Data Privacy and Security in On Demand Apps: Complete Compliance Guide (2026)

⚡ Quick Answer

On demand apps collect continuous location data, personal identity information, and payment details from both customers and providers. This creates material privacy and security obligations that must be designed into the platform from the beginning — not added as afterthoughts. GDPR applies to any platform serving EU users. PCI DSS compliance is required for payment card handling. Privacy by design, data minimisation, secure data transmission, and robust authentication are the foundational practices that protect users, reduce regulatory risk, and build the trust that drives platform loyalty.

🔑 Key Takeaways
  • GDPR fines can reach €20 million or 4% of global annual turnover — the financial risk of non-compliance is material, and enforcement has increased significantly, with approximately $1.4 billion in GDPR fines issued in 2025 alone.
  • Privacy by design is now a legal requirement under GDPR Article 25, not a best practice — data protection must be considered during the design phase, not added after the platform is built.
  • On demand apps collect three of the most sensitive data categories: real-time location, payment data, and personal identity — each with specific security and compliance requirements.
  • Data minimisation — collecting only what is genuinely needed to deliver the service — is both a legal requirement and a security practice that reduces the impact of any potential breach.
  • GDPR applies to any platform that processes personal data of EU residents, regardless of where the platform company is registered or headquartered.

The Data On Demand Apps Collect — and Why It Matters

| Data category | What is collected | Privacy/security implication |
| --- | --- | --- |
| Customer identity | Name, phone number, email, profile photo, payment method reference | Personal data under GDPR; requires consent, secure storage, and deletion on request |
| Provider identity | Name, phone number, email, government ID, professional credentials, banking details | Special category personal data in some jurisdictions; KYC compliance; secure document storage |
| Real-time location (provider) | Continuous GPS coordinates during active jobs; last known location | Highly sensitive personal data; strict retention limits; encrypted transmission required |
| Real-time location (customer) | Pickup and delivery addresses; location for service matching | Personal data; must be collected only for service delivery; should not persist longer than needed |
| Transaction data | Service prices, platform fees, payment timestamps, booking history | PCI DSS compliance for card data; financial data retention requirements |
| Behavioural data | App usage patterns, booking history, ratings given and received | Analytics data with profiling implications; requires disclosure in privacy policy |
| Communication data | In-app chat messages between customers and providers | May be subject to specific communication privacy laws; encryption required; retention policy needed |

GDPR: What On Demand Platforms Must Do

The General Data Protection Regulation (GDPR) is the world’s most stringent data privacy framework. It applies to any platform that collects or processes personal data of EU residents — regardless of where the platform company is headquartered.

The Seven GDPR Principles for On Demand Platforms

  • Lawfulness, fairness, and transparency: Users must be informed of what data is collected, why, and how it is used. Privacy policies must be clear, accessible, and specific.
  • Purpose limitation: Data collected for booking a service cannot be repurposed for advertising or sold to third parties without fresh, explicit consent.
  • Data minimisation: Collect only what is genuinely necessary for the service. If you do not need the user’s date of birth to process a booking, do not collect it.
  • Accuracy: Personal data must be kept accurate and up to date. Provide users with tools to update their own data.
  • Storage limitation: Define and enforce data retention policies. Location data from completed bookings should not be retained indefinitely.
  • Integrity and confidentiality: Appropriate technical and organisational security measures must protect personal data against unauthorised access, loss, or destruction.
  • Accountability: The platform must be able to demonstrate compliance through privacy impact assessments, consent records, vendor agreements, and security documentation.

User Rights Under GDPR

GDPR grants users eight rights over their personal data. Every on demand platform serving EU users must have processes to fulfil these rights:

  • Right to be informed: Users know what data is collected and how it is used
  • Right of access: Users can request a copy of all personal data (DSAR must be fulfilled within 30 days)
  • Right to rectification: Users can correct inaccurate personal data
  • Right to erasure (‘right to be forgotten’): Users can request deletion of their personal data
  • Right to restrict processing: Users can limit how their data is used in certain circumstances
  • Right to data portability: Users can receive their data in a portable format
  • Right to object: Users can object to processing based on legitimate interests or for direct marketing
  • Rights related to automated decision-making: Users can request human review of automated decisions

Build DSAR (Data Subject Access Request) handling into the admin panel from the beginning. Receiving a DSAR and having no mechanism to retrieve and compile all data for a specific user creates both operational chaos and legal risk.

Privacy by Design: Building Compliance Into the Platform

GDPR Article 25 requires ‘data protection by design and by default’ — data protection must be considered during the design phase of the platform, not added after it is built. This is not a best practice recommendation; it is a legal requirement.

Consent Management

  • Consent for location tracking must distinguish between ‘while using the app’ and ‘background location’ — two distinct permission requests on both iOS and Android. Do not request background location unless your use case genuinely requires it.
  • Consent for analytics tracking must be granular — users should be able to decline analytics tracking without losing access to core app functionality.
  • Consent records must be timestamped and linked to the specific privacy policy version the user accepted.
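The three consent rules above can be enforced by a small append-only consent ledger. The following is an added illustration, not code from the article: purpose names and the policy version label are constructed, and the ledger keeps every decision with its timestamp and policy version, refuses to treat consent given against an older policy as valid, and never gates core booking on analytics consent.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
# Purposes the platform asks consent for (illustrative names). Analytics and
# marketing are optional: declining them must never block a booking.
CORE_PURPOSES = {"service_delivery", "location_while_using"}
OPTIONAL_PURPOSES = {"analytics", "location_background", "marketing"}
CURRENT_POLICY_VERSION = "2026-01"  # constructed privacy policy version label

@dataclass
class ConsentRecord:
    user_id: str
    purpose: str
    granted: bool
    policy_version: str
    recorded_at: datetime = field(default_factory=lambda: datetime.now(timezone.utc))

class ConsentLedger:
    """Append-only consent log: each grant or withdrawal keeps its timestamp and
    the policy version shown to the user, so consent can be demonstrated later."""
    def __init__(self):
        self._records: list[ConsentRecord] = []

    def record(self, user_id, purpose, granted, policy_version=CURRENT_POLICY_VERSION):
        if purpose not in CORE_PURPOSES | OPTIONAL_PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        rec = ConsentRecord(user_id, purpose, granted, policy_version)
        self._records.append(rec)  # never overwrite: the history is the evidence
        return rec

    def latest(self, user_id, purpose):
        for rec in reversed(self._records):
            if rec.user_id == user_id and rec.purpose == purpose:
                return rec
        return None

    def may_process(self, user_id, purpose):
        """Processing is allowed only if the newest decision is a grant given
        against the current policy version; older consent must be re-asked."""
        rec = self.latest(user_id, purpose)
        return bool(rec and rec.granted and rec.policy_version == CURRENT_POLICY_VERSION)

    def can_book(self, user_id):
        """Core functionality depends on core purposes only, never on analytics."""
        return all(self.may_process(user_id, p) for p in CORE_PURPOSES)

    def export(self, user_id):
        """Consent history for a DSAR response: when, what, decision, policy version."""
        return [(r.recorded_at.isoformat(), r.purpose, r.granted, r.policy_version)
                for r in self._records if r.user_id == user_id]
```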

Secure Data Transmission

  • All API communications between mobile apps and backend servers must use TLS 1.2 or higher (HTTPS for REST APIs, WSS for WebSocket connections)
  • GPS location data transmitted in real time must use encrypted WebSocket connections (WSS)
  • Payment data must never be transmitted through custom code — use Stripe’s hosted payment elements or equivalent
  • Implement certificate pinning for sensitive API endpoints to prevent man-in-the-middle attacks

Secure Data Storage

  • Never store raw payment card data — only Stripe’s tokenised payment method references
  • Store passwords and authentication tokens using industry-standard hashing (bcrypt, Argon2)
  • Encrypt sensitive personal data fields at rest (government ID documents, banking details for providers)
  • Implement database access controls that restrict data access to the minimum required for each service or team member
  • Back up data regularly with encrypted backups stored in separate geographic locations

Authentication Security

  • Implement multi-factor authentication (MFA) for admin panel access — this is non-negotiable given the sensitivity of the data the admin panel can access
  • Use OTP (One-Time Password) via SMS for user registration and login verification
  • Set appropriate session timeout policies — financial apps and on demand platforms should not maintain indefinite sessions
  • Implement rate limiting on authentication endpoints to prevent brute force attacks
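The rate-limiting and session-timeout items above are shown together below as an added example, not code from the article. The limiter counts only failed attempts per identifier in a sliding window and applies a lockout once the limit is hit; the session object enforces both an idle and an absolute lifetime. All numeric policy values are constructed and the clock is injectable so the policy can be tested.

```python
import time
from collections import deque
MAX_ATTEMPTS = 5              # constructed policy: failed logins per identifier per window
WINDOW_SECONDS = 300          # sliding window for counting failures
LOCKOUT_SECONDS = 900         # cool-down once the limit is hit
IDLE_TIMEOUT = 15 * 60        # end session after this much inactivity
ABSOLUTE_TIMEOUT = 12 * 3600  # end session regardless of activity

class LoginRateLimiter:
    """Sliding-window limiter keyed by identifier (account id, phone number or
    client IP). Only failures count, so correct logins are never penalised."""
    def __init__(self, now=time.monotonic):
        self._now = now  # injectable clock so the policy can be unit-tested
        self._failures: dict[str, deque] = {}
        self._locked_until: dict[str, float] = {}

    def _window(self, key, now):
        window = self._failures.setdefault(key, deque())
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()  # forget failures that fell out of the window
        return window

    def is_allowed(self, key):
        now = self._now()
        if self._locked_until.get(key, 0) > now:
            return False
        return len(self._window(key, now)) < MAX_ATTEMPTS

    def record_failure(self, key):
        now = self._now()
        window = self._window(key, now)
        window.append(now)
        if len(window) >= MAX_ATTEMPTS:
            self._locked_until[key] = now + LOCKOUT_SECONDS

    def record_success(self, key):
        self._failures.pop(key, None)

class Session:
    """Server-side session with both an idle and an absolute lifetime."""
    def __init__(self, user_id, now=time.monotonic):
        self._now = now
        self.user_id = user_id
        self.created_at = self.last_seen = now()

    def touch(self):
        """Call on every authenticated request; False means re-authenticate."""
        now = self._now()
        if now - self.last_seen > IDLE_TIMEOUT or now - self.created_at > ABSOLUTE_TIMEOUT:
            return False
        self.last_seen = now
        return True
```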

PCI DSS Compliance for Payment Data

PCI DSS (Payment Card Industry Data Security Standard) applies to any platform that processes, stores, or transmits cardholder data. If your on demand platform uses Stripe with hosted payment forms, it qualifies for SAQ A compliance, the lowest burden level, because you never directly handle card data: Stripe’s hosted elements tokenise card data before it reaches your servers.

Never store raw card numbers, CVV codes, or full expiry dates on your servers. This immediately escalates your PCI scope and liability. Ensure your Stripe integration uses the current recommended API version and hosted payment components. Document your PCI compliance status and review it annually as part of your security programme.

Location Data: The Most Sensitive Category

Real-time GPS tracking is the most sensitive data that on demand platforms routinely collect. Best practices for responsible location data management:

  • Collect location data only when a booking is active — never track provider or customer location outside an active job session
  • Inform providers clearly that their location is tracked during active bookings and display this prominently in the provider app
  • Store location data only for the period necessary for operational purposes (dispute resolution, ETA calculation) — implement automatic deletion after the retention period
  • Do not aggregate or sell historical location data to third parties under any circumstances
  • For EU providers and customers, apply heightened safeguards when location tracking can reveal sensitive patterns
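The first three location practices above (collect only during an active booking, keep points only for the retention period, delete automatically) are shown as an added example below; it is not code from the article. The 90-day retention figure is the one the article quotes for dispute resolution; the store refuses GPS fixes for bookings that are not active, purges points of bookings completed more than the retention period ago, and supports erasure per provider.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed retention policy: keep points of completed bookings for 90 days
# (the dispute-resolution figure quoted above), then delete them automatically.
RETENTION = timedelta(days=90)
@dataclass(frozen=True)
class LocationPoint:
    booking_id: str
    provider_id: str
    lat: float
    lon: float
    recorded_at: datetime

class LocationStore:
    def __init__(self):
        self._active: set[str] = set()             # bookings in progress
        self._completed: dict[str, datetime] = {}  # booking id -> completion time
        self._points: list[LocationPoint] = []

    def start_booking(self, booking_id):
        self._active.add(booking_id)

    def complete_booking(self, booking_id, when):
        self._active.discard(booking_id)
        self._completed[booking_id] = when

    def ingest(self, point):
        """Accept a GPS fix only while its booking is active; anything sent
        outside a job is dropped, so it can never be retained or leaked."""
        if point.booking_id not in self._active:
            return False
        self._points.append(point)
        return True

    def purge_expired(self, now):
        """Delete points of bookings completed more than RETENTION ago."""
        def expired(p):
            done = self._completed.get(p.booking_id)
            return done is not None and now - done > RETENTION
        before = len(self._points)
        self._points = [p for p in self._points if not expired(p)]
        return before - len(self._points)

    def trail(self, booking_id):
        """Points for resolving a dispute on one booking, oldest first."""
        return sorted((p for p in self._points if p.booking_id == booking_id),
                      key=lambda p: p.recorded_at)

    def erase_provider(self, provider_id):
        """Right to erasure: drop every point tied to a provider."""
        before = len(self._points)
        self._points = [p for p in self._points if p.provider_id != provider_id]
        return before - len(self._points)
```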

Data Breach Response Plan

GDPR requires platforms to report significant data breaches to the relevant supervisory authority within 72 hours of becoming aware of the breach. Every on demand platform must have a documented breach response plan before going live:

  • Detection: How will a breach be identified? (monitoring tools, security alerts, user reports)
  • Containment: Who is responsible for immediate containment? What are the first steps to limit exposure?
  • Assessment: What data was affected? How many users? What is the likely impact?
  • Notification: If the breach poses a risk to affected individuals, EU users must be notified within 72 hours. Users in markets with local notification requirements must be notified according to local law.
  • Remediation: What security improvements prevent recurrence?
  • Documentation: Full incident log for regulatory accountability purposes.

Frequently Asked Questions

Yes. GDPR applies to any platform processing personal data of EU residents, regardless of where the company is based. If you have users in the EU, GDPR applies to their data.

Up to €20 million or 4% of global annual turnover, whichever is higher. In 2025, approximately $1.4 billion in GDPR fines were issued globally, demonstrating that enforcement is active and significant.

Implement privacy by design from development start, use layered consent flows, minimise data collection, encrypt sensitive data in transit and at rest, build DSAR fulfilment capability into the admin panel, and document your compliance programme.

Yes, if it processes card payments. Using Stripe with hosted payment elements reduces your obligation to SAQ A level — the lowest burden. Never store raw card data on your servers under any circumstances.

Most platforms retain location data from completed bookings for 90 days (for dispute resolution) and delete it automatically thereafter. Background or ambient location tracking data should not be retained beyond the active session.