Legal

Privacy Policy

Last updated April 11, 2026

This Privacy Policy ("Policy") describes how Black Million ("we," "us," or "our") collects, uses, discloses, retains, and protects your personal information when you visit our website at blkmillions.com, create an account, book a ride, submit a contact form, or otherwise interact with our Service. We are committed to protecting your privacy and handling your data with transparency and care. By using the Service, you consent to the data practices described in this Policy.

1. Information We Collect

We collect several categories of personal information depending on how you interact with the Service:

Account Information

When you create an account, we collect your full name, email address, and authentication credentials. If you sign in using Google Sign-In, we receive your name, email address, and profile photograph from Google's OAuth 2.0 authentication service. We store a unique user identifier (UID) assigned by Firebase Authentication to manage your session and link your bookings to your account.

Booking and Ride Information

When you place a booking, we collect: your pickup address, destination address, preferred arrival date and time, phone number (including country code), full name, and email address. We also generate and store the calculated route distance (in miles), estimated drive time (in minutes), and the quoted price for your ride. Each booking is assigned a unique booking reference identifier.

Payment Information

All payment transactions are processed by Stripe, Inc., a PCI DSS Level 1 certified payment processor. When you make a payment, your credit card number, debit card number, CVV, and billing address are transmitted directly to Stripe's servers and are never sent to, received by, processed by, or stored on Black Million' servers or databases. After a successful transaction, Stripe returns to us only: the card brand (e.g., Visa, Mastercard, American Express), the last four digits of the card number, the payment intent identifier, and the transaction status. This limited information is stored solely for the purpose of generating your booking receipt and for our accounting and dispute resolution records.

Location Data

We collect the pickup and destination addresses you provide in the booking form. These addresses are processed through the Google Maps Places API for address validation and autocomplete, and through the Google Maps Routes API to calculate driving distance, travel time, and pricing. We store the resolved addresses and their associated Google Place IDs. We do not access, track, or collect your real-time GPS location, device location services, or background location data at any time.

Communications

If you contact us through the website's contact form, we collect your name, email address, and the content of your message. Contact form submissions are processed securely through our self-hosted email system.

Verification and Security Data

We use Cloudflare Turnstile on our booking and contact forms to prevent automated bot submissions and abuse. Turnstile analyzes browser-level signals to determine whether a visitor is human. This process does not use traditional CAPTCHA challenges, does not track users across websites, and does not use cookies for advertising purposes. Turnstile may collect technical data such as browser type, screen resolution, and interaction patterns solely for the purpose of bot detection.

Technical and Usage Data

When you visit the Service, our hosting provider (Vercel, Inc.) may automatically collect standard server log information, including: your IP address, browser type and version, operating system, referring URL, pages and resources accessed, timestamps of requests, and HTTP status codes. This data is collected for security monitoring, error diagnosis, performance optimization, and abuse prevention. Vercel may also collect minimal performance analytics data through its Speed Insights feature.

2. How We Use Your Information

We use the personal information we collect for the following specific purposes:

  • Account management: To create, authenticate, and manage your user account; to verify your identity; to enable password resets and email verification; and to protect your account from unauthorized access.
  • Booking fulfillment: To receive and process your ride request; to calculate your route, distance, and price; to generate a booking confirmation and reference number; to assign a chauffeur; and to coordinate your pickup and drop-off.
  • Payment processing: To authorize, capture, and settle payment for your booking through Stripe; to generate a receipt with payment details; and to process refunds when applicable.
  • Transactional communication: To send you booking confirmations, account verification emails, password reset links, and other service-related notifications directly tied to actions you have taken on the Service.
  • Customer support: To receive, review, and respond to inquiries you submit through the contact form or by email.
  • Security and fraud prevention: To detect, investigate, and prevent fraudulent transactions, unauthorized access, spam, automated abuse, and other illegal or harmful activity on the Service.
  • Service improvement: To monitor the performance, reliability, and usability of the Service; to identify technical issues and bugs; and to inform improvements to the booking, payment, and account management experience.
  • Legal compliance: To comply with applicable laws, regulations, legal processes, governmental requests, tax reporting requirements, and law enforcement inquiries.

We do not use your personal information for advertising, marketing, profiling, automated decision-making, or any purpose not described in this Policy.

3. Third-Party Services

We rely on the following third-party service providers to operate the Service. Each provider has its own privacy policy governing its handling of data, and we encourage you to review them:

  • Firebase (Google Cloud): We use Firebase Authentication for user account creation, sign-in, email verification, and session management. We use Cloud Firestore (Firebase's NoSQL database) to store booking records, user profile information, and operational data. Firebase is operated by Google LLC and is subject to Google's Privacy Policy and data processing terms.
  • Stripe, Inc.: We use Stripe for all payment processing. Stripe is PCI DSS Level 1 certified, the highest level of compliance in the payment card industry. Your card data is transmitted directly to Stripe via their client-side SDK and never passes through our servers. See Stripe's Privacy Policy.
  • Google Maps Platform: We use the Google Maps Places API (New) for address autocomplete and place resolution, and the Google Maps Routes API for driving route calculation, distance measurement, and travel time estimation. Address data you enter in the booking form is transmitted to Google's servers for processing. See Google's Privacy Policy.
  • Cloudflare, Inc.: We use Cloudflare Turnstile for bot prevention on forms, and Cloudflare DNS for domain resolution and DDoS protection. See Cloudflare's Privacy Policy.
  • Vercel, Inc.: Our website is hosted on Vercel's serverless platform. Vercel processes all incoming HTTP requests and may collect server-side logs including IP addresses for security and performance monitoring. See Vercel's Privacy Policy.
  • Resend, Inc.: We use Resend to deliver transactional emails including booking confirmations, refund notifications, and account verification messages. See Resend's Privacy Policy.

4. Information Sharing and Disclosure

We do not sell, rent, lease, or trade your personal information to any third party for any purpose. We do not share your data with third-party advertisers, data brokers, or marketing companies.

We may disclose your personal information only in the following limited circumstances:

  • Service providers: We share data with the third-party service providers identified in Section 3 above, strictly to the extent necessary for them to perform their services on our behalf (e.g., processing payments, hosting the website, delivering contact form submissions).
  • Legal requirements: We may disclose your information if required to do so by law, regulation, subpoena, court order, or other legal process, or if we reasonably believe that disclosure is necessary to comply with a legal obligation.
  • Safety and protection: We may disclose information when we believe in good faith that it is necessary to protect the rights, property, or personal safety of Black Million, our users, our chauffeurs, or the public.
  • Business transfers: In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your personal information may be transferred as part of that transaction. We will notify you via email or a prominent notice on the Service before your information becomes subject to a different privacy policy.

5. Cookies and Tracking Technologies

Black Million uses minimal cookies and browser storage. We do not use advertising cookies, retargeting pixels, social media tracking widgets, or cross-site tracking technologies of any kind.

  • Authentication session: Firebase Authentication uses browser localStorage to maintain your signed-in session across page loads and browser tabs. This is essential for the Service to function and cannot be disabled without losing account functionality.
  • Bot prevention: Cloudflare Turnstile may set first-party cookies or use browser storage as part of its human verification process. These are strictly functional and are not used for tracking.
  • Performance monitoring: Vercel Speed Insights may collect anonymous performance metrics (page load times, resource timing) to help us monitor site performance. This does not involve tracking individual users.

We do not use Google Analytics, Facebook Pixel, LinkedIn Insight Tag, or any other third-party analytics or advertising tracking services on this website.

6. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by law:

  • Booking records: Booking details (route, date, price, payment reference, customer information) are retained for up to seven (7) years following the booking date, as required for accounting, tax reporting, insurance, and dispute resolution purposes.
  • Account data: Your account information (name, email, UID) is retained for as long as your account remains active. If you delete your account, your profile data will be removed. Associated booking records may be retained separately as described above.
  • Payment records: Transaction records processed through Stripe are retained by Stripe in accordance with their own data retention policies and applicable financial regulations. Our records of card brand and last four digits are retained alongside the associated booking record.
  • Server logs: Technical server logs collected by Vercel are typically retained for 30 to 90 days and are automatically purged thereafter.
  • Contact form submissions: Messages submitted through the contact form are retained for as long as necessary to respond to and resolve your inquiry, after which they may be archived or deleted.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, destruction, and loss. These measures include:

  • All data transmitted between your browser and our servers is encrypted in transit using HTTPS (TLS 1.2 or higher).
  • User authentication is managed by Firebase Authentication, which provides secure, token-based session management with automatic token refresh and expiration.
  • All payment data is processed by Stripe, which maintains PCI DSS Level 1 certification and never exposes raw card data to our systems.
  • Form submissions are protected against automated abuse by Cloudflare Turnstile.
  • Our website is served through Vercel's global edge network with Cloudflare DNS, providing DDoS protection, rate limiting, and edge-level security.
  • Server-side API endpoints implement rate limiting, input validation, authentication verification, and authorization checks.

Despite these measures, no method of electronic transmission or digital storage is 100% secure. While we strive to use commercially reasonable means to protect your personal information, we cannot guarantee its absolute security against all potential threats.

8. Your Rights Under California Law (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA"), grants you specific rights regarding your personal information. These rights include:

  • Right to know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business purposes for collecting it, and the categories of third parties with whom we share it.
  • Right to delete: You have the right to request that we delete any personal information we have collected from you, subject to certain legal exceptions (e.g., completing a transaction, detecting security incidents, complying with legal obligations).
  • Right to correct: You have the right to request that we correct any inaccurate personal information we maintain about you.
  • Right to opt out of sale: You have the right to opt out of the "sale" or "sharing" of your personal information. Black Million does not sell or share your personal information as defined under the CCPA.
  • Right to non-discrimination: We will not discriminate against you for exercising any of your CCPA rights. We will not deny you goods or services, charge different prices, provide a different quality of service, or suggest that you will receive different treatment for exercising your rights.

To exercise any of these rights, please submit a verifiable consumer request to us at [email protected]. We will verify your identity before processing your request and will respond within forty-five (45) days of receiving your request, as required by law. You may also designate an authorized agent to make a request on your behalf.

In the preceding twelve (12) months, we have collected the following categories of personal information as defined by the CCPA: identifiers (name, email, phone, IP address), commercial information (booking history, transaction records), internet activity (pages visited, browser type), and geolocation data (pickup and destination addresses).

9. Your General Rights and Choices

Regardless of your location, you have the following options for managing your personal information:

  • Access: You can view your booking history, account details, and payment references through the My Bookings section of the website when signed in to your account.
  • Profile updates: You can update your display name through Account Settings. To update your email address, use the Change Email feature in Account Settings, which requires email re-verification.
  • Account deletion: You can permanently delete your account through the Account Settings page. This will remove your profile information. Booking records may be retained separately as described in Section 6.
  • Booking receipts: You can delete individual booking receipts from your My Bookings dashboard.
  • Sign out: You can sign out at any time to end your authenticated session.
  • Data requests: For any other data access, correction, or deletion requests, contact us at [email protected].

10. Children's Privacy

The Service is not directed to, and is not intended for use by, children under the age of eighteen (18). We do not knowingly collect, solicit, or maintain personal information from anyone under 18. If we learn that we have inadvertently collected personal information from a child under 18, we will take prompt steps to delete that information from our records. If you are a parent or guardian and believe that your child has provided personal information to us without your consent, please contact us immediately at [email protected].

11. International Users

Black Million is based in the United States and our Service is primarily offered within Southern California. If you access the Service from outside the United States, please be aware that your personal information will be transferred to, processed, and stored in the United States, where data protection laws may be different from those of your country or jurisdiction. By using the Service, you consent to the transfer of your information to the United States as described in this Policy.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. When we make changes, we will revise the "Last updated" date at the top of this page. For material changes that significantly affect how we handle your personal information, we may also provide additional notice through email or a prominent banner on the Service. Your continued use of the Service following the posting of changes constitutes your acceptance of the revised Policy. We encourage you to review this page periodically.

13. Contact Us

If you have any questions, concerns, complaints, or requests regarding this Privacy Policy, our data practices, or the exercise of your rights, please contact us at:

Black Million
Email: [email protected]
Website: blkmillions.com

We will make every reasonable effort to address your inquiry promptly and thoroughly.