Privacy policy
What we collect, why we collect it, how long we keep it, who else processes it on our behalf, and the rights you have to access, correct, or delete your information.
Effective date: May 13, 2026
1. Who we are
This site, worldcup2026shuttles.com, is operated by Run With Jarvis LLC (doing business as “World Cup 2026 Shuttles”), a Texas limited liability company with mailing address 1168 W Pioneer Parkway, Arlington, TX 76013, USA. We are the “data controller” for the purposes of the EU/UK General Data Protection Regulation and the “business” for the purposes of the California Consumer Privacy Act, as amended by the CPRA (collectively, “CCPA”).
Throughout this policy, “we,” “us,” and “our” refer to Run With Jarvis LLC. “You” means any visitor, alert subscriber, contact-form sender, or paid partner who interacts with the site.
2. Scope & independence disclaimer
This is an independent visitor transportation guide and is not affiliated with FIFA, the FIFA World Cup, AT&T Stadium, the City of Arlington, or any official event organizer.
3. Information we collect
3.1 Information you give us directly
- Contact details: name, email address, telephone number, business name and role (paid partners).
- Route preferences: pickup location, destination, travel date, passenger count, and any free-text notes you choose to add.
- Partner inquiry details: partner type, city, and notes you provide on /partners.
- Payment information (paid partners only): collected and processed by Stripe Payments Inc. on Stripe's own infrastructure. We never see your full card number, CVC, or expiry — Stripe returns only a customer ID, subscription ID, and the last four digits of the card.
3.2 Information collected automatically
- Server logs generated by our hosting provider (Vercel): IP address, user-agent string, referrer URL, and request timestamps. Used for security, fraud-prevention, and operational debugging.
- Aggregated analytics via Vercel Analytics: page URLs, referrers, and a daily-rotated anonymous visitor hash. Vercel Analytics is cookieless and does not build a cross-site profile of you.
3.3 What we do not collect
- Precise location coordinates from your device.
- Government-issued identification numbers.
- Biometric data.
- Information about your race, religion, sexual orientation, health, or political opinions (“sensitive personal information” under CCPA and “special categories” under GDPR).
- Information from children. The site is not directed at children under 13, and we do not knowingly collect data from them (Children's Online Privacy Protection Act, 15 U.S.C. § 6501). If you believe a child has submitted data, email contact@thekeybot.com and we will delete it within 10 business days.
4. Why we use your information (lawful basis)
For visitors in the EU/UK, the lawful basis under GDPR Article 6 is shown in brackets:
- To send transportation alerts you have requested [consent — Art. 6(1)(a)].
- To match you with shuttle, parking, or hotel partners you ask us about [performance of pre-contractual steps — Art. 6(1)(b)].
- To respond to your contact and partner inquiries [legitimate interests — Art. 6(1)(f); responding to people who write to us].
- To bill paid partner subscriptions and meet Texas record-keeping obligations [contract performance and legal obligation — Art. 6(1)(b) and (c)].
- To detect, prevent, and investigate abuse, fraud, and security incidents [legitimate interests — Art. 6(1)(f)].
- To improve the site experience using aggregated, non-identifying analytics [legitimate interests — Art. 6(1)(f)].
5. Sub-processors
We share personal data with the following third-party processors who operate under written data-processing terms and only act on our documented instructions. Each is independently responsible for the security of data on its own systems.
| Vendor | Purpose | Data categories | Region |
|---|---|---|---|
| Vercel Inc. | Website hosting, edge functions, server logs | IP address, user agent, request metadata | United States |
| Vercel Analytics (Vercel Inc.) | Aggregated, cookieless page-view analytics | Page URL, referrer, anonymised visitor hash | United States |
| Twilio SendGrid Inc. | Transactional and lead-notification email delivery | Name, email address, message contents you submit | United States |
| Stripe Payments Inc. | Subscription billing for paid partner listings | Business name, contact name, billing email, payment card data (held by Stripe; we never see card numbers) | United States |
| Twilio Inc. | SMS delivery of sign-up confirmations and opt-in transportation alerts (only for users who tick the SMS consent box on /alerts) | Phone number, message contents, opt-in/opt-out status | United States |
We do not sell, rent, or license your personal information to third-party advertisers, data brokers, or list resellers. We do not participate in any “cross-context behavioural advertising” as defined by CCPA.
6. International data transfers
We are based in Texas, USA, and our sub-processors are US entities. If you access the site from the EU, UK, or another jurisdiction outside the United States, your personal data will be transferred to and processed in the United States. For transfers from the EU and UK, we rely on the European Commission's Standard Contractual Clauses (and the UK addendum) entered into with each sub-processor in their respective data-processing terms.
7. How long we keep your data (retention)
- Lead-form submissions (transportation alerts, contact, partner inquiry): 24 months from last interaction, then deleted.
- Email-alert subscribers: Until you unsubscribe (one-click in every email).
- Paid partner records (Stripe subscriptions): Duration of subscription + 7 years (Texas tax record-retention requirement).
- Server logs (IP, user agent): 30 days, then automatically rotated.
- Aggregated analytics (no personal identifiers): Indefinite.
8. Cookies and similar technologies
We do not set tracking cookies. Our analytics provider (Vercel Analytics) is cookieless and uses an aggregated daily-rotated hash in place of persistent identifiers. Our hosting provider may set short-lived first-party functional cookies for security (e.g. rate-limit tokens, CSRF protection); these are not used for advertising and have no third-party recipients. When you pay for a partner listing through Stripe, Stripe's own checkout page is served from stripe.com and sets cookies subject to Stripe's cookie policy.
9. Your rights
Regardless of where you live, we honour the following rights as a matter of policy. To exercise any of them, email contact@thekeybot.com from the address associated with your data, or write to us at the mailing address above. We respond within 30 days (45 days for CCPA requests, extendable once by 45 additional days where reasonably necessary).
- Access: request a copy of the personal data we hold about you.
- Correction: ask us to fix inaccurate or incomplete data.
- Deletion: ask us to erase your data, subject to legal retention obligations (e.g. Texas tax record-keeping for subscription billing).
- Portability: receive your data in a structured, machine-readable format.
- Opt-out of marketing: every alert email includes a one-click unsubscribe link.
- Object / restrict processing (GDPR): object to processing based on legitimate interests, or request that we restrict processing while a complaint is reviewed.
- Do Not Sell or Share My Personal Information (CCPA/CPRA): we do not sell or share personal information for cross-context behavioural advertising, so there is nothing to opt out of — but you may confirm this in writing at any time.
- Limit use of sensitive PI (CCPA/CPRA): we do not collect sensitive personal information.
- Non-discrimination: we will not deny service, charge different prices, or provide a different level of quality because you exercise any of these rights.
- Authorised agent: you may designate someone to submit a request on your behalf; we will require reasonable proof of authorisation.
- Lodge a complaint: EU/UK residents may complain to their national data-protection authority; California residents may complain to the California Privacy Protection Agency.
10. Security & breach notification
We use industry-standard safeguards including TLS in transit, encrypted backups at rest with our hosting provider, restricted internal access, audit logging, and prompt patching. No system is perfectly secure, however, and we cannot guarantee that unauthorised access will never occur.
If we discover a breach of unencrypted sensitive personal information that materially compromises your privacy, we will notify affected Texas residents as soon as practicable and within sixty (60) days of discovery, as required by Tex. Bus. & Com. Code § 521.053. EU/UK residents will be notified without undue delay where the breach is likely to result in a high risk to rights and freedoms (GDPR Art. 34). California residents will be notified in the most expedient time possible consistent with Cal. Civ. Code § 1798.82.
11. Marketing email & CAN-SPAM
If you sign up for transportation alerts, we send commercial email to the address you provide. Every message identifies the sender, describes itself as an advertisement where applicable, includes our valid postal address (1168 W Pioneer Parkway, Arlington, TX 76013, USA), and offers a one-click unsubscribe. We honour unsubscribe requests within 10 business days as required by the CAN-SPAM Act, 15 U.S.C. § 7704.
12. WhatsApp & SMS
The site offers a WhatsApp click-to-chat button. Tapping it opens WhatsApp on your device with a pre-filled message; the conversation, your phone number, and any messages you send are governed by WhatsApp's privacy policy. We do not initiate outbound WhatsApp marketing from the site.
SMS alerts are opt-in only and require an affirmative tick of the SMS consent box on /alerts. When you opt in, we send a one-time confirmation text via Twilio Inc. and, thereafter, transportation alerts you have requested. Message frequency varies (typically 1–4 per month leading up to and during the FIFA World Cup 2026). Reply STOP to opt out at any time or HELP for support; both are honoured by Twilio at the carrier level immediately. Message and data rates may apply. We do not send SMS to anyone who has not affirmatively opted in, and we do not share your phone number with third parties for their own marketing.
13. Automated decision-making
We do not make decisions about you that produce legal or similarly significant effects using solely automated processing (GDPR Art. 22). Lead-form submissions are reviewed by humans before partners receive any introduction.
14. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the “Effective date” at the top and, for material changes affecting how we use information you have already given us, we will provide reasonable advance notice by email to active subscribers and a prominent on-site banner for at least 30 days before the change takes effect.
15. Contact
For any privacy question, request, or complaint, email contact@thekeybot.com or write to Run With Jarvis LLC, 1168 W Pioneer Parkway, Arlington, TX 76013, USA.