CheckPod CheckPod Back to Site
Legal · Document v1.2

Privacy Policy

How Traction Solutions Ltd collects, uses, stores and protects personal data when you use the CheckPod service.

Last updated: 16 May 2026 Effective: 16 May 2026 Version: 1.2

1.Introduction

This Privacy Policy explains how Traction Solutions Ltd ("we", "us", "our") collects, uses, stores, and protects personal data when you use the CheckPod service ("CheckPod", "the Service"), accessed via app.checkpod.co.uk and the marketing site checkpod.co.uk.

We are committed to protecting your privacy and complying with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 ("PECR").

This policy applies to:

  • Drivers using CheckPod Driver as a sole user (e.g. self-employed or owner-drivers)
  • Fleet customers (transport operators) using CheckPod Fleet to manage a fleet of drivers
  • Drivers within a fleet, whose data is processed on instructions from their employing operator (typically via their Transport Manager)
  • Visitors to checkpod.co.uk

If you do not agree with this Policy, please do not use the Service.

2.Who we are (Data Controller)

Traction Solutions Ltd is the controller of personal data processed through CheckPod, except where stated otherwise in section 4 below.

Company nameTraction Solutions Ltd
Company number17075841
Registered office86–90 Paul Street, London, EC2A 4NE
ICO registration numberZC133272
Privacy contactlegal@tractionsolutions.co.uk
Postal address for data mattersTraction Solutions Ltd, 86–90 Paul Street, London, EC2A 4NE

3.The data we collect

We collect the following categories of personal data, depending on how you use CheckPod.

3.1 Account data (all users)

  • Full name
  • Email address
  • Telephone number
  • Password (stored only as a hash by our EEA-resident authentication system)
  • User role (Driver, Transport Manager, Admin, Tester)
  • Profile photograph (optional, uploaded by user)
  • Account creation date, last login date

3.2 Driver-specific data

  • UK driving licence number
  • Driving licence categories and entitlements (returned from DVLA)
  • DVLA endorsement and conviction history (returned from DVLA at the time of a licence check)
  • D906 consent records (timestamp, version of consent text, IP address at time of consent)
  • Photographs and digital signatures captured during vehicle checks and deliveries

3.3 Operational data

  • Vehicle registration numbers and vehicle details (make, model, type, MOT and tax status from DVLA open data)
  • Vehicle check records: timestamps, defect reports, photographs, GPS location at point of submission, digital signature
  • Delivery / Proof of Delivery records: customer name, delivery address, items delivered, GPS location, photographs, digital signature, delivery timestamp and duration
  • Defect records: descriptions, photographs, severity, resolution status

3.4 Location data

  • GPS coordinates captured at the point of submission of a vehicle check or delivery
  • GPS coordinates captured during active fleet tracking (Fleet customers only, where enabled by the operator)
  • Location data is not captured continuously when the app is closed, except where the operator has explicitly enabled active tracking and the driver has been notified

3.5 Payment data

  • Subscription tier (Driver monthly, Driver annual, Fleet)
  • Subscription status, billing dates, renewal dates
  • DVLA check usage records (count of checks, dates, fleet attribution)
  • Stripe Customer ID

We do not store card numbers, CVV, or full bank details. All payment card data is processed directly by Stripe Payments UK Ltd. We receive only a reference token.

3.6 Technical data

  • IP address (collected during authentication for security)
  • Device type, operating system, browser type
  • App version, crash reports, error logs

Map tiles. When a vehicle check or delivery record includes GPS coordinates, the app renders an interactive map using OpenStreetMap (OSM) tile imagery. Tile images are fetched directly from tile.openstreetmap.org. This means your device's IP address is transmitted to the OpenStreetMap Foundation servers in order to load the map — the same as visiting any website that embeds OSM tiles. The GPS coordinates themselves are not sent to OpenStreetMap; only the tile grid coordinates (which roughly correspond to the visible map area) are implied by which tiles are requested. OpenStreetMap Foundation is a UK-registered charity and processes this data under their own Privacy Policy. Map tiles are only loaded when you open a check or delivery record that has GPS data — they are not loaded in list views or summary screens.

3.7 Marketing site data (checkpod.co.uk)

We do not currently use any analytics, tracking, or marketing technologies on our marketing site. Your visit is not tracked, and no third-party scripts collect data about you. Standard server logs (held by our hosting provider) record technical information needed to deliver the site, retained for a short period for security and operational reasons.

3.8 Waitlist signups

If you sign up to be notified when CheckPod launches, we collect your email address, the timestamp of your signup, your IP address, the version of this Privacy Policy you saw at the time, and basic technical information about your browser. This data is used solely to send you one launch announcement email. After that, we will either delete the record or, with your further explicit consent, retain it for occasional product news. You can request deletion at any time by emailing legal@tractionsolutions.co.uk.

4.When CheckPod is a Processor (Fleet customers)

When a Fleet customer subscribes to CheckPod Fleet and adds drivers to their fleet, that operator (acting through its Transport Manager or other authorised personnel) becomes the Data Controller for those drivers' operational data, and Traction Solutions Ltd becomes the Data Processor.

In this scenario:

  • The operator decides what data to collect, why, and for how long
  • We process that data only on the documented instructions of the operator
  • The terms of this processing are set out in the Data Processing Agreement which forms Schedule 1 of the CheckPod Fleet Terms of Service, available at checkpod.co.uk/dpa.html
  • Drivers in a Fleet should direct most data subject requests (access, deletion, etc.) to their operator (typically via their Transport Manager) in the first instance, although we will assist where we can

For account data, billing data, and platform-level technical data, Traction Solutions Ltd remains the Data Controller in all cases.

5.Why we collect this data and our legal basis

We process personal data on the following lawful bases under Article 6 UK GDPR.

5.1 Performance of a contract (Article 6(1)(b))

To provide the CheckPod Service to you, including:

  • Creating and maintaining your account
  • Storing and retrieving vehicle checks, deliveries, and defect records
  • Processing your subscription payments
  • Generating PDF reports and exports
  • Notifying you of compliance events (defects, expiring documents)

5.2 Legitimate interest (Article 6(1)(f))

For our or our customers' legitimate business interests, including:

  • Fleet GPS tracking (the operator's legitimate interest in fleet management, asset protection, and compliance — see our Legitimate Interest Assessment, held internally and available on request to legal@tractionsolutions.co.uk from regulators, prospective customers under DPA audit rights, and affected data subjects)
  • Fraud prevention and account security
  • Improving the Service (anonymised usage analysis)
  • Responding to support requests

In each case, we have balanced our interest against your privacy rights and concluded that our processing is proportionate.

5.3 Legal obligation (Article 6(1)(c))

To comply with our legal obligations, including:

  • Retention of vehicle check records to support DVSA roadworthiness compliance (Statutory Document)
  • Retention of financial records for HMRC purposes
  • Responding to lawful requests from regulators or law enforcement

5.4 Consent (Article 6(1)(a))

For specific processing where consent is required, including:

  • D906 consent for DVLA Access to Driver Data licence checks
  • Marketing communications via email (where you have opted in)
  • Waitlist signups via the marketing site

You can withdraw consent at any time. Withdrawal does not affect processing carried out before withdrawal.

5.5 Special category data

Driving licence endorsement data may include limited information about offences (criminal convictions data — Article 10 UK GDPR). We process this:

  • On the basis of explicit consent (D906) for licence checks
  • Only for the purpose of verifying the driver's right and entitlement to drive
  • With additional safeguards: encrypted at rest, restricted access, retained for the minimum period necessary

6.Who we share your data with (Sub-processors)

We do not sell your personal data. We share it only with the following sub-processors, all engaged under written contracts with appropriate data protection terms.

Sub-processor Purpose Region Transfer safeguard
Convex (Convex Inc.)Database and backend infrastructureIreland (EU)None required — within EEA
Stripe Payments UK LtdPayment processingUnited KingdomNone required — within UK
Resend (Resend Inc.)Transactional email deliveryIreland (EU)None required — within EEA
Vercel Inc.Frontend application hosting (edge delivery, EEA preference)EEA / global edgeUK Addendum to EU SCCs
Fasthosts Internet LtdMarketing site hostingUnited KingdomNone required — within UK
Driver and Vehicle Licensing Agency (DVLA)Licence verification (Access to Driver Data)United KingdomUK public authority
Fly.io Inc.Tachograph parser microservice (DDD file parsing)Frankfurt (EEA)UK Addendum to EU SCCs
OpenStreetMap FoundationMap tile imagery (when viewing records with GPS coordinates)United Kingdom (registered charity)Recipient (not contracted sub-processor) — see section 3.6
Authentication & data residency: Authentication and session management are handled within our own EEA-resident infrastructure (issued from and verified against systems hosted in Ireland, within the European Economic Area), and the associated data is held in our Convex database in Ireland. There is no routine transfer of your authentication or account data outside the EEA.
†OpenStreetMap note: OpenStreetMap Foundation is listed for completeness because rendering map tiles transmits your device's IP address to their servers (see section 3.6). They are a data recipient under their own privacy policy, not a contracted sub-processor of CheckPod. No contract with the Foundation is in place because tile usage is governed by their public Tile Usage Policy.

We may also share your data with:

  • Regulators (ICO, HMRC, DVSA, traffic commissioners) where legally required
  • Law enforcement in response to a valid legal request
  • Professional advisers (accountants, lawyers, auditors) under duties of confidentiality
  • Successors in the event of a merger, acquisition, or insolvency, where the recipient agrees to be bound by terms at least as protective as this policy

We will never sell your data to advertisers, data brokers, or third parties for their own marketing purposes.

7.International data transfers

The vast majority of your personal data remains within the UK or the European Economic Area (EEA), where data protection laws are equivalent to the UK GDPR.

One transfer currently occurs outside the UK/EEA:

  • Authentication metadata (email, hashed password, session tokens) is processed within our EEA-resident authentication infrastructure and stored in our Convex database in Ireland (EEA). It is not routinely transferred outside the EEA.

You can request a copy of the safeguards applied by emailing legal@tractionsolutions.co.uk.

8.How long we keep your data (retention)

We keep personal data only as long as necessary for the purposes set out in this policy and for the periods set out in our Data Retention Schedule. A summary follows.

Data type Retention period Reason
Account dataDuration of subscription + 30 daysService delivery, possible re-subscription
Vehicle check records18 months from check dateDVSA compliance (15 months minimum + buffer)
Delivery / POD records7 years from deliveryHMRC and contractual evidence
Defect recordsLifetime of vehicle in fleet + 18 monthsAudit trail, vehicle history
DVLA licence check results12 months from check dateDVLA guidance on minimum necessary retention
GPS location (granular trail)90 daysOperational and investigative use
GPS location (point-of-submission)Retained as part of associated check/delivery recordInseparable from the record
Payment / subscription records7 years from end of subscriptionHMRC requirement
DVLA check usage records (for invoicing)7 years from invoice dateHMRC requirement
Driver data after leaving a fleetRemoved from fleet visibility immediately. If no personal subscription: deleted within 30 days. If personal subscription: retained per other categories.GDPR data minimisation
Support correspondence24 monthsService improvement, dispute resolution
Account data after cancellation (no re-subscription)Anonymised or deleted within 30 days, except where legal retention appliesGDPR storage limitation
Waitlist signupsUntil launch email sent + 30 days, unless further consent givenPurpose-specific consent

After the retention period expires, data is either deleted or fully anonymised so it can no longer be associated with you.

9.Your rights

Under the UK GDPR you have the following rights. To exercise any of them, email legal@tractionsolutions.co.uk or write to our registered office. We will respond within one month (extendable to three months for complex requests, with notification).

9.1 Right of access

You can request a copy of all personal data we hold about you and information about how we process it.

9.2 Right to rectification

You can ask us to correct inaccurate or incomplete data.

9.3 Right to erasure ("right to be forgotten")

You can ask us to delete your data, subject to our legal obligations to retain certain records (financial, DVSA compliance). Where we cannot delete, we will explain why and restrict processing instead.

9.4 Right to restrict processing

You can ask us to suspend processing of your data while a query is resolved.

9.5 Right to data portability

You can request your data in a structured, machine-readable format (JSON or CSV) for transfer to another service.

9.6 Right to object

You can object to processing based on legitimate interests, including GPS tracking. We will stop processing unless we have compelling legitimate grounds that override your rights.

9.7 Right to withdraw consent

Where processing is based on consent, you can withdraw it at any time without affecting prior lawful processing.

9.8 Rights related to automated decision-making

We do not currently make any decisions about you using solely automated means. If this changes, we will update this policy and notify you.

9.9 If you are a driver in a fleet

For most of your data, your employing operator is the controller (see section 4). Address requests to your operator (typically via your Transport Manager) first. If you cannot resolve the matter with them, contact us and we will assist.

9.10 Right to complain to the ICO

You have the right to complain to the Information Commissioner's Office:

  • Website: ico.org.uk/make-a-complaint
  • Phone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

We would prefer to address your concerns directly first. Please contact us before going to the ICO if you can.

10.How we keep your data secure

We take data security seriously and implement technical and organisational measures appropriate to the risk, including:

  • Encryption in transit — all traffic to and from CheckPod uses TLS 1.2 or higher
  • Encryption at rest — data stored by Convex and Stripe is encrypted at rest by those providers
  • Access controls — internal access is restricted on a need-to-know basis with multi-factor authentication
  • Role-based access within the app — drivers, transport managers, and admins each see only the data appropriate to their role
  • Audit logging — significant actions (DVLA checks, role changes, data exports) are logged
  • Secure authentication — EEA-resident authentication with support for multi-factor authentication (2FA)
  • Sub-processor due diligence — we review sub-processors' security practices and data protection compliance
  • Vulnerability monitoring — we monitor for and patch security vulnerabilities promptly
  • Backup and recovery — operational data is backed up regularly with tested recovery procedures
  • Anomaly detection — automated detection of unusual access or export patterns, with alerts to a responsible person for human-in-loop review (no automated lockout)
  • Cyber insurance — we hold dedicated cyber and data liability insurance with Hiscox Insurance Company Limited (policy PL-PSC10003939353/00 · £250,000 cover for own losses, claims, investigations, and business interruption · £50,000 cyber crime cover), with 24/7 breach response via Hiscox CyberClear

No system can be guaranteed 100% secure. If a security incident occurs, we will follow our Personal Data Breach Procedure — our internal operational runbook for breach response, held internally with a summary available on request. The Procedure commits us to:

  • Notifying affected Fleet Customer Controllers within 24 hours of becoming aware (tighter than the statutory 72-hour ICO requirement, set in our Data Processing Agreement);
  • Notifying the ICO within 72 hours where the breach is likely to result in a risk to individuals' rights and freedoms;
  • Notifying affected individuals without undue delay where the risk to their rights and freedoms is high.

11.Cookies and similar technologies

CheckPod uses only strictly necessary cookies and similar storage required for the Service to function (session tokens, authentication state, user preferences, offline caching). These do not require consent under PECR.

We do not use any analytics, advertising, or other non-essential cookies on either the marketing site or the application.

For full details, see our Cookie Policy.

12.Children's data

CheckPod is not intended for use by anyone under the age of 17 (the minimum age to hold a UK driving licence for relevant categories). We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without verified parental consent, we will delete it promptly.

13.Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page shows when the most recent change was made. Where changes are material (for example, a new sub-processor, a new category of data, or a new purpose), we will notify you by email and/or via an in-app notice at least 14 days before the change takes effect.

A version history of this policy is available on request from legal@tractionsolutions.co.uk.

14.Contact us

For any privacy or data protection matter:

Email
legal@tractionsolutions.co.uk
Post
Traction Solutions Ltd, 86–90 Paul Street, London, EC2A 4NE
Company number
17075841
ICO registration
ZC133272

We aim to respond to all enquiries within 5 working days, and to formal data subject requests within one month as required by law.

This Privacy Policy was last reviewed on 16 May 2026. We recommend re-reading it from time to time.