Data Processing Agreement (DPA)

This Data Processing Agreement governs how Drivetrack processes personal data on behalf of our clients.

Agreement Overview

This Data Processing Agreement ("Agreement") is entered into by and between the Client (the "Data Controller") and Drivetrack (the "Data Processor") and is incorporated by reference into the Drivetrack Terms of Service.

1. Subject Matter and Duration

This Agreement governs the processing of personal data by Drivetrack on behalf of the Client as part of its provision of the Drivetrack platform. This Agreement remains in effect for the duration of the Client's subscription and until all data is deleted or returned upon termination.

2. Nature and Purpose of Processing

Drivetrack processes personal data to enable vehicle collection and delivery logistics, driver tracking, billing, invoicing, and related SaaS platform services as defined in the Terms of Service.

3. Types of Personal Data and Data Subjects

The types of personal data processed include:

  • Names
  • Email addresses
  • Phone numbers
  • Home and business addresses
  • GPS/location data
  • Vehicle registration and model/make
  • Driver licence numbers
  • Billing addresses

The data subjects may include the Client's employees, drivers, and other personnel involved in logistics operations.

4. Obligations of the Data Processor

Drivetrack shall:

  • Process personal data only on documented instructions from the Client
  • Ensure staff confidentiality
  • Implement appropriate technical and organisational measures to protect data
  • Assist the Client in responding to data subject requests
  • Delete or return data upon termination
  • Provide information necessary to demonstrate compliance with this Agreement

5. Obligations of the Data Controller

The Client shall:

  • Ensure a lawful basis for processing all personal data provided to Drivetrack
  • Inform its users and staff of their data rights
  • Comply with all relevant obligations under UK GDPR

6. Subprocessors

Drivetrack uses the following subprocessors:

  • Google Firebase (Hosting, Firestore, Authentication)
  • Vercel (Web hosting and edge functions)
  • Nodemailer (via Vercel Cron) for transactional email delivery

Drivetrack shall notify the Client of any intended changes concerning the addition or replacement of subprocessors.

7. Data Security

Drivetrack uses HTTPS encryption, Firebase Authentication, and role-based access controls. Data is stored in UK or Western EU data centres via Firebase.

8. International Transfers

All data is stored and processed within the UK or Western EU. Drivetrack does not transfer personal data outside the UK or EEA without appropriate safeguards.

9. Breach Notification

In the event of a personal data breach, Drivetrack shall notify the Client without undue delay after becoming aware of the breach.

10. Data Retention and Deletion

Personal data shall be deleted according to the following schedule:

  • Job records: after 3 years
  • Invoices and billing records: after 6 years

Clients may request data export or deletion upon account closure.

11. Audits and Inspections

Upon reasonable notice, Drivetrack shall provide all information necessary to demonstrate compliance and allow for audits or inspections conducted by the Client or an authorised representative.

12. Governing Law

This Agreement shall be governed by the laws of England and Wales, and any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Need More Information?

For questions about this Data Processing Agreement or our data processing practices, please contact our support team at support@drivetrack.co.uk