Home · Privacy
Privacy Policy
Last updated: 20 May 2026
This policy explains what BDcabs collects from you, where the data lives, how long we keep it, who we share it with, and the rights you have under applicable data-protection law (the platform launched from a UK-GDPR-compliant codebase, so its strict defaults carry over). We aim for plain English; if any of it doesn’t land, write to us via the contact form.

What we collect
When you sign up: your email, your name, and a phone number that we verify once with a six-digit SMS code. If you list yourself as a partner (a driver or fleet owner), we also collect your base area, the vehicle types you cover, your coverage radius, an optional profile photo, and the documents our team sights during verification.
When you use the platform: the details of any booking request you post (route, dates, notes, budget, photos); the price and pitch of any offer a partner sends; the messages exchanged after an offer is accepted; and a record of when you reveal a partner’s phone number. We never store the six-digit OTP itself — only a hash and the verified-at timestamp.
Where the data lives
Your account, booking requests, offers, messages, and reveal events live in an Aurora Serverless v2 Postgres database hosted in AWS’s London region (eu-west-2). Profile photos and booking images are stored in AWS S3, also in eu-west-2. The web application runs on Vercel, which routes traffic from edge regions but does not persist your personal data.
How long we keep it
We keep your data while your account is active. If you deactivate your account, we hide your profile immediately and keep your data for 30 days in case you change your mind. Sign back in within that window and everything is restored. After 30 days, your data is purged. Messages on accepted bookings are kept as long as the booking exists so both sides have a record of what was agreed.
Who we share it with
We do not sell your data and we do not share it with advertisers. We rely on a small set of service providers to make the product work:
- Resend — sends the magic-link sign-in email, the transactional emails (new offer, offer accepted, new message, daily digest, email-change verification), and the contact-form replies.
- Twilio — sends the SMS with your one-time phone verification code.
- AWS — runs the Aurora Postgres database and S3 storage in eu-west-2.
- Vercel — runs the website and serves it to your browser.
- postcodes.io — turns a location into coordinates so we can match partners to nearby booking requests.
- PostHog and Sentry — when wired, PostHog records two product events (page view, phone revealed) and Sentry records application errors. Both run with PII scrubbed from payloads.
Cookies
We use essential cookies only — the session cookie set by Auth.js that keeps you signed in. No tracking cookies, no third-party advertising cookies.
Your rights
You can ask us to do any of the following, per applicable data-protection law. We respond within 30 days.
- Access. Request a copy of your data from /account/data-export. A person on our team puts the file together by hand for now.
- Rectify.Correct anything that’s wrong — most fields are editable from your account; for anything else, write to us via the contact form.
- Erase. Deactivate your account. Your profile is hidden immediately and your data is purged 30 days later unless you sign back in.
- Data portability. Use the same data-export route above or the contact form to request the file in a portable format.
Children
BDcabs is not for under-18s. We don’t knowingly collect data from children. If you believe we have, write to us and we’ll remove it.
Changes to this policy
If we change this policy in a way that affects you, we’ll say so on this page and update the “Last updated” date at the top.
Get in touch
Privacy questions, data requests, or anything else — use the contact form.