Privacy Policy | Getcovery

1. Introduction and Data Controller

This Privacy Policy explains how Getcovery Ltd ("Getcovery", "we", "us", or "our") collects, uses, stores, shares, and protects your personal data when you use our vehicle recovery and transport platform, including our website at getcovery.com, our mobile applications, and any related services (collectively, the "Platform").

We are committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), and the Data (Use and Access) Act 2025.

Data Controller:

Getcovery Ltd

Company Number: [to be added upon registration]

Registered Address: Unit 5, 399-405 Oxford Street, Office 195, London W1C 2BU

Email: privacy@getcovery.com

Data Protection Contact: dpo@getcovery.com

If you have any questions about this Privacy Policy or our data practices, please contact us at the addresses above.

2. Personal Data We Collect

We collect different categories of personal data depending on how you interact with our Platform. We only collect data that is necessary for the purposes described in this Policy.

2.1 Data You Provide Directly

Data you provide directly to Getcovery
Category	Data Elements	When Collected
Identity Data	Full name	Registration, booking, partner application
Contact Data	Email address, telephone number	Registration, booking, partner application, business inquiry
Address Data	Pickup and dropoff addresses, company address	Booking creation, business registration
Vehicle Data	Vehicle registration number (VRM), make, model, year, body type, gearbox type, vehicle condition	Booking creation (VRM lookup is optional)
Visual Data	Vehicle condition photographs	During booking (optional pre-collection, mandatory at pickup and delivery)
Account Data	Email address, password (hashed)	Account registration
Payment Data	Payment method selection (full or deposit). Card details are collected and processed directly by Stripe and never reach our servers.	Booking payment
Business Data	Company name, Companies House number, VAT number, fleet size, vehicle types, coverage area, insurance details	Partner application, B2B customer registration
Communication Data	Chat messages, booking notes, location notes	In-app chat between customer and driver, booking creation
Feedback Data	Star rating (1-5), review tags, tip amount	Post-delivery rating

2.2 Data We Collect Automatically

Data collected automatically by the Platform
Category	Data Elements	Purpose
Location Data (Drivers)	Real-time GPS coordinates during active jobs	Job dispatch, live tracking for customers, safety
Location Data (Customers)	Pickup and dropoff coordinates	Route calculation and service delivery
Device Data	IP address, browser type, operating system	Security, rate limiting, fraud prevention
Usage Data	Pages visited, features used, booking flow progress	Service improvement
Session Data	Authentication tokens (in secure cookies)	Maintaining your logged-in session

2.3 Data We Receive from Third Parties

Data received from third-party sources
Source	Data	Purpose
DVLA Vehicle Enquiry Service	Vehicle make, colour, fuel type, date of first registration, tax and MOT status	Auto-populating vehicle details during booking to reduce manual entry
MOT History API	Vehicle model, MOT history	Enriching vehicle data for accurate service matching
Google Maps Platform	Geocoded addresses, route distances, estimated journey times	Route calculation and pricing
Stripe	Payment confirmation, card brand and last 4 digits (for display purposes only)	Payment processing confirmation and receipt generation

2.4 Data We Do NOT Collect

We do not store payment card numbers, CVVs, or full card details. All payment processing is handled directly by Stripe.
We do not use any analytics tracking cookies or advertising cookies.
We do not collect biometric data.
We do not process special category data (health, religion, political opinions, etc.) unless you voluntarily provide it in free-text fields such as booking notes.

3. Lawful Basis for Processing

Under UK GDPR Article 6, we process your personal data only where we have a valid lawful basis. The table below sets out the lawful basis for each processing activity.

Lawful basis for each processing activity
Processing Activity	Lawful Basis	Explanation
Creating and fulfilling bookings	Contract (Article 6(1)(b))	Processing is necessary to perform the vehicle recovery or transport service you have requested.
Processing payments	Contract (Article 6(1)(b))	Payment processing is integral to delivering our service.
Sending booking confirmations, status updates, and receipts	Contract (Article 6(1)(b))	Transactional communications are necessary for service delivery.
Real-time GPS tracking of drivers during active jobs	Legitimate Interest (Article 6(1)(f))	Enables customers to track their vehicle and ensures driver safety. Drivers are informed of tracking in their onboarding.
Driver identity and document verification	Legal Obligation (Article 6(1)(c))	Road haulage and transport operators must verify driver licensing and insurance under UK law.
Generating invoices and financial records	Legal Obligation (Article 6(1)(c))	HMRC requires retention of financial records for a minimum of 6 years.
Rate limiting and fraud prevention	Legitimate Interest (Article 6(1)(f))	Protecting the Platform and its users from abuse, automated attacks, and fraudulent bookings.
Vehicle lookup via DVLA/MOT	Legitimate Interest (Article 6(1)(f))	Reducing manual data entry for customers and ensuring accurate service matching. Registration numbers are not stored beyond the booking.
Sending marketing communications	Consent (Article 6(1)(a))	We will only send promotional messages where you have given explicit opt-in consent via a clear, affirmative opt-in checkbox (not pre-ticked). You may withdraw consent at any time by clicking the unsubscribe link included in every marketing email, or by contacting us at dpo@getcovery.com. We comply with PECR Regulation 22 for email marketing and Regulation 23 for any future SMS marketing — we will never send unsolicited marketing messages without prior consent.
Responding to legal claims or regulatory requests	Legal Obligation (Article 6(1)(c))	Compliance with court orders, regulatory investigations, or statutory obligations.

4. How We Use Your Data

We use your personal data for the following purposes:

Service Delivery: Creating bookings, matching you with a recovery or transport driver, calculating quotes, processing payments, providing real-time tracking, facilitating in-app communication between you and your driver, and generating receipts.
Account Management: Creating and maintaining your account, authenticating your identity, managing your booking history, and saving booking drafts so you can resume incomplete bookings.
Safety and Security: Verifying driver credentials, monitoring platform usage for fraudulent or abusive behaviour, enforcing rate limits, and maintaining audit logs for security incidents.
Communication: Sending booking confirmations, driver assignment notifications, delivery completion notifications, and push notifications related to your bookings via email and in-app notifications.
Legal Compliance: Maintaining financial records as required by HMRC, responding to data subject access requests, and complying with law enforcement or regulatory obligations.
Platform Improvement: Analysing anonymised and aggregated usage patterns to improve our service, fix technical issues, and develop new features. We do not use your personal data for profiling or automated decision-making that produces legal effects.

5. Data Sharing and Third-Party Processors

We share your personal data only where necessary to deliver our service, and only with the categories of recipients described below. We do not sell your personal data to any third party.

5.1 Service Delivery Partners

Recovery and Transport Drivers: When you create a booking, the assigned driver receives your name (masked to initials until job acceptance for privacy), pickup and dropoff addresses, vehicle details, and contact telephone number (visible only after driver assignment). Drivers are independent operators or employees of partner companies, not Getcovery employees.
Partner Companies: If you book through a business account, your company administrator can view booking details associated with your company.

5.2 Technology Service Providers (Data Processors)

We use the following third-party service providers who process data on our behalf under Data Processing Agreements (DPAs):

Technology service providers acting as data processors
Provider	Purpose	Data Processed	Location
Supabase Inc.	Database hosting, user authentication, file storage, real-time event delivery	All Platform data including user accounts, bookings, vehicle photos, chat messages	EU-West (London, United Kingdom)
Stripe Inc.	Payment processing, authorisation holds, driver payouts via Stripe Connect	Payment amounts, card brand and last 4 digits, booking reference. Full card details are processed by Stripe directly and never enter our systems.	Global (US headquarters; GDPR-compliant under Standard Contractual Clauses)
Google LLC (Google Maps Platform)	Address geocoding, route calculation, distance and ETA estimation, map display, address autocomplete	Pickup and dropoff addresses, GPS coordinates for map display	Global (US headquarters; UK adequacy decision and Standard Contractual Clauses)
Resend Inc.	Transactional email delivery	Recipient email address, email content (booking confirmations, verification emails, invitation links)	United States (Standard Contractual Clauses)
Google LLC (Firebase Cloud Messaging)	Push notifications to mobile applications	Device tokens, notification content (booking status updates, chat message alerts)	Global (US headquarters; Standard Contractual Clauses)
Upstash Inc.	Distributed rate limiting for API endpoints	IP addresses (stored ephemerally in sliding windows, typically for seconds to minutes, then automatically deleted)	Global (Standard Contractual Clauses)
Vercel Inc.	Website hosting and content delivery	HTTP request metadata (IP address, user agent) for serving web pages	Global with edge locations (Standard Contractual Clauses)
Fly.io Inc.	Backend API hosting	All API request data in transit (processed in memory, not persisted by Fly.io)	London, United Kingdom (lhr region)

5.3 Government and Regulatory Bodies

DVLA (Driver and Vehicle Licensing Agency): We query the DVLA Vehicle Enquiry Service to look up vehicle details by registration number. The DVLA is a data controller in its own right.
HMRC: We retain financial records (invoices, payment amounts) for the statutory period of 6 years as required by UK tax law.
Law Enforcement: We may disclose personal data if required by law, court order, or to protect the rights, property, or safety of our users or the public.

5.4 International Data Transfers

Our primary database is hosted in London, United Kingdom, ensuring that the majority of your data remains within the UK. However, some of our third-party service providers process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place:

UK Adequacy Decisions: Where the UK Government has determined that a country provides an adequate level of data protection.
Standard Contractual Clauses (SCCs): We use International Data Transfer Agreements (IDTAs) or the UK Addendum to the EU Standard Contractual Clauses, as approved by the Information Commissioner's Office (ICO).
Supplementary Measures: Where necessary, we implement additional technical measures such as encryption in transit (TLS 1.3) and access controls to protect your data during transfer.

You may request a copy of the relevant safeguards by contacting us at dpo@getcovery.com.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The table below sets out our retention periods.

Data retention periods
Data Category	Retention Period	Legal Basis / Rationale
Completed booking records	6 years from completion	Contract limitation period under the Limitation Act 1980; HMRC financial record requirements
Financial records (invoices, payments)	6 years from transaction	HMRC statutory requirement
Driver GPS location data	90 days from collection	Legitimate interest (dispute resolution, service quality). Automatically deleted by scheduled database cleanup.
Vehicle condition photographs	Duration of booking + 90 days	Evidence for dispute resolution. Automatically deleted by scheduled database cleanup.
Chat messages	90 days from booking completion	Evidence for dispute resolution. Automatically deleted by scheduled database cleanup with associated file attachments.
Booking drafts (incomplete bookings)	7 days from last update	Legitimate interest (user convenience). Automatically deleted by scheduled database cleanup every 6 hours.
Rate limiting data (IP addresses)	Seconds to minutes	Automatically expired by sliding window algorithm. No permanent storage.
Account data	Until account deletion	You may request deletion at any time. See Section 7 (Your Rights).
Marketing consent records	Duration of consent + 2 years	GDPR accountability principle (Article 5(2))
Driver employment and verification records	Duration of engagement + 6 years	Employment law requirements
Failed login attempts	90 days	Security monitoring and fraud prevention

When data reaches the end of its retention period, it is either securely deleted or anonymised so that it can no longer be associated with you.

7. Your Rights Under UK GDPR

You have the following rights in relation to your personal data. These rights are not absolute and may be subject to certain conditions and exemptions as set out in the UK GDPR and Data Protection Act 2018.

Your data protection rights
Right	Description	How to Exercise
Right of Access (Article 15)	You have the right to obtain confirmation of whether we process your personal data, and to request a copy of that data.	Email dpo@getcovery.com with the subject line "Data Subject Access Request".
Right to Rectification (Article 16)	You have the right to request correction of inaccurate personal data, or completion of incomplete data.	Update your details in your account settings, or email dpo@getcovery.com.
Right to Erasure (Article 17)	You have the right to request deletion of your personal data where it is no longer necessary, or where you withdraw consent.	Use the "Delete Account" feature in your account settings, or email dpo@getcovery.com. Note: we may retain certain data where we have a legal obligation (e.g., financial records for HMRC).
Right to Restrict Processing (Article 18)	You have the right to request that we limit how we use your data in certain circumstances.	Email dpo@getcovery.com.
Right to Data Portability (Article 20)	You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV).	Email dpo@getcovery.com with the subject line "Data Portability Request".
Right to Object (Article 21)	You have the right to object to processing based on legitimate interest, including for direct marketing purposes.	Email dpo@getcovery.com, or use the unsubscribe link in any marketing email.
Rights related to Automated Decision-Making (Article 22)	You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.	We do not use automated decision-making that produces legal or similarly significant effects on you. Our pricing is algorithmically calculated based on objective factors (distance, vehicle type, and service tier), but this does not constitute a decision with legal or significant effect because: (a) you are shown the price before booking and can choose not to proceed, (b) you may request an auction where multiple drivers offer competing prices, and (c) you can contact our support team to discuss pricing. A human driver always decides whether to accept a job.

We will respond to all valid requests within one calendar month of receipt. In exceptional circumstances, we may extend this by a further two months, in which case we will inform you of the extension and the reasons for it.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Telephone: 0303 123 1113

Website: ico.org.uk

8. Cookies and Similar Technologies

Our Platform uses a minimal set of cookies, all of which are strictly necessary for the operation of our service. We do not use any advertising, analytics, or tracking cookies.

Cookies used by Getcovery
Cookie Name	Purpose	Type	Duration
sb-*-auth-token	Authenticates your session after you log in. Set automatically by our authentication system (Supabase). Without this cookie, you would need to log in on every page visit.	Strictly Necessary	Session-based with refresh
getcovery_tracking_token	Allows you to track your booking after payment. This cookie is httpOnly (cannot be read by JavaScript for security), Secure (only transmitted over HTTPS), and SameSite: Strict (never sent in cross-site requests).	Strictly Necessary	24 hours

Because all our cookies are strictly necessary for the provision of the service you have requested, explicit consent is not required under PECR Regulation 6(4). We do not need to display a cookie consent banner for these cookies.

8.1 Local Storage

We use browser local storage (not a cookie) to save your incomplete booking form data so you can resume it later. This data is stored locally on your device, is never transmitted to our servers, contains no sensitive personal data, and is automatically cleared after 24 hours or when you complete or dismiss the booking.

8.2 Third-Party Cookies

Some of our third-party service providers may set their own cookies when you interact with their services on our Platform:

Google Maps: May set cookies when displaying interactive maps on our booking and tracking pages. These cookies are necessary for the functioning of the map service. For details, see Google's Privacy Policy at policies.google.com/privacy.
Stripe: May set cookies during the payment checkout process. These cookies are strictly necessary for fraud prevention and secure payment processing. For details, see Stripe's Privacy Policy at stripe.com/privacy.

We do not control cookies set by third parties. Please refer to their respective privacy policies for information about their cookie practices.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Our security measures include:

Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3 (HTTPS). WebSocket connections for real-time tracking are also encrypted.
Encryption at Rest: Our database is hosted on Supabase with encryption at rest enabled by default.
Access Controls: We use Row-Level Security (RLS) policies in our database to ensure that users can only access data they are authorised to see. Multi-tenancy isolation prevents partner companies from accessing each other's data.
Authentication Security: Passwords are hashed using industry-standard algorithms. Authentication sessions use secure, httpOnly cookies that cannot be accessed by JavaScript.
Payment Security: We never store, process, or have access to your full payment card details. All card data is handled directly by Stripe, which is certified to PCI DSS Level 1 — the highest level of payment security certification.
Rate Limiting: All public-facing API endpoints are protected by distributed rate limiting to prevent brute force attacks and abuse.
Content Security Policy: Our website implements a strict Content Security Policy (CSP) with 11 directives to prevent cross-site scripting (XSS) and other injection attacks. CSP violations are reported and monitored.
PII Masking: Customer phone numbers are masked (hidden) from drivers until a job is accepted, preventing misuse of personal contact details.
Audit Logging: All sensitive operations are logged for security monitoring. Logs are subject to PII sanitisation to prevent accidental exposure of personal data in log files.
GDPR Automated Cleanup: Scheduled database tasks automatically delete expired data (GPS locations after 90 days, chat messages after 90 days, booking photos after 90 days, booking drafts after 7 days) in accordance with our retention schedule.

While we take all reasonable steps to protect your data, no method of electronic transmission or storage is 100% secure. If you become aware of any security vulnerability, please report it to security@getcovery.com.

10. Data Security Breach Notification

In the event of a personal data breach, we will comply with our obligations under UK GDPR Articles 33 and 34.

10.1 Notification to the ICO (Article 33)

Where a personal data breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Our notification will include:

The nature of the breach, including the categories and approximate number of individuals and personal data records affected.
The name and contact details of our Data Protection Contact (dpo@getcovery.com).
The likely consequences of the breach.
The measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

10.2 Notification to Affected Individuals (Article 34)

Where a breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay. Our notification will:

Describe, in clear and plain language, the nature of the breach.
Explain the likely consequences and the measures we have taken to address the breach.
Provide the contact details of our Data Protection Contact for further information.
Advise you on steps you can take to protect yourself (e.g., changing passwords, monitoring for suspicious activity).

10.3 Breach Reporting

If you believe your personal data has been compromised or you have discovered a security vulnerability on our Platform, please report it immediately to security@getcovery.com. We take all reports seriously and will investigate promptly.

11. Children's Privacy

Our Platform is not intended for use by children under the age of 18. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us at dpo@getcovery.com and we will take steps to delete such data.

12. GPS Tracking and Location Data

GPS tracking is a core part of our service. This section provides full transparency about how we handle location data.

12.1 Customer Location Data

We collect your pickup and dropoff addresses when you create a booking. These addresses are sent to Google Maps for route calculation and distance estimation.
During an active booking, you can see the real-time location of your assigned driver on an interactive map. This location data is transmitted via encrypted WebSocket connections.
We do not track your personal device location unless you explicitly grant location permission to use the "current location" feature during booking.

12.2 Driver Location Data

Drivers' GPS coordinates are collected in real-time during active jobs only (from job acceptance to delivery completion).
GPS data is transmitted every 5 seconds via encrypted WebSocket connections and temporarily cached for display to the customer.
GPS location data is retained for 90 days for dispute resolution and service quality purposes, then automatically deleted by a scheduled database cleanup.
Drivers are fully informed of GPS tracking requirements during onboarding and must consent before using the Platform.
We do not perform speed analysis, route analysis, or driver surveillance. Location data is used solely for job dispatch, customer tracking, and safety.

12.3 Public Tracking Links

Customers may generate a public tracking link to share their booking's live tracking status with third parties (e.g., a friend or family member waiting at the dropoff location). These links:

Expire after 24 hours and are automatically cleaned up.
Show only the driver's current location, estimated arrival time, and booking status.
Do not display the dropoff address (data minimisation).
Do not require the recipient to create an account.
Are accessible via a token-based URL — no authentication cookies are set for link recipients.

13. Account Deletion

You can request deletion of your account at any time:

Mobile App Users: Navigate to your profile or settings screen and select "Delete Account". Your account and associated personal data will be permanently deleted.
Web Users: Email dpo@getcovery.com with the subject line "Account Deletion Request".

Upon account deletion, we will:

Permanently delete your user account and authentication credentials.
Delete your profile data (name, email, phone number).
Delete your booking drafts.
Retain completed booking records and financial records for 6 years as required by law (HMRC statutory obligation). These records will be anonymised where possible.
Revoke any third-party authentication tokens (e.g., Apple Sign In token revocation).

Account deletion is irreversible. If you wish to use our Platform again after deletion, you will need to create a new account.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

Update the "Last Updated" date at the top of this Policy.
Notify you by email (if you have an account) or by a prominent notice on our website.
Where required by law, obtain your consent before applying changes that affect how we process your data.

We encourage you to review this Policy periodically to stay informed about how we protect your data.

15. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Getcovery Ltd

Unit 5, 399-405 Oxford Street, Office 195, London W1C 2BU

Email: privacy@getcovery.com

Data Protection Contact: dpo@getcovery.com

Website: getcovery.com

For complaints about our data handling, please contact us first so we have the opportunity to resolve the issue. If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.