Version 1.0 — in force as of 13 June 2026. The latest version published on the website prevails. This English page is provided for the convenience of international travellers; the French-language policy remains the legally binding reference.
This policy explains how WHEVO, the company operating the Lyon VTC booking platform, handles personal data, in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) and French Law no. 78-17 of 6 January 1978 (Data Protection Act). Lyon VTC is a booking platform that connects you with a network of vetted, independent partner chauffeurs; it does not operate a vehicle fleet.
1. Data controller
The data controller is:
WHEVO, SAS, société par actions simplifiée, registered office 229 rue Saint-Honoré, 75001 Paris, RCS Paris no. 937 966 216.
For any question about your personal data, please use the contact tools available when you make a booking on the Platform.
Data Protection Officer (DPO): [to be completed].
2. What data we process
2.1 Customer data
- Identity and contact: first and last name, email address, phone number;
- Booking data: pick-up point, destination, date and time, number of passengers, vehicle category, special instructions;
- Payment data: processed by Stripe (WHEVO has no access to full card details); transaction data (amount, status, identifier);
- Relationship data: ride history, messages, complaints, reviews;
- Technical data: IP address, connection data, browsing data (see our cookie information).
2.2 Partner Chauffeur data
- Identity and contact: name, business name, contact details;
- Professional and compliance data: VTC professional card number, registration on the VTC operators’ register, professional liability insurance certificate, vehicle inspection, driving licence, social/tax documents, and criminal-record information strictly to the extent permitted and necessary to verify eligibility;
- Payment / KYC data: processed by Stripe (identity verification, IBAN);
- Activity data: rides performed, fees, ratings.
Sensitive data (criminal record). Processing information about convictions falls under Article 10 GDPR and Article 46 of the French Data Protection Act. WHEVO does not retain the detailed content of criminal-record extracts: it limits itself to a documented eligibility check, without archiving beyond what is necessary.
3. Purposes and legal bases
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Creating and managing your account | Performance of a contract (Art. 6.1.b) |
| Matching Customer / Partner Chauffeur and performing the ride | Performance of a contract (Art. 6.1.b) |
| Processing payments and the Service Fee | Performance of a contract (Art. 6.1.b); legal obligation (Art. 6.1.c) |
| Verifying Partner Chauffeur eligibility | Legal obligation as a booking platform (Art. 6.1.c); legitimate interest (Art. 6.1.f) |
| Handling complaints and mediation | Performance of a contract; legal obligation; legitimate interest |
| Invoicing and accounting/tax obligations | Legal obligation (Art. 6.1.c) |
| Fraud prevention and platform security | Legitimate interest (Art. 6.1.f) |
| Audience measurement and service improvement | Consent or legitimate interest depending on the tool (see cookie information) |
| Marketing communications | Consent (Art. 6.1.a) or legitimate interest for existing customers |
4. Who receives your data
Data may be shared with:
- authorised internal teams of WHEVO;
- the chosen Partner Chauffeur, to perform the ride (the Partner is then a data controller for the transport);
- technical providers acting as processors (hosting provider o2switch, payment provider Stripe, audience-measurement tools), bound by an Article 28 GDPR-compliant contract;
- the competent authorities where required by law.
WHEVO does not sell your personal data.
5. Stripe’s role
For payment processing, Stripe acts, depending on the case, as a processor (for operations carried out on behalf of WHEVO) and/or as an independent or joint controller (for its own regulatory obligations: KYC, anti-money-laundering, legal retention). Stripe’s processing is governed by its own privacy policy, available on stripe.com. The exact classification (processor vs. joint controller) depends on the Connect scope and remains [to be completed].
6. How long we keep your data
| Data | Retention |
|---|---|
| User account | Duration of the relationship + deletion or anonymisation afterwards |
| Booking / ride data | Duration of the relationship, then intermediate archiving in line with limitation periods |
| Accounting records and invoices | 10 years (legal obligation, Art. L123-22 French Commercial Code) |
| Partner Chauffeur eligibility documents | Duration of the relationship + reasonable evidence period |
| Marketing data | 3 years from the last contact (CNIL recommendation) |
| Anti-money-laundering data (Stripe) | As per the provider’s applicable legal obligations |
| Cookies | See our cookie information (max. 13 months for trackers requiring consent) |
After these periods, data is deleted or anonymised, unless a legal retention obligation or evidential need in a dispute applies.
7. Transfers outside the European Union
Some providers (including Stripe) may involve processing outside the European Union. In that case, WHEVO ensures that appropriate safeguards under Articles 44 et seq. GDPR are in place (adequacy decision, European Commission standard contractual clauses, or another recognised safeguard). The actual location of each processor’s operations remains [to be completed].
8. Your rights
Under Articles 15 to 22 GDPR, you have the following rights:
- right of access;
- right to rectification;
- right to erasure (“right to be forgotten”);
- right to restrict processing;
- right to object (including to marketing);
- right to data portability;
- right to withdraw consent at any time, without retroactive effect;
- right to set directives on what happens to your data after death.
You can exercise these rights through the contact tools on the Platform. WHEVO may request proof of identity in case of reasonable doubt. A response is provided within one month (extendable by two months for complex requests).
If a problem arises, you may lodge a complaint with the French data-protection authority, the CNIL (3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07 — www.cnil.fr), or with your local EU supervisory authority.
9. Security
WHEVO implements appropriate technical and organisational measures to protect data against loss, unauthorised access, alteration or disclosure (access control, encryption of data flows, secure hosting). Payments are secured by Stripe (PCI-DSS compliant).
10. Changes
WHEVO may amend this policy. The version that applies is the one published on the Platform. In case of a substantial change, account holders are informed.
Book with confidence
When you book a vetted partner chauffeur through Lyon VTC, only the data needed for your ride is shared. Indicative prices start from a “from …” rate in euros (€) and your final price is always confirmed before the ride.
See also our Terms & Conditions.
This policy was drafted in French, the language that prevails over any translation.