Your privacy matters

BootHop Ltd ("BootHop", "we", "us") is a company registered in the United Kingdom. We operate the peer-to-peer delivery platform available at boothop.com and its associated applications.

BootHop acts as the data controller for the personal information you provide when using our platform.

If you have questions about how we handle your data, please contact us at privacy@boothop.com.

We collect the following categories of personal data:

• Identity data: full name, date of birth, government ID (for KYC verification)
• Contact data: email address
• Transaction data: delivery listings, matched trips, payment records
• Profile data: ratings, reviews, delivery history
• Technical data: IP address, browser type, device identifiers, usage logs
• Communications: messages sent through the BootHop platform
• Location data: cities you travel to and from (not real-time GPS)

We do not collect sensitive personal data (such as health, religion, or political views) unless legally required.

We use your personal data to:

• Create and manage your BootHop account
• Match you with compatible Booters or Hoopers
• Process payments and manage escrow
• Verify your identity through KYC checks
• Send transactional emails (match notifications, payment receipts, OTP codes)
• Investigate complaints, disputes, or safety incidents
• Improve our platform through analytics and usage data
• Comply with legal obligations, including fraud prevention and customs reporting

We will never sell your personal data to third parties for marketing purposes.

We process your data under the following legal bases (UK GDPR Article 6):

• Contract performance: to provide our platform services to you
• Legal obligation: identity verification, fraud prevention, compliance with UK and international law
• Legitimate interests: platform safety, dispute resolution, analytics to improve our service
• Consent: for any marketing communications (you may withdraw consent at any time)

We may share your data with the following categories of third parties, strictly as necessary:

• Stripe Inc. — payment processing and escrow management
• Supabase — secure cloud database and authentication infrastructure
• Resend — transactional email delivery
• Identity verification providers — for KYC/AML compliance
• Law enforcement or regulatory authorities — when legally required
• Other platform users — limited profile information is visible to your matched counterpart (name, ratings)

All third-party processors are bound by data processing agreements and must comply with applicable data protection law.

Some of our service providers are based outside the UK or EEA. Where your data is transferred internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the UK ICO or equivalent mechanisms.

For example, Stripe and Supabase are US-based services. Data transfers to the US are covered by their respective Data Processing Agreements incorporating SCCs.

We retain personal data only for as long as necessary:

• Account data: retained for the lifetime of your account plus 6 years after closure (for legal and financial record-keeping)
• Transaction records: 7 years (UK financial regulation requirements)
• KYC documents: 5 years after last transaction (AML regulations)
• Messages: 2 years from the date of the match
• Technical / server logs: 90 days

You may request deletion of your data at any time (subject to legal retention obligations).

Under UK GDPR, you have the following rights:

• Right to access: request a copy of the personal data we hold about you
• Right to rectification: ask us to correct inaccurate or incomplete data
• Right to erasure: request deletion of your data (subject to legal retention obligations)
• Right to restriction: ask us to limit how we process your data
• Right to data portability: receive your data in a structured, machine-readable format
• Right to object: object to processing based on legitimate interests
• Right to withdraw consent: for any processing based on your consent

To exercise any of these rights, email privacy@boothop.com. We will respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

BootHop uses essential cookies required for the platform to function (session management, authentication). We do not use advertising or tracking cookies.

• Session cookies: maintain your login state (deleted when you close your browser)
• Preference cookies: remember your settings (30-day expiry)
• Analytics cookies: anonymous, aggregated usage data to improve the platform (opt-out available)

You can control cookie preferences through your browser settings. Note that disabling essential cookies may prevent you from using the platform.

We take the security of your personal data seriously. Our security measures include:

• All data transmitted over TLS/HTTPS encryption
• Database encryption at rest
• Row-level security (RLS) policies ensuring users can only access their own data
• Magic link / OTP authentication — no passwords stored
• Payment card data handled exclusively by Stripe (we never see or store raw card numbers)
• Regular security reviews and penetration testing

In the event of a data breach affecting your rights, we will notify you and the ICO within 72 hours as required by law.

For all privacy-related enquiries, please contact:

We aim to respond to all privacy enquiries within 30 days. For urgent data protection concerns, mark your email with "URGENT – Data Protection".