GDPR Data Protection Policy - GR Airport Transfers

GR Airport Transfers Ltd

GR Airport Transfers Ltd (“we”, “us”, “our”) will be committed to protecting the privacy of our passengers, drivers, contractors and business partners, and to complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all relevant UK data protection laws.

This policy explains how personal data will be collected, used, stored, shared and protected.

1. Legal Framework

GR Airport Transfers Ltd will operate in accordance with:

• UK Data Protection Act 2018 – governing the processing and protection of personal data in the UK.
• UK General Data Protection Regulation (UK GDPR) – setting out principles of lawfulness, fairness, transparency, and security.
• Transport for London (TfL) Private Hire Regulations – including requirements on record keeping, data submissions and weekly driver/vehicle data uploads where applicable.
• We are registered with the Information Commissioner’s O ice (ICO) under registration number ZC043853.

2. Data Collection and Use

We will collect and process personal data only where there is a lawful basis to do so, and only for specified, explicit and legitimate purposes. Data will be adequate, relevant, and limited to what is necessary.

2.1 Passenger and Booker Data

To provide private hire and chau eur services, we will collect and process the following categories of passenger/booker information:

• Name
• Contact details (address, mobile number, email address)
• Booking and travel details (pickup and drop-o locations, date and time, flight details, preferences, special requirements)
• Payment information (processed securely through our payment provider – we do not store full card details on our own systems)
• Communication history (emails, messages relating to bookings or complaints)

This information will be used to:

• Create and manage bookings
• Allocate drivers and vehicles
• Communicate confirmations, updates, and changes
• Handle cancellations, complaints and refunds
• Comply with legal and regulatory obligations

2.2 Employee and Driver Data

For drivers, sta and contractors, we will collect and process:

• Name
• Home address and contact details
• Licensing and compliance information (e.g. TfL PHV driver licence, PHV vehicle licence, insurance, MOT, right-to-work)
• Bank account details (for payments)
• National Insurance number
• Criminal record information (e.g. DBS certificate where required)
• Attendance, performance and complaint records relevant to their engagement

This information will be used to:

• Verify suitability and eligibility to work
• Comply with TfL and other regulatory requirements
• Process payments and maintain financial records
• Manage performance, safety and conduct

2.3 Purposes of Processing

Personal data may be used for:

• Delivering and managing journeys and related services
• Meeting TfL and legal record-keeping requirements
• Responding to enquiries, feedback, and disputes
• Ensuring safety, security and service quality (including GPS-based journey monitoring where applicable)
• Internal analysis and service improvements (using anonymised or minimised data where possible)

We will not sell personal data to third parties.

3. Data Protection Principles

GR Airport Transfers Ltd will follow the core principles of UK GDPR:

• Lawfulness, Fairness, Transparency – Data will be processed lawfully, fairly and in a transparent manner. Individuals will be informed about the purpose and legal basis for processing.
• Purpose Limitation – Data will be collected for clear, specified purposes and not further processed in a way that is incompatible with those purposes.
• Data Minimisation – Only data that is genuinely needed for the stated purpose will be collected and retained.
• Accuracy – Reasonable steps will be taken to keep personal data accurate and up to date. Individuals may request corrections.
• Storage Limitation – Data will not be kept longer than necessary, subject to legal and regulatory retention requirements.
• Integrity and Confidentiality – Appropriate technical and organisational measures will be implemented to safeguard data against unauthorised access, loss, alteration or disclosure.

4. Data Retention Policy

We will retain personal data for no longer than is necessary for the purposes for which it was collected, subject to legal and regulatory requirements. As a guide:

• Booking and journey records – retained for at least 12 months (in line with TfL requirements) and may be kept longer where needed for legal, regulatory or accounting purposes.
• Payment and invoicing records – retained for up to 7 years for tax and accounting purposes.
• Employee and driver records – retained for up to 12 months after the end of the working relationship, or longer where required by law or in connection with ongoing claims or investigations.
• GPS and journey tracking data – retained for approximately 12 months, unless required for dispute resolution or legal purposes.

Once the applicable retention period expires, personal data will be securely deleted or anonymised.

5. Data Sharing and Third Parties

We may share personal data with:

• Authorised personnel – such as drivers, controllers and administrative sta , where required for service delivery and safety.
• Regulatory authorities – including TfL, the police or other lawful authorities, where required by law or regulation.
• Service providers and processors – such as IT hosting providers, booking platforms (e.g. Logistifie), payment processors, email/SMS providers and professional advisers.
• Where third-party processors are used, we will ensure that appropriate data processing agreements are in place and that they comply with UK GDPR and maintain suitable security standards.
• We will not share personal data with any third party for marketing purposes without explicit consent.

6. Data Security

We will implement appropriate technical and organisational measures to protect personal data, including:

• Encryption and/or secure transmission of sensitive data where appropriate
• Password protection and access control on systems holding personal data
• Limiting access to personal data to authorised sta and contractors only
• Regular system checks, monitoring and updates to mitigate security risks
• Secure disposal of data and equipment at the end of its life

While we will take all reasonable steps to protect personal data, individuals should exercise caution when sharing sensitive information electronically.

7. Marketing Communications

We will only send direct marketing communications (for example, promotional emails or SMS messages) where we have a lawful basis, such as:

• Your explicit consent; or
• A soft opt-in where permitted by law (e.g. existing client relationship).
• You will be able to opt out of marketing communications at any time by using the unsubscribe option in the message or by contacting us at grairporttransfers@gmail.com.

Operational messages (e.g. booking confirmations, updates, safety information) are not considered marketing and will still be sent where necessary.

8. Your Rights Under UK GDPR

Individuals whose personal data we process have the following rights (subject to certain conditions and exemptions):

• Right of Access – to request a copy of the personal data we hold about you.
• Right to Rectification – to request correction of any inaccurate or incomplete data.
• Right to Erasure – to request deletion of data where there is no lawful reason for us to continue processing it.
• Right to Restriction – to request that we restrict how your data is used in certain circumstances.
• Right to Data Portability – to request that we provide your personal data in a structured, commonly used, machine-readable format, where applicable.
• Right to Object – to object to processing based on legitimate interests or to direct marketing.
• Right to Withdraw Consent – where processing is based on consent, you may withdraw that consent at any time.

To exercise any of these rights, please contact us at: grairporttransfers@gmail.com. We may need to verify your identity before responding.

9. GPS and Journey Monitoring

Where vehicles are tracked using GPS or similar technology, tracking data may be used to:

• Monitor real-time locations for operational and safety purposes
• Assist with route planning and e iciency
• Verify service quality and investigate complaints or incidents
• Comply with regulatory obligations

GPS and journey data will be handled securely, with access restricted to authorised personnel only, and retained in line with our data retention policy (normally up to 12 months unless required longer for legitimate reasons).

10. Complaints

If you have any concerns about how your personal data has been handled, you may:

• Contact us directly at grairporttransfers@gmail.com, and
• If you remain dissatisfied, lodge a complaint with the Information Commissioner’s O ice (ICO) via their website at: www.ico.org.uk.

We encourage individuals to contact us first so that we can try to resolve concerns promptly.

11. Updates to this Policy

This policy may be updated from time to time to reflect:

• Changes in legislation or regulatory guidance
• Operational or technological changes
• New or updated services

The latest version of this policy will be made available on our website or supplied on request. Significant changes may be communicated directly where appropriate.

12. Contact Information for Data Controller

The data controller for GR Airport Transfers Ltd is:
GR Airport Transfers Ltd
63 Warwick Crescent
Hayes
UB4 8RG
United Kingdom
Email: grairporttransfers@gmail.com
Phone: +44 7983 722454

13. Governing Law

This policy will be governed by and interpreted in accordance with the laws of England and Wales, including the UK Data Protection Act 2018 and UK GDPR.