Aroute Privacy Policy

Version: 1.0 | Effective date: February 19, 2026 | Market: UK (aroute.co.uk)

§1. Data Controller

The data controller is:

Emversa Maciej Łukowski

ul. Sielska 17a

60-129 Poznań, Poland

VAT ID: PL9720811257

Email: office@emversa.com

§2. Definitions

  1. Aroute Platform – a web application (PWA) and iOS mobile application for maintaining vehicle mileage records.
  2. Organisation – a business entity that has entered into a service agreement with the Controller.
  3. Driver – a user assigned to an Organisation, recording trips.
  4. UK GDPR – the retained EU GDPR as incorporated into UK law by the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
  5. Data Protection Act 2018 – the UK Data Protection Act 2018, which supplements the UK GDPR.
  6. PECR – the Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended.

§3. Roles in Data Processing

3.1. Controller as Data Controller

The Controller (Emversa) is the data controller within the meaning of UK GDPR with respect to:

  • data of Organisation Administrators (management accounts),
  • Organisation contact data,
  • marketing data (newsletter, consents),
  • contact form data.

3.2. Controller as Data Processor

The Controller (Emversa) acts as a data processor within the meaning of Art. 28 UK GDPR with respect to:

  • Driver data processed on behalf of the Organisation,
  • Driver trip and location data.

In this scope, the Organisation is the data controller for its Drivers' personal data, and Emversa processes data based on the Data Processing Agreement (DPA).

3.3. Organisation's Information Obligation

The Organisation, as the data controller for Drivers' personal data, is obligated to fulfil the information obligation towards Drivers pursuant to Art. 13 UK GDPR before they start using the Platform.

§4. Categories of Processed Data

4.1. User Account Data

| Data | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| Email address | Identification, login, communication | Art. 6(1)(b) UK GDPR – contract performance | Duration of account |
| First and last name | Identification | Art. 6(1)(b) UK GDPR | Duration of account |
| Password (hashed) | Authentication | Art. 6(1)(b) UK GDPR | Duration of account |
| Language preferences | Interface localisation | Art. 6(1)(f) UK GDPR – legitimate interest | Duration of account |
| Working hours and days | Auto-trip configuration | Art. 6(1)(b) UK GDPR | Duration of account |

4.2. Organisation Data

| Data | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| Company name | Identification | Art. 6(1)(b) UK GDPR | Duration of account |
| UK VAT / Company Number | Invoicing | Art. 6(1)(c) UK GDPR – legal obligation | 5 years from end of tax year (Polish tax law) |
| Registered address | Invoicing | Art. 6(1)(b) UK GDPR | 5 years from end of tax year (Polish tax law) |
| Billing email | Invoice delivery | Art. 6(1)(b) UK GDPR | Duration of account |
| Currency | Billing | Art. 6(1)(b) UK GDPR | Duration of account |

4.3. Trip Data

| Data | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| GPS coordinates (start/end) | Route documentation | Art. 6(1)(b) UK GDPR + consent | Duration of account |
| Addresses (start/end) | Route documentation | Art. 6(1)(b) UK GDPR | Duration of account |
| Timestamps | Trip time | Art. 6(1)(b) UK GDPR | Duration of account |
| Odometer readings | Distance verification | Art. 6(1)(b) UK GDPR | Duration of account |
| Distance | Mileage reporting | Art. 6(1)(b) UK GDPR | Duration of account |
| Speed (max/average) | Analytics | Art. 6(1)(f) UK GDPR | Duration of account |
| Trip type (business/private) | VAT classification | Art. 6(1)(c) UK GDPR | Duration of account |
| Reimbursement amount | Cost settlement | Art. 6(1)(b) UK GDPR | Duration of account |

4.4. GPS Checkpoints

PARTICULARLY SENSITIVE DATA – precise location

| Data | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| Latitude/longitude | Route recording | Art. 6(1)(b) UK GDPR + consent | Duration of account |
| Altitude | Route accuracy | Art. 6(1)(b) UK GDPR | Duration of account |
| GPS accuracy (metres) | Data quality | Art. 6(1)(b) UK GDPR | Duration of account |
| Heading | Route analysis | Art. 6(1)(b) UK GDPR | Duration of account |
| Instantaneous speed | Speed monitoring | Art. 6(1)(b) UK GDPR | Duration of account |
| Address (geocoded) | Location identification | Art. 6(1)(b) UK GDPR | Duration of account |
| Timestamp | Time accuracy | Art. 6(1)(b) UK GDPR | Duration of account |

When GPS points are collected:

  • At trip start
  • Every 5 minutes during active trip
  • Every 250 metres of movement
  • At trip end
  • Backbuffer (up to 5 minutes before trip confirmation in auto-trip mode)

Note: GPS points are NOT collected in manual entry mode.

§5. Purposes and Legal Bases for Processing

5.1. Contract Performance (Art. 6(1)(b) UK GDPR)

  • Creating and managing user accounts
  • Recording trips and maintaining mileage records
  • Managing vehicles and drivers
  • Generating reports (Vehicle Mileage Log, Reimbursement Summary) and exports
  • Processing reimbursement claims
  • Subscription management
  • Customer support
  • Sending email invitations
  • Sending authentication emails

5.2. Legal Obligation (Art. 6(1)(c) UK GDPR)

  • Tax documentation (UK VAT, Company Number)
  • Invoice data retention (5 years from end of tax year per Polish tax law). UK customers should retain their copies for 6 years per HMRC requirements.
  • Mileage records for VAT purposes
  • VAT verification data retention

5.3. Legitimate Interest (Art. 6(1)(f) UK GDPR)

  • Abandoned registration recovery (lead capture)
  • Service improvement and analytics
  • Security monitoring and fraud prevention
  • Fleet map visualisation (paid feature)
  • Speed analytics and trip statistics (paid feature)
  • Mileage gap and discrepancy detection

5.4. Consent (Art. 6(1)(a) UK GDPR, PECR compliant)

  • Marketing email communication (optional checkbox)
  • Analytics cookies (cookie banner)
  • GPS checkpoint collection
  • Auto-trip detection
  • Contact form processing

§6. Data Processors (Sub-processors)

The Controller uses the following data processors:

| Service | Provider | Purpose | Location |
|---|---|---|---|
| Supabase | Supabase Inc. | Database hosting, authentication, RLS | EU |
| Stripe | Stripe Payments Europe, Ltd. | Payments, invoices | Ireland (EU) |
| Vercel | Vercel Inc. | Application hosting, CDN | Global |
| Resend | Resend, Inc. | Transactional email delivery | USA |
| Google Analytics | Google LLC | Website analytics (with consent) | USA |
| OpenStreetMap Nominatim | OpenStreetMap Foundation | Geocoding (coordinates → addresses) | Global |
| OSRM | Project OSRM | Route distance calculation | Global |
| WeatherAPI | WeatherAPI | Weather conditions during trips | - |
| Companies House | UK Government | Company verification | UK |
| ipapi.co | ipapi.co | IP-based country detection | - |
| ip-api.com | ip-api.com | Backup IP-based country detection | - |

§7. International Data Transfers

Some data processors may transfer data outside the United Kingdom:

| Service | Location | Transfer Mechanism |
|---|---|---|
| Supabase | EU/EEA | Permitted under UK adequacy regulations |
| Stripe | Ireland (EU) | Permitted under UK adequacy regulations |
| Vercel | Global (CDN) | UK International Data Transfer Agreement (IDTA) |
| Resend | USA | UK International Data Transfer Agreement (IDTA) |
| Google Analytics | USA | IDTA + UK Extension to EU-US Data Privacy Framework |

All international data transfers are carried out with appropriate safeguards in accordance with UK GDPR requirements.

§8. Data Retention Periods

8.1. Active Accounts

| Data Category | Retention Period |
|---|---|
| User account data | Duration of account |
| Organisation data | Duration of subscription |
| Trip data | Duration of subscription |
| GPS checkpoints | Duration of subscription |
| Vehicle data | Duration of subscription |
| Reimbursement claims | Duration of subscription |
| Invoice data (VAT, Company Number, address) | 5 years from end of tax year (Polish tax law) |
| Marketing subscriber data | Until unsubscribe |

8.2. After Subscription End

Voluntary cancellation:

  • Grace period: 90 days from end of paid period
  • During grace period: All data preserved, export available
  • After grace period: Organisation deactivated, data preserved per legal requirements

Non-payment:

  • Immediate access suspension
  • Data preserved for 30 days
  • After 30 days: Organisation deactivated

8.3. Account Deletion (UK GDPR Right to Erasure)

  • Personal data: Deleted
  • Trip and GPS data: Deleted
  • Invoice data (VAT, Company Number, address): Retained 5 years from end of tax year (Polish tax law). UK customers should retain their copies for 6 years per HMRC requirements.

8.4. Registration Leads

  • Completed registrations: Converted to user account
  • Abandoned registrations: 30 days, then soft delete

8.5. Contact Inquiries

  • Active: Until inquiry resolution
  • Resolved: Deleted after resolution

§9. Data Subject Rights

Under UK GDPR, you have the following rights:

9.1. Rights Implemented in Platform

| Right | Implementation |
|---|---|
| Right of access | Users can view all their data in the app; Excel export available |
| Right to rectification | Users can update profile; Drivers submit trip edit requests |
| Right to data portability | Excel/PDF export feature for trip data and reports |
| Right to withdraw consent | Cookie settings reset; marketing unsubscribe via profile settings; location consent withdrawal |

9.2. Rights Requiring Manual Process

| Right | Process |
|---|---|
| Right to erasure | Contact: office@emversa.com; Administrator can deactivate users |
| Right to restriction of processing | Contact: office@emversa.com |
| Right to object | Contact: office@emversa.com |

9.3. Special Notes

  • Invoice data: Retained 5 years from end of tax year per Polish tax law, even after account deletion request. UK customers should retain their copies for 6 years per HMRC requirements.
  • Anonymisation: Preferred over deletion when legal retention is required
  • Response time: We will respond to your request within one month

§10. Data Security

10.1. Technical Measures

  • Encryption in transit: TLS/HTTPS for all communication
  • Encryption at rest: Database encryption (Supabase)
  • Password hashing: bcrypt via Supabase Auth
  • Data isolation: Row-Level Security (RLS) at database level
  • Access control: RBAC (Driver < Administrator)

10.2. Organisational Measures

  • Least privilege policy: Users have access only to necessary data
  • Webhook verification: Stripe and Supabase signature verification
  • Rate limiting: Implemented at edge level (Vercel)

§11. Cookies

Detailed information about cookies is contained in the Cookie Policy available at: aroute.co.uk/cookies.

§12. Data Breach

12.1. Supervisory Authority Notification

In case of a personal data breach that may pose a risk to the rights and freedoms of individuals, the Controller will notify the Information Commissioner's Office (ICO) within 72 hours of breach detection.

12.2. Data Subject Notification

If the breach may pose a high risk to the rights and freedoms of individuals, the Controller will notify affected individuals without undue delay.

§13. Children's Data

  1. The Aroute Platform is intended exclusively for business users (B2B). Organisation account registration and the Administrator role require being of legal age (18 years old).
  2. A Driver on the Platform may be a minor (16-17 years old) if they are legally employed by the Organisation and hold appropriate driving licences in accordance with applicable law.
  3. In the case of minor Drivers, the Organisation (as the data controller for its employees' personal data) is responsible for:
    • obtaining all required consents from parents or legal guardians in accordance with labour law provisions,
    • fulfilling the information obligation towards the minor and their legal guardians,
    • ensuring data processing compliance with regulations concerning the employment of minors.
  4. Under UK GDPR, the age of consent for data processing is 13 years old. Emversa does not direct marketing services or direct communication to children under 13.

§14. Do Not Track Signals

The Platform does not respond to "Do Not Track" (DNT) signals sent by web browsers. Users may manage their tracking preferences through cookie settings available in the Platform and in the cookie policy.

§15. Automated Decision-Making

The Platform does not use automated decision-making, including profiling, as referred to in Article 22(1) and (4) of UK GDPR, which produces legal effects or similarly significantly affects users. All decisions regarding trip approvals, reimbursement claims, and similar matters are made by authorised users (Organisation Administrators), not by algorithms.

§16. Changes to Privacy Policy

  1. The Controller reserves the right to change this Privacy Policy.
  2. Users will be notified of changes by email at least 14 days before the changes take effect.
  3. The current version of the Privacy Policy is always available at: aroute.co.uk/privacy.

§17. Contact and Complaints

For personal data protection matters, please contact:

Emversa Maciej Łukowski

ul. Sielska 17a

60-129 Poznań, Poland

Email: office@emversa.com

Supervisory Authority for the United Kingdom:

Information Commissioner's Office (ICO)

Wycliffe House, Water Lane

Wilmslow, Cheshire SK9 5AF

United Kingdom

Tel: 0303 123 1113

www.ico.org.uk

Document generated: February 19, 2026