Privacy Policy
Effective date: 16th September 2025
Drop-in Surf Ltd. ("Drop-in", "we", "us", or "our") values your privacy. We are committed to safeguarding your personal data and handling it with transparency, integrity, and care. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website, mobile application, and services (together, the "Platform").
We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, which set the standards for data protection in the United Kingdom. Our aim is to give you clear and comprehensive information about how your data is handled, as well as your rights under the law.
By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy.
1. Introduction & Purpose
1.1 This Privacy Policy describes the personal data that Drop-in collects, how we process it, the purposes for which we use it, and the legal bases under which we do so.
1.2 The Policy applies to all users of the Platform, including those who register for accounts, browse our website, join our waitlist, or otherwise interact with our services, whether as a Driver or a Passenger.
1.3 This Privacy Policy does not form part of any contract of employment, consultancy, or service provision. It is a statement of how we process personal data in compliance with UK data protection law.
2. Key Definitions
For clarity, in this Privacy Policy:
"Personal data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on personal data, such as collection, storage, use, disclosure, or deletion.
"Controller" means the organisation that determines the purposes and means of processing personal data. For the Platform, Drop-in Surf Ltd. is the controller.
"Processor" means a third party that processes personal data on behalf of the controller. Examples include Stripe (for payments) and Firebase (for authentication).
"UK GDPR" means the retained EU law version of the General Data Protection Regulation as it applies in the United Kingdom.
3. Data Controller & Contact Information
3.1 Drop-in Surf Ltd. is the controller of your personal data. We determine the purposes and means of processing your data in connection with the operation of the Platform.
3.2 Our registered details are as follows:
Drop-in Surf Ltd.
71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
Email: hello@drop-in.surf
3.3 If you have questions about this Privacy Policy or the way we handle your data, you may contact us using the details above. If you are dissatisfied with our response, you have the right to raise a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection matters.
4. Types of Personal Data Collected
We collect and process the following categories of personal data:
Account Data: name, email address, phone number, date of birth, gender, profile photo, passwords.
Driver-Specific Data: bank account details, tax information, and financial onboarding information processed via Stripe Connect.
Location Data: GPS coordinates, base locations, surf spots, and real-time tracking during rides.
Identity Verification Data: government-issued ID documents and selfie images, if you opt for enhanced identity verification.
Communications Data: in-app messages, feedback, ratings, and reporting information.
Surf-Related Data: skill level, transport preferences, favourite surf locations.
Device Data: IP addresses, device identifiers, app usage logs, and push notification tokens.
Payment Data: transaction records, method of payment, amounts paid/received. Full payment card details are collected and stored securely by Stripe, not by Drop-in.
5. How We Collect Personal Data
We collect data in the following ways:
Directly from you: when you create an account, complete onboarding, update your profile, book or offer a ride, submit verification documents, or contact us.
Automatically: when you use the Platform, including location tracking, app usage analytics, and device identifiers.
Through third parties: when you interact with services integrated into the Platform, such as Stripe (payments and ID verification), Firebase (authentication, database), and Google Maps (location services).
6. Purposes of Processing
We process your personal data for the following purposes:
Service Delivery: to create and manage your account, match Drivers and Passengers, process bookings, and facilitate Rides.
Payment Processing: to collect payments from Passengers and transfer funds to Drivers through Stripe.
Safety & Trust: to provide GPS tracking, enable gender-based ride filters, and support optional ID verification.
Communications: to send transactional emails, notifications, and updates regarding your account and bookings.
Community Features: to enable ratings, reviews, reporting, and other trust-building mechanisms.
Fraud Prevention & Security: to detect and prevent fraudulent activities, abuse, or breaches of our Terms and Conditions.
Marketing & Promotions: if you have opted in, to send you promotional offers, newsletters, or updates about the Platform.
7. Legal Bases for Processing
Under UK GDPR, we rely on the following legal bases to process your personal data:
Contract: processing necessary to perform the contract with you (e.g., processing bookings, facilitating payments, providing access to the Platform).
Consent: processing based on your consent, such as for optional ID verification, location tracking, and marketing communications. You may withdraw consent at any time.
Legitimate Interests: processing necessary for our legitimate interests, such as ensuring the safety and integrity of the Platform, preventing fraud, and improving our services.
Legal Obligations: processing necessary to comply with legal requirements, such as tax reporting, regulatory compliance, and responding to lawful requests by authorities.
8. Payment Processing via Stripe
8.1 All payments on the Platform are processed securely through Stripe, an independent payment service provider.
8.2 When you provide payment details (such as debit/credit card information), this data is transmitted directly to Stripe. Drop-in does not collect or store full payment card details on its own systems.
8.3 Stripe acts as a separate data controller for payment data. Users should review Stripe's privacy policy for further details on how payment data is processed.
8.4 Drop-in retains only transaction records necessary for accounting, dispute resolution, and compliance with applicable laws.
9. Location Data
9.1 The Platform collects and processes real-time GPS location data to:
- Facilitate ride matching and routing.
- Provide real-time tracking during journeys.
- Support safety features and surf spot recommendations.
9.2 Location data is collected only while the Platform is active or running in the background, depending on device permissions.
9.3 Users may disable location services in their device settings, but this may impair or disable certain features of the Platform.
10. Identity Verification Data
10.1 Users may choose to undergo optional enhanced verification through Stripe Identity, which may involve submission of government-issued identification and a selfie photograph.
10.2 This verification is intended to build trust between Users but does not constitute a guarantee of identity, safety, or reliability.
10.3 Verification data is collected and processed by Stripe, acting as a data processor. Drop-in does not permanently store copies of identity documents unless required by law.
11. Communications & Messaging
11.1 The Platform facilitates direct messaging between Users for the purpose of arranging and managing Rides.
11.2 Messages are stored securely on Drop-in's systems. They may be monitored or reviewed where necessary to investigate reports of abuse, fraud, or breaches of these Terms.
11.3 Users must not use the messaging system for unsolicited marketing, harassment, or illegal activities.
12. Marketing & Opt-Outs
12.1 With your consent, Drop-in may send you marketing communications, including newsletters, promotions, and updates about new features.
12.2 You may withdraw consent and opt out of marketing at any time by following the unsubscribe link in our emails or by adjusting settings within the Platform.
12.3 Even if you opt out of marketing, we may still send you service-related communications (e.g., booking confirmations, safety alerts, changes to our Terms).
13. Cookies & Tracking Technologies
13.1 Our website and mobile application use cookies and similar technologies to:
- Ensure core functionality of the Platform.
- Improve user experience.
- Analyse usage patterns (e.g., via Firebase Analytics).
13.2 Cookies fall into the following categories:
- Strictly Necessary Cookies – required for basic functions of the Platform.
- Functional Cookies – enhance performance and customisation.
- Analytics Cookies – help us understand usage and improve features.
13.3 You may manage cookie preferences through your browser or device settings. For full details, please refer to our Cookie Policy.
14. Sharing of Data with Third Parties
14.1 We share personal data only when necessary to provide our services. Third-party integrations include:
- Stripe – payment processing and ID verification.
- Firebase – authentication, push notifications, and database services.
- Google Maps – geolocation, routing, surf spot data.
- SendGrid – email delivery.
14.2 These third parties act as processors or independent controllers. They are contractually bound to process data in compliance with applicable data protection laws.
14.3 Drop-in does not sell, rent, or trade personal data to advertisers or unrelated third parties.
15. International Data Transfers
15.1 Some of our third-party service providers process personal data outside the UK and EEA, for example in the United States.
15.2 Where such transfers occur, we ensure that appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office, or reliance on adequacy decisions where available.
15.3 By using the Platform, you acknowledge that your personal data may be transferred internationally in accordance with these safeguards.
16. Data Retention
16.1 We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, unless a longer retention period is required by law.
16.2 General retention rules include:
- Account data: retained for the life of your account, deleted upon closure (subject to 16.3).
- Transaction records: retained for a minimum of six (6) years in compliance with UK tax laws.
- Identity verification data: retained only as long as required for verification or legal compliance.
- Communications data: retained as necessary for dispute resolution and fraud prevention.
16.3 We may retain limited data after account closure where required by law or for legitimate business purposes (e.g., fraud prevention).
17. User Rights Under UK GDPR
Under the UK GDPR, you have the following rights in relation to your personal data:
- Right of Access – to obtain a copy of the data we hold about you.
- Right to Rectification – to correct inaccurate or incomplete data.
- Right to Erasure – to request deletion of your data where it is no longer necessary.
- Right to Restrict Processing – to request suspension of data use in certain circumstances.
- Right to Data Portability – to receive a copy of your data in a structured, commonly used format.
- Right to Object – to object to processing carried out on the basis of legitimate interests.
- Rights related to Automated Decision-Making – to not be subject to decisions based solely on automated processing which have legal or significant effects.
18. Exercising Your Rights
18.1 To exercise any of your rights, please contact us at: hello@drop-in.surf.
18.2 We may request verification of your identity before responding to a request.
18.3 We aim to respond within one (1) month, as required under the UK GDPR. Where requests are complex, this may be extended by a further two (2) months, and you will be informed accordingly.
19. Security Measures
19.1 Drop-in employs appropriate technical and organisational measures to secure personal data, including:
- Encryption of data in transit and at rest.
- Secure authentication and access controls.
- Regular system monitoring and vulnerability testing.
19.2 Despite our efforts, no system is completely secure. Users acknowledge that transmission of data over the internet carries inherent risks outside Drop-in's control.
20. Children's Data
20.1 The Platform is not intended for individuals under the age of eighteen (18).
20.2 We do not knowingly collect or process personal data relating to children. If we become aware that data has been collected in error, it will be deleted promptly.
21. User-Generated Content
21.1 Ratings, reviews, feedback, and profile content submitted by Users may be visible to other Users.
21.2 Such content is treated as personal data and processed in accordance with this Privacy Policy.
21.3 Drop-in reserves the right to moderate, edit, or remove User-generated content that breaches our Terms & Conditions.
22. Profiling & Automated Decision-Making
22.1 The Platform uses algorithms to match Drivers with Passengers based on preferences, surf spots, and location data.
22.2 These processes do not constitute automated decision-making that produces legal or significant effects on Users. Human intervention is always available in case of disputes or issues.
23. Complaints & Regulatory Rights
23.1 If you have concerns about how your data is being handled, you may contact us at hello@drop-in.surf.
23.2 You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: www.ico.org.uk
Telephone: +44 (0)303 123 1113
24. Changes to This Privacy Policy
24.1 We may update this Privacy Policy from time to time to reflect changes in law, regulation, or business practice.
24.2 Where changes are material, we will notify you via the Platform or email.
24.3 Continued use of the Platform following changes constitutes acceptance of the updated Privacy Policy.
25. Contact Information
25.1 If you have questions or concerns about this Privacy Policy or our data processing practices, you may contact us at:
Drop-in Surf Ltd
71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
Email: hello@drop-in.surf