Privacy Policy

1. Who we are

Rydway is a trade name (DBA) operated by Ocampo Tours, a transportation service provider based in Texas, United States. This Privacy Policy describes how we collect, use, and share information when you visit rydwaybus.com or book a ride with us.

2. Information we collect

We collect only the information we need to deliver our service and keep your booking working. Specifically:

• Account & booking information: name, email address, mobile phone number (optional), and the names of passengers traveling with you.
• Payment information: we do not store or have access to your full card number. Payments are processed by Stripe, a PCI-DSS Level 1 service provider. We retain only the booking ID, the amount charged, and the last 4 digits of the card for reconciliation and support.
• Trip details: which tour you purchased, the assigned seat number(s), and the QR code(s) used to board the bus.
• Technical data: IP address, browser type, device type, and basic analytics about how you navigate the site, collected through standard web logs.
• Communications: copies of emails and SMS messages we send you, plus any messages you send back to our support address.

3. How we use your information

We use the information described above to:

• process your booking and issue your QR-code tickets;
• send transactional confirmations and trip-day reminders by email and, if you opted in, by SMS;
• contact you about urgent operational changes (pickup adjustments, delays, cancellations);
• provide customer support and resolve disputes or chargebacks;
• prevent fraud, abuse, and unauthorized access to our service;
• comply with legal obligations (tax records, law-enforcement requests, accident records).

We do not sell your personal information. We do not use your phone number or email for third-party marketing.

4. Service providers we share data with

We only share your personal information with the third-party providers we need to run the service, and only the minimum necessary:

• Stripe — payment processing. Receives card details (directly, not through our servers), name, email, billing address, and the amount.
• Supabase — managed PostgreSQL database where bookings, passenger names, and account information are stored.
• Vercel — web hosting and CDN for rydwaybus.com.
• Resend — sends our transactional emails (booking confirmations, password resets). Receives your email address and the message body.
• Twilio — sends our transactional SMS messages on our toll-free number. Receives your phone number and the message body. See our SMS Terms.
• Google Analytics — aggregate website analytics (GA4). Receives pageviews and device/approximate (city-level) location data via cookies; does not receive your name, email, or payment details.

Each of these providers is bound by their own privacy policy and a data-processing agreement with us. We do not authorize them to use your data for their own marketing.

5. Cookies and tracking

We use a minimal set of first-party cookies and local storage to:

• keep you signed in to your account;
• remember your booking-in-progress and seat hold while you complete checkout;
• preserve UI preferences (e.g. theme, dismissed banners).

We use Google Analytics (GA4) to understand, in aggregate, how visitors use the site — pages viewed, device and browser type, and approximate (city-level) location. Google sets its own cookies to provide this measurement; see Google's Privacy Policy. You can opt out using the Google Analytics Opt-out Browser Add-on. We do not use cross-site advertising cookies and we do not sell your personal information.

6. Data retention

We keep your personal data only as long as needed:

• Booking and trip records: retained for at least 4 years to comply with tax and accounting obligations.
• Account information: retained while your account is active. If you ask us to delete your account, we will remove your account data within 30 days, except data we must keep for legal reasons (e.g. paid invoices).
• Communications logs: kept for up to 12 months for support and dispute resolution.
• Web logs: kept for up to 90 days for security and abuse prevention.

7. Data security

We use industry-standard safeguards to protect your information: encrypted transport (HTTPS/TLS), encrypted database at rest, hashed passwords, scoped access for our internal team, and audit logging. No method of transmission or storage is 100% secure; if we discover a breach affecting your data, we will notify you in accordance with Texas law.

8. Your rights

You can, at any time:

• request a copy of the personal data we hold about you;
• ask us to correct or update inaccurate information;
• ask us to delete your account (subject to legal retention requirements described above);
• opt out of SMS messages by replying STOP to any of our messages (see SMS Terms);
• opt out of non-essential email marketing using the unsubscribe link in any such message.

To exercise any of these rights, email us at help@rydwaybus.com from the address associated with your account. We will respond within 30 days.

9. Children's privacy

Our service is intended for adults age 18 and over. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, contact us and we will delete it.

10. International users

Rydway operates in the United States. If you access the service from outside the U.S., your information will be transferred to and processed on servers located in the United States, where data protection laws may differ from those in your country.

11. Changes to this policy

We may update this policy from time to time. Material changes will be announced on this page with an updated “Last updated” date and, where appropriate, by email or SMS to active customers.