Privacy Policy

Last updated: {{ DATE }} · Version {{ 1.0 }}

1. Who we are

Data controller

{{ Your registered company name, e.g. PeakPulse Ltd }}

Registered office

{{ Registered address }}

Companies House no.

{{ Company number }}

ICO registration

{{ ICO data protection register number }}

Privacy contact

{{ privacy@yourcompany.com }}

Data Protection Officer

{{ DPO name + email, or "DPO not appointed — see ICO guidance" }}

This Privacy Policy explains how we collect, use, and safeguard personal data when you use the PeakPulse fleet-management platform (the "Service"). It is written to satisfy our transparency obligations under the UK GDPR, the EU GDPR (where applicable), the Data Protection Act 2018, and PECR.

2. What personal data we collect

From you, when you sign up or use the Service

• Account data: name, work email address, hashed password, organisation name, role, country.
• Authentication data: sign-in attempts, IP address, user-agent string, multi-factor authentication secrets, registered passkeys, session tokens.
• Communications: alert emails sent to you, support enquiries.
• Billing data: organisation contact details, billing address, plan, invoice history. We do not store payment card details — payments are taken externally via {{ your payment processor }}.

From your fleet's vehicles and drivers

• Vehicle telematics: GPS positions, speed, heading, ignition state, odometer, recorded against the vehicle's IMEI.
• Driver assignment data: which driver was assigned to which vehicle and when.
• Driver behaviour metrics: harsh-braking events, speeding, idling, walkaround inspection results, driver hours.
• Documents you upload: MOT, insurance, V5C, walkaround photos, fuel receipts.

Data controller note: for vehicle/driver data, your organisation is the Data Controller and PeakPulse acts as Data Processor under a separate Data Processing Agreement (DPA). You are responsible for informing your drivers via your own privacy notice.

Automatically

• Diagnostic logs, error reports, and audit-log entries (login, password reset, plan changes, etc.).
• Cookies — see section 8 below.

3. How we use it (lawful bases)

We process personal data on the following UK GDPR Article 6 lawful bases:

• Performance of a contract (Art. 6(1)(b)) — providing the Service you've subscribed to: account creation, authentication, processing telematics, generating reports, sending you billing correspondence.
• Legal obligation (Art. 6(1)(c)) — keeping accounting records, responding to lawful requests from authorities, fraud prevention.
• Legitimate interests (Art. 6(1)(f)) — securing the Service against abuse (rate-limiting, account lockouts, audit logging), product improvement using aggregated/anonymised data, marketing to existing customers about closely-related services. You can object at any time; see section 7.
• Consent (Art. 6(1)(a)) — only where we explicitly ask for it, e.g. non-essential cookies (we currently use none), marketing emails to non-customers.

4. Who we share it with (sub-processors)

We share personal data only with the following categories of recipient:

• Cloud hosting: {{ AWS / Azure / Hetzner / your hosting provider }} — region: {{ UK / EU }}.
• Email delivery: {{ SendGrid / Postmark / SES / your SMTP provider }}.
• Payment processing (if applicable): {{ Stripe / GoCardless }}.
• Map tiles: CARTO / OpenStreetMap (Nominatim) — only the request URL is exposed; no account-level data is sent.
• DVLA for vehicle compliance lookups (if your plan includes it) — registration plate only.
• Anthropic for AI-generated reports (Enterprise Plus only) — anonymised report prompts, no driver names.
• Professional advisers, auditors, and authorities where legally required.

A current list of sub-processors is maintained at {{ /security/sub-processors }}. Each is bound by a Data Processing Agreement and undergoes due diligence before engagement.

5. International transfers

Where personal data leaves the United Kingdom or European Economic Area, transfers are protected using the UK International Data Transfer Agreement (IDTA), the EU Standard Contractual Clauses, or another approved safeguard. Details are available on request.

6. How long we keep it

• Account data: retained while your account is active and for {{ X months }} after closure, then deleted or fully anonymised.
• Telematics positions: retained for {{ 12 months / 2 years / per your DPA }}, then aggregated to journey-summary records and the raw points are deleted.
• Audit logs: retained for {{ 12 months }} for security and compliance purposes (NIS2 / Cyber Essentials).
• Invoices: retained for at least 6 years per HMRC requirements.
• Backups: retained for {{ 30 days }} in encrypted form.

7. Your rights

Under the UK GDPR you have the right to:

• Access a copy of personal data we hold about you (Art. 15).
• Have inaccurate data corrected (Art. 16).
• Have data erased where applicable (Art. 17).
• Restrict processing (Art. 18) and port your data (Art. 20).
• Object to processing based on legitimate interests (Art. 21).
• Withdraw consent at any time, where consent is the basis (Art. 7(3)).
• Not be subject to automated decision-making with legal effects (Art. 22) — we do not use automated decision-making in this sense.

To exercise any of these rights, email {{ privacy@yourcompany.com }}. We respond within one calendar month. If you're unhappy with our response, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.

8. Cookies

PeakPulse uses a single strictly-necessary session cookie (name pp_session; HttpOnly; Secure in production; SameSite=Strict). It exists solely to keep you signed in; without it, sign-in would not work. Under PECR this cookie is exempt from prior consent.

We do not currently use analytics, advertising, or tracking cookies. If we ever add them, we will ask for your explicit opt-in consent through a clearly-worded banner and update this policy.

Browser localStorage may also be used to remember preferences such as theme (light/dark), unit (km/miles), and "you've seen the cookie notice" — none of which is sent to our servers.

9. Security

We protect personal data using the controls expected of a UK SaaS provider, including:

• Encryption in transit (TLS 1.2+) and at rest for databases and backups.
• Argon2id password hashing, multi-factor authentication, and passkey (WebAuthn) support.
• Role-based access control with branch-level scoping for users.
• Audit logging of privileged actions and impersonation events.
• Regular dependency patching, vulnerability scanning, and access reviews.

10. Children

The Service is intended for use by businesses and is not directed at children under 13. We do not knowingly collect data from children. If you believe a child has signed up, contact us and we will delete the account.

11. Changes to this policy

We may update this Policy. Material changes will be communicated to account administrators by email at least 30 days before they take effect. The "Last updated" date at the top reflects the current version.

12. Contact

Questions or requests should go to {{ privacy@yourcompany.com }} or by post to the registered office above.