Legal

Privacy Policy

What data we collect, how we use it, and your rights as a NiteFlyer user.

Last updated: June 9, 2026

Version: 1.0

This Privacy Policy explains how Toglelabs LLC (“we”, “us”, “the Company”) collects, uses, shares and protects personal data when you use the Nite Flyer Driver mobile application. It is designed to comply with UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and with Google Play User Data and Data Safety requirements. Please read it together with our Terms & Conditions.

1. Who We Are and Our Role

1.1 The Application and the Nite Flyer platform are owned and operated by Toglelabs LLC, a company licensed and registered in the Sharjah Media City Free Zone, with registered office at Shams Business Center, Sharjah Media City Free Zone, Al Messaned, Sharjah, United Arab Emirates (“we”, “us”, “our”). 1.2 The Application is provided to drivers on behalf of the fleet operator or employer that subscribes to the Nite Flyer platform (the “Client”). In most processing activities the Client is the data controller that determines why and how your personal data is processed, and we act as the data processor acting on the Client’s instructions. For certain limited activities (such as account security, fraud prevention, service improvement and legal compliance) we act as controller. 1.3 If you have questions about how your employer uses your data, please also contact your Client directly. Contact details for us are in Section 15.

2. Personal Data We Collect

2.1 Account and identity data

  • name, mobile phone number, email address (where provided);
  • account credentials (passwords are stored only as salted, hashed values — we never store them in plain text);
  • driver profile, role, status, and the Client/organisation you are associated with.

2.2 Compliance and document data

  • driving licence number and expiry, Emirates ID, ITC permit numbers and related vehicle/permit documents;
  • uploaded files and images of such documents and their validity dates.

2.3 Location data (precise, including background)

  • precise GPS latitude/longitude collected periodically and in batches while you are on an active shift, including when the Application is running in the background or the screen is off;
  • a history of location points and your latest known position, used for live fleet tracking, dispatch, routing, proof of service and operational reporting.

2.4 Photographs and media

  • shift check-in and check-out photographs (which may include timestamp and location coordinates);
  • trip completion proof photographs that you capture and upload.

2.5 Trip and operational data

  • trips assigned to you, pickup/drop-off addresses and coordinates, scheduled times, status updates, shift check-in/out times and durations, and customer details associated with a trip (such as customer name and phone number provided by the Client).

2.6 Device, technical and usage data

  • device identifier, push-notification token (Firebase Cloud Messaging), platform (iOS/Android), app version and OS version;
  • IP address, user-agent, request identifiers, log and diagnostic data, and notification preferences.

We do not intentionally collect special categories of data beyond the compliance documents listed above, and we do not use the Application for advertising or to build advertising profiles. We do not knowingly sell personal data.

3. How We Collect Data

3.1 Directly from you — when you complete onboarding, set a password, update your profile, upload documents or photographs, and perform trips and shifts. 3.2 From your device — location, push token and technical data via the operating-system permissions you grant (location, camera, notifications). 3.3 From your Client — your invitation, role, assignments, and customer trip details entered by dispatchers. 3.4 From third-party services — such as routing data from mapping providers and status data from the ITC platform.

4. Why We Use Your Data and Legal Bases

We process your personal data for the following purposes and on the following PDPL legal bases:

  • to create and manage your account and authenticate you — performance of a contract / the Client’s legitimate interest;
  • to enable trip dispatch, acceptance, navigation, shift management and proof of service — the Client’s legitimate fleet-management interest and contract;
  • to collect and transmit location for live tracking, safety and operational reporting — your consent (granted via device permissions and starting a shift) and the Client’s legitimate interest;
  • to verify compliance documents and generate ITC references — compliance with a legal/regulatory obligation and contract;
  • to send operational notifications (push, in-app, email) — contract and legitimate interest, subject to your preferences;
  • to maintain security, prevent fraud and misuse, and enforce our Terms — our legitimate interest and legal obligation;
  • to provide support, diagnose problems and improve reliability — our legitimate interest;
  • to comply with law and respond to lawful requests from authorities — legal obligation.

5. Location Data — Specific Disclosure

5.1 The Application collects precise location data in the foreground and in the background while you are on an active shift. Background collection continues when the app is not visible so that your Client can track active vehicles and dispatch trips in real time. 5.2 Location is collected periodically and in batches and is shared with your Client and used as described in Section 4. Location collection is designed to require an open shift; ending your shift stops shift-based location collection. 5.3 You can disable location permissions at any time through your device settings. Disabling location may prevent you from performing trips and may not meet your Client’s operational requirements.

6. How We Share Your Data

6.1 With your Client (employer/fleet operator) — your profile, location, shifts, trips, photographs, documents and compliance data are made available to your Client for fleet-management, payroll, safety, dispute-resolution and compliance purposes. 6.2 With the Integrated Transport Centre (ITC), Abu Dhabi — driver, vehicle and trip data may be transmitted to ITC to obtain permits and reference numbers and to meet regulatory requirements, using the Client’s ITC API credentials. ITC processes such data under its own policies and we are not responsible for ITC’s processing. 6.3 With sub-processors and service providers that help us run the service, including: cloud hosting and database providers; S3-compatible object storage for documents and photographs; Google Firebase Cloud Messaging for push notifications; Google Maps Platform for directions and places; and email-delivery providers. These providers process data on our behalf under appropriate contractual safeguards. 6.4 For legal and safety reasons — where required by law, regulation, court order or a competent authority, or to protect the rights, property or safety of any person, or to investigate fraud or security incidents. 6.5 In a business transfer — in connection with a merger, acquisition, financing or sale of assets, subject to this Policy. 6.6 We do not sell your personal data and do not share it for third-party advertising.

7. International Transfers

7.1 Your data is primarily processed on infrastructure intended to serve the UAE region. Some sub-processors (for example Google services) may process data outside the UAE. Where data is transferred outside the UAE, we take steps to ensure an adequate level of protection consistent with the PDPL, including appropriate contractual safeguards and, where required, your consent.

8. Data Retention

8.1 We retain personal data for as long as necessary to provide the service to your Client, to comply with legal, tax, accounting and regulatory obligations (including ITC requirements), to resolve disputes and to enforce our agreements. 8.2 Retention periods vary by data type — for example, audit and operational logs and location history may be retained on a rolling basis (location history is partitioned and periodically purged), while compliance documents may be kept for the period required by law and by your Client. 8.3 Where we act as processor, we retain and delete data according to the Client’s instructions and our agreement with the Client. When data is no longer required, we delete or irreversibly anonymise it.

9. Data Security

9.1 We implement technical and organisational measures appropriate to the risk, including: encryption of data in transit; hashing of passwords (argon2id) and tokens; tenant data isolation enforced by database row-level security; access controls and least-privilege roles; rate limiting; audit logging; and routine backups and maintenance. 9.2 No method of transmission or storage is completely secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for safeguarding your credentials and device (see Terms & Conditions). We are not responsible for loss arising from credential sharing, device compromise or unauthorised third-party access not solely caused by our proven gross negligence. 9.3 In the event of a personal-data breach that is likely to result in a risk to your rights, we will notify the relevant Client and, where required, the UAE Data Office and affected individuals in accordance with the PDPL.

10. Your Rights

Subject to the PDPL and applicable law, and noting that your Client may be the controller for much of your data, you may have the right to:

  • access the personal data we hold about you and obtain information about its processing;
  • request correction of inaccurate or incomplete data;
  • request deletion of your data in certain circumstances;
  • object to or request restriction of certain processing;
  • withdraw consent where processing is based on consent (this does not affect prior lawful processing, and may affect your ability to use the Application);
  • request portability of data you provided, where applicable;
  • lodge a complaint with the UAE Data Office. 10.1 To exercise these rights, contact us using the details in Section 15, or contact your Client. We may need to verify your identity and may consult your Client before acting where the Client is the controller. We will respond within the period required by applicable law.

11. Account and Data Deletion

11.1 Nite Flyer is a business-to-business (B2B) software-as-a-service product. Driver accounts are created, owned and managed by the Client (your employer / fleet operator). Because of this, the Application does not provide an in-app self-service account-deletion button; deletion of a Driver account requires the approval and instruction of the Client’s account owner. 11.2 You may submit a deletion request, and review what data is collected and how to have it deleted, via our deletion-request page at https://www.niteflyer.com/legal/account-deletion, or by emailing [email protected]. On receipt we will, where required, refer the request to your Client’s account owner for approval. You may also ask your Client’s account owner to initiate deletion directly. 11.3 Because your data is processed on behalf of your Client and may be subject to legal, regulatory (including ITC), tax and dispute-retention obligations, certain data may be retained after a deletion request for the minimum period required by law or by the Client’s instructions, after which it is deleted or anonymised. We will inform you what will be deleted and what must be retained, and why.

12. Children’s Privacy

12.1 The Application is intended solely for use by professional drivers aged eighteen (18) or older. It is not directed to children, and we do not knowingly collect personal data from anyone under 18. If we learn that we have collected such data, we will delete it.

13. Automated Processing and Notifications

13.1 We may use automated processing to detect conflicts in trip scheduling, enforce rate limits, expire pending trip responses, and send operational notifications. These do not produce legal effects concerning you without human involvement by your Client. You can manage notification channels in the Application’s preferences.

14. Changes to This Policy

14.1 We may update this Privacy Policy from time to time. The updated version will be posted with a revised effective date and, where the change is material, we will provide notice through the Application or by other reasonable means. Your continued use after the effective date constitutes acceptance.

15. Contact Us

For privacy questions, requests or complaints, contact:

  • Company: Toglelabs LLC (data controller / processor as applicable; owner and operator of Nite Flyer)
  • Email: [email protected] (privacy & support) · [email protected] (company)
  • Address: Shams Business Center, Sharjah Media City Free Zone, Al Messaned, Sharjah, United Arab Emirates
  • Phone: +971 55 553 5784
  • Data deletion: https://www.niteflyer.com/legal/account-deletion You may also lodge a complaint with the UAE Data Office (the federal data-protection regulator).