Privacy Policy

Last updated: July 2026

1. Who we are

RouteRelay is a UK vehicle logistics platform that connects motor trade dealers with approved drivers and transport companies. The platform is operated by RouteRelay Ltd, a company registered in England and Wales (Companies House number: pending — to be updated on confirmation).

RouteRelay Ltd is the data controller for personal data processed through the platform. References to "RouteRelay", "we", "us", or "our" in this policy refer to RouteRelay Ltd as the operator of routerelay.co.uk.

Data controller contact: support@routerelay.co.uk

RouteRelay is registered with the Information Commissioner's Office as a data controller. Our registration number is ZC185771.

2. What data we collect

Account details (all users)

  • Full name, email address, phone number
  • Account role (dealer, driver, fleet/transport company)
  • Account creation date and login history

Company and dealer details

  • Company legal name, Companies House number, registered address
  • VAT number (where provided), payment terms preference
  • Account verification and approval status
  • Invite reference used at signup

Driver and transporter verification documents

Stored in a private, access-controlled storage bucket. Drivers can only access their own folder. Admins can access all folders for verification purposes.

  • Driving licence (front and back)
  • Proof of address
  • Driver photo — used for manual identity verification against the driving licence. Not processed by any automated facial recognition or biometric software.
  • Trade plate certificate, trade plate number, expiry date
  • Recovery vehicle document, transporter document

Insurance documents

  • HGV / transporter insurance document, policy number, insurer, expiry date
  • Trade plate insurance document, policy number, insurer, expiry date

Vehicle and job details

  • Vehicle registration, make, model, fuel type, colour
  • Full collection and delivery addresses including postcode
  • Job type (trade plate, recovery, transporter), status, and full status history
  • Collection window (date and time slot), special instructions, job notes
  • Auction collection reference and site details where applicable

Proof photos

  • Pre-collection and post-delivery vehicle condition photos
  • Upload timestamp and uploader identity for each photo

Proof photos are stored in a private, access-controlled bucket. Only the assigned driver, the job's dealer, and RouteRelay admin can access photos for a given job.

Location data

When a driver records key job status events (such as on route to collection, arrived at collection, vehicle collected, in transit, arrived at delivery, and delivered), RouteRelay may capture a single location fix from the driver's browser at that moment. This is not continuous tracking — we do not record movement between events, build route replays, or track the driver outside of job actions.

What is captured: latitude and longitude, accuracy radius in metres, the time of the fix, and which job status it relates to.

Location permission is optional. If the driver declines or the fix is unavailable, the status update proceeds normally without GPS data.

Driver bank account (payout) details

  • Account holder name, UK sort code, UK account number, bank name
  • Verification status

Bank details are encrypted at rest and used solely to process driver payouts. Full sort code and account number are never returned to the driver's screen after entry. Access to unmasked bank details is restricted to authorised admin and finance users, and every access is audit-logged. Bank details are never accessible to dealers.

DVLA and DVSA data

  • Vehicle data from the DVLA VES API (make, model, colour, fuel type, tax and MOT status)
  • MOT history, advisories, and defects from the DVSA MOT History API

Signup and security metadata

  • At signup/application we process technical metadata — IP address, approximate country (derived from your IP), browser user-agent and referrer, and the email domain — to prevent fraudulent or abusive signups and to confirm eligibility for our UK service.
  • We keep the raw IP address only for a limited period; a one-way hashed form may be kept longer solely to detect repeat abuse, without retaining the raw address.
  • This signup security data is visible only to authorised RouteRelay administrators and is not used for advertising or profiling. We do not collect more than we need for these purposes.
  • If an application is declined or held for review on these grounds, you can contact RouteRelay to ask about the decision.

Platform events and audit data

  • Every job status change with timestamp, actor, and optional note
  • Failed collection reasons and timestamps
  • Payment and payout release events
  • Admin actions on jobs and accounts (immutable audit log)

3. Why we collect it — purposes and legal bases

Under UK GDPR Article 6, we rely on the following lawful bases for processing your personal data:

PurposeLegal basis
Creating and managing your accountContract (Article 6(1)(b)) — necessary to provide the service
Matching and managing vehicle transport jobsContract (Article 6(1)(b))
Verifying drivers hold valid licences and insuranceLegitimate interests (Article 6(1)(f)) — ensuring safety and regulatory compliance
Processing driver payouts after confirmed job completionContract (Article 6(1)(b))
Maintaining a job status audit trail for dispute resolutionLegitimate interests (Article 6(1)(f)) — fraud prevention and dispute resolution
Location capture at status events (presence verification)Legitimate interests (Article 6(1)(f)) — verifying presence at collection/delivery; fraud prevention
Detecting and acting on suspicious or fraudulent activityLegitimate interests (Article 6(1)(f)) — protecting the platform and its participants
Signup fraud prevention and UK service-eligibility checks (IP, country, metadata)Legitimate interests (Article 6(1)(f)) — preventing abuse and confirming eligibility (subject to legal review)
Complying with UK tax, VAT, and data protection lawLegal obligation (Article 6(1)(c))
Improving the platform based on how participants use itLegitimate interests (Article 6(1)(f)) — developing a better service

Where we rely on legitimate interests, we have assessed that our interests are not overridden by your interests or fundamental rights. We do not sell your data or share it with third parties for marketing purposes.

4. Who can see your data

Dealers

Dealers can see their own company data, their own jobs, and the name and phone number of the driver assigned to their job (phone number visible after dealer account is verified). Dealers can see proof photos and the activity timeline for their own jobs. On the timeline, dealers may see a "Location captured" indicator for events where the driver shared their location — they do not see GPS coordinates.

Dealers never see: driver payout amounts, platform margin, driver bank details, GPS coordinates, or any other dealer's data.

Drivers and transport companies

Drivers can see their own profile, documents, and bank details (masked — no full sort code or account number is ever shown after entry). They can see jobs available to them and details of jobs they have accepted. They can upload documents and proof photos for their own jobs.

Drivers never see: other drivers' profiles or documents, dealer payout breakdowns, or any other driver's bank details.

RouteRelay admin

Admin users have access to data required to manage the platform, verify users, and resolve disputes. Access to sensitive data (bank details, GPS coordinates) is restricted to authorised admin roles and is audit-logged to an immutable log.

Third-party processors

We use the following third-party processors to operate the platform. Each is engaged under a Data Processing Agreement:

  • Supabase (Supabase Inc.) — database, authentication, and file storage. Servers in EU-West.
  • Vercel Inc. — application hosting. Edge network with EU regions.
  • Resend Inc. — transactional email notifications. Only recipient email address and notification content are shared.
  • Sentry Inc. — error monitoring. When an unhandled application error occurs, an error report is sent to Sentry containing the error message, stack trace, and anonymous user ID (no name or email). This is used solely to identify and fix technical issues. No session recordings or behavioural data are captured.
  • DVLA VES API — vehicle registration lookup. Only the registration plate is shared; no personal data about drivers or dealers is transmitted.
  • DVSA MOT History API — MOT history lookup. Only the registration plate is shared.

No personal data is shared with any party not listed above without explicit consent. We do not sell your data.

International transfers

Supabase and Vercel operate infrastructure in the UK and EU. Where data is processed outside the UK or EEA, transfers are protected by the UK's International Data Transfer Agreement (IDTA) or equivalent adequacy decision.

5. How long we keep it

Data categoryRetention periodReason
Active accountsDuration of active relationshipOperational necessity
Completed job records6 years from completionUK tax and VAT obligations
Proof photos6 years from job completionUK Limitation Act 1980 s.5 — 6-year limitation period for contract / property-damage claims; aligned with the job record so evidence is retained for the full claim window
Driver verification documents6 years from end of active driver statusDue diligence for insurance claims or legal action
Insurance documents6 years from policy expiryClaims may be lodged after policy end date
Status history and audit log6 yearsDispute resolution and regulatory enquiries
Payment and payout records6 yearsUK tax and VAT obligation
Driver bank account detailsActive relationship + 6 yearsEvidence of correct payment for accounting
Location captures6 years from job completionRetained with job record — same schedule as status history
Rejected applications6 months from rejectionHandling disputes about rejection decisions

Any data subject to an active dispute, insurance claim, legal proceedings, or fraud investigation is placed on hold and retained until the matter is formally closed, regardless of the standard schedule above.

6. Your rights

Under UK GDPR you have the following rights in relation to your personal data:

  • Right of access (Article 15) — request a copy of the personal data we hold about you. We will respond within one calendar month.
  • Right to rectification (Article 16) — ask us to correct inaccurate or incomplete personal data.
  • Right to erasure (Article 17) — request deletion of your personal data. This right is subject to our legal obligations to retain certain records (see Section 5).
  • Right to restriction of processing (Article 18) — ask us to restrict how we use your data in certain circumstances.
  • Right to data portability (Article 20) — request your data in a structured, machine-readable format where processing is based on contract or consent and carried out by automated means.
  • Right to object (Article 21) — object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds that override your interests.
  • Rights related to automated decision-making (Article 22) — RouteRelay does not make decisions about you using solely automated processing that produce legal or similarly significant effects.

To exercise any of these rights, email support@routerelay.co.uk with the subject line "Data subject request". We will respond within one calendar month of receiving your request.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint, or by calling 0303 123 1113. We would, however, appreciate the opportunity to address any concern before you contact the ICO.

7. Cookies and browser storage

Strictly necessary — authentication cookies

RouteRelay uses session cookies set by Supabase (our authentication provider) to keep you signed in. These cookies are named with the prefix sb- and contain an encrypted session token. They are strictly necessary — without them, sign-in does not work.

These cookies are set server-side and are scoped to routerelay.co.uk. No third-party tracking data is attached to them.

Strictly necessary — booking progress storage

When you create a job as a dealer, your in-progress booking data is saved in sessionStorage under the keys routerelay_booking and routerelay_delivery_booking. This keeps the form intact if you navigate between steps. sessionStorage is cleared automatically when you close the browser tab.

Consent record storage

Your cookie preferences are stored in localStorage under the key routerelay_cookie_consent. This record contains your choices, the timestamp, and a version number. It is stored on your device only and is never sent to our servers.

Google Fonts (Geist)

The RouteRelay interface uses the Geist typeface, loaded via Google Fonts. Your browser may make a request to Google's servers (fonts.googleapis.com and fonts.gstatic.com) when you first load a RouteRelay page. Google may log this request. No cookie is set by this request and it does not track you across sites. You can block these domains in your browser settings — the interface will fall back to system fonts.

Analytics and marketing

RouteRelay does not use analytics, advertising, or cross-site tracking cookies or scripts. We do not use Google Analytics, Meta Pixel, TikTok Pixel, Hotjar, PostHog, Microsoft Clarity, or any equivalent behavioural tracking service. Sentry (listed in Section 4) operates server-side for error monitoring only and does not set cookies or track user behaviour. If we add any optional tracking technologies in future, we will update this policy, increment the consent version, and ask for your consent before loading them.

Changing your preferences

You can review or update your cookie choices at any time using the Cookie settings link in the footer, or by clearing localStorage for routerelay.co.uk (which will cause the consent banner to reappear).

8. Security

We implement technical and organisational measures to protect your personal data, including:

  • AES-256-GCM encryption at rest for bank account fields
  • HTTPS for all data in transit (TLS 1.2 minimum)
  • Row-level security on the database — every query is scoped to the authenticated user
  • Private, access-controlled storage for documents and photos
  • Multi-factor authentication required for all admin accounts
  • Immutable audit log for all sensitive admin actions
  • Role-based access controls — sensitive data visible only to authorised admin roles

To report a security vulnerability, email security@routerelay.co.uk or see our security disclosure policy at /.well-known/security.txt.

9. Changes to this policy

We may update this privacy policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. For significant changes, we will notify active users by email.

Continued use of the RouteRelay platform after a policy update constitutes acceptance of the revised policy.

10. Contact

For any privacy or data protection question, or to exercise your rights, contact us at: support@routerelay.co.uk

RouteRelay Ltd, England and Wales.

This policy has not yet been reviewed by a qualified data protection solicitor. A formal review is recommended before any wider public or commercial launch.