top of page

Ridenuff Ltd Privacy and Data Protection Policy

("Privacy Policy")

 

 

1. Introduction, Important Information and Who We Are

 

Welcome to Ridenuff Ltd’s Privacy and Data Protection Policy (“Privacy Policy”).

At Ridenuff Ltd (“we”, “us”, or “our”) we are committed to protecting and respecting your privacy and Personal Data in compliance with the United Kingdom General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, and all other mandatory laws and regulations of the United Kingdom.

This Privacy Policy explains how we collect, process and keep your data safe. The Privacy Policy will tell you about your privacy rights, how the law protects you, and inform our employees and staff members of all their obligations and protocols when processing data.

The individuals from which we may gather and use data can include:

  • Customers (Riders)

  • Suppliers

  • Business contacts

  • Employees/Staff Members

  • Drivers and Riders who use our platform

  • and any other people that the organisation has a relationship with or may need to contact.

This Privacy Policy applies to all our employees and staff members and all Personal Data processed at any time by us.

 

1.1 Your Data Controller and Data Protection Officer

 

Ridenuff Ltd is your Data Controller and responsible for your Personal Data. We are registered with the Information Commissioner's Office (ICO) under the Data Protection (Charges and Information) Regulations 2018 with Registration Number: ZC021431.

We have appointed a data protection officer (“DPO”) who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights surrounding your Personal Data, please contact the DPO using the details set out below:

Name: Tayfun Keskin

Email: tayfun@ridenuff.com

Postal address: 310B Higham hill road E17 5RG London

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

 

1.2 Processing data on behalf of a Controller and processors’ responsibility to you

 

In discharging our responsibilities as a Data Controller we have employees who will deal with your data on our behalf (known as “Processors”). The responsibilities below may be assigned to an individual or may be taken to apply to the organisation as a whole. The Data Controller and our Processors have the following responsibilities:

  • Ensure that all processing of Personal Data is governed by one of the legal bases laid out in the GDPR (see 2.2 below for more information);

  • Ensure that Processors authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk associated with the processing of Personal Data;

  • Obtain the prior specific or general authorisation of the Controller before engaging another Processor;

  • Assist the Controller in the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights;

  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller;

  • Maintain a record of all categories of processing activities carried out on behalf of a Controller;

  • Cooperate, on request, with the supervisory authority in the performance of its tasks;

  • Designate a data protection officer where required by the GDPR, publish their details and communicate them to the supervisory authority;

  • Support the data protection officer in performing their tasks by providing resources necessary to carry out those tasks and access to Personal Data and processing operations and to maintain their expert knowledge;

  • Ensure that any person acting under the authority of the Processor who has access to Personal Data does not process Personal Data except on instructions from the Controller; and

  • Notify the Controller without undue delay after becoming aware of a Personal Data Breach.

 

2. Legal basis for data collection

   2.1 Types of data / Privacy policy scope

 

“Personal Data” means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of Personal Data about you which we have grouped together below. Not all of the following types of data will necessarily be collected from you but this is the full scope of data that we collect and when we collect it from you:

Data CategoryDescription

Contact DataName, phone number, email address, physical address (for registration or saved locations).

Geolocation Data (CRITICAL)Precise location (GPS) data collected from your mobile device only when the app is running in the foreground or when a trip is active (from booking to drop-off). This includes pick-up and drop-off points, and the trip route.

Trip DataDetails of your journey, including date, time, distance travelled, fare charged, cancellation history, and usage of promotional codes.

Billing & Transaction DataPayment information (e.g., payment card type, last four digits of the card, and billing address). We receive transaction confirmation and amounts from our third-party payment processor, Stripe.

Driver/Vehicle DataFor drivers, this includes driver’s licence number, vehicle registration details, insurance information, and records relating to your right to work and regulatory compliance (e.g., confirmation of DBS checks conducted by Transport for London (TfL)).

Communications DataRecords of communications with our Customer Support team and in-app messages/calls between Riders and Drivers (which may be logged and recorded, where we have notified you).

Ratings and Feedback DataRatings, reviews, and compliments provided by you or other users (Riders and Drivers) about a specific trip or service experience.

Usage DataInformation about how you use our app and services, including access dates and times, app features or pages viewed, app crashes, and device IP address.

Marketing and Communications DataYour preferences in receiving marketing information and other information from us.

Financial DataThese are your banking details (e.g. your account number and sort code) used for driver payouts, which are securely passed to our payment processor, Stripe.

We also collect, use and share Aggregated Data such as Reporting dashboards built via encrypted data sources. Aggregated Data could be derived from your Personal Data but is not considered Personal Data in law as this data will not directly or indirectly reveal your identity. However, if we combine or connect Aggregated Data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be used in accordance with this Privacy Policy.

We may also aggregate data to enable research or analysis so that we can better understand and serve you and others. Although this aggregated data may be based in part on Personal Data, it does not identify you personally. We may share this type of anonymous data with others, including service providers, our affiliates, agents and current and prospective business partners.

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences, except as necessary to record the confirmation of regulatory compliance by TfL.

 

     2.2 The Legal Basis for Collecting That Data

 

There are a number of justifiable reasons under the GDPR that allow collection and processing of Personal Data. The main avenues we rely on are:

  • “Consent”: Certain situations allow us to collect your Personal Data, such as when you tick a box that confirms you are happy to receive email newsletters from us, or ‘opt in’ to a service.

  • “Contractual Obligations”: We may require certain information from you in order to fulfil our contractual obligations and provide you with the promised service (e.g. collecting Geolocation Data to complete a ride).

  • “Legal Compliance”: We’re required by law to collect and process certain types of data, such as fraudulent activity or other illegal actions, and compliance with our TfL Private Hire Operator Licence.

  • “Legitimate Interest”: We might need to collect certain information from you to be able to meet our legitimate interests - this covers aspects that can be reasonably expected as part of running our business, that will not have a material impact on your rights, freedom or interests. Examples could be using Ratings Data to ensure platform quality, or your name for customer service.

 

3. How we use your Personal Data

     3.1 Our data uses

 

We will only use your Personal Data when the law allows us to.

Set out below is a table containing the different types of Personal Data we collect and the lawful basis for processing that data. Please refer to section 2.2 for more information on the lawful basis listed in the table below.

Examples provided in the table below are indicative in nature and the purposes for which we use your data may be broader than described but we will never process your data without a legal basis for doing so and it is for a related purpose. For further inquiries please contact our Data Protection Officer.

Personal Data TypePurpose of ProcessingLawful Basis

Contact DataTo create and manage your account and communicate essential service updates.Contractual Obligations

Geolocation Data, Trip DataTo match you with a driver/rider, navigate the trip, ensure safety, and calculate the fare.Contractual Obligations

Billing & Transaction DataTo process payment for rides and handle any billing disputes.Contractual Obligations

Financial Data (Driver Payouts)To process weekly or monthly payouts to Drivers via our payment processor (Stripe).Contractual Obligations

Driver/Vehicle DataTo confirm driver and vehicle eligibility and compliance with TfL regulatory standards.Legal Compliance

Ratings and Feedback DataTo monitor and improve service quality, promote platform safety, and enforce platform rules.Legitimate Interest

Usage DataTo identify and fix software bugs, improve app functionality, and detect fraudulent activity.Legitimate Interest

All relevant data typesTo report information to TfL as legally required under our Operator Licence.Legal Compliance

All the selection of data needs to be processed to know whom do we provide service with and for whom, location data and transactional data for security purposes, Trip details for pricing estimations and financial - billing data is necessary to charge for our services.

 

     3.2 Sharing Data Between Riders and Drivers

 

In order to facilitate and perform the requested transportation service, we must share certain data between the Rider and the Driver. The lawful basis for this sharing is Performance of a Contract.

  • When a trip is matched, the Driver will receive the following Rider information: The Rider's first name, their Rider rating, the pick-up location, and (during the trip) the Rider's precise location. We facilitate communication using a masked number to protect your privacy.

  • When a trip is matched, the Rider will receive the following Driver information: The Driver's name, photograph, Driver rating, the vehicle make and model, and the vehicle registration plate number. The Rider will also receive the Driver's precise location and estimated time of arrival.

We do not share banking details, home addresses, or full contact numbers between the Rider and the Driver.

 

    3.3 Automated Decision-Making and Profiling

 

We use automated processes to manage and optimise our platform's safety, efficiency, and fairness. These automated processes constitute profiling and, in some cases, automated decision-making under the GDPR.

 

Decisions made automatically include:

 

  1. Driver and Rider Matching: The system automatically selects and assigns the nearest and most suitable driver to a Rider's request.

  2. Fare Calculations: The fare for a ride is automatically calculated based on factors like distance, time, and current demand (surge pricing).

  3. Account Suspension/Termination (CRITICAL DISCLOSURE): Our system automatically reviews specific metrics (e.g., consistently low Driver or Rider ratings, very high cancellation rates, or confirmed fraud flags). If these metrics fall below a set threshold, the system is programmed to automatically suspend or terminate the associated account without immediate human review.

 

Your Rights Regarding Automated Decisions:

 

As a user, you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. If your account is suspended or terminated based on an automated decision, you have the right to:

  • Request human intervention to review the decision.

  • Express your point of view and contest the decision.

To exercise this right, please contact our Data Protection Officer immediately at the contact details provided in this policy.

 

3.4 Marketing and content updates

 

You will receive marketing and new content communications from us unless you specifically request that you would not like to receive these communications. From time to time we may make suggestions and recommendations to you about goods or services that may be of interest to you.

 

3.5 Change of purpose

 

We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact our Data Protection Officer. If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your Personal Data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

 

4. Your rights and how you are protected by us

    4.1 Your legal rights

 

Under certain circumstances, you have the following rights under data protection laws in relation to your personal data:

  • Right to be informed. You have a right to be informed about our purposes for processing your personal data, how long we store it for, and who it will be shared with. We have provided this information to you in this policy.

  • Right of access. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it (also known as a "data subject access request"). See section 4.5 below for more details on how you can make a data subject access request.

  • Right to rectification. You have a right to request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

  • Right to erasure. You have the right to ask us to delete or remove personal data where there is no good reason for us continuing to process it, where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

  • Right to object. You can object to the processing of personal data we hold about you. This effectively allows you to stop or prevent us from processing your personal data. Note that this is not an absolute right and it only applies in certain circumstances, for example:

    • Where we are processing your personal data for direct marketing purposes.

    • Where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.

    • In some cases, we may continue processing your data if we can demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

  • Right to restrict processing. You have the right to request the restriction or suppression of their personal data. Note that this is not an absolute right and it only applies in certain circumstances:

    • If you want us to establish the data's accuracy.

    • Where our use of the data is unlawful but you do not want us to erase it.

    • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.

    • You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

  • Right to data portability. You have the right to request the transfer of your personal data to you or to a third party. If you make such a request, we will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

  • If you wish to make a request under any of these rights, please contact us at tayfun@ridenuff.com.

 

  4.2 Your control over RIDENUFF LTD's use of your Personal Data

 

You may delete your account at any time – this will remove your account page from our systems and our related software.

We do not guarantee the ability to delete all stored data. If you would like us to delete/correct personally identifiable data, let us know and we will action your request as soon as practicable. You can access information associated with your account by logging into your account you created with us. Your account information will be protected by a password for your privacy and security. You need to prevent unauthorised access to your account and personal information by selecting and protecting your password appropriately and limiting access to your computer or device and by signing off after you have finished accessing your account.

 

5. How RIDENUFF LTD protects customers' Personal Data

 

We are concerned with keeping your data secure and protecting it from inappropriate disclosure. We implement a variety of security measures to ensure the security of your Personal Data on our systems, including partnering with industry leading partners and our amazing in-house team who integrates all systems to keep front leading status. Any Personal Data collected by us is only accessible by a limited number of employees who have special access rights to such systems and are bound by obligations of confidentiality. If and when we use subcontractors to store your data, we will not relinquish control of your Personal Data or expose it to security risks that would not have arisen had the data remained in our possession. However, unfortunately no transmission of data over the internet is guaranteed to be completely secure. It may be possible for third parties not under the control of Ridenuff Ltd to intercept or access transmissions or private communications unlawfully. While we strive to protect your Personal Data, we cannot ensure or warrant the security of any Personal Data you transmit to us. Any such transmission is done at your own risk. If you believe that your interaction with us is no longer secure, please contact us.

 

   5.1 Opting out of marketing promotions

 

You can ask us to stop sending you marketing messages at any time and we will stop sending promotional communications.

Where you opt out of receiving these marketing messages, we will continue to retain other Personal Data provided to us as a result of interactions with us not related to your marketing preferences.

 

   5.2 How to request your data and the process for
   obtaining it

 

You will not have to pay a fee to access your Personal Data (or to exercise any of the other rights). However, if your request is clearly unfounded, we could refuse to comply with your request. We may need to request specific information from you to help us confirm your identity and ensure you have the right to access your Personal Data (or to exercise any of your other rights). This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

 

6. Your data and third parties

 

 

    6.1 Regulatory Compliance and TfL Operator Licence

 

As a licensed Private Hire Operator in London, Ridenuff Ltd must comply with all requirements set out by Transport for London (TfL). These legal obligations require us to collect, process, and retain certain data in ways that may differ from standard commercial practice. The legal basis for this processing is Legal Obligation and Public Interest.

Data Upload to TfL:

We are legally required to provide TfL with data concerning the drivers and vehicles we use to fulfil private hire bookings. This data is uploaded on a weekly basis and typically includes:

  • Driver Name, Licence Number, and contact information.

  • Vehicle Registration Mark (VRM), make, and model.

  • Details of any customer complaints received.

Driver Documentation:

While TfL carries out the official criminal record checks (DBS), we are legally obliged to verify and maintain records of the documentation required for your licence, as noted under 'Driver/Vehicle Data'.

Data Retention for Regulatory Purposes:

We are required to retain certain records for longer periods than purely commercial necessity.

  • Data related to Driver and Vehicle records may be retained for up to six years after the expiry of the operator licence or longer if required by a legal dispute or TfL request.

 

    6.2 Sharing your data with third parties

 

We may share non-Personal Data with third parties. We may share your Personal Data with subcontractors or affiliates, subject to confidentiality obligations to use it only for the purposes for which we disclose it to them and pursuant to our instructions.

We may also share Personal Data with interested parties in the event that Ridenuff Ltd anticipates a change in control or the acquisition of all or part of our business or assets or with interested parties in connection with the licensing of our technology.

If Ridenuff Ltd is sold or makes a sale or transfer, we may, in our sole discretion, transfer, sell or assign your Personal Data to a third party as part of or in connection with that transaction. Upon such transfer, the Privacy Policy of the acquiring entity may govern the further use of your Personal Data. In all other situations your data will still remain protected.

 

7. International Transfer of Data

 

Ridenuff Ltd is a company based in the United Kingdom. We use the German company Hetzner for our main server hosting. As Germany is part of the European Economic Area (EEA), the UK considers this to be a safe and compliant transfer of personal data.

We will only transfer your Personal Data outside of the UK and EEA where we have a lawful basis and appropriate safeguards in place. This may include using a third-party service provider (e.g., for analytics or marketing) whose servers are outside these territories. In such cases, we ensure your data is protected by one of the following methods:

  • Transferring the data to countries deemed to provide an adequate level of protection for Personal Data by the UK government.

  • Using specific contracts approved for use in the UK which give Personal Data the same protection it has in the UK (the International Data Transfer Agreement (IDTA) or UK Addendum to the Standard Contractual Clauses (SCCs)).

© 2025 RIDENUFF LTD

bottom of page