Legal

Privacy notice.

Last updated 17 June 2026. Version 1.2.

Written in plain English. If anything here is unclear, WhatsApp me on 07927 302 987 and I will explain it in person.

1. Who I am

Whiterose Airport Transfers is operated by Towhid Ahmed, a sole trader and Leeds-licensed private hire driver. I am the data controller for the personal information you share when you book a journey or use this website.

You can reach me on WhatsApp or by phone on 07927 302 987, or through the form on the contact page. Leeds City Council holds my private hire operator licence and is the local authority responsible for my conduct.

For the purposes of UK GDPR and the Data Protection Act 2018, I am classed as a small private hire operator and have not been required to register with the Information Commissioner's Office. I will register if my circumstances change and the ICO requires it.

2. What information I collect

The information I hold falls into four small buckets.

When you book a journey

  • Your name
  • A contact number for the day of the journey
  • The pickup postcode, and address if you give it to me
  • The destination (airport, terminal, hospital, station, etc.)
  • The date and time of the journey
  • The number of passengers travelling and any luggage notes
  • Flight number, if you choose to give it so I can track delays
  • Any special requirements you tell me (baby seat, mobility, allergies, etc.)

This is the minimum information Leeds City Council requires me to record for every booking under operator licence Condition 15.

When you pay

  • The fare amount
  • The payment method (card, cash, or bank transfer)
  • A reference number from the card terminal if you pay by card

I do not see, store, or have access to your full card number. The terminal handles all card data and sends it directly to the payment processor.

When you message me on WhatsApp

  • The WhatsApp number you message from
  • Your display name and profile photo as visible to me in WhatsApp
  • The full content of our messages

When you visit this website

This site sets no cookies of its own, and I do not run Google Analytics, so I keep no record of how many people visit or what pages they read. The site does load the Google Ads tag so I can measure whether my ads lead to enquiries. By default that tag is held in a no-advertising state: advertising storage, advertising user data, and ad personalisation are set to denied, and analytics storage is denied too, so no advertising cookies or identifiers are set unless you accept advertising measurement in the banner. The hosting platform (Cloudflare Pages) may set a strictly-functional security cookie. See section 9 below and the cookies page for the full story.

3. Why I collect it

Every piece of information I keep has one of these purposes:

  • To deliver the service you booked. I need a pickup address and a time to drive to. I need a phone number to reach you if traffic moves the plan.
  • To send you a written quote. The fare I send back to you on WhatsApp is the price you pay. The message is the evidence of the agreement.
  • To meet my legal obligations. Leeds City Council require me to keep booking records under Condition 15. HMRC require me to keep accounting records for my self-assessment tax return.
  • To deal with a complaint or dispute. If something goes wrong, the message thread and booking record are how we sort it out.
  • To pay tax correctly. The fare and the date make up my income records.
  • To track your flight, if you give me the flight number. So I know whether your plane is on time.

4. Lawful basis under UK GDPR

I rely on the following lawful bases:

  • Performance of a contract. When you book a journey, you and I have a contract for me to drive you. I need the booking details to perform that contract.
  • Legal obligation. Holding booking records for 12 months is a condition of my operator licence. Holding accounting records for 6 years is required by HMRC.
  • Legitimate interests. Holding the message thread between us so we can both refer back to the agreed price and pickup details.

I do not rely on consent as my lawful basis for any of this, because consent would imply you could withdraw it and still expect me to drive you. If you do not want me to hold the booking details, I cannot accept the booking.

5. Who I share information with

I am a one-person operation. I do not run a customer database. I do not export your details to any marketing list or third-party service. The very short list of who might see your information:

HMRC

For my annual self-assessment, in aggregate. They see the income, not the individual passenger names.

Leeds City Council Licensing Authority

If they ask to inspect my booking records (which they can, under Condition 15), they may see the booking entries for the period requested.

Payment processor (Sumup or similar)

Card payments are processed by a regulated payment provider. They receive the card details directly from the terminal in the car. They do not receive your journey details.

My motor insurer

Only if an incident occurs that involves a claim. Insurers have a legal right to claim-relevant data.

A trusted replacement driver

If I am ill or the car is in for service and we have agreed I will arrange a like-for-like replacement, that driver will receive only the pickup, destination, time, and your contact number. They will be a Leeds-licensed driver I personally know. I will name them to you before they arrive.

Police or other lawful authority

If they ask for specific information in connection with an investigation, I will provide what I am legally required to provide and nothing more.

I do not sell, swap, or hand your information to anyone for marketing or advertising. I do not work with any data broker, lead generator, or affiliate.

6. Where information is stored

  • WhatsApp and SMS messages live on my phone. WhatsApp is end-to-end encrypted between us. WhatsApp's parent company, Meta, may process metadata about the message (sender, recipient, time) on servers in the United States and elsewhere under their own privacy policy.
  • The paper booking diary stays in the car and at my home address in Leeds.
  • Card terminal records are held by the payment processor under their own terms.
  • This website is served from Cloudflare's UK and EU edge network. The website does not store any personal information of its own.

I do not transfer your information outside the UK myself. The only international transfer that happens is the WhatsApp message metadata noted above, which is part of WhatsApp's own service.

7. How long I keep information

  • Booking records: 12 months from the date of the journey. This is the period required by Leeds City Council operator licence Condition 15. After 12 months I delete them.
  • Accounting records (income, fares, dates only, no personal details): 6 years, as required by HMRC for self-assessment.
  • WhatsApp messages: I clear out old conversations after 12 months unless the booking has ongoing relevance (recurring customer, open complaint, dispute).
  • Dashcam footage: overwrites itself on a loop every 24 to 72 hours. See section 8.

8. In-car dashcam

The car has a forward-facing dashcam that records video of the road and audio of conversation inside the vehicle. The camera is signposted on the dashboard. I use it for insurance and safety purposes only.

  • Footage overwrites itself on a continuous loop, typically every 24 to 72 hours.
  • I review footage only if there has been an incident (a collision, a complaint, or an alleged offence).
  • If there is no incident, the footage is overwritten without ever being viewed.
  • If you would prefer the in-cabin audio not be recorded for your journey, tell me before we set off. I can switch the in-cabin microphone off. The forward-facing video stays on for insurance reasons.

9. Cookies on this site

This site sets no cookies of its own. I do not run Google Analytics and there is no Facebook pixel. I do run Google Ads, so the site loads Google’s advertising tag (AW-18245558685) to measure whether my ads lead to enquiries.

The tag loads using consent mode. By default, advertising storage, advertising user data, and ad personalisation are all set to denied, and analytics storage is denied, so the tag does not set or read advertising cookies or similar identifiers. It may still send Google a basic signal that a page loaded, but without cookies or identifiers that single you out. If you accept advertising measurement in the small banner, the tag may then set or read Google advertising cookies or identifiers, so Google can match an enquiry to one of my ads. Declining changes nothing about how the site works for you.

It stores small first-party values in your browser’s local storage: a random booking reference, a marker for how you arrived, and your Google Ads measurement choice. The booking reference and source note are added to the WhatsApp message or email you choose to send, so I can tell which enquiries came from advertising. They hold no personal information and clear when you clear your browser data. See the cookies page for the full story.

The hosting platform (Cloudflare Pages) may set a strictly-functional security cookie (commonly named __cf_bm) to distinguish humans from bots. It carries no personal information and expires at the end of your browser session.

10. How I keep your information secure

  • The phone is protected by a biometric lock and a long PIN.
  • WhatsApp messages are end-to-end encrypted in transit.
  • The paper diary is kept in a locked compartment in the car or in my home.
  • I have an Enhanced DBS check, renewed within the last three years.
  • I have not had a data breach. If one occurred, I would notify affected customers and the ICO within 72 hours, as required by UK GDPR.

11. Marketing

I do not send marketing messages. I will not text you offers, newsletters, or promotions. If a returning customer messages me, my reply is a quote and nothing else.

If I ever introduce something like a once-a-year text reminder for regulars, it will be opt-in only and you will be able to reply STOP to remove yourself instantly.

12. Your rights under UK GDPR

You have the following rights over the information I hold about you.

  • Right of access: You can ask me to show you what I hold about you. I will reply within 30 days, free of charge.
  • Right to rectification: You can ask me to correct any wrong details (a postcode I noted down badly, a misspelled name).
  • Right to erasure: You can ask me to delete your information, subject to the limits below.
  • Right to restrict processing: You can ask me to stop using your information for any purpose other than what the law requires.
  • Right to data portability: You can ask me to give you your information in a portable format (a copy of your message history, for example).
  • Right to object: You can object to processing based on legitimate interests.
  • Right not to be subject to automated decision-making: No automated decisions are made about you on this site.

Limits on erasure: I cannot delete booking records inside the 12-month Condition 15 window, and I cannot delete accounting entries inside the 6-year HMRC window. Outside those windows, deletion is on request.

To exercise any of these rights, WhatsApp me on 07927 302 987. I will reply within 30 days.

13. Children

I do not knowingly collect personal information from under-13s through this site. Children travel as passengers all the time, of course (a hospital run, a family airport trip), but the booking is always made by a parent, guardian, or other adult. Their information is recorded under the adult's booking and treated under the same retention rules.

14. Changes to this notice

I will update this notice if the way I handle information changes (a new payment processor, a change in legal requirements, etc.). The "Last updated" date at the top of the page always reflects the current version.

For material changes (anything that affects what I collect or who I share it with), I will tell regular customers by WhatsApp and update the notice at least 14 days before the change takes effect.

15. Complaints

If you think I have mishandled your information, please message me first on WhatsApp. I will look into it and reply within 30 days.

If you are not happy with my response, you can complain to the UK regulator, the Information Commissioner's Office.

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Helpline: 0303 123 1113

ico.org.uk