Privacy Policy
Last updated: 4 May 2026
This privacy policy explains how Blue Earth Cycling collects and uses your personal data when you visit the site, make a booking, or get in touch.
1. Who we are
The data controller for the personal data described in this policy is Swift Carbon UK Limited, trading as Blue Earth Cycling. We are registered in England and Wales under company number 12729743 and VAT number 357927061. Our registered office is at The Pinnacle Building A, 150-170 Midsummer Boulevard, Milton Keynes, Buckinghamshire, MK9 1FD. For any privacy-related question, including requests about your data, write to us using the contact details at the end of this policy.
2. What personal data we collect
When you book or contact us, we collect:
- Identity and contact details — your name, email address, and mobile or WhatsApp number.
- Booking details — the bike you choose, size, dates, pickup location, language preference, and any notes you add.
- Payment status and amount. We never see or store your card number, CVC, or expiry — those are handled directly by our payment processor (see section 4).
- Documents the partner location uploads in connection with your booking — for example, an identity document scan at pickup or a signed waiver, where applicable.
- Records of communications with us through email, WhatsApp, or the on-site chat, and their content.
3. Why we collect it and the legal basis
We use your personal data for the following purposes:
- Performing the rental contract — taking and confirming your booking, processing payment, coordinating pickup and return, and handling refunds. Legal basis: performance of a contract.
- Meeting our legal obligations — keeping records of bookings and payments for tax, accounting, and consumer-rights purposes. Legal basis: legal obligation.
- Running the service responsibly — preventing fraud, detecting abuse, keeping a record of customer-partner communications, and securing the platform. Legal basis: legitimate interests, balanced against your rights.
- On-site chat assistant — when you use the chat widget on our site, your messages are processed to generate a reply. Legal basis: your consent, which you can withdraw at any time by closing the widget.
4. Who we share your data with
We share personal data only with service providers that help us run the platform, and only as much as they need to do their job:
- Stripe — payment processor. When you pay, Stripe handles your card details directly; we receive only the payment status and a reference. Stripe's privacy notice is at stripe.com/privacy.
- Resend — email delivery. Sends your booking confirmation and other transactional emails.
- Vercel — hosts the website infrastructure.
- Anthropic — provides the on-site chat assistant. When you use the chat, your messages are sent to Anthropic to generate a reply. Conversations are not used to train Anthropic's models under the commercial terms we operate on (anthropic.com/legal/commercial-terms).
- The partner location you book with — receives your booking and contact details so it can prepare the bike and reach you if needed.
We do not sell your personal data and we do not share it for advertising purposes.
5. International transfers
Some of the providers above are based outside the UK or the European Economic Area (notably the United States). Where personal data is transferred outside the UK, we rely on Standard Contractual Clauses or the equivalent UK-approved transfer mechanism to protect it.
6. How long we keep your data
We keep booking records, invoices, and related financial data for 6 years after the end of the relevant tax year, in line with UK Companies Act and HMRC requirements. This retention is required by law and overrides individual erasure requests for those records (UK GDPR Article 17(3)(b) and (e)).
When you ask us to delete your data, we anonymise your customer record. Your name is replaced with a generic placeholder, your email is replaced with a non-reversible address ending in @deleted.local, and your phone number, notes, communication subjects and contents, and document filenames are redacted. Your booking rows themselves are kept in this anonymised state so the financial record remains intact for the retention period.
If a partner location uploaded documents related to your booking — for example a scanned waiver — the database row that points to those files is redacted by the same process, but the underlying file in our storage may not be deleted automatically. To request deletion of the underlying files, email us using the address in section 11 and we will handle it directly.
7. Cookies and similar technologies
Today we use only strictly necessary or functional cookies and browser storage:
- A session cookie (NextAuth) — keeps you signed in to the partner panel, if you have an account.
- A language preference cookie (NEXT_LOCALE) — remembers whether you have chosen English or Portuguese, so the site stays in your chosen language across pages.
- A cookie banner record (be-cookie-consent), stored in your browser's localStorage — records that you have seen the cookie banner so we do not show it again.
We do not use third-party analytics, advertising, or tracking cookies. If that ever changes, we will update this policy and the cookie banner will ask for your consent before any non-essential script runs.
8. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you.
- Rectify information that is inaccurate or incomplete.
- Erase your data, subject to the legal retention obligations described in section 6.
- Restrict how we use your data while a complaint or correction is being resolved.
- Object to processing based on our legitimate interests.
- Receive a copy of the data you provided in a portable, machine-readable form.
To exercise any of these rights, contact us using the details in section 11. We respond within 30 days.
We do not make automated decisions that have legal or similarly significant effects on you.
If you are unhappy with how we handle your personal data, you can lodge a complaint with the UK Information Commissioner's Office at ico.org.uk.
9. How we protect your data
All traffic between your browser and our site is encrypted in transit (HTTPS). Personal data is stored in encrypted databases. Partner staff can only access data for the locations they are authorised for — access is enforced at the application level on every request.
10. Changes to this policy
We may update this policy as the service evolves. The version date at the top of this page reflects the most recent change. For substantive changes that affect your rights, we will let you know in advance — for example, by email if you have an active booking.
11. Contact
For any privacy question, including data-rights requests, write to us at: ricardonogare@swiftbicycles.uk
Or by post to Swift Carbon UK Limited, The Pinnacle Building A, 150-170 Midsummer Boulevard, Milton Keynes, Buckinghamshire, MK9 1FD.