This Privacy Policy explains what personal data Tosiu ("we", "us", "our") collects
about you, why we collect it, how we use it, with whom we share it, and the rights
you have over your data under the EU General Data Protection Regulation (GDPR) and
equivalent laws.
1. Who we are
Tosiu is a website hosting and publishing platform operated by PR Tosiu,
a company registered in the Republic of Serbia (PIB: 111600496, MB: 65530562),
contactable at contact@tosiu.com. PR Tosiu is
the data controller for the processing described in this policy.
2. Scope of this policy
This policy covers personal data we process when you:
Visit our marketing site at tosiu.com (browsing, reading, submitting the lead or contact form);
Register for and use our admin platform at app.tosiu.com (as an operator, a driver invited by an operator, or other staff);
Contact us by email, WhatsApp, or any other channel.
This policy does not cover personal data processed on the booking
websites we host on behalf of our customers (the transfer companies, called "Operators"
in this policy). Each Operator is the data controller for the visitors and passengers
of their own booking site, and each Operator publishes their own privacy policy on
that site. Tosiu only acts as a technical processor for that data, on the Operator's
instructions, under our Terms of Service and any data-processing agreement entered
into with the Operator.
3. Data we collect
3.1 If you are a visitor of tosiu.com
Lead form data — phone number first, then (if you continue to step two) name, company, and email. We use this to contact you about Tosiu.
Contact form data — name, email, and the content of your message.
Server / technical data — IP address, user-agent, browser language, approximate country (from our locally hosted MaxMind GeoIP database — your IP is not sent to MaxMind), pages visited, referrer, UTM campaign parameters, and timestamps.
Cookies for analytics and advertising — only if you consent through the cookie banner. See our Cookie Policy for the full list.
3.2 If you are a registered user of app.tosiu.com
Account data — email, password (stored only as a hash), full name, phone, company name, billing address, VAT or tax identification number, and the role you have on the account (operator, driver, staff).
Business configuration — routes, prices, vehicles, drivers, photos, logos, page content, FAQ entries, languages and any other Site configuration you enter.
Payment-processor credentials — when you connect Stripe, PayPal, SumUp, or another processor, we store the API credentials needed to call the processor on your behalf. Sensitive credentials are encrypted at rest. We do not retain card numbers, bank details, or other end-customer payment data ourselves — those stay with your processor.
Activity and audit logs — actions you take in the platform (logins, configuration changes, exports) and timestamps, retained for security, debugging, and abuse prevention.
Support communication — emails, WhatsApp messages, and any other correspondence you have with us.
Session and technical data — IP, user-agent, session identifiers, language preference, "remember me" tokens, CSRF tokens. See our Cookie Policy.
3.3 Passenger data on Operator booking sites
Where you are a passenger booking through a transfer company's site that happens to be
hosted on Tosiu's infrastructure, we are not the data controller for your booking. The
transfer company is. Please refer to that company's own privacy policy, available on
their site, for information about how they handle your booking data. If you are an
Operator, this means: you remain the data controller for your customers, and Tosiu
processes that data only on your instructions.
4. Why we use your data
To respond to your enquiry and contact you about Tosiu (for visitors who submit the lead or contact form).
To create, operate, secure, and support your account on app.tosiu.com.
To send transactional emails (account notifications, invoices, security alerts).
To invoice and collect Commission as set out in our Terms of Service.
To improve the platform — diagnosing bugs, analysing usage, measuring performance.
To protect the platform from fraud and abuse.
With your consent, to send product updates and marketing messages.
To comply with our legal obligations (tax, accounting, anti-fraud, lawful requests from authorities).
5. Legal basis (GDPR)
We process personal data on the following lawful bases:
Performance of a contract — to deliver the platform under our Terms of Service.
Pre-contractual steps at your request — when you submit the lead form or otherwise ask us to contact you.
Legitimate interests — to secure, maintain, and improve the platform, prevent fraud, and run direct outreach to potential business customers, where your rights don't override those interests.
Consent — for analytics cookies, advertising cookies, and marketing emails. You can withdraw consent at any time without affecting the lawfulness of prior processing.
Legal obligation — to comply with tax, accounting, or anti-fraud laws.
6. Who we share your data with
We do not sell your personal data. We share it only with the third-party providers
we need to run the platform, and only to the extent required for them to perform their
function. The current providers are:
Hosting and infrastructure — Tosiu's own VPS, located in the EU. Your account data, business configuration, and logs are stored on this server.
Email delivery — transactional emails are sent from our own mail server. We do not currently use a third-party email-delivery provider.
Payment processors — when you connect Stripe, PayPal, SumUp, or another processor to your Site, we transmit Booking data to that processor on your behalf so that it can charge your Customer. We never receive or store the Customer's card details.
Analytics (with your consent) — Google Analytics 4 (Google Ireland Ltd / Google LLC) and ContentSquare (ContentSquare SAS, France) for usage analytics on tosiu.com.
Advertising (with your consent) — Google Ads (Google Ireland Ltd / Google LLC) and Meta Pixel (Meta Platforms Ireland Ltd) for measuring advertising performance on tosiu.com.
AI translation and content generation — when you use the AI features in app.tosiu.com, the text being translated or generated is sent to a large-language-model provider (currently OpenAI and/or Anthropic). The providers do not retain the content for their own training where standard API terms apply.
Authorities — where disclosure is required by law, court order, or to establish, exercise, or defend legal claims.
We will tell you which provider is used for which function on reasonable request. If
you require a written data-processing agreement (for example, because you are an
Operator with your own GDPR obligations), we will enter into one with you on request.
7. International transfers
Most of our processing happens on our own infrastructure within the European Economic
Area. Where a third-party provider transfers data outside the EEA — for example,
Google or Meta to the United States — the transfer is covered by the EU-US Data
Privacy Framework (where the provider is certified) and/or by the European Commission's
Standard Contractual Clauses, in line with GDPR Article 46. ContentSquare is a French
company processing data within the EU. You can request copies of the relevant
safeguards.
8. How long we keep your data
Lead and contact-form data — up to 24 months from your last interaction, then deleted or anonymised, unless you became a customer (in which case the data is retained as account data, below).
Account and business data (app.tosiu.com) — for as long as your account is active. Within 48 hours of receiving an account-closure request, we email you a copy of your data; after delivery we delete or anonymise it on our standard schedule, except for records we must keep by law.
Invoices and accounting records — retained for as long as required by applicable tax and accounting law (typically up to 10 years).
Marketing-consent records — until you withdraw consent or unsubscribe; the record of consent itself is kept for as long as we need it to demonstrate lawful processing.
Server logs — up to 6 months, for security monitoring and understanding how visitors reach the platform.
9. Your rights
Under GDPR you have the right to:
Access your personal data and obtain a copy;
Rectify inaccurate or incomplete data;
Request erasure ("right to be forgotten");
Restrict or object to processing;
Data portability — receive your data in a machine-readable format;
Withdraw consent at any time;
Lodge a complaint with your local Data Protection Authority.
To exercise any of these rights, email contact@tosiu.com
and we will respond within 30 days. You can also use the self-service form below to
export or delete your data directly.
10. Security
We protect your data using industry-standard measures: encrypted connections (HTTPS
with modern TLS), passwords stored only as one-way hashes, payment-processor API
credentials and similar secrets encrypted at rest, restricted internal access on a
need-to-know basis, server-side firewalling, regular backups, and ongoing monitoring.
No system is 100% secure, so if you believe your account has been compromised, please
contact us immediately at contact@tosiu.com.
11. Children
The platform is intended for business use by adult professionals. It is not directed
at children under 16, and we do not knowingly collect data from children. If you
believe a child has provided us with personal data, please contact us so we can
delete it.
12. Changes to this policy
We may update this policy from time to time. Material changes will be notified by email
to registered users or via a prominent notice on the platform. The "Last updated" date
at the top of this page always reflects the current version.
13. Manage your data
You can request a copy of all data we hold about you, or have it permanently deleted.
We will send a verification email to confirm your identity before processing the request.
14. Contact
Questions about this policy or your data?
Email contact@tosiu.com or use the
.