1. Who we are
This Privacy Policy is issued by P. MAVRAKIS & SIA E.E. (“MyNext One”, “we”, “us”, “our”), a Greek limited partnership with registered office at Thessalia, Volos 38446, Greece. We are the data controller for personal data processed through our website, our admin and dispatch platform, our iOS/Android driver apps, and our customer tracking experience (together, the “Service”).
For privacy questions or to exercise your rights, contact us at privacy@mynext.one or write to our Data Protection Officer at dpo@mynext.one.
2. Personal data we collect
We collect the minimum personal data needed to operate the Service. The categories below depend on which part of the Service you use.
From customers (fleet operators & their staff)
- Account data: name, email address, phone number, role, organisation, hashed password or federated-login identifier.
- Usage data: log-in events, pages viewed, features used, in-app actions, performance and error telemetry.
- Billing data (when applicable): invoice contacts and payment metadata. Card details are handled by our payment processors and never stored by us.
From drivers using the mobile apps
- Identity: phone number (for sign-in via Firebase Authentication), display name, vehicle identifier.
- Location: precise GPS coordinates while a route is active, used for ETA calculation, dispatch awareness, and stop-arrival detection. Location capture stops when the route ends.
- Proof-of-delivery artefacts: recipient name, signature image, photos of packages and delivery context, scanned barcodes, free-text notes.
- Device data: device type, OS version, app version, push notification token, crash and performance diagnostics.
From recipients (the people receiving deliveries)
- Provided by our customer: name, delivery address, phone number, email, and order metadata that the fleet operator has uploaded so we can carry out the delivery on their behalf.
- Tracking-page interactions: when you open a tracking link, we log a minimal page-view event; we do not set advertising cookies.
3. Legal basis (Art. 6 GDPR)
- Contract — to provide the Service to our customers and their drivers.
- Legitimate interests — to keep the Service secure, prevent abuse, debug issues, and improve product quality. We balance these interests against your rights and freedoms.
- Legal obligation — to keep tax and accounting records and to respond to lawful requests from authorities.
- Consent — for non-essential cookies and for any marketing communications.
For recipients whose data is uploaded by a fleet operator, that operator is the data controller and we act as a processor on their behalf under a Data Processing Agreement.
4. How we use personal data
- Authenticate users and enforce role-based access.
- Plan, dispatch, optimise and complete deliveries, pickups, service jobs, and ride-hailing tasks.
- Generate proof of delivery and share tracking links with recipients.
- Send transactional notifications (push, email, SMS).
- Detect and prevent fraud, abuse, and security incidents.
- Produce aggregated analytics that help us improve the product and report uptime to customers.
5. Who we share data with
We do not sell personal data. We share data with vetted processors who operate under written agreements and, where relevant, EU Standard Contractual Clauses:
| Processor | Purpose | Region |
|---|---|---|
| Microsoft Azure | Hosting, database, blob storage | Multiple regions worldwide; customer can request EU residency |
| Google Firebase | Authentication, push notifications (FCM), crash analytics | Global (SCCs where applicable) |
| Postmark | Transactional email delivery | US (SCCs) |
| Apple & Google | App distribution, push notification routing | Global |
We may also disclose data to professional advisors, auditors, or authorities where strictly required by law.
6. International transfers
We host the Service across multiple Microsoft Azure regions worldwide. Customers can request that their tenant be provisioned in a specific region (for example the EU) to meet data-residency requirements. Some processors above operate from the United States; transfers to those processors are governed by the European Commission's Standard Contractual Clauses and supplementary safeguards. A copy of the relevant safeguards is available on request.
7. Retention
- Account & usage data: kept for the duration of your account, then deleted or anonymised within 90 days of account closure.
- Driver location: retained for the duration of the active delivery cycle plus up to 90 days for dispute resolution and analytics, then anonymised.
- Proof of delivery (signatures, photos, notes): kept for the duration of the customer's subscription plus the retention period required by their commercial agreement (typically 12–24 months) for invoicing and dispute purposes.
- Tax & accounting records: retained for the period required by Greek tax law (currently 5 years).
8. Security
We protect personal data with encryption in transit (TLS 1.2+), encryption at rest for database backups and blob storage, role-based access controls, audit logging, infrastructure hosted in enterprise-grade data centres, hardened authentication using Firebase, and a defined incident-response process. Despite these controls, no system can be guaranteed 100% secure.
9. Your rights
Subject to GDPR, you have the right to:
- Access the personal data we hold about you;
- Rectify inaccurate or incomplete data;
- Erase your data, where applicable;
- Restrict or object to certain processing activities;
- Receive your data in a portable format;
- Withdraw consent at any time, where consent is the legal basis;
- Lodge a complaint with the Hellenic Data Protection Authority (HDPA) at www.dpa.gr.
To exercise any of these rights, email privacy@mynext.one. We will respond within one month. If your data was uploaded by a fleet operator, we will forward your request to them as the controller.
10. Cookies
Our public website uses only strictly necessary cookies by default. See our Cookie Policy for the full breakdown.
11. Children
The Service is not directed at people under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.
12. Changes to this policy
When we update this policy, we revise the date at the top of the page and, for material changes, notify customers in-product or by email at least 14 days before the change takes effect.
13. Contact
P. MAVRAKIS & SIA E.E.
Thessalia, Volos 38446, Greece
Email: privacy@mynext.one
DPO: dpo@mynext.one