CabSmart Seru Ltd customer privacy policy

This privacy policy tells you what to expect us to do with your personal information.

Contact details

Email: seru@cabsmart.co.uk

What information we collect, use, and why

We collect or use the following information to provide services:

• Names and contact details
• Account information
• Website user information (including user journeys and cookie tracking)
• Payment and transaction information (including payment status, subscription or purchase details, and billing-related information handled through our payment providers)

We collect or use the following information for the operation of customer accounts and guarantees:

• Names and contact details
• Account information, including registration details
• Information used for security purposes
• Marketing preferences

We collect or use the following information to prevent, detect, investigate or prosecute crimes:

• Names and contact information
• Account information
• Information used for security purposes

We collect or use the following information for service updates or marketing purposes:

• Names and contact details
• Marketing preferences
• Website and app user journey information

We collect or use the following information to comply with legal requirements:

• Contact information
• Payment and transaction information where required for legal, tax, accounting, fraud prevention or regulatory purposes

We collect or use the following personal information for dealing with queries, complaints or claims:

• Names and contact details
• Account information

Lawful bases and data protection rights

Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.

Which lawful basis we rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

Your right of access – You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. Read more about the right of access.

Your right to rectification – You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. Read more about the right to rectification.

Your right to erasure – You have the right to ask us to delete your personal information. Read more about the right to erasure.

Your right to restriction of processing – You have the right to ask us to limit how we can use your personal information. Read more about the right to restriction of processing.

Your right to object to processing – You have the right to object to the processing of your personal data. Read more about the right to object to processing.

Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. Read more about the right to data portability.

Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time. Read more about the right to withdraw consent.

You also have the right to object at any time to the processing of your personal information for direct marketing purposes.

If you make a request, we must respond to you without undue delay and in any event within one month. To make a data protection rights request, please contact us using the contact details at the top of this privacy policy.

Our lawful bases for the collection and use of your data

Our lawful bases for collecting or using personal information to provide services and goods are:

Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

This may include processing payment and transaction information where necessary to provide paid services, manage subscriptions, verify payments, prevent fraud, and comply with legal or accounting obligations.

Our lawful bases for collecting or using personal information for the operation of customer accounts and guarantees are:

Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

Our lawful bases for collecting or using personal information to prevent, detect, investigate or prosecute crimes are:

Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability.

Our legitimate interests are:

We collect and use personal information to ensure the security and integrity of our platform. This includes preventing unauthorized access, fraud, misuse, and suspicious activity, which ultimately protects our users and maintains a safe user experience. The benefits of this data collection, such as enhanced platform security and user trust, outweigh any potential privacy impact. For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Our lawful bases for collecting or using personal information for service updates marketing purposes are:

Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability.

Our legitimate interests are:

We collect and use personal information to provide service updates and relevant marketing communications. We obtain explicit consent from users before sending promotional content, ensuring that they are fully informed. Additionally, we use legitimate interest to keep users updated on important platform changes and features, balancing their needs with our commitment to transparency and privacy. For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Our lawful bases for collecting or using personal information for legal requirements are:

Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

Our lawful bases for collecting or using personal information for dealing with queries, complaints or claims are:

Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability.

Our legitimate interests are:

We collect and use personal information to effectively handle user inquiries, complaints, and compliments. We obtain users’ consent when necessary and rely on legitimate interest to ensure that we can respond promptly and maintain a high standard of service. This approach helps us address user needs while protecting their rights and ensuring a positive experience. For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Where we get personal information from

• Directly from you

How long we keep information

We retain personal information for as long as it is necessary to provide our services and fulfill the purposes outlined in this privacy policy, including for legal, accounting, or reporting requirements.

Name and email address (used for account creation and verification):

Retained until the user deletes their account or requests removal. If a user opts out of marketing, their data will be marked as unsubscribed but retained for audit and record-keeping purposes unless deletion is requested.

Payment and transaction information:

Retained for as long as necessary to process payments, manage subscriptions or purchases, comply with tax, accounting, fraud prevention, and regulatory requirements, and resolve payment-related queries or disputes.

Analytics data (used for app progress tracking):

This is managed by third-party processors such as Amazon Web Services (AWS) and Google Firebase. We do not access this data directly. Retention is governed by the policies of those services.

Support queries or feedback:

Retained for up to 12 months from the last communication, unless required longer for customer support follow-up or legal compliance.

For more information about how long we store your personal information or the criteria we use to determine this, please contact us at: seru@cabsmart.co.uk

Who we share information with

Data processors

Amazon Web Services (AWS)

This data processor does the following activities for us:

Category: Cloud infrastructure and authentication provider

What they do:

• Hosts our backend database
• Manages secure login and user authentication
• Stores user profile information (e.g. name, email), account-related data, and progress data

Firebase (by Google)

This data processor does the following activities for us:

Category: Crash reporting and analytics

What they do:

• Monitors app crashes (Crashlytics)
• Collects app usage statistics and technical analytics data

Note: Firebase is used to help us monitor app performance and usage. We do not use Firebase to directly identify users.

ZeptoMail (by Zoho)

This data processor does the following activities for us:

Category: Transactional email delivery provider

What they do:

• Sends OTP emails for user verification
• Sends account-related service emails such as verification or password reset emails
• Supports secure delivery of transactional emails

Zoho

This data processor does the following activities for us:

Category: Business operations and communications provider

What they do:

• Supports internal business communications and administration
• May process contact details and related account or support information where relevant to our operations

Zoho Campaigns

This data processor does the following activities for us:

Category: Marketing email communications provider

What they do:

• Manages marketing email campaigns
• Stores marketing preferences and subscription information
• Helps us send promotional communications where users have given consent

Stripe

This data processor does the following activities for us:

Category: Payment processing provider

What they do:

• Processes payments and transactions
• Verifies and authorises payments
• Helps prevent fraud and protect payment security
• Stores and processes transaction-related records required for payment operations and compliance

Google Play

This data processor does the following activities for us:

Category: In-app payment and billing provider

What they do:

• Processes payments made through the Android app using Google Play billing
• Manages purchase, subscription, and billing-related records
• Helps verify and administer in-app payments

Sharing information outside the UK

Where necessary, we will transfer personal information outside of the UK. When doing so, we comply with the UK GDPR, making sure appropriate safeguards are in place.

For further information or to obtain a copy of the appropriate safeguard for any of the transfers below, please contact us using the contact information provided above.

Organisation name: Amazon Web Services (AWS)

Category of recipient: Cloud storage and computing services provider

Country the personal information is sent to: United States

How the transfer complies with UK data protection law: The International Data Transfer Agreement (IDTA)

Organisation name: Google Firebase

Category of recipient: Cloud-based backend services provider

Country the personal information is sent to: United States

How the transfer complies with UK data protection law: The International Data Transfer Agreement (IDTA)

Organisation name: Stripe

Category of recipient: Payment processing provider

Country the personal information is sent to: United States and other countries where Stripe or its sub-processors operate

How the transfer complies with UK data protection law: The International Data Transfer Agreement (IDTA) or other appropriate safeguards under UK GDPR

Organisation name: Zoho / ZeptoMail / Zoho Campaigns

Category of recipient: Email delivery and marketing communications provider

Country the personal information is sent to: Countries where Zoho or its service providers operate

How the transfer complies with UK data protection law: The International Data Transfer Agreement (IDTA) or other appropriate safeguards under UK GDPR

Where necessary, our data processors may share personal information outside of the UK. When doing so, they comply with the UK GDPR, making sure appropriate safeguards are in place.

For further information or to obtain a copy of the appropriate safeguard for any of the transfers below, please contact us using the contact information provided above.

How to complain

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy policy.

If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint

Last updated : 15 February 2026