Gopaxo Privacy Policy

The controller of personal data collected on gopaxo.com is Gopaxo SAS, whose registered office is at 73 Rue Victor Hugo, 77340 Pontault-Combault, France. Contact details for our Data Protection Officer (DPO) are in the "DPO contact" section.

We collect only the data strictly necessary to operate the multimodal comparison engine and improve your experience. Depending on the case we process the following categories:

• Search data: departure city, arrival city, dates, number and age of passengers, discount cards where applicable.
• Contact data: first name, last name, e-mail address and message, voluntarily entered via the contact form or an incoming e-mail.
• Technical data: IP address, browser type and version, operating system, pages visited, timestamp, referrer, cookie identifiers.
• Booking data: as a comparison engine, Gopaxo does not collect your banking details or your named traveller identifiers at booking. These are entered directly on the partner site that issues your ticket.

Your data is processed in order to:

• display relevant train, bus, carpooling and plane comparison results for your search;
• redirect you to the selected partner's site to finalise the booking;
• reply to your requests via the contact form or support e-mail;
• measure performance and security (anonymised statistics, fraud detection, abuse prevention);
• improve user experience and comparison engine features;
• comply with our legal and regulatory obligations.

In accordance with Regulation (EU) 2016/679 (GDPR), each processing operation relies on a legal basis:

• Legitimate interest: providing the comparison service, aggregate audience measurement, fraud prevention.
• Consent: non-essential cookies, any newsletters, fine-grained personalisation.
• Contract performance: handling a support request attached to a ticket.
• Legal obligation: retention of invoices, handling of judicial requisitions.

Your data is intended for Gopaxo's internal teams who operate and improve the service. It may be shared with:

• Our partner carriers (rail, bus, carpooling platforms, airlines), only when you click an offer and are redirected to their booking site;
• Our technical sub-processors framed by GDPR contracts: hosting (Vercel), audience measurement, transactional messaging, supervision and security;
• Competent authorities in the context of a legal obligation or judicial requisition.

We do not sell or lease your personal data to third parties for commercial purposes.

• Route searches: retained 13 months in aggregate form for audience measurement.
• Contact data: 3 years from the last exchange, then intermediate archival for 5 years to handle any dispute.
• Technical and security logs: 6 to 12 months in line with CNIL recommendations.
• Cookies: lifetime compliant with the regulation (13 months max for consent-subject cookies).

Some of our technical sub-processors (including Vercel, our host) may process data outside the European Union. These transfers are framed by the European Commission's standard contractual clauses (art. 46 GDPR) and, where applicable, by additional encryption and pseudonymisation measures.

In accordance with GDPR and French data protection law, you have the following rights over your data:

• Right of access: obtain the list of data we hold about you.
• Right to rectification: correct any inaccurate or incomplete data.
• Right to erasure: request deletion of your data, except where legally required to retain it.
• Right to restriction: temporarily suspend the processing.
• Right to portability: retrieve your data in a structured, machine-readable format.
• Right to object: object to the processing on legitimate grounds.
• Right to withdraw consent at any time, without affecting the lawfulness of prior processing.
• Post mortem directives: determine what happens to your data after your death.

The site places several categories of cookies. Cookies strictly necessary to the operation of the service (session, consent, search preferences) do not require consent. Audience measurement and improvement cookies are only dropped after your explicit agreement via the consent banner.

You may change your choices at any time via the "Manage cookies" link in the footer or by resetting your browser settings.

We implement appropriate technical and organisational measures to guarantee a level of security matching the risk (TLS encryption, environment segregation, access management, logging, regular audits). In the event of a data breach likely to generate high risk to your rights and freedoms, we will inform you as soon as possible, in accordance with Article 34 GDPR.

To exercise your rights or ask any question about how your data is handled, write to our Data Protection Officer: dpo@gopaxo.com. You can also reach us at contact@gopaxo.com or via the contact form. We respond within a month; this may be extended by two months for complex requests.

If, after contacting us, you believe your data protection rights are not respected, you may lodge a complaint with the French Data Protection Authority (CNIL, www.cnil.fr), 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07.