Privacy Policy
Last updated: July 2026
This policy explains how TransitKit handles personal data across three distinct audiences: people who visit our website (transitkit.app), transit operators who subscribe to our service, and riders who use the branded apps we build for those operators. We designed the product to collect as little as possible, and this policy describes exactly what that means for each group. Governing law is Italy, and we honour data-protection rights under the GDPR, with equivalent rights extended to California residents under the CCPA.
Data controller and privacy contact
TransitKit is the data controller for its website and for the account and billing relationship with operator customers. For all data-protection matters — including access, copies, correction, or deletion — our dedicated privacy contact is andrea@transitkit.app. A formal Data Protection Officer is not required for an operation of this scale; this contact serves as the point of reference for every privacy request.
Website visitors
The website transitkit.app runs no analytics, tracking pixels, or advertising, and collects nothing about a visitor unless the visitor chooses to email us. Where someone does email us, we use their message and address only to reply and to keep a record of the exchange.
Operator customers and billing
For operators who subscribe, we process contact details (such as name and email) to provide the service, deliver support, and manage the account. Payment and billing data (billing name, email, and billing details) is collected and processed by Paddle.com as Merchant of Record, not stored on our servers.
Riders using the apps
A rider's favourite stops and lines stay on the device and are never sent to our servers. Push notifications work by topic subscription, so we never receive a rider's favourites or identity; we do not track riders and never sell passenger data.
Our role for rider data (processor)
By design, riders' favourites stay on the device and push works by topic, so very little rider personal data ever flows through the platform. Where any rider personal data is processed through the platform on behalf of an operator, TransitKit acts as a data processor and the operator as controller, under a data processing agreement (GDPR Art. 28). Business customers can request that agreement from the contact above.
Legal bases for processing
Each purpose has its legal basis. Providing the service and managing subscriptions rests on performance of a contract. Replying to enquiries and keeping the service secure rest on our legitimate interest. Tax and accounting duties tied to billing rest on compliance with a legal obligation. Where any processing depends on consent, it rests on that consent, which may be withdrawn at any time.
Payment processing via Paddle
Paddle.com is our Merchant of Record and acts as an independent controller for payment, invoicing, fraud-prevention, and tax data related to operator purchases. Purchases are also subject to Paddle's own buyer terms and privacy notice.
Sub-processors and third parties
We rely on Apple (App Store and push delivery), Google (Google Play and Firebase Cloud Messaging), Vercel (web hosting), Hetzner (real-time data proxy), GitHub (static schedule data), and Paddle (payment processing and billing). Each is used only for the function described and receives only the data needed for it.
International data transfers
Some of our sub-processors may process data outside the European Economic Area. Where that happens, we rely on appropriate safeguards, such as adequacy decisions or standard contractual clauses, to protect the data.
Data retention
We keep personal data only for as long as needed to provide the service, answer requests, and meet our legal and accounting obligations. When data is no longer needed, we delete it or render it anonymous.
Your rights
Under the GDPR you have the right to access, copy, correct, and delete your personal data, to restrict or object to processing, to data portability, and to withdraw consent where processing is based on it. To exercise any of these rights, write to andrea@transitkit.app. We also honour equivalent rights for California residents under the CCPA, including the right to know and to request deletion. We do not sell personal data.
Complaints to a supervisory authority
Anyone who believes their data has been handled improperly may lodge a complaint with a data-protection supervisory authority. In Italy this is the Garante per la protezione dei dati personali.
Cookies and tracking
Our website uses no cookies for analytics, advertising, or tracking, and sets no non-essential cookies. Because there are no non-essential cookies, no cookie-consent banner is required. We do not build profiles of visitors or riders, and we carry out no automated decision-making that produces legal or similarly significant effects.
Security
We apply reasonable technical and organizational measures to protect personal data against loss, misuse, and unauthorized access. Keeping riders' favourites on the device by design means there is no central store of that data to expose.
Children
Our service is not directed at children, and we do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.
Per-operator deployments
The apps we build are branded for individual transit operators, who may present their own additional terms or privacy notices to their riders. Those operator terms govern the operator's own relationship with its riders and are separate from this policy.
Changes to this policy
We may update this policy from time to time. When we do, we will revise the date shown above, and material changes will be reflected on this page.
Questions: andrea@transitkit.app