Privacy Policy
Last updated: 25 March 2026
1. Who we are (Data Controller)
RideRoots Limited ("we", "us", or "our") is the data controller responsible for your personal data. We are registered in England and Wales [Company Number: XXXXXXXX].
ICO Registration: We are registered with the Information Commissioner's Office (ICO) under registration number [ZxxxxxxX].
Data Protection Officer: If you have any questions about this Privacy Policy or our data protection practices, please contact our Data Protection Officer at dpo@motisure.com.
2. What personal data we collect
We collect and process the following categories of personal data:
- Account data: Your name, email address, and phone number.
- Financial data: Payment card details (last 4 digits only, processed securely by our payment provider), bank account details (for processing payouts), and wallet transaction history.
- Journey data: Your tap-in and tap-out stations, journey times, fare amounts, and transport modes used on the TfL network.
- Location data: Tap-in/out geolocation (latitude/longitude), but only if you explicitly grant permission within the app.
- Device data: User agent, IP address, and device identifiers (used primarily for fraud prevention and security).
- Communications: Claims correspondence, support messages, and any other communications you have with us.
3. How we use your data
We process your personal data for the following purposes, relying on the specified lawful bases under the UK GDPR:
- To provide our insurance service: Setting up your account, managing your subscription, and monitoring your registered routes. (Lawful basis: Performance of a contract).
- To process claims and payouts: Automatically verifying disruptions against TfL data and crediting your wallet or bank account. (Lawful basis: Performance of a contract).
- For fraud prevention and security: Monitoring for suspicious activity, verifying identity, and protecting our platform. (Lawful basis: Legitimate interests).
- To send billing and service reminders: Notifying you of upcoming charges, failed payments, or policy changes. (Lawful basis: Performance of a contract).
- For marketing communications: Sending you promotional offers and updates about RideRoots. (Lawful basis: Consent; you must opt in, and you can withdraw consent at any time).
- For analytics and service improvement: Analyzing usage patterns to improve our app and insurance models. This data is aggregated and anonymised wherever possible. (Lawful basis: Legitimate interests).
4. Who we share your data with
We do not sell your personal data. We only share it with trusted third parties necessary to provide our service:
- Transport for London (TfL): We query TfL's open data APIs to check for disruptions on your route. We do not share your personal data with TfL. Our queries are anonymous.
- Payment Processors (e.g., Stripe): We share necessary card data and payment amounts to process your premiums and payouts. This processing is governed by the processor's Data Processing Agreement (DPA).
- Pension Providers: If you enable the pension contribution feature, we will share your name and National Insurance number with your chosen provider, strictly based on your explicit consent.
- Cloud Infrastructure Providers (Firebase/Google Cloud): Our application and database are hosted on Google Cloud. Your data is stored securely in the EU/UK region.
- Email Delivery Services (e.g., SendGrid): We share your email address and message content solely for the purpose of delivering transactional and marketing emails.
5. Data retention
We retain your personal data only for as long as necessary to fulfill the purposes we collected it for, including satisfying any legal, regulatory, tax, accounting, or reporting requirements.
- Account data: Retained for the duration of your active account, plus 7 years after closure (to comply with FCA record-keeping requirements).
- Journey/trip data: Retained for 3 years.
- Claims data: Retained for 7 years (FCA requirement).
- Financial transaction data: Retained for 7 years (HMRC requirement).
- Deleted accounts: If you request account deletion, your profile data is anonymised after 90 days. Essential audit logs are retained for 7 years for regulatory compliance.
6. Your rights under UK GDPR
Under the UK GDPR, you have the following rights regarding your personal data:
- Right of access: You can request a copy of the personal data we hold about you (Subject Access Request). We will respond within 30 days.
- Right to rectification: You can ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): You can request that we delete your data, subject to our legal and regulatory retention requirements (e.g., FCA rules).
- Right to restriction of processing: You can ask us to suspend the processing of your data in certain scenarios.
- Right to data portability: You can request your data in a structured, commonly used, machine-readable format.
- Right to object: You can object to processing based on legitimate interests or for direct marketing.
- Rights related to automated decision-making: You have rights regarding decisions based solely on automated processing (e.g., our parametric claim approvals) that produce legal or significant effects.
To exercise any of these rights, please email us at privacy@motisure.com.
7. Cookies
We use cookies and similar tracking technologies to ensure our app functions correctly and to analyze usage.
- Strictly necessary cookies: We use Firebase Auth session cookies to keep you logged in securely. These are essential and do not require your consent.
- Analytics cookies: We use Firebase Analytics to understand how users interact with our app. These are optional and require your explicit consent via our Cookie Banner.
- Advertising cookies: We do not use third-party advertising or tracking cookies.
You can manage your cookie preferences at any time by visiting our Cookie Policy page.
8. International transfers
Your personal data is primarily stored and processed within the UK and the European Economic Area (EEA) using Google Cloud (Firebase) infrastructure. The UK recognizes the EEA as providing an adequate level of data protection.
If we ever transfer your data outside the UK/EEA to a country not deemed to have adequate data protection laws, we will ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs) with the UK Addendum.
9. How to complain
If you have any concerns about our use of your personal information, you can make a complaint to us directly at privacy@motisure.com.
If you remain dissatisfied with how we have handled your data or your complaint, you have the right to complain to the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Helpline number: 0303 123 1113
Website: https://ico.org.uk
10. Changes to this policy
We keep our Privacy Policy under regular review. If we make material changes to how we process your personal data, we will notify you by email or via an in-app notification at least 30 days before the changes take effect.
11. Google API Services User Data Policy
RideRoots's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Data Accessed
When you sign in to RideRoots using your Google account, our application accesses and collects your basic Google profile information, specifically your email address, name, and profile picture URL.
Data Usage
We use this Google user data solely to create and manage your RideRoots account, authenticate your login securely, personalize your dashboard, and communicate with you regarding your account, payouts, and service updates. We do not use your Google data for any other purpose.
Data Sharing
We do not share your Google user data with any third parties, except as strictly necessary to provide the RideRoots service (e.g., sharing your name and email with our regulated payment processors to facilitate your automatic payouts). We do not sell your Google user data, nor do we share it for advertising or marketing purposes.
Data Storage & Protection
Your Google user data is stored securely in our encrypted database hosted on Google Cloud (Firebase). We employ industry-standard security measures, including encryption at rest and in transit, strict access controls, and regular security audits to protect your data from unauthorized access, alteration, or disclosure.
Data Retention & Deletion
We retain your Google user data only for as long as your RideRoots account remains active. You can request the deletion of your data at any time by navigating to the "Settings" section of the RideRoots app and selecting "Delete Account", or by contacting our support team at privacy@motisure.com. Upon deletion, your Google user data will be permanently removed from our active databases within 30 days, subject to any overriding legal or regulatory retention requirements (e.g., FCA financial record-keeping).