1. Who controls your data
Fare 1 Limited is the data controller, registered in England and Wales, company number 16106393, registered office 26 Coleman Street, Southampton SO14 1GS.
Privacy queries: privacy@fare1.co.uk.
2. What we collect
To dispatch a journey, we collect:
- Name and contact details (phone, email).
- Pickup and dropoff addresses, intermediate stops.
- Travel date and time, passenger count, luggage count.
- Flight number on airport pickups (for delay tracking).
- Vehicle category and any special requests.
To process payment, Stripe collects card details directly — see section 5.
To improve the service, we collect anonymous web-analytics data — see /cookies.
Guest bookings. You can book without creating an account at book.fare1.co.uk. We still collect the same booking details listed above. To prove the email belongs to you, we send a one-time 6-digit verification code at checkout. We also create a 30-day "Track your booking" magic-link token so you can reopen the booking on any device. Guest data is retained on the same schedule as account-holder data (section 6).
3. Why we collect it
We process personal data on these legal bases:
- Contract — to deliver the journey you booked, contact you about it, and handle billing.
- Legal obligation — HMRC record-keeping, council licensing audits, anti-fraud checks.
- Legitimate interest — service operations (dispatch, driver matching, safety incident review).
- Consent — marketing emails (only if you opt in; withdraw any time).
4. Who sees it
Inside Fare 1: dispatch, accounts, customer support staff on a need-to-know basis.
The driver assigned to your trip sees your name, phone, pickup, dropoff, vehicle category, and flight number (if airport pickup). They do not see card details, address history, or other bookings.
Third parties:
- Stripe — payment processing.
- Google Maps — route calculation and address autocomplete.
- Google OAuth (Sign in with Google) — verifies your identity when you choose to sign in with a Google account. Google receives the fact that you signed into Fare 1, the time, and your IP address. Fare 1 receives only your name, email, and a Google identifier so we can link future sign-ins. You can disconnect at any time at myaccount.google.com/permissions.
- Hostinger — email delivery (booking confirmations, receipts, sign-in links).
- Firebase (Google) — phone OTP verification (SMS).
- auth.fare1.co.uk — Fare 1's own sign-in subdomain. Stores your active session token in our UK-hosted database for up to 30 days; deletes it when you sign out.
- HMRC, police, council licensing authorities — only when legally required.
5. Payments — Stripe
Payments are processed by Stripe, a PCI-DSS Level 1 certified payment processor. When you book, your card details are sent directly to Stripe over an encrypted connection — Fare 1 Ltd does not see or store full card numbers, CVV codes, or payment credentials. For Stripe's own data practices see https://stripe.com/privacy.
6. How long we keep it
- Booking records: 6 years (HMRC + Limitation Act)
- Payment metadata (last 4 digits, transaction IDs): 6 years
- Marketing opt-in: until consent withdrawn + 12 months after last interaction
- Customer-driver journey location data: 30 days post-journey
- Account login data: until deletion request + 30 days grace
- In-vehicle CCTV (if any): 31 days
7. Your rights
Under UK GDPR you can:
- Ask for a copy of the data we hold about you.
- Correct data that's wrong.
- Have data deleted (subject to legal retention requirements — section 6).
- Restrict or object to processing.
- Withdraw marketing consent at any time.
- Receive your data in a portable format.
To exercise any of these, email privacy@fare1.co.uk. We respond within 30 days.
If you're not satisfied with our response, you can complain to the UK's Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113.
8. International transfers
We keep customer data inside the UK and EU. Stripe, Google, and Firebase may process data in countries outside the UK — they operate under UK-recognised adequacy frameworks (UK-US Data Bridge, EU-US Data Privacy Framework) which keep the protection equivalent.
9. Security
HTTPS everywhere. Card data tokenised at Stripe. Internal systems on encrypted storage with access controls. Drivers see only what they need for the trip in front of them.
10. Changes to this notice
The date at the top of this page changes when we update it. Material changes will be notified by email to account holders.
