Privacy Policy (Personal Data Processing Policy)
Last updated: November 9, 2025
1. Introduction
This Privacy Policy (the “Policy”) explains how personal data is collected and processed in the CarryWay mobile application
for Android and iOS (the “App”) and on the website at https://carryway.tech (the “Website”,
together the “Service”).
The Service is operated by Aleksandr Vasilyevich Dolgov (the “Operator”, “we”, “us”, “our”), a citizen of the Russian Federation,
residing at 2704 Ocean Ave, Brooklyn, NY 11229, USA.
This Policy applies to all processing of personal data in the Service, regardless of whether the data was obtained before or after
the effective date of this Policy. The current version is always available at:
https://carryway.tech/about-us/privacy-policy.
In case of discrepancies between versions, the version published on the Website at the time of your request prevails.
The Service is intended for users aged 18 and over and enables registered users to publish trip listings with the possibility of
carrying packages. The Operator is not a party to any agreements between users and is not responsible for the items carried,
but strictly prohibits the use of the Service for transporting illegal items (such as drugs, weapons, dangerous goods or other
items prohibited by law).
2. Applicable Data Protection Laws
We aim to comply with relevant data protection and privacy laws, including in particular:
- the Russian Federal Law No. 152-FZ “On Personal Data” for users located in Russia;
- the EU General Data Protection Regulation (GDPR) for users in the European Union/EEA;
- the California Consumer Privacy Act and its amendments (CCPA/CPRA) and other relevant US state privacy laws;
- Brazil’s General Data Protection Law — Lei Geral de Proteção de Dados (LGPD);
- Turkey’s Law on the Protection of Personal Data No. 6698 (KVKK/LPPD);
- Thailand’s Personal Data Protection Act (PDPA);
- Indonesia’s Personal Data Protection Law No. 27 of 2022 (PDP Law);
- Vietnam’s Decree No. 13/2023/ND-CP on Personal Data Protection and related cybersecurity regulations;
- Morocco’s Law No. 09-08 on the protection of individuals with regard to the processing of personal data;
- Tunisia’s Law No. 2004-63 on the protection of personal data;
- other applicable national and international data-protection and e-commerce laws in South American countries,
Turkey, Thailand, Vietnam, Indonesia, North African states, the EU and the USA.
Where legal regimes conflict, mandatory provisions of the country where the data subject is located prevail.
For users in Russia, Russian law has priority to the extent it does not contradict mandatory rules of another jurisdiction.
3. Definitions
- Personal data means any information relating to an identified or identifiable natural person.
- Processing means any operation performed on personal data, such as collection, recording, storage, use, disclosure or erasure.
- Data subject means the natural person to whom the personal data relates.
- User means an individual aged 18 or over who has registered in the App and uses the Service in accordance with the Terms of Use.
- Listing means information about a trip published by a User, including routes, dates, types and categories of packages, and weight/size limits.
- Chat means the in-app messaging function between Users regarding a specific Listing.
- Cookies and similar technologies mean small files and/or local storage mechanisms on your device used to operate the Service, perform analytics and remember preferences.
4. Categories of Data We Process
- Account data: name, surname, date of birth, email address (for email registration), unique Apple ID/Google Account identifiers, registration date, internal ID, authentication tokens.
- Profile and content: name and surname, profile photo, information in Listings (routes, dates, package types and categories, weight/size limits).
- Communication data: messages in the Chat (including local cache for offline access), communications via support forms.
- Technical data: IP address, device type, operating system, app version, language code, platform (Android/iOS), internal DB version, log and error data, cookies and similar identifiers.
- Analytics and improvement data: aggregated usage statistics, page-view data, performance and crash reports.
We do not intentionally process special categories of personal data (such as health or religious beliefs) or biometric data.
5. Purposes and Legal Bases
We process personal data only for specified, explicit and legitimate purposes and on one or more legal bases
(such as consent, performance of a contract, legitimate interest or compliance with legal obligations).
Detailed mappings of purposes and legal bases may be maintained in internal appendices to this Policy.
Main purposes include:
- creating and managing User accounts;
- providing the Service’s core functionality (Listings, search, Chat);
- ensuring security and preventing abuse or unlawful activities;
- handling requests and providing support;
- conducting analytics, improving the Service and its performance;
- complying with applicable laws (including AML/CFT, sanctions, consumer-protection and cybersecurity rules);
- sending Service-related news and updates, where allowed and subject to consent where required.
6. Storage and Security
We store personal data in a form which permits identification of data subjects no longer than is necessary
for the purposes for which the data are processed, or for as long as required by applicable law
(for example, for investigations or legal claims).
Afterwards, data will be deleted or anonymised.
Data are stored on servers or leased infrastructure under our control.
We do not sell personal data or share them with third parties for their own marketing purposes.
We implement appropriate technical and organisational security measures, including:
- designation of a person responsible for data protection;
- internal policies and procedures on data processing and security;
- access controls and the “need-to-know” principle;
- encryption of communications (HTTPS, WSS) and sensitive data (such as tokens);
- regular risk assessments and security audits;
- incident detection, response and data-recovery plans.
7. Cookies and Similar Technologies
We use cookies on the Website and similar local storage mechanisms in the App to:
- enable the Service to function (strictly necessary cookies);
- remember your settings and language (functional cookies);
- collect anonymised statistics about how the Service is used (analytics cookies).
You can control cookies through your browser or device settings.
Disabling cookies may affect certain functionalities of the Service.
8. Sharing and Cross-Border Transfers
We may engage third-party processors to handle personal data on our behalf (for example, hosting providers,
analytics services, Apple/Google authentication). These processors act on our instructions and are bound
by appropriate contractual safeguards.
In some cases, we may disclose personal data to independent controllers (for example, public authorities, courts or law-enforcement agencies) where required by law.
Because our servers and service providers may be located in different countries (including Russia, the USA, EU member states,
South American countries, Turkey, Thailand, Vietnam, Indonesia, Morocco, Tunisia and others), personal data may be transferred
across borders. Where we transfer data internationally, we:
- assess the level of data protection in the destination country;
- use appropriate safeguards, such as standard contractual clauses or equivalent mechanisms, where required;
- provide notifications to supervisory authorities where local law requires it (for example, Roskomnadzor for transfers from Russia).
9. Retention and Cessation of Processing
We stop processing personal data when:
- the purposes for which the data were collected have been achieved;
- the consent on which processing is based expires or is withdrawn and no other legal ground applies;
- processing is found to be unlawful and cannot be made compliant;
- the Operator ceases its activities.
When you delete your account, we will anonymise or delete your personal data within a reasonable period
(typically within 30 days), except for data that must be retained under applicable law
(for example, for investigations or legal defence).
10. Data Subject Rights
Depending on your location and applicable law, you may have the following rights:
- right to be informed about the processing of your personal data;
- right of access to your personal data;
- right to rectification of inaccurate or incomplete data;
- right to erasure (“right to be forgotten”) where applicable;
- right to restriction of processing and/or to object to processing in certain cases;
- right to data portability where technically feasible and applicable (e.g. under GDPR/LGPD);
- right to withdraw consent at any time where processing is based on consent;
- right to lodge a complaint with a competent supervisory authority in your country
(for example, Roskomnadzor, an EU DPA, Brazil’s ANPD, Turkey’s KVKK Board, Thailand’s PDPC, relevant regulators in Indonesia,
Vietnam, Morocco, Tunisia or other states).
To exercise your rights, you may contact us using the details provided below or via the support forms on the Website.
We will respond within the time limits required by applicable law and may request additional information to verify your identity.
11. Limitations to Rights
In certain situations, we may limit the scope of information provided or the exercise of specific rights
where this is expressly permitted by law (for example, to protect national security, prevent crime,
comply with AML/CFT rules, protect the rights of others or preserve confidentiality of investigations).
12. Contact Details
If you have any questions about how we process personal data or if you wish to exercise your rights,
you can contact us at:
By using the Service, you confirm that you have read and understood this Policy.