RideDrop.

Privacy Policy

Last updated: 15 May 2026

This policy will be finalised with legal counsel before public launch. It reflects the data RideDrop processes today.

1. Who we are

RideDrop is operated by RideDrop Ltd, a private limited company registered in England and Wales (company number 17274629). We are the data controller for the personal data we collect through ridedrop.co.uk. Contact us at privacy@ridedrop.co.uk.

2. What we collect, and why

We collect only what we need to run the marketplace, take payment, and resolve disputes.

  • Account data — email, name, phone, home city, role (sender / carrier). Lawful basis: contract performance.
  • Identity verification (carriers only) — a government ID document and selfie, processed by Stripe Identity. We do not store the ID document on our servers; we store only a verification status and Stripe session ID. Lawful basis: legal obligation (fraud prevention) and contract performance.
  • Payment details — processed by Stripe. We never see your card number. We store a Stripe payment-intent ID against each booking. Lawful basis: contract performance.
  • Delivery records — pickup and delivery photos, GPS coordinates captured at upload, handoff PINs, in-app messages, ratings and reviews. Lawful basis: contract performance and our legitimate interest in resolving disputes.
  • Waitlist signups — email, optional name and city. Lawful basis: consent (you ticked the signup box).
  • Technical data — IP address, browser type, cookies (see section 5). Lawful basis: legitimate interest in keeping the service running and secure.

3. Who we share data with

We share the minimum necessary with our data processors. They all act on our written instructions.

  • Supabase (database, auth, file storage) — hosted in the EU (London region). Standard contractual clauses in place.
  • Stripe (payments + identity verification) — global processor, UK and US data centres.
  • Resend (transactional emails).
  • Netlify (web hosting).

We will never sell your data, share it with advertisers, or use it to train AI models.

4. How long we keep it

  • Account data — until you delete your account.
  • Bookings, photos, messages — 6 years after the booking is closed, for tax + dispute resolution purposes.
  • Waitlist signups — until you unsubscribe, or 2 years from signup, whichever is sooner.
  • Server logs — 30 days.

5. Cookies

We use two categories of cookies. You can change your choice any time via the cookie banner at the bottom of the page.

  • Strictly necessary — Supabase auth cookies that keep you signed in. Cannot be turned off.
  • Analytics (optional) — anonymous, aggregated page-view data. Off by default until you accept.

6. Your rights

Under UK GDPR you have the right to:

  • access the personal data we hold about you;
  • have inaccurate data corrected;
  • have your data erased ("right to be forgotten");
  • restrict or object to our processing;
  • have your data exported in a portable format;
  • complain to the ICO if you think we've got it wrong.

Email privacy@ridedrop.co.uk for any of the above. We'll respond within 30 days.

7. Security

All data is encrypted in transit (HTTPS) and at rest (Supabase's AES-256). Photos and ID documents are stored in private buckets accessible only to the booking participants. Database access is governed by row-level security policies.

8. Children

RideDrop is not for under-18s. We don't knowingly collect data from minors.

9. Changes to this policy

We'll notify you by email of material changes before they take effect. The "last updated" date at the top of this page always reflects the current version.

10. Complaints

You can complain to the UK Information Commissioner's Office at ico.org.uk or by calling 0303 123 1113.

RideDrop uses a small number of cookies — strictly necessary ones for signing you in, and optional analytics so we can see what's working. Read more in our Privacy Policy.