Privacy Policy

This Privacy Policy explains what information Nubly ("Nubly," "we," "our," "us") collects when you use the Nubly app and website, why we collect it, who we share it with, and the choices you have. Nubly is a real-time, dynamic carpooling platform for commuters. This document also serves as our Notice at Collection under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA/CPRA").

Nubly is operated by Nubly, with a mailing address at 1968 S. Coast Hwy #1789, Laguna Beach, CA 92651. You can reach us at [email protected].

1. What we collect

To match riders with drivers and run the platform, Nubly collects only what we need:

• Account info. First name, email address, phone number, role (rider, driver, or both), and gender (optional, used only if you ask to be matched with same-gender carpoolers). We do not collect your last name or any government-issued identifier.
• Vehicle info (drivers only). Make, model, color, and license plate. Required so riders can identify the vehicle at pickup.
• Location. Real-time GPS while you are using the app for matching, in-trip tracking, and pickup confirmation. Riders' location is shared with the matched driver only during the MATCHED → ARRIVED window; drivers' location is shared with the matched rider during the same window. We do not collect or require your home address or office address. We recommend (and the app is designed around) using intersections for pickup and drop-off rather than precise addresses.
• Payment data (riders) and payout data (drivers). Handled exclusively by Stripe. We store only the card brand, last four digits, and expiration, plus a Stripe Connect account reference for drivers. We never see or store full card numbers or bank account details.
• Trip records. Pickup and drop-off intersections, timestamps, route polyline, distance, contribution amount, pro-rata toll share, and ratings exchanged after the trip.
• Sign-in identity.
  • Pilot launch and beyond: sign-in is via LinkedIn only. We receive only the OpenID Connect basic profile you authorize when you sign in (first name, email, LinkedIn member ID) — nothing beyond the scope you approve on LinkedIn's consent screen. LinkedIn separately verifies its members through third-party providers (including CLEAR). We rely on LinkedIn's verification; we do not receive or store the underlying verification artifacts, and LinkedIn verification confirms identity at a point in time — it does not predict future conduct (see Section 7).
  • Sign-in: community members sign in with LinkedIn. Nubly administrators use email plus multi-factor authentication for internal access.
• Device identifiers. A per-install push notification token for trip alerts, and basic device type for diagnostics.
• Website analytics. Our marketing website (nubly.ai) may set first-party cookies for basic analytics and to remember preferences. We do not use ad-tracking pixels or sell visitor data.

Sensitive personal information

Under CPRA, precise geolocation is "sensitive personal information." We collect it solely to provide the matching and trip-tracking services you sign up for. We do not use, sell, or share precise geolocation for any purpose other than to provide and maintain the service, so the CPRA "right to limit use of sensitive personal information" does not apply to our processing. You retain all other CPRA rights described in Section 6.

We do not knowingly collect other categories of sensitive personal information (Social Security numbers, government IDs, financial account credentials, precise health data, racial or ethnic origin, religious beliefs, union membership, genetic or biometric data, sex life, or sexual orientation).

2. How we use it

The data above is used solely to:

• Match riders with available drivers along compatible commute routes.
• Render real-time location, ETA, and route on the map during a trip.
• Compute and process the rider's contribution and the driver's reimbursement via Stripe. Contributions are calculated at or below the IRS standard business mileage rate (currently $0.725 per mile for 2026), prorated across riders on a trip, plus each rider's pro-rata share of tolls if any.
• Send transactional notifications about trip status (matched, arrived, completed, cancelled) and account events.
• Operate the rating and feedback system that helps members trust each other.
• Diagnose crashes, monitor security events, and improve reliability.
• Comply with legal obligations and respond to lawful requests.

We do not sell or share your data for advertising. We do not use your data to train third-party machine-learning models. We do not sell or share personal information as those terms are defined under CCPA/CPRA.

3. Who we share it with

Nubly relies on a small set of service providers, each receiving only the data it needs to do its job — payment processing (Stripe), maps and routing (Mapbox), email and SMS delivery, push notifications, identity sign-in (LinkedIn), and hosting and content delivery. Card and bank details are handled exclusively by our payment processor and are never stored by Nubly. We maintain data-processing terms with each provider, and we may add, replace, or remove providers as the platform evolves — updating this policy when our providers materially change.

Sharing with the matched counterparty

To complete a trip, we share trip-relevant data with the matched driver and rider:

• The driver sees: the rider's first name, contact handle (in-app messaging), pickup intersection, drop-off intersection, and (if the rider opted in) gender preference for matching.
• The rider sees: the driver's first name, vehicle make, model, color, license plate, real-time location during the MATCHED → ARRIVED window, and rating average.

Counterparties do not see each other's email, phone number, payment details, or any other account information.

Sharing with employers and their commuter-benefits administrators

If your employer partners with Nubly to subsidize or administer commuter benefits, and you use Nubly through that employer-sponsored access, your participation is disclosed in the Terms of Service as a condition of that access. In that case, Nubly will periodically share your carpooling history with the employer or its third-party benefits administrator (TPA) — specifically: trip dates, mileage, contribution amounts, and a confirmation that the trip was a verified commute. The employer or TPA does not receive GPS traces, route polylines, the other party's identity, or any ratings. If you do not use Nubly through an employer-sponsored channel, this section does not apply to you.

Other disclosures

We may disclose information if required by law, court order, or other valid legal process, or where we believe in good faith that disclosure is necessary to protect the safety of a person or to investigate fraud or platform abuse. Where lawful, we will notify the affected member.

If Nubly is involved in a merger, acquisition, or sale of assets, member data may transfer to the successor entity. We will notify you and continue to honor this Privacy Policy or provide notice of any material changes.

Other than as described in this section, we do not share or sell trip history or any other member data.

4. Where it lives and how it's protected

Account and trip data are stored on U.S.-based infrastructure operated by established hosting providers chosen for security, redundancy, and fault tolerance. Real-time location is held only in temporary memory during a trip and discarded shortly after it ends. Data is encrypted in transit using HTTPS for app traffic and TLS between services.

We restrict access to member data to Nubly personnel who need it, require multi-factor authentication for administrative access, and log access events. No system is perfectly secure; we work to maintain reasonable safeguards but cannot guarantee against all unauthorized access. If a security incident affects your personal information, we will notify you without undue delay as required by California Civil Code § 1798.82 and other applicable laws.

5. How long we keep it

• Account info: retained while your account is active. Inactive accounts (no sign-in for 24 consecutive months) are deleted or anonymized.
• Trip and payment records: retained for the period required by tax and accounting rules, generally seven years in the U.S.
• Rating comments: retained indefinitely as part of the platform's reputation system, but tied to a pseudonymous identifier once an account is deleted (see below).
• Live location data: discarded within minutes of a trip ending.
• Audit and security logs: retained up to 18 months unless needed for a longer period for an ongoing investigation.

When you delete your account, we cascade the deletion across user, trip, payment, and audit services. Trip records linked to a counterparty's history are anonymized rather than fully deleted — your name, contact details, and account references are stripped, and the trip is preserved under a pseudonymous identifier so the counterparty's trip history and rating average remain intact. Anonymization is a one-way operation; the original identifiers cannot be recovered.

6. Your rights and choices

You can:

• Access your data — email [email protected] for a copy.
• Correct inaccurate info — most fields are editable in the app's Account section.
• Delete your account and personal data — email [email protected], or use the in-app deletion flow when available. We will respond within 45 days as required by CCPA/CPRA (with one possible 45-day extension if reasonably necessary, and notice to you).
• Opt out of notifications — toggle in your device's notification settings, or in the app's Preferences.
• Withdraw consent for any optional data (such as gender for matching) — adjust in the app's Account section.

If you live in California, you also have, under CCPA/CPRA:

• The right to know the categories and specific pieces of personal information we collect.
• The right to delete personal information.
• The right to correct inaccurate personal information.
• The right to opt out of any "sale" or "sharing" of personal information. We do not sell or share personal information.
• The right to non-discrimination for exercising these rights.
• The right to designate an authorized agent to make a request on your behalf; we will require reasonable verification.

If you live in the EU, EEA, or UK, you have additional rights under GDPR, including portability and the right to lodge a complaint with your data protection authority.

"Do Not Track" signals

Our marketing website does not respond to "Do Not Track" browser signals because there is no industry consensus on how to interpret them. We honor the CCPA/CPRA opt-out signals (Global Privacy Control) for California residents on the marketing website.

7. Verification and what we do not do

We want to be clear about what Nubly does and does not verify:

• We confirm member identity at sign-in through LinkedIn, which independently verifies its members through providers including CLEAR. This is a point-in-time identity confirmation, not a guarantee of future conduct.
• We do not run independent criminal background checks.
• We do not run driving-record checks.
• We do not inspect vehicles, verify vehicle insurance directly, or confirm a driver's license is currently valid.
• We do not verify employment or income beyond what an employer-partner shares with us directly.

You acknowledge that interaction with another Nubly member carries the kinds of risks any in-person meeting carries, and you agree to use reasonable judgment.

8. Children

Nubly is intended only for users 18 and older. We do not knowingly collect data from anyone under 18. If you believe a minor has signed up, contact [email protected] and we will delete the account.

9. International users

Nubly is operated from the United States, and all data is stored in the United States. If you access Nubly from outside the U.S., you understand that your information will be transferred to and processed in the U.S., which may have different data protection laws than your home country. Where required by GDPR or similar regimes, we rely on standard contractual clauses or other lawful transfer mechanisms with our service providers.

10. Changes to this policy

If we make material changes, we will notify members via email and update the date at the top of this page. The current and prior versions are available on request.

11. Contact

Questions, requests, or complaints — reach us at [email protected] or by mail at:

We aim to respond within five business days for general inquiries, and within the statutory window for formal privacy-rights requests.