Privacy Policy
Effective Date: May 31, 2026
Cabai Ltd ("we," "our," or "us") is committed to protecting the privacy and personal data of our users, subscribing taxi operators ("Tenants"), their drivers, and passengers who use our dispatch technology. This Privacy Policy explains how personal data is collected, processed, shared, and protected in compliance with the UK General Data Protection Regulation (UK GDPR), the EU GDPR, and the UK Data Protection Act 2018.
1. Data Processor vs. Data Controller Roles
1.1 Cabai as Data Processor: For passenger booking details, driver location tracking coordinates, call recordings, VoIP transcriptions, and driver compliance documents uploaded by a taxi fleet, the subscribing Taxi Operator (Tenant) is the Data Controller. Cabai Ltd processes this personal data strictly as a **Data Processor** on behalf of and according to the instructions of the Tenant.
1.2 Cabai as Data Controller: Cabai Ltd acts as a **Data Controller** solely for personal data collected from direct representatives of the subscribing taxi fleets (e.g. system login credentials, payment details of the fleet, and support tickets) and from general visitors of the cabai.co.uk website.
2. Personal Data We Process
To facilitate fleet dispatching operations, we process the following categories of data:
- Passenger Information: Name, phone number, email address, pickup and drop-off coordinates, journey travel histories, and feedback/ratings.
- Driver Information: Name, phone number, email, vehicle details (registration plate, model, color), real-time GPS location coordinates (tracked while online or on duty), compliance documents (driving license, private hire vehicle license, insurance policy certificates, PCO badges), and performance stats.
- VoIP Call & AI Data: Audio call recordings from Yay.com/VoIP endpoints, text transcriptions, and summaries generated during dispatch interactions with Voice AI, WhatsApp chatbots, or WebChat interfaces.
- Billing & Payments: Transaction details, fare costs, payment status (paid, pending, cash, card), Stripe tokens, and terminal transaction receipts. Raw credit card numbers are never sent to or stored on Cabai servers.
3. Purposes and Lawful Bases of Processing
We process personal data under the following lawful bases:
- Performance of Contract: Processing is necessary to perform dispatch bookings, estimate fares, route drivers, and manage user accounts.
- Legitimate Interests: Running the platform, preventing double-bookings, verifying driver compliance limits, analyzing call center talk times, and monitoring operational wallboard statistics.
- Legal Obligation: Ensuring public safety by blocking non-compliant drivers (e.g. invalid license expiry limits) and retaining invoice records for tax compliance.
- Consent: When you voluntarily record support chat lines or enable location permissions on your mobile devices.
4. Subprocessors & Data Sharing
We share data with trusted third-party service providers (subprocessors) strictly as necessary to deliver our dispatch SaaS platform. The categories of subprocessors we utilize include:
| Subprocessor Category | Operational Purpose | Data Location |
|---|---|---|
| Cloud Infrastructure & Databases | Secure application hosting, file storage, PostgreSQL database engines, and real-time state synchronization. | United Kingdom / European Economic Area (EEA) |
| Telephony, SMS & Communications | Routing customer calls, dispatching automated SMS confirmation updates, and mailing receipts. | United Kingdom / Europe / Global (enforced via SCCs) |
| Automated Voice & NLP Processing | Powering interactive AI booking flows, telephone transcription, and customer support chatbot interfaces. | Global (enforced via SCCs) |
| PCI-DSS Payment Gateways | Securing pre-authorization transactions, credit card booking captures, and mobile contactless NFC payments. | United Kingdom / Europe / Global |
| Mapping & Route Estimations | Calculating address lookup coordinates, route distances, pricing quotes, and intelligent dispatcher ETA matrices. | Global |
5. Security & Data Retention
5.1 Security: All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Database tenants are logically separated using Row Level Security (RLS) to prevent unauthorized cross-tenant access.
5.2 Retention: Passenger coordinates, booking history, and billing records are kept for the duration of the Tenant's account lifecycle, or up to 7 years to meet statutory tax auditing obligations in the UK. Call recordings and transcription records are retained for 90 days unless customized otherwise by the Tenant's compliance policies.
6. Your Rights
Under the GDPR, you have the right to access, rectify, delete, restrict, or object to the processing of your data, as well as the right to data portability.
To exercise these rights, passengers and drivers should contact the respective taxi fleet operator (the Data Controller). If you have compliance concerns regarding Cabai Ltd directly, email us at help@cabai.co.uk.