We use cookies.

What does it mean?

Captcha is invalid. Please attempt to accept cookies (in the bottom left corner), reload the page, switch to a different network, disable VPN, or contact support support@onde.app.

Oops, something go wrong, please try again later

The phone number you’ve added already exists. Please choose another phone number or contact support@onde.app.

English Español Portugês العربية Français

English

Privacy Policy  - ONDE EAST FZCO

Last Updated: January 27, 2026

1. General Provisions

This Privacy Policy ("Policy") describes how ONDE EAST FZCO, a company incorporated and acting under the laws of the United Arab Emirates. CBLS No 12080185, Legal Type: Free Zone Company, Est. Date: 26/04/2023, Legal Address: Premises Number: 29706 - 001, IFZA Business Park, Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, United Arab Emirates, email: hi@onde.app, hereinafter referred to as "Onde," "we," or "us," processes the personal data of visitors and users of the Website, which means the public marketing website available at onde.app and the pages used to request information, a demo, or a trial account (including /contact-us and /sign-up). The data controller for the processing described in this Policy is ONDE EAST FZCO.

This Policy does not govern personal data processed within Onde’s platform services (e.g., My Hub / Operator App / Driver and Customer Apps) where Onde typically acts as a Data Processor on behalf of its clients under a Data Processing Agreement. 

This Policy does not apply to data processing for which a separate policy is provided, but exclusively to the processing of personal data for which Onde acts as a Data Controller, namely:

  • Website Visitors: Any individuals browsing the pages of our Website to learn about our company and services. 
  • Potential Clients: Representatives of legal entities who contact us through the forms on the Website (e.g., to request a demo or a callback) or otherwise interact with us for business purposes via the Website. This includes individuals who subscribe to our newsletters or download informational materials.

2. Onde's Role in Data Processing

  • Onde as Data Controller: We are the Data Controller for the data we collect directly from you through our Website (as described in this Policy). This means we independently determine the purposes (why) and means (how) of processing this data. For instance, when we analyze Website traffic to improve the user experience, we act as a Data Controller. We bear full responsibility for the lawfulness of this processing, for its protection, and for upholding your rights in relation to it.
  • Onde as Data Processor: When our clients (e.g., taxi companies or delivery services) use the Onde platform to provide their services, they act as Data Controllers of their end-users' data (passengers, drivers). In this capacity, Onde acts exclusively as a Data Processor, strictly on behalf of and in accordance with our clients' documented instructions. Our role is to provide the technology; we do not decide how our clients use their customers' data. The processing of such data is governed by separate Data Processing Agreements (DPAs) concluded with each client, which legally obligate us to protect that data.

3. Data We Process: Purposes and Legal Bases

A. Data You Provide to Us Directly

  • Categories of Data: When you complete forms on the Website (including
    • Contact us and Sign up / Try for free), we may process: 
    • Identification data: first name, last name; 
    • Contact data: corporate email address, phone number; 
    • Professional and business context data: company name, job title, business type/industry, current order handling method, fleet size (number of vehicles), and similar qualification information you provide in the form fields; 
    • Consent choices: your opt‑in/opt‑out choices for marketing communications and personalised ads (where offered).
  • Purpose of Processing: To process your request. To contact you professionally. To provide information about Onde’s products. To organise a personalised demo.
  • Legal Basis (GDPR)
    • Article 6(1)(b) (pre-contractual steps): where you request a demo, trial account, pricing, or other specific information, and we need your details to respond.
    • Article 6(1)(f) (legitimate interests): to respond to general B2B enquiries, manage our relationship with potential clients, and keep a record of business communications. Our legitimate interests are balanced against your rights and expectations, and you may object at any time.
    • If you object to receiving communications, we will maintain a minimal record of your contact details and your objection (suppression list) to ensure we respect your request and do not contact you again.
  • Whether data is required, fields marked as mandatory are required to process your request (e.g., to contact you or set up a demo/trial). If you do not provide them, we may be unable to respond or provide the requested information.
  • Retention: See Section 6 for details.

B. Data We Collect Automatically

  • Categories of Data: Technical logs include IP addresses, timestamps, user agents, device and browser details, and request metadata. Usage events: pages viewed, referrers, clicks. Security/technical logs (server-side). Optional analytics/marketing cookies & pixels (client-side)
  • Purpose of Processing: We use technical logs to maintain the Website's stability, prevent abuse, and enhance security. We use optional analytics to understand how the Website is used and to improve navigation and content.
  • Legal Basis (GDPR and ePrivacy):
    • Security and technical logs: Article 6(1)(f) (legitimate interests) to ensure Website security, prevent abuse, and maintain stability.
    • Optional analytics and marketing technologies (including cookies/SDKs): Article 6(1)(a) (consent).
    • ePrivacy (cookies and similar technologies): We store or access information on your device only with your prior consent, except where strictly necessary to provide a service you request (e.g., essential security and load-balancing).

C. Data You Provide for Marketing Communications

  • C1. Marketing communications (email)
  • Purpose of Processing: send product updates and relevant business communications.
  • Legal basis:
    • Newsletter and marketing emails to Website visitors: Article 6(1)(a) (consent) + applicable national ePrivacy rules.
    • “Soft opt-in” for existing customer relationships (where permitted by applicable law): we may use your email obtained in the context of a sale to market our own similar services, provided you were offered a clear right to object at collection and in every message.
  • C2. Personalised advertising/remarketing
  • Purpose of Processing: measure campaign performance and show you more relevant ads on third-party platforms.
  • Categories of Data: online identifiers (e.g., cookie IDs) and, only where you opt-in, contact identifiers (such as email/phone). The contact identifiers are immediately hashed (a one-way transformation). We may then share these hashed contact identifiers with advertising platforms to create 'matched audiences' for personalized advertising.
  • Legal basis
    • Consent (Art. 6(1)(a)) plus ePrivacy consent where cookies/pixels are used. You can withdraw consent at any time.
    • Where you opt in to personalised ads, we will process relevant data for that purpose only based on your consent and in accordance with your cookie/consent settings.

4. Cookies and Similar Technologies

We use two types of technologies on this Website: necessary ones that keep the Website functioning, and optional ones (such as analytics or marketing) that help us improve. Our own first-party cookies have a maximum lifetime of 12-18 months in your browser.

On your first visit, our banner displays “Accept all”, “Reject all”, and “Manage choices”.We do not make access to core Website functionalities (such as submitting a contact request or signing up for a trial) conditional on consenting to optional analytics or marketing cookies. Where strictly necessary security technologies are required (e.g., anti-bot protection), they may operate without consent to the extent permitted by applicable law. Optional technologies never run before you choose. You can change your mind at any time using the Cookie settings link in the footer. If you turn off optional cookies, the Website remains accessible; however, certain features (such as submitting forms protected by anti-bot measures) may require strictly necessary security technologies to function. If you block all cookies in your browser, some features may not operate.

We only use optional cookies and similar tools after you have made a prior choice, as required by the ePrivacy Directive (Article 5(3)) and the GDPR consent standard.

If any cookie-based tool would transfer data outside the EEA, we describe the safeguards in Chapter 5. Optional tools won’t load until you consent and those safeguards are in place.

5. Data Transfers to Third Parties

We do not sell your personal data. We disclose personal data only to the extent necessary to operate the Site, handle enquiries, provide support, perform analytics (where enabled), and run consent‑based marketing.

We disclose personal data to (i) processors providing hosting, email, CRM, scheduling, form handling, and security services, and (ii) independent controllers such as advertising platforms (only where enabled and, where required, based on consent).

We maintain an up-to-date Recipient Register (including processing locations and transfer safeguards) available at https://onde.app/recipient-register

This Register forms part of this Policy by reference and includes a “last updated” date.

6. Data Retention and Security

We will retain your personal data no longer than is necessary for the purposes for which it was collected. Data from our "Contact Us" or "Request a Demo" forms is retained for the duration of our communications with you. We retain this data for up to 3 years after our last meaningful interaction. If you object, we will stop processing unless we demonstrate compelling legitimate grounds or the processing is needed for legal claims. Where erasure applies, we delete or anonymise the data unless retention is required by law or strictly necessary for legal claims.

Cookie data is retained for the periods specified in our cookie banner, which is easily accessible in the corner of every page on the Website. 

We implement appropriate technical and organisational measures, including encryption in transit and at rest, access control on a need-to-know basis, multi-factor authentication for administrative access, resilience and backup procedures, and regular testing and evaluation of security measures.

7. Your Rights as a Data Subject

  • Right of Access (Article 15): You have the right to request information from us about the data we process about you, for what purposes, and to receive a copy of it.
  • Right to Rectification (Article 16): If you find that your data is inaccurate or incomplete, you can demand its correction.
  • Right to Erasure (Article 17): You can request the complete deletion of your data if there are no longer legal grounds for its further processing (e.g., if you withdraw consent).
  • Right to Restriction of Processing (Article 18): In certain situations (e.g., while the accuracy of the data is being contested), you can request that we temporarily stop processing your data, except for storing it.
  • Right to Object (Article 21): You can object at any time to the processing of your data that is based on our legitimate interest. 
  • Right to Data Portability (Article 20): You have the right to receive the data you have provided to us in a structured, commonly used, and machine-readable format.
  • Right to Withdraw Consent: If data processing is based on your consent (e.g., for marketing cookies), you can withdraw it at any time.

If you believe your rights have been infringed, you may lodge a complaint with the Estonian Data Protection Inspectorate or with any supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or of the alleged infringement.

8. Policy Regarding Minors

Our Website and services are intended exclusively for corporate clients (B2B) and are not targeted at individuals under the age of 16. We do not knowingly collect or solicit personal data from children. If we become aware that we have accidentally collected such data, we will take immediate steps to delete it.

9. Automated Decision-Making and Profiling

Onde does not use your personal data collected from this Website for automated decision-making that produces legal effects concerning you or similarly significantly affects you (such as automated credit scoring or denial of service). While we use analytics and marketing tools to understand user behavior and personalize content, this activity constitutes profiling for statistical and marketing purposes only. This profiling is not intended to result in automated decisions that significantly impact your rights, and you retain the right to object to such profiling where it is based on our legitimate interests.

10. Changes to this Policy

We reserve the right to update this Policy from time to time to reflect changes in our practices or in the law. The current version will be available on the Website with the date of its last update. We will provide additional notice of significant changes that may affect your rights.

11. Data Protection Officer

While we use analytics tools on our Website to improve the user experience, we have assessed this ancillary processing and concluded that it does not currently constitute 'large-scale monitoring' as a core activity of our business, and thus does not mandate the appointment of a DPO. We continuously re-evaluate this position in line with regulatory guidance. Until such an appointment is mandated, our dedicated privacy team can be reached at hi@onde.app. We review this assessment periodically. If a DPO is appointed, we will publish the DPO’s contact details here.

12. Breach Notification Procedures:

We will notify the competent supervisory authority of a breach without undue delay, and where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we shall communicate the personal data breach to you, the data subject, without undue delay. This communication will describe, in clear and plain language, the nature of the breach, its likely consequences, and the measures we have taken or propose to take to address it.

13. Contact Information

For all questions related to the processing of your personal data or to exercise your rights, please contact our data protection team:

Email: hi@onde.app. Address: Tornimäe 7-36, 10145 Tallinn, Estonia

Our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon). You can contact them at Tatari 39, 10134 Tallinn, Estonia, or by email at info@aki.ee.

Publishing date: 27.01.2026 
Effective period: 27.01.2026 - now


Previous versions of the Policy 
Privacy Policy. Effective period: December 14, 2023 - 27.01.2026