1. Overview
RDTech Services Ltd takes data protection seriously. CoachHub is designed and operated in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This statement explains our commitments under data protection law — both as a data controller (for our own use of personal data) and as a data processor (when processing personal data on behalf of our customers).
- We are established in the UK
- We process the personal data of individuals in the UK
- We are registered with the Information Commissioner's Office (ICO)
2. Data controller
RDTech Services Ltd acts as a data controller for:
- Account holder and user data (names, email addresses, roles)
- Platform usage and security logs
- Data processed for our own legitimate business purposes (e.g. billing records)
3. Data processor
When CoachHub customers use the platform to store and process data about their employees, drivers, customers and passengers, RDTech Services Ltd acts as a data processor on behalf of the customer (who is the data controller).
As a data processor, we:
- Process personal data only on documented instructions from the customer
- Ensure all persons authorised to process the data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures
- Do not engage sub-processors without the customer's prior written consent (or as set out in our sub-processor list below)
- Assist customers in meeting their own GDPR obligations, including in relation to data subject rights requests
- Delete or return all personal data at the end of the service relationship
- Provide customers with all information necessary to demonstrate compliance with GDPR Article 28
A Data Processing Agreement (DPA) is available on request. Please email privacy@rdtechservices.co.uk.
4. Our data protection principles
In everything we do with personal data, we apply the seven principles of UK GDPR:
- Lawfulness, fairness and transparency — we always have a lawful basis for processing and are open about how we use data
- Purpose limitation — data is collected for specified, explicit and legitimate purposes and not further processed in incompatible ways
- Data minimisation — we collect only the data that is necessary for the stated purpose
- Accuracy — we take reasonable steps to keep data accurate and up to date
- Storage limitation — data is kept only as long as necessary for the purpose for which it was collected
- Integrity and confidentiality — data is processed securely to protect against unauthorised access, loss or destruction
- Accountability — we take responsibility for demonstrating compliance with these principles
5. Lawful basis for processing
The following table sets out the lawful basis we rely on for each category of processing:
| Processing activity | Lawful basis |
|---|---|
| User authentication and account management | Contract performance |
| Storing booking, job and route data | Contract performance |
| Driver compliance record keeping | Contract performance / Legal obligation |
| Vehicle inspection and fault records | Contract performance / Legal obligation |
| Invoice and quote generation | Contract performance |
| Security logging and fraud prevention | Legitimate interests |
| Platform improvement (aggregated analytics) | Legitimate interests |
| Legal and regulatory compliance | Legal obligation |
6. Categories of data subjects
CoachHub processes personal data relating to the following categories of individuals:
- Platform users — managers, operations staff, accounts staff and drivers employed by our customers
- Drivers — whose compliance documents (licence, CPC, DBS etc.) are tracked in the platform
- Customers — individuals or organisations that book coach hire services from our customers
- Passengers — individuals whose names and contact details are added to booking manifests
Our customers (the coach hire operators) are responsible as data controllers for informing their own employees, customers and passengers about how their data is processed. We recommend including a reference to CoachHub data processing in your own privacy notice.
7. Individual rights
Under UK GDPR, individuals whose data is processed have the following rights. Where RDTech Services Ltd is the data controller, we will handle these requests directly. Where we are a data processor, we will assist the relevant customer (data controller) in responding.
| Right | How to exercise it | Timescale |
|---|---|---|
| Access — obtain a copy of your personal data | Email privacy@rdtechservices.co.uk | Within 30 days |
| Rectification — correct inaccurate data | Email or update via the platform | Within 30 days |
| Erasure — request deletion of your data | Email privacy@rdtechservices.co.uk | Within 30 days |
| Restriction — limit how we process your data | Email privacy@rdtechservices.co.uk | Within 30 days |
| Portability — receive your data in a machine-readable format | Email privacy@rdtechservices.co.uk | Within 30 days |
| Object — object to processing based on legitimate interests | Email privacy@rdtechservices.co.uk | Within 30 days |
You also have the right to complain to the Information Commissioner's Office (ICO):
8. International data transfers
All personal data processed by CoachHub is stored on servers located in the United Kingdom. We do not transfer personal data outside the UK except in the following circumstances:
- PayPal — if your customers click a PayPal payment link on an invoice, they interact directly with PayPal Inc. (US). This transfer is governed by PayPal's own privacy policy and standard contractual clauses. CoachHub does not transmit personal data to PayPal — it is the customer's action that initiates this interaction.
- Email — if you share invoice PDFs or documents via email, your email provider's terms apply to that transfer.
We will always ensure any international transfer is subject to appropriate safeguards in accordance with UK GDPR Chapter V before it takes place.
9. Sub-processors
We use the following third-party sub-processors to deliver the CoachHub service:
| Sub-processor | Purpose | Location |
|---|---|---|
| UK Web Hosting Provider | Server infrastructure and data storage | United Kingdom |
| Google Maps Platform | Address autocomplete on booking forms (no personal data transmitted) | USA (SCCs in place) |
| jQuery CDN (CDNJS / jQuery.com) | JavaScript library delivery (no personal data transmitted) | USA (SCCs in place) |
We will update this list if we engage new sub-processors and will notify affected customers in advance.
10. Data breach notification
In the event of a personal data breach, RDTech Services Ltd will:
- Assess the breach immediately upon discovery
- Where required, notify the ICO within 72 hours of becoming aware of the breach
- Notify affected individuals "without undue delay" where the breach is likely to result in a high risk to their rights and freedoms
- Notify affected customers (data controllers) without undue delay so that they can meet their own notification obligations
- Document all breaches, including those that do not require notification
To report a suspected breach or security concern, contact us immediately at privacy@rdtechservices.co.uk.
11. Data protection contact
We have designated a data protection contact point for all privacy and GDPR-related enquiries. While we are not currently required to appoint a formal Data Protection Officer (DPO), we take data protection governance seriously.
Email: privacy@rdtechservices.co.uk
Website: rdtechservices.co.uk
For subject access requests, erasure requests or any UK GDPR enquiry, please use the email above with the subject line "Data Protection Request". We will acknowledge your request within 3 working days and respond in full within 30 calendar days.