This Privacy Policy (the "Policy") describes how Transitica (transitica.com, hereinafter "Administration", "we", "us") collects, processes, stores, and protects the personal data of users of the website transitica.com (the "Website", "Platform") and its related services.
The Policy applies to all forms of interaction with the Platform: browsing pages, registration, booking, subscribing to the newsletter, contacting support, and data collected automatically when you visit the Website.
By using the Platform, you confirm that you have read this Policy and accept its terms. If you do not agree, please refrain from using the Website.
This Policy forms part of the Terms of Use of Transitica and should be read together with that document.
For the purposes of this Policy, the data controller is:
| Detail | Information |
|---|---|
| Name | Transitica (transitica.com) |
| Website | transitica.com |
| privacy@transitica.com | |
| Role | Data Controller |
Transitica is not a carrier and does not provide transport services. The Platform acts as an information intermediary: it receives booking requests and passes passenger data to the Carrier or Partner as necessary for the performance of the contract of carriage. In respect of the data it receives, the Carrier acts as an independent data controller and bears its own corresponding responsibilities.
3.1. Data you provide directly
When making a booking:
- First and last name of the passenger(s);
- Date of birth (mandatory for children and infants; optional for adults);
- Identity document series and number (passport, national ID card);
- Nationality;
- Contact phone number;
- Email address (optional);
- Selected route, date, number and categories of passengers;
- Booking comment (if provided).
When registering an account:
- First and last name;
- Email address;
- Phone number;
- Password (stored in hashed form — not accessible to the Administration).
When subscribing to the newsletter:
- Email address;
- Consent to receive marketing communications (with date and method of capture).
When contacting support:
- Name and contact details provided in the enquiry;
- Content of the correspondence and any attached files.
3.2. Data collected automatically
- Technical data: IP address, browser type and version, operating system, browser language, screen resolution;
- Usage data: pages viewed, time on site, navigation paths, search queries entered in the route search form;
- Cookies and similar technologies (see §8 for details);
- UTM parameters and referral source (referral URL).
3.3. Data from third-party sources
If you log in via a third-party service (Google, Facebook, Apple — where available), we receive basic profile data from them: name, email address, and account identifier. No other data is requested without your explicit consent.
Special categories of data: We do not request or process special categories of personal data (racial or ethnic origin, political opinions, religious beliefs, biometric data, health data) except where expressly required by law or strictly necessary to fulfil a request (e.g. disability information for reserving an accessible seat).
We process personal data only where a valid legal basis exists. The table below summarises all processing activities:
| Purpose | Data categories | Legal basis | Retention period |
|---|---|---|---|
| Processing and fulfilling bookings | Full name, contact details, identity document, route, date | Contract | 3 years from travel date |
| Transmitting data to Carrier / Partner | Passenger names, documents, contact details | Contract | Until completion of carriage |
| Processing payments (intermediary services) | Contact details, amount, currency | Contract | 5 years (accounting retention) |
| Sending booking confirmations and notifications | Email, phone | Contract | 3 years from booking date |
| Customer support | Contact details, correspondence history | Legitimate interest | 2 years |
| Analytics and service improvement | Anonymised behavioural data | Legitimate interest | 26 months |
| Email newsletter (news, offers) | Email, preferences | Until consent is withdrawn | |
| Content personalisation and recommendations | Search history, cookies | Until consent withdrawn / 12 months | |
| Fraud prevention and security | IP address, user agent, logs | Legal obligation | 6 months |
| Compliance with legal requirements | Booking data, payment data | Legal obligation | As required by law |
Important: Where consent is the legal basis, you have the right to withdraw it at any time without any negative consequences. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
5.1. Carriers and Partners
To fulfil the contract of carriage, we are required to transmit passenger personal data (full name, identity document details, contact information) directly to the Carrier or Partner. Data is shared only to the minimum extent necessary and solely for purposes connected with the fulfilment of the booking. The Carrier acts as an independent controller of the data it receives and is obliged to comply with applicable data protection law.
5.2. IT Service Providers (Data Processors)
We may engage trusted technical subcontractors who process data solely on our instructions and on our behalf (as processors, not independent controllers):
- Hosting and infrastructure — server providers ensuring the operation of the website;
- Payment systems — processing companies for online payment acceptance;
- Email services — platforms for transactional and marketing communications;
- Analytics services — traffic statistics tools (see §11);
- Customer support — helpdesk systems for handling enquiries.
All subcontractors are bound by Data Processing Agreements (DPAs) and are required to maintain appropriate protection standards.
5.3. Public Authorities and Law Enforcement
We may disclose personal data in response to a lawful request from a competent authority (court order, regulatory directive, judicial decision). In such cases we disclose only the minimum necessary data and, where permitted by law, notify the affected user.
5.4. Business Reorganisation
In the event of a merger, acquisition, or asset transfer, personal data may be transferred to a successor entity, provided that the level of protection is maintained at no less than that established by this Policy. Users will be notified in advance.
5.5. What we never do
- We do not sell personal data to advertisers or any other third parties;
- We do not share data for unintended purposes or third-party profiling without your explicit consent;
- We do not grant access to data beyond what is strictly necessary for the specific purpose.
Given the international nature of the Platform's operations (routes to Poland, Germany, Czech Republic, and other countries), passenger personal data is necessarily transmitted to Carriers located outside the user's country of residence.
6.1. For users in the EU / EEA
When transferring data to countries outside the EU/EEA, we apply the following safeguards:
- Adequacy decisions adopted by the European Commission;
- Standard Contractual Clauses (SCCs) approved by the European Commission;
- For transfers to the United States — additional technical and organisational measures in accordance with the Schrems II requirements.
6.2. For users in Ukraine
Cross-border data transfers are carried out in accordance with Article 29 of the Ukrainian Law on Personal Data Protection. Data is transferred to countries with an adequate level of protection or subject to appropriate contractual safeguards. In cases where a Carrier is located in a country without a recognised adequate level of protection, the transfer is carried out on the basis of contractual necessity (Article 6 of the Law).
6.3. For users in other jurisdictions
International data transfers are carried out in compliance with the requirements of the national law of the user's country of residence, including applicable data protection legislation.
7.1. Retention periods
We retain personal data for no longer than is necessary to achieve the purposes for which it was collected, or as required by applicable law. Upon expiry of the retention period, data is permanently deleted or irreversibly anonymised.
| Data type | Retention period | Basis |
|---|---|---|
| Booking data (completed trips) | 3 years | Contractual limitation period |
| Financial and payment records | 5 years | Tax / accounting legislation |
| Account data (active account) | For the duration of the account | Contract |
| Account data (after deletion) | 30 days (buffer), then deleted | User's interests |
| Support correspondence history | 2 years | Legitimate interest |
| Newsletter data | Until consent withdrawn + 1 year | Consent |
| Security logs (IP, user agent) | 6 months | Fraud prevention |
| Anonymised analytics | Up to 26 months (Google Analytics) | Legitimate interest |
7.2. Technical security measures
- Encryption in transit: all data is transmitted over TLS 1.2 / TLS 1.3 (HTTPS). Unencrypted connections are automatically redirected;
- Encryption at rest: databases and file storage are encrypted at disk level;
- Password hashing: passwords are stored as bcrypt hashes and are never retained in plain text;
- Payment data: card numbers and CVV codes are not stored on the Platform's servers; processing is handled by a PCI DSS-certified payment gateway;
- Access segmentation: access to personal data is restricted to authorised personnel on a least-privilege basis.
7.3. Organisational measures
- Regular staff training on data protection rules;
- Internal security and confidentiality policies;
- Mandatory confidentiality agreements for all employees and subcontractors;
- Periodic security audits.
7.4. Data breach response
In the event of a security breach posing a risk to the rights and freedoms of data subjects, we will:
- Notify the supervisory authority within 72 hours (GDPR Art. 33; equivalent Ukrainian and other applicable requirements);
- Promptly notify affected users where there is a high risk to their rights;
- Take immediate steps to remediate the vulnerability and minimise harm.
Cookies are small text files stored on your device when you visit the website. We use cookies and similar technologies (localStorage, pixels) to ensure the website works correctly, for analytics, and — with your consent — for personalisation.
8.1. Types of cookies
| Type | Purpose | Examples | Duration | Consent required |
|---|---|---|---|---|
| Authentication, CSRF protection, saving form/cart state, load balancing | session_id, csrf_token, lang | Session / up to 1 year | Not required | |
| Visitor statistics and anonymised user behaviour analysis | _ga, _gid, _gat (Google Analytics) | Up to 26 months | Required | |
| Retargeting and serving relevant ads on third-party platforms | _fbp, ads/ga-audiences | Up to 90 days | Required |
8.2. Managing cookies
A cookie consent banner is displayed on your first visit. You may accept only necessary cookies or grant extended consent. Your preferences can be changed at any time via the "Cookie Settings" link in the website footer.
Regardless of your on-site settings, you can manage cookies through your browser: block new cookies, delete existing ones, or receive notifications. Please note that disabling necessary cookies may impair certain website features.
For EU users: in accordance with the ePrivacy Directive and the GDPR, marketing and analytics cookies are only set after you have given your explicit consent via the banner.
Depending on your jurisdiction, you have the following rights:
How to exercise your rights
To submit a request, send an email to privacy@transitica.com with the subject line "Personal Data Request", including:
- Your first and last name;
- The contact details used during registration / booking;
- The specific action requested and the reason for it.
We will review the request and respond within 30 days (which may be extended to 90 days with notice where necessary). In some cases, additional identity verification may be required.
Supervisory authorities
EU users may also use the European Commission's online dispute resolution platform: ec.europa.eu/consumers/odr.
The Platform's services are intended for individuals aged 18 or over (or the age of majority under applicable law). Persons under 18 may use the Platform only with the consent and under the supervision of a legal guardian (parent or guardian).
When booking for children (passengers in the "child" and "infant" categories), the child's personal data — first name, last name, and date of birth — is collected and processed solely for the purpose of performing the contract of carriage. The child's legal guardian confirms their consent to such processing at the time of booking.
If you become aware that a child under the age of 13 has independently, without adult supervision, provided us with personal data, please notify us immediately at privacy@transitica.com — we will delete such data without delay.
11.1. Google Analytics
We use Google Analytics (Google LLC) to collect anonymised traffic statistics. IP addresses are anonymised by Google before being recorded in the database. Data is used only in aggregated form to analyse traffic and improve the service. You can opt out of Google Analytics data collection by installing the official browser add-on.
11.2. Email marketing
Newsletters, special offers, and promotional communications are sent only where you have given your explicit consent (opt-in). Every email contains a one-click unsubscribe link. Unsubscribe requests are processed promptly — you will stop receiving marketing emails within 10 business days (transactional booking notifications will continue regardless of subscription status).
11.3. Third-party links
The website may contain links to third-party resources (Carrier websites, travel agencies, information portals). This Policy does not apply to third-party websites. We recommend reviewing the privacy policies of any sites you visit.
11.4. Social media and share buttons
Blog and article pages may include social media share buttons. Clicking them may transmit data to the relevant platform. We recommend reviewing the privacy policies of those services.
Our data protection obligations are built on the requirements of the following legal instruments:
| Jurisdiction | Key legislation |
|---|---|
| 🇪🇺 European Union / EEA | EU Regulation 2016/679 (GDPR); ePrivacy Directive 2002/58/EC; national implementation laws of EU member states |
| 🇺🇦 Ukraine | Law of Ukraine on Personal Data Protection (2010, as amended); Constitution of Ukraine, Art. 32; Civil Code of Ukraine provisions on personal data protection |
| 🇧🇾 Belarus | Law of the Republic of Belarus on Personal Data Protection (2021) |
| 🇰🇿 Kazakhstan | Law of the Republic of Kazakhstan on Personal Data and Their Protection (2013) |
| 🌍 Other countries | National personal data and information protection laws of the respective states |
Where the laws of different jurisdictions conflict, the provision affording the highest level of protection to the data subject shall apply.
We reserve the right to make changes to this Privacy Policy. For material changes (new processing purposes, new categories of recipients), we will notify you by:
- Publishing the updated version at transitica.com/privacy with a revised date in the header;
- Sending an email notification where an account exists (for significant changes);
- Displaying a notification banner on your next visit to the website.
Continued use of the Platform after changes take effect constitutes acceptance of the revised Policy. Previous versions are available upon request.
The current version of the Policy is always available at: transitica.com/privacy. Date of last update: May 1, 2026.
For all questions relating to the processing of personal data, the exercise of data subject rights, or this Policy, please contact us:
Response time for personal data requests: 30 days from receipt (may be extended to 90 days for complex requests, with notice). To help us process your request promptly, please use the subject line: "Data Subject Request — [your name]".
Related documents: Terms of Use · Cookie Settings