

  • Authentication cookie (Supabase Auth session) — required for sign-in; session lifetime.
  • Language cookie (NEXT_LOCALE) — stores your language choice; lifetime 12 months.
  • Crisp chat sets its own technically necessary identifiers only when you open the chat widget.

We do not use tracking, advertising or analytics cookies that build usage profiles.

10. Security of processing (Art. 32 GDPR)

We take technical and organisational measures under Art. 32 GDPR taking into account the state of the art, cost of implementation, and the likelihood and severity of risks. In particular:

  • Transport encryption (TLS 1.2+) for all transmissions;
  • Password hashing with state-of-the-art algorithms (bcrypt / Argon2 via Supabase Auth);
  • Row-level security on the database layer to isolate tenant data;
  • Regular security reviews (code reviews, dependency scans);
  • Multi-factor authentication for administrative access.

11. Automated decision-making and profiling

Decisions based solely on automated processing producing legal or similarly significant effects in the sense of Art. 22 GDPR do not currently take place. In particular, we do not rank CVs algorithmically for selection to employers.

12. Obligation to provide data

Provision of your data is neither legally nor contractually required. However, certain data must be provided in order to use the feature you request (e.g. email for sign-up). Without that data, the respective feature cannot be used.

13. Changes to this policy

We update this policy upon material changes in our processing. Registered users will be notified by email at least 14 days in advance. The current version is available at tachora.app/en/privacy. Effective date of this version: May 18, 2026.