| Data Controller | Contact |
| Gophr Technologies Limited Unit C1 Nutgrove Office Park Nutgrove Avenue, Rathfarnham Dublin 14, Ireland |
DPO: [email protected] Supervisory Authority: Data Protection Commission (DPC) https://www.dataprotection.ie |
1. INTRODUCTION
Gophr Technologies Limited (“we”, “us”, “our”) operates a same-day courier marketplace connecting customers who need items delivered with couriers who fulfil those deliveries (the “Gophr Marketplace”). The Gophr Marketplace is accessible via our website at gophr.com (and subdomains), the “Gophr” app for customers, and the “Gophr Work” app for couriers.
This Privacy and Cookies Policy (“Policy”) explains how we collect, use, store and share your personal data, and sets out the rights you have over that data. We are committed to handling personal data fairly, transparently, and in accordance with the EU General Data Protection Regulation (EU 2016/679) (“GDPR”) and the Data Protection Act 2018 (collectively, “Data Protection Law”).
We are the data controller of the personal data described in this Policy except where we act as a data processor on behalf of a customer (see Section 3.1 below). The supervisory authority responsible for overseeing our compliance is the Data Protection Commission (“DPC”).
Age restriction: Our platform is not directed at children under the age of 18. We do not knowingly collect personal data from individuals under 18. If you believe we have inadvertently collected data from a minor, please contact us at [email protected] and we will delete it promptly.
2. DATA PROTECTION OFFICER
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing our data protection compliance. If you have any questions about this Policy or about how we handle your personal data, you can contact our DPO at:
- Email: [email protected]
- Post: Data Protection Officer, Gophr Technologies Limited, Unit C1 Nutgrove Office Park, Nutgrove Avenue, Rathfarnham, Dublin 14
3. PERSONAL DATA WE COLLECT
We collect personal data from four groups of people: customers who use our platform, couriers who fulfil deliveries, recipients of the delivery, and business contacts we engage with for sales and marketing purposes. The data we collect depends on how you interact with us.
3.1 Customers
When you register as a customer on the Gophr Marketplace, or use it to book a delivery, we collect:
- Registration details: full name, email address, telephone number(s), home or business address, company name and billing address, industry sector, and whether your account is for personal or business use.
- Login credentials: either a password-protected account or, if you register via a social media account (Facebook, LinkedIn, or Google), your name and email address from that platform.
- Profile information: profile photo, favourite addresses and saved contacts.
- Payment information: card type, last four digits, expiry date, and a tokenised reference linking our records to those of our payment provider. We do not store your full card number.
- Booking data: collection and delivery addresses, contact names, delivery instructions, and records of all bookings made and their status.
- Communications: records of correspondence between you and us, or between you and a courier via the Gophr Marketplace messaging function.
- Survey responses: if you choose to participate in surveys we use for service improvement research.
- Website and app usage data: IP address, device type, operating system, browser type, pages visited, session duration, and navigation paths.
Social login: If you register or log in using a Facebook, LinkedIn or Google account, you are sharing data with that platform and with us simultaneously. Please review that platform’s privacy policy for information on how they process your data. We process only the data you share with us via social login.
3.2 Recipients of Delivery
When a customer uses our platform to book a courier, the customer provides us with following:
- Delivery details: full name, phone number, and delivery address.
3.3 Couriers
When you register as a courier on Gophr Work, or in the course of providing delivery services through the Gophr Marketplace, we collect:
- Registration details: full name, email address, telephone number(s), and home address.
- Identity documents: copy of your driving licence, and photo identification (passport or national identity document).
- Right-to-work documentation: Irish Residence Permit (IRP) card or equivalent evidence of your right to work in Ireland, where required by law.
- Vehicle documentation: Motor insurance documentation.
- Business information: VAT certificate (if applicable) and company name and address (if operating through a company).
- Insurance: information about your commercial insurance, including your Zego policy ID if applicable.
- Photograph: a photograph for your courier profile, displayed to customers during and after a delivery.
- Delivery preferences: information about categories of items you are willing and unwilling to deliver (for example, alcohol or certain food items). This is optional. We explain how we handle this data in Section 5 below.
- Job records: list of jobs offered, accepted, declined, and completed, including ratings and delivery performance data.
- Location data: GPS location data collected automatically from your device while you are active on Gophr Work and have accepted an active delivery session. We collect location data only during active delivery sessions (from acceptance to completion of a job). We do not track your location when you have marked yourself unavailable for work, and do not have an active delivery in progress. Location data is used to match you to nearby delivery requests and to show customers live tracking of their delivery.
- Background check results: where applicable, we may receive the outcome of pre-engagement checks carried out by an approved third-party provider.
3.4 Business Contacts
Our sales team collects names and business email addresses of contacts at potential customer organisations for the purpose of marketing and business development. This information may be obtained through professional networking platforms (such as LinkedIn), online searches, referrals, or industry events.
Article 14 notice: Where we collect your contact information from a source other than directly from you (for example, from LinkedIn or a referral), we are required by Article 14 GDPR to inform you of how we process your data. We do this by providing a link to this Policy in the first communication we send you, or by directing you to this Policy at gophr.com/privacy. You have the right to object to this processing at any time without cost (see Section 11).
3.5 Data from Third-Party Sources
We may also receive personal data from the following third-party sources:
- Social media platforms: if you register using a Facebook, LinkedIn, or Google account, we receive your name and email address from that platform.
- Background check providers: we may receive the outputs of pre-engagement checks where these are conducted.
- Insurance providers: we may receive information about a courier’s insurance policy directly from Zego or another insurer.
4. WHY WE PROCESS YOUR DATA AND OUR LAWFUL BASIS
GDPR requires us to have a lawful basis for each processing activity. The table below sets out what we do with your personal data, why, and which lawful basis we rely upon. Where we process special category data (such as data that may reveal religious beliefs), we also identify the additional condition required under Article 9 GDPR.
Key to lawful bases:
| Contract (Art. 6(1)(b)) | Processing is necessary to perform our contract with you or to take steps at your request before entering into a contract. |
| Legal obligation (Art. 6(1)(c)) | Processing is necessary to comply with a legal obligation to which we are subject (e.g. tax law, employment law, right-to-work checks). |
| Legitimate interests (Art. 6(1)(f)) | Processing is necessary for our legitimate interests (or those of a third party), provided those interests are not overridden by your rights and freedoms. |
| Consent (Art. 6(1)(a)) | You have given us clear, freely given, specific, informed and unambiguous consent to process your data for a stated purpose. You may withdraw consent at any time. |
4.1 Customer Processing
| Processing Activity | Data Categories | Lawful Basis | Art. 9 Condition |
| Registering and managing your account | Name, email, address, login credentials | Contract (Art. 6(1)(b)) | — |
| Processing and fulfilling delivery bookings | Booking data, addresses, payment token | Contract (Art. 6(1)(b)) | — |
| Maintaining financial and booking records | Payment records, booking history | Legal obligation (Art. 6(1)(c)) — accounting and tax | — |
| Communicating with you about your account or bookings | Name, email, correspondence | Contract (Art. 6(1)(b)) | — |
| Sharing your information with the courier you have booked | Name, contact details, delivery address | Contract (Art. 6(1)(b)) | — |
| Notifying you about changes to our services | Email address | Contract (Art. 6(1)(b)) | — |
| Responding to queries and complaints | Correspondence, account data | Legitimate interests (Art. 6(1)(f)) — customer service | — |
| Improving our services and platform (analytics) | Usage data, device data | Legitimate interests (Art. 6(1)(f)) — service development | — |
| Electronic marketing to existing customers (email/SMS) | Name, email, phone | Consent (Art. 6(1)(a)) | — |
| Fraud detection and security | Account data, usage data | Legitimate interests (Art. 6(1)(f)) — security | — |
4.2 Courier Processing
| Processing Activity | Data Categories | Lawful Basis | Art. 9 Condition |
| Registering and managing your courier account | Name, email, address, login credentials | Contract (Art. 6(1)(b)) | — |
| Verifying your identity | Driving licence, passport/ID photo | Contract (Art. 6(1)(b)) | — |
| Right-to-work verification | IRP card, work permit documentation | Legal obligation (Art. 6(1)(c)) | — |
| Verifying vehicle compliance and insurance | NCT cert, insurance documentation | Contract (Art. 6(1)(b)) | — |
| Live GPS location tracking during active delivery sessions only | Location data (device GPS) | Contract (Art. 6(1)(b)) | — |
| Job dispatch — matching you to delivery requests (algorithmic) | Location, job records | Contract (Art. 6(1)(b)) — see also Section 8 | — |
| Sharing your information with customers who have booked you | Name, photo, rating, vehicle type | Contract (Art. 6(1)(b)) | — |
| Recording delivery performance and ratings | Job records, GPS timestamps | Legitimate interests (Art. 6(1)(f)) — service quality | — |
| Processing payments and maintaining financial records | Bank/payment details, VAT cert | Contract (Art. 6(1)(b)) and Legal obligation (Art. 6(1)(c)) | — |
| Pre-engagement background checks | Check outcomes | Legitimate interests (Art. 6(1)(f)) — platform safety | — |
| Processing delivery preferences (where consent is given) | Dietary/item delivery preferences | Consent (Art. 6(1)(a)) | Art. 9(2)(a) — Explicit consent |
| Fraud detection and platform security | Account, location, usage data | Legitimate interests (Art. 6(1)(f)) — security | — |
4.3 Business Contact Processing
| Processing Activity | Data Categories | Lawful Basis | Art. 9 Condition |
| B2B sales outreach and prospecting | Name, business email, job title | Legitimate interests (Art. 6(1)(f)) — marketing and business development | — |
| Following up with prospective customers | Correspondence, contact history | Legitimate interests (Art. 6(1)(f)) — business development | — |
Right to object: If you are a business contact and do not wish to receive sales communications from us, you have the right to object at any time. We will communicate this right to you in our first contact with you. You may also contact us at [email protected] to object at any time. We will then cease processing your data for sales and marketing purposes and add you to our suppression list.
5. SPECIAL CATEGORY AND SENSITIVE DATA
5.1 Delivery Preferences and Religious Beliefs
When registering as a courier, you may optionally tell us about categories of items you are willing or unwilling to deliver — for example, whether you are happy to deliver alcohol, pork, or beef. Some of these preferences may suggest your religion or beliefs.
Because this data may reveal information about your religion or beliefs, it is classified as “special category data” under Article 9 GDPR, which attracts additional legal protections.
Lawful basis: We will only collect and process delivery preference data with your explicit, freely given consent. You can give or withdraw this consent at any time through the Gophr Work app settings.
Providing delivery preference information is entirely optional. If you choose not to share your preferences, or if you withdraw consent, no preference data will be recorded. You will continue to receive job offers on the same basis as any courier who has not provided preferences, and your decision will have no adverse effect on the volume or type of jobs offered to you.
If you do share preferences, we use them only to filter job offers in accordance with your stated choices. We will never infer, store, or share your religious beliefs. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
5.2 Identity Documents
We collect copies of couriers’ passports, driving licences and national identity documents for identity verification and right-to-work purposes.
We retain copies of identity documents only for as long as necessary (see Section 9) and restrict access to authorised personnel. We may use facial recognition technology on these images.
6. WHO WE SHARE YOUR DATA WITH
We share personal data only where necessary and in accordance with this Policy. We do not sell personal data to third parties.
| Recipient Category | Purpose | Safeguards |
| Couriers (for customers) / Customers (for couriers) | Sharing the information necessary to fulfil a delivery (e.g. customer’s delivery address shared with the booked courier; courier’s name and photo shared with the customer). | Governed by our platform terms; limited to what is necessary. Data Processing Agreement (DPA) in place with courier. |
| Payment processors | Processing payments on our behalf. | Data Processing Agreement (DPA) in place; PCI-DSS compliant. |
| Cloud infrastructure provider (Google Cloud Platform) | Hosting our platform and databases on servers in the UK and EEA (Ireland and Netherlands). | DPA in place. Data on EEA servers is within the EEA and protected by GDPR directly — no transfer mechanism is required. Data on UK servers is covered by the European Commission’s adequacy decision for the UK (December 2025). |
| Analytics and service improvement providers | Understanding how our platform is used and improving it. | DPA in place; data pseudonymised where possible. |
| Customer communications providers (e.g. email/SMS platforms) | Sending transactional messages, notifications and (with your consent) marketing communications. | DPA in place. |
| Background check / vetting providers | Carrying out pre-engagement checks on couriers. | DPA in place; data minimised to check outcome only. |
| Insurance providers (e.g. Zego) | Verifying courier insurance and managing claims. | As necessary for the provision of insurance services. |
| Professional advisers (lawyers, accountants, auditors) | Legal, financial and compliance advice. | Subject to professional confidentiality obligations. |
| Law enforcement and regulatory authorities (including the DPC) | Where required by law, court order or regulatory authority. | Disclosed only to the extent required by applicable law. |
| Prospective buyers of our business | In the event of a merger, acquisition or sale of assets. | Data transferred subject to equivalent confidentiality protections; data subjects notified where required. |
| Members of our corporate group | Internal administration and reporting, as defined under the Irish Companies Act 2014. | DPA in place. |
7. INTERNATIONAL TRANSFERS OF PERSONAL DATA
Our primary data storage is on Google Cloud Platform servers located in the United Kingdom (UK) and the European Economic Area (EEA). Data stored on EEA servers (Ireland and Netherlands) remains within the EEA and is governed by GDPR directly — this means that no separate transfer mechanism is required.
Where data is stored on UK servers, the transfer is covered by the European Commission’s adequacy decision in respect of the UK (adopted June 2021 and renewed in December 2025).
In some circumstances, personal data may be transferred to or accessed by staff or service providers outside the EEA and UK — for example, for the provision of technical support. Where we transfer data to a country that does not benefit from an EU adequacy decision, we ensure appropriate safeguards are in place, including the 2021 EU Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c).
You may request a copy of the safeguards we have put in place for international transfers by contacting us at [email protected].
8. AUTOMATED DECISION-MAKING AND JOB DISPATCH
For the majority of job assignments, we use an automated algorithmic system to match delivery requests from customers to available couriers. This system takes into account factors including your current GPS location, your vehicle type, your delivery preferences (where you have consented to share them), your availability status in Gophr Work, and your historical delivery performance data.
This automated matching process influences which delivery jobs are presented to you and in what order. You have the right to accept or decline a delivery job. It may therefore have an effect on your earning opportunities as a courier.
Regardless of the legal characterisation of our system, if you believe that a decision made by our job dispatch algorithm has affected you unfairly, you have the right to:
- Request a human review of the decision.
- Express your point of view in relation to any such decision.
- Request an explanation of how the algorithm weighted the factors that led to a particular outcome.
To exercise any of these rights, please contact us at [email protected]. We aim to respond within 30 days.
9. HOW LONG WE KEEP YOUR PERSONAL DATA
We retain personal data only for as long as necessary for the purpose for which it was collected, and in accordance with our legal obligations. The table below sets out our retention periods.
| Data Category | Retention Period | Basis for Period |
| Account and booking records (customers) | 6 years from last transaction | Statute of Limitations Act 1957; Companies Act 2014; Revenue requirements |
| Account and payment records (couriers) | 6 years from end of engagement | Statute of Limitations; Companies Act 2014; Revenue / VAT obligations |
| Courier identity documents (licence, passport) | Duration of engagement + 1 year | Operational need; right to verify for disputes |
| Courier profile photograph | Duration of engagement + 6 months | Operational need; removed from active profile on end of engagement; deleted within 6 months thereafter |
| GPS location data (active delivery sessions) | 13 months from date of collection | DPC guidance on proportionality; operational dispute resolution |
| Background check results | Duration of engagement + 1 year | Legitimate interests; platform safety |
| Delivery preferences (religious belief data) | Held while consent is active; deleted within 30 days of consent withdrawal | Consent-based processing |
| B2B contact and marketing data | 2 years from last communication, or until objection | Legitimate interests; DPC guidance on marketing retention |
| Customer marketing data | Held as long as consent is active | Consent-based processing |
| Website and app usage / analytics data | 13 months from date of collection | DPC guidance on proportionality; analytics purposes. Please see our cookies policy for more information |
| Customer communications and correspondence | 6 years from resolution of matter | Statute of Limitations Act 1957, s.11 — 6-year limitation period for contract claims |
If you close your account or we terminate our relationship with you, we may retain certain data for longer periods where required by law or where necessary to resolve disputes, enforce agreements, or comply with our legal obligations but we will never hold it for longer than necessary.
You may update your personal information at any time through the Gophr Marketplace or Gophr Work app, or by contacting us at [email protected]. We will endeavour to update our records within seven working days.
10. SECURITY
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration or disclosure. These include encryption of data in transit and at rest, strict access controls, regular security assessments, and staff training.
We have a data breach response procedure in place. If a breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the DPC within 72 hours of becoming aware and notify you without undue delay where required under Article 34 GDPR.
Whilst we take all reasonable steps to protect your data, transmission of data over the internet is not completely secure and any transmission is at your own risk. Once we receive your information, we use strict procedures and security features to prevent unauthorised access.
Our platform may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to read their privacy policies before sharing personal data with them.
11. YOUR DATA PROTECTION RIGHTS
Under GDPR, you have the following rights in relation to the personal data we hold about you. Most rights are free of charge. We will respond to your request within one month, although we may extend this by a further two months in complex cases (and will notify you if we do so).
| Right | When it applies | How to exercise it |
| Access (Art. 15) | You can ask us to confirm whether we process your personal data and to provide you with a copy of that data, together with supplementary information. | Contact us at [email protected] with proof of identity. |
| Rectification (Art. 16) | You can ask us to correct inaccurate data or to complete incomplete data we hold about you. | Contact us at [email protected] or update your profile directly in the app. |
| Erasure (Art. 17) | You can ask us to delete your personal data in certain circumstances — for example, where we no longer need it, or where you withdraw consent. | Contact us at [email protected]. Note: we may be unable to delete data we are required to retain by law. |
| Restriction (Art. 18) | You can ask us to restrict our processing of your data in certain circumstances, such as while a dispute about accuracy is being resolved. | Contact us at [email protected]. |
| Portability (Art. 20) | Where processing is based on your consent or on our contract with you, and carried out by automated means, you can ask us to provide your data in a structured, commonly used and machine-readable format, or to transfer it directly to another controller. | Contact us at [email protected]. |
| Object (Art. 21) | You can object at any time to processing of your data based on legitimate interests or for direct marketing purposes. You also have the right to object to processing for profiling purposes to the extent it relates to direct marketing. We must stop unless we can demonstrate compelling legitimate grounds. | Contact us at [email protected] or unsubscribe from marketing communications using the link in any email. |
| Automated decisions (Art. 22) | You can request human review of, and an explanation for, any automated decision that significantly affects you — including our job dispatch algorithm. | Contact us at [email protected]. See also Section 8. |
| Withdraw consent (Art. 7) | Where processing is based on your consent, you can withdraw consent at any time. Withdrawal does not affect the lawfulness of prior processing. | For marketing: unsubscribe link in emails or contact us. For delivery preferences: update in Gophr Work app or contact us. |
| Compensation (Art. 82) | You may claim compensation for damage caused by a breach of Data Protection Law. | Seek independent legal advice. |
To exercise any right, please email us at [email protected]. We may need to verify your identity before fulfilling your request — we may ask for information sufficient to confirm who you are (such as your registered email address or account ID). We will not request disproportionate identification documentation.
12. HOW TO COMPLAIN
If you have a concern about how we handle your personal data, please contact us first at [email protected] and we will try to resolve the matter. We aim to respond within 30 days.
You have the right to lodge a complaint with a supervisory authority. As an Irish entity, our lead supervisory authority is:
Data Protection Commission (DPC)
21 Fitzwilliam Square South, Dublin 2, D02 RD28
Website: https://www.dataprotection.ie
Contact form: https://forms.dataprotection.ie/contact
You also have the right to complain to the supervisory authority in the EU Member State where you live, work, or where an alleged infringement occurred.
13. CHANGES TO THIS POLICY
We may update this Policy from time to time to reflect changes in our processing activities, legal requirements, or regulatory guidance. We will publish any updated version on our website and update the date at the top of this Policy.
Where changes are material — for example, where we introduce a new processing purpose, a new category of data, or a new type of recipient — we will notify you by email or via an in-app notification at least 30 days before the changes take effect. We will explain what has changed and why. For non-material changes, we may notify you only by publishing the updated Policy on our website.
We encourage you to review this Policy periodically.
14. COOKIES AND SIMILAR TECHNOLOGIES
14.1 What Are Cookies?
Cookies are small text files placed on your device by our website. They allow the website to remember your actions and preferences over time.
14.2 Cookies We Set and Your Consent
We use four categories of cookies. We will only set cookies that are not strictly necessary for the operation of our website if you have actively consented to them through our cookie preference centre. Strictly necessary cookies are set automatically and do not require your consent.
| Category | Purpose | Examples | Consent required? |
| Strictly necessary | Essential for the website to function. These cannot be switched off. | Cloudflare — We use Cloudflare to protect our site from bots and to maintain consistent, secure sessions. These cookies are short-lived (session or 1 hour) and do not track you across other sites. Duration: 1 hour. | No — set automatically |
| Analytical / performance | Help us understand how visitors use our site so we can improve it. | Google Analytics — collects information about site usage, including the number of visitors, where they came from, and the pages they visited. Duration: 1 year, 1 month, 4 days.
Mixpanel — tracks how users interact with our site so we can understand what's working and where we can do better. Duration: 1 year. HubSpot — tracks visitor sessions and form submissions to help us avoid creating duplicate contact records in our CRM. Duration: 6 months. HandL UTM Grabber — records traffic source information such as how you arrived at our site, which campaign or referral link brought you here, and which page you landed on first. Duration: 1 month. |
Yes — opt-in only |
| Targeting / marketing | Used to deliver advertising relevant to you and to measure campaign effectiveness. Information may be shared with third-party advertising platforms. | Facebook (Meta) — a cookie set by Meta that tracks interactions with our site. This is used in connection with our Facebook advertising activity. Duration: 3 months.
HandL (advertising) — several HandL cookies feed into our advertising attribution, helping us understand which campaigns are driving traffic and enquiries. Duration: 1 year, 1 month, 4 days. |
Yes — opt-in only |
14.3 Mobile App Device Tracking
Our Gophr and Gophr Work mobile apps do not use browser cookies. However, we use similar device-based technologies (such as device identifiers, local storage, and push notification tokens) for equivalent operational and analytics purposes within the apps. This is governed by your device operating system’s permission settings (iOS or Android). You can manage these permissions through your device settings at any time.
The GPS location tracking described in Section 3.2 is enabled separately and only operates during active delivery sessions, as described above.
14.4 How to Manage Your Cookie Preferences
When you first visit our website, you will be shown a cookie preference banner. You can choose to accept all cookies, reject all non-essential cookies, or customise your preferences by category.
You can also control cookies through your browser settings. Most browsers allow you to block or delete cookies. Note that blocking strictly necessary cookies may prevent some parts of the website from functioning. Your browser’s help function will guide you on cookie management.
Please note that third parties (such as analytics or advertising providers) may also set cookies through our website. We aim to control this through our consent management platform, but we have limited control over cookies set by third parties directly.
15. CONTACT US
If you have any questions, comments or requests relating to this Policy or the handling of your personal data, please contact us:
Gophr Technologies Limited
Data Protection Officer: [email protected]
Post: Unit C1 Nutgrove Office Park, Nutgrove Avenue, Rathfarnham, Dublin 14, Ireland
