# Privacy Notice — Tachoparser Compliance Report Service

> **Service-specific notice.** This document covers the *Tachoparser*
> service. For the general Fleet Transport Consultants Ltd company
> privacy policy (website cookies, contact form, client engagement
> data), see [theftc.co.uk/privacy-policy](https://www.theftc.co.uk/privacy-policy/).

**Last updated:** 1 May 2026
**Data Controller:** Fleet Transport Consultants Ltd (Companies House 15032561)
**ICO registration:** ZB733088
**Contact:** privacy@fleettransportconsultants.co.uk

---

## 1. Who we are

Fleet Transport Consultants Ltd ("FTC", "we", "us") provides automated
tachograph compliance analysis under the Tachoparser brand. We are a UK
limited company (Companies House 15032561). Our information security
management system is **certified to ISO/IEC 27001:2022** under certificate
MIAL/UK/18022025/27FTCL.

---

## 2. Who this notice is for

This notice describes how we process personal data when an operator (you)
sends us tachograph download (DDD) files for analysis. The personal data
inside those files relates primarily to **your drivers**, not to you. Where
we process driver personal data we act as a **Data Processor** under
UK GDPR; the operator (you) is the **Data Controller**.

This notice also describes how we handle your own contact data (email,
billing details) where we act as **Data Controller**.

---

## 3. What personal data we process

### From DDD files (we are Processor)

- Driver full name
- Driver smart-card number
- Driver activity records (drive / work / rest / available periods, with timestamps)
- Vehicle registration mark (VRM) and vehicle identification number (VIN)
- Vehicle odometer readings
- Speeding events
- Card insertion / withdrawal events

### From the operator account (we are Controller)

- Contact name, email address, phone number
- Billing address
- Payment metadata (Stripe handles card details — we never see them)

---

## 4. Why we process it (lawful bases)

| Purpose | Lawful basis |
|---|---|
| Run the compliance analysis you commissioned | Article 6(1)(b) UK GDPR — performance of contract |
| Bill you and keep accounting records | Article 6(1)(b) + 6(1)(c) — contract + legal obligation (Companies Act, HMRC) |
| Defend against legal claims | Article 6(1)(f) — legitimate interests |

For driver personal data, our processing is performed entirely on your
documented instructions (Article 28 UK GDPR) — you remain the Controller
and the legal basis for that processing is yours to establish (typically
Article 6(1)(c) for tachograph regulatory compliance).

---

## 5. How long we keep it

| Data | Retention |
|---|---|
| DDD files (raw uploads) | **30 days** after report delivery, then permanently deleted |
| Generated Excel reports | **30 days**, then permanently deleted |
| Activity / driver / vehicle data extracted from DDDs | **30 days**, then permanently deleted along with the source files |
| Operator contact data | Duration of business relationship + 6 years (Companies Act) |
| Billing records | 6 years (Companies Act / HMRC) |

You may request earlier deletion at any time (see section 8).

---

## 6. Where it lives and who can access it

- **UK-only data residency**. Our infrastructure runs in UK regions; no
  data leaves the UK.
- **Encrypted in transit** (TLS 1.2+) and at rest (AES-256).
- **Access controls**: only named, vetted personnel of FTC can access
  customer data, audited under our ISO 27001-certified ISMS.
- **Sub-processors**:

  | Sub-processor | Purpose | Location |
  |---|---|---|
  | Stripe Payments Europe Ltd | Payment processing | Ireland (UK adequacy) |
  | Google Cloud (europe-west2 — London) | Hosting & data storage | UK |
  | Google Workspace | Operator email correspondence | UK / EU |

  We will give 30 days' notice of any change to this list. Latest version is
  always available on request.

---

## 7. We do not

- Sell, share, or commercially exploit your driver data
- Use driver data to train AI / ML models
- Use driver data for any purpose beyond delivering your report
- Combine your driver data with any third-party dataset

---

## 8. Your rights

Under UK GDPR you (or any data subject whose data you have provided) have
the right to:

- Request a copy of personal data we hold (subject access request)
- Request correction of inaccurate data
- Request deletion ("right to be forgotten")
- Restrict or object to processing
- Data portability
- Lodge a complaint with the Information Commissioner's Office (ICO) at
  https://ico.org.uk

Contact privacy@fleettransportconsultants.co.uk for any of the above. We
respond within 30 days.

---

## 9. Data Processing Agreement

For corporate customers, a Data Processing Agreement (DPA) compliant with
UK GDPR Article 28 is available on request. The DPA includes:

- Detail of processing
- Sub-processor list and notification commitments
- Security measures
- Breach notification timelines (within 72 hours of awareness)
- Audit rights
- Data return / deletion at end of contract

---

## 10. Security incidents

If we become aware of a personal data breach affecting your data, we will
notify you within **72 hours** with the information available, and report
to the ICO where required. Our incident response procedures are audited
under ISO 27001 Annex A.16.

---

## 11. Updates to this notice

We may update this notice from time to time. The date at the top reflects
the most recent change. Substantive changes will be communicated by email
to active customers with at least 30 days' notice before they take effect.

---

## 12. Contact

**Fleet Transport Consultants Ltd**
11 Ouchthorpe Lane, Wakefield, WF1 3HS
Email: privacy@fleettransportconsultants.co.uk
Phone: 0113 534 8006
Companies House: 15032561
ICO registration: ZB733088
ISO/IEC 27001:2022 certificate: MIAL/UK/18022025/27FTCL