Privacy Policy

Privacy Policy (Updated January 2020)
As part of the operation of the website – https://driverstop.co.uk (hereinafter the “website”) and the DriverStop application (hereinafter the “Application”) for connecting natural or legal persons in need of a goods delivery service (hereinafter the “Business Owner”) with independent couriers available to provide such service (hereinafter the “Couriers”), operated by DriverStop Ltd whose registered office is at 23 Hyde Park Road, Leeds, LS6 1PY, with the company number 10652283 (hereinafter the “Company”); the latter is required to collect a certain amount of personal data (hereinafter “the Data”).

The purpose of this privacy policy is to inform the data subjects concerned by this Data processing and provide a framework for the use and protection of such Data by the Company in compliance with the provisions of European Regulation No. 2016/679 of 27 April 2016 on personal data protection (hereinafter the “GDPR”).

This privacy policy may be modified or supplemented by the Company, in particular in order to comply with any changes in legislation, regulations, case law or technology. In such an event, the update date will be specified at the beginning of this policy. As these changes are binding upon Business Owner and Couriers as soon as they are posted online, the Company encourages them to regularly consult this policy in order to become aware of any changes and to stay informed about personal data protection practices and their rights.

1. Contact details of the data controller and data protection officer
The Data controller is the Company with the following contact details: DriverStop Ltd, 23 Hyde Park Road, Leeds, LS6 1PY
The contact details of the data protection officer are as follows: Kameran Khan, 23 Hyde Park Road, Leeds, LS6 1PY

2. Data collected by the Company
The Data that may be collected during the operation of the Website and Application are detailed below.

2.1. Business Owner and Courier Data
2.1.1. When a Business Owner or Courier creates an account, the Company collects the following Data directly provided by them:

User Account:
o last name
o first name
o postal address (or of the company’s location)
o email address
o telephone number
o company name
o business sector
o username
o password

Courier Account:
o last name
o first name
o postal address (or of the company’s location)
o email address
o telephone number
o username
o password
o profile photo
o date of birth
o identity card, passport or any other document that proves the Right to Work in the United Kingdom
o driver’s licence

These data are imperative for the creation of an account to access the services via the Website or the Application and are a prerequisite for the signing of the General and Special Conditions of Use (GCU).

Save for as set out under 2.1.3 below, they are kept by the Company in an active database for a period of 12 months (twelve months) from the last login by the User or by the Courier into the Application and 48 (forty-eight) months in intermediate archiving (that is, restricted access, retention necessary to meet legal obligations or to invoke a right before the courts). With regard to the identity card, passport or any other document that proves the Right to Work in the United Kingdom, such documents are necessary for the Company to fulfil its legal obligations and to prove such fulfilment in the event of audit. They are to be kept in a database that is separate from the others, access to which is restricted and only for this purpose.

2.1.2. When a Business Owner or Courier uses the Website or Application, the Company collects:
- the IP address of the Business Owner or Courier
- the login data of the Business Owner or Courier
- the Website or Application navigation data (including timestamp information)

These data are to be retained by the Company in an active database for a period of 6 (six) months after the last login of the Business Owner or Courier into the Application and 6 (six) months in intermediate archiving.

- at the time of entering the goods pickup address, so that it can automatically suggest an address, the precise location of the Business Owner’s terminal by means of the Website or Application if the User authorises it to access the terminal’s location services
- the precise location of the Courier’s terminal throughout the duration of the delivery of goods using the Application owing to its authorisation to access the terminal’s location services pursuant to the GCU
- the history of the deliveries of goods carried out, including the date, with the history of the goods’ route possibly including the Business Owner’s location on a fixed date and time and including the Courier’s precise location during the delivery of goods
- a record of written messages and, if any, telephone conversations (in case of the recording of a telephone exchange, the person is accordingly informed and has the opportunity to refuse to continue the communication) among the Business Owner, the Courier and the Company in the event of a claim
- incidents occurring during a delivery of goods
- statistics on the delivery of goods such as its duration, distance and transport method used/preferred
- the Business Owner’s signature if the latter is the sender or recipient
- the information provided by the Business Owner regarding the goods
- Courier performance data and metrics.

Save for as set out in clause 2.1.3 below, these data are to be retained by the Company in an active database for a period of 12 (twelve) months after the last login of the User or Courier into the Application and 48 (forty-eight) months in intermediate archiving.

By way of exception, the record of a telephone conversation is retained in an active database for a period of 6 (six) months after the concerned telephone conversation.

2.1.3 After a Courier’s last login, the Company will retain the data set out in clauses 2.1.1 and 2.1.2 for the periods set out above. In addition, the Company will retain the Courier’s name, email, driver ID and terms of departure for a period of 36 months in order to retain a record of former couriers for use in future hiring decisions.
This data will be held in a database that is separate from the others described in this policy, access to which is restricted and only for this purpose.

2.1.4. Invoicing of goods delivery operations:
- invoices relating to deliveries of goods issued by the Company in the name of and on behalf of Couriers,
- invoices relating to fees/commissions charged by the Company against the amounts paid to the Couriers,
- the amount for the transactions carried out as well as the date and time of such transactions.
Such data shall be retained by the Company in intermediate archiving for a period of ten (10) years after the end of the financial year to which the invoice relates.

2.1.5. For online payment, the Company uses a third party payment method (Stripe).

2.2. Data collected automatically when you merely visit the Website or Application
The Company automatically collects certain information about your devices simply when you visit our Website or Application, without identifying you, using cookies. The choices that you have regarding the use of cookies are set forth in Article 10 of this Privacy Policy.

3. Fate of data at the end of the retention period
At the end of the aforementioned retention periods, the Data will be anonymised in order to make it impossible to “re-identify” persons, such that the data are no longer personal within the meaning of the GDPR.
As an exception, the Data may be retained for longer durations in intermediate archiving to the extent, in particular, that:
- there is a legal or regulatory obligation to retain the Data for a fixed duration
- the Data are of interest, particularly in the event of litigation, justifying their retention for the periods set forth by applicable rules relating to limitation periods/lapse of rights (for example, in civil, commercial, criminal, accounting and tax matters) or until the end of the proceedings initiated.
In this case, only the Data strictly necessary for the fulfilment of the intended purposes will be retained.
The Data will be anonymised when the reason justifying the archiving no longer exists.

4. Use of Data by the Company

The Company undertakes to process the Data only in accordance with one of the following legal grounds provided by the GDPR:
- the processing is necessary for the provision of the services subscribed to (in particular via the use of the Website or Application) in accordance with the GCU accepted by the Business Owner or Courier:
o to create, maintain and administer an account to use the Website or Application,
o to enable the establishment of contact between Business Owner and Couriers in order to deliver goods through automated decision-making, particularly based on location data,
o to monitor deliveries of goods as well as assistance to and communication with Business Owner and Couriers regarding deliveries of goods,
o to facilitate intermediation between a Business Owner and a Courier, in particular for the issuance of invoices and the payment thereof,
o to provide technical and operational application support to facilitate the use of the Website and Application,
o to forward information relating to complaints, in particular compensation claims, in connection with a delivery of goods,
- the processing is necessary for the purposes of legitimate interests of the Company or third parties:
o to maintain, optimise and improve the Website, Application and our services and to develop new ones,
o to contact Business Owner and Couriers to provide them with any news or developments necessary to continue using the Website and Application,
o to maintain or improve the security of Business Owner and Couriers, in particular by informing the police or any other service concerned in the event of a threat or breach of the security of property or safety of persons,
o to prevent, detect and combat fraud when using the Website and Application,
o to ensure compliance with the GCU,
o to forward information relating to complaints, in particular compensation claims, in connection with a delivery of goods,
o to allow the Company to ensure that it partners with appropriate Couriers,
o to safeguard the Company’s interests in the event of dispute or litigation,
- the processing is necessary to fulfil a legal obligation of the Company:
o to check that the Couriers can legally carry out their independent goods delivery activity and prove such check,
- the processing is also possible when the data subject has given his/her consent (in such case, it is to be very clearly specified when the data subject’s consent is sought):
o to contact the Business Owner and Couriers to inform them about new offers of services and promotions that may be of interest to them. We may also send you such messages based on the “Company’s legitimate interests”, as the case may be. In any event, you can always unsubscribe from such emails,
o to conduct voluntary surveys.

5. Data Recipients

The Data are retained by the Company and used by the internal teams in charge of executing the services and the proper functioning of the Website and Application. They are also forwarded to any Business Owner or Courier concerned by a delivery of goods.
Lastly, they may also be forwarded to the following third parties depending on the purpose:
- third-party organisations (banks, a chartered accountant, an auditor, insurance companies in the event of dispute, data protection certification bodies, external auditors, social security or tax bodies),
The Data may also be shared in other cases with the consent or in accordance with the instructions of the data subject when the Company is required to do so by law. So, the Business Owner or Courier Data may be forwarded by the Company to partners for the purpose of prospecting electronically in the event that the data subject has expressly given his/her consent before any transmittal.
In the event that all or part of the Company’s business is sold off, the Data may be communicated to the purchaser in order to ensure the continuity of services.

6. Data Transfers outside of the European Union
The Company carries out the bulk of data processing within the territory of the European Union.
However, for certain specific services, particularly IT services, the Company may use subcontractors based outside of the European Union. Certain Data may then be shared within the strict limits of their assignments.
In such case, the Company makes sure beforehand and requires that subcontractors provide adequate guarantees necessary for the supervision, confidentiality and securing of such transfers. There are various legal guarantees allowing the transfer of Data outside of the territory of the European Union which the Company may use, including the following:
- the recipient country is considered by the European Commission as providing an adequate level of protection,
- we sign, with the subcontractor, the standard contractual clauses of the European Commission that guarantee a sufficient level of Data protection,
- the subcontractor is part of a group that has put in place binding corporate rules (BCR) to ensure a satisfactory level of protection during Data transfers,
- the subcontractor has put in place an approved code of conduct containing the binding and enforceable undertaking by the subcontractor to apply the appropriate safeguards,
- in the event of transfer to the United States, the Data shall only be transferred to companies listed in the Privacy Shield register.

7. Rights of data subjects in the collection of Data
In accordance with personal data protection regulations, any person whose personal data have been collected has the right, at any time, to invoke the following rights against the Company, subject to meeting the following conditions:
- right to be informed: right to receive clear, transparent and easily understandable information about how the Data are processed. This is why this Privacy Policy has been put in place,
- right of access: right to demand access to one’s own personal data processed by the Company,
- right of rectification: right to demand the modification or updating of one’s own personal data when they are inaccurate or incomplete,
- right to erasure: right to demand permanent deletion of one’s own personal data,
- right to restriction of processing: right to request that the processing of all or part of one’s own personal data be stopped,
- right to object: right to oppose the processing of one’s own personal data:
o invoked on the basis of the legitimate interests of the Company for reasons relating to the particular circumstances of the data subject, or
o for the purpose of prospecting, with no particular reason,
- right to portability: the right to demand a copy of one’s own personal data in an accessible and transferable format and the right to demand the transmittal of one’s own personal data to another data controller,
- the right not to be subject to decision-making based exclusively on automated means, including profiling, except when such decision is necessary for entering into or enforcing the GCU or is based on the explicit consent of the data subject,
- the right to give instructions for the retention, erasure and disclosure of your Data after your death,
- the right to lodge a complaint with the national data protection authority (the “ICO”).

8. How data subjects can exercise their rights
To exercise such rights against the Company, all you need to do is send an e-mail to the Company at the address contact@driverstop.co.uk making sure to prove your identity (mention the first and last names and e-mail address, and attach a copy of your identification document).
A response will be sent within one (1) month of the date of receipt of the request. If necessary, this period may be extended by two (2) months by the Company, which will alert the data subject, taking into account the complexity and/or number of requests.
In the event of a request for erasure or deletion of Data, the Company may, however, retain the Data in the form of an intermediate archive for the period necessary to meet its legal, accounting and tax obligations and in accordance with the applicable rules of limitation, in order to prevent possible unlawful behaviour after the deletion of the account of a User or Courier or during a litigation period.
It is specified that a request to delete the account of a Business Owner or Courier is not interpreted by the Company as an express request to exercise the rights under the aforementioned Article 7. The account will become inactive and the Data will be retained under the conditions and for the durations referred to in the present policy.

9. Data Security and Protection

9.1. Data Protection
The Company undertakes to adopt all measures to ensure the security and confidentiality of the Data collected. Although no system can be completely secure, the Company has put in place and applies various appropriate technical and organisational policies and measures to ensure a level of security that is appropriate to the risks and to protect Data, in particular against any unauthorised or illegal access, use or disclosure, as well as against accidental damage, loss, alteration or destruction.
In the event of a security incident affecting Data, the Company undertakes to comply with the obligation to notify personal data breaches, in particular to the ICO.

9.2. Security of User or Courier Passwords
The Company takes all manner of useful precautions to ensure the secure storage of the password of the Business Owner or Courier account.
However, the security of a password also depends on its design.
As a result, it is preferable that a good password be sufficiently long, composed of at least 3 different types of characters (letter, number, special character) and not have any link with its holder.

10. Use of Cookies
When using our Website and Application, information relating to browsing on your terminal (computer, tablet, smartphone, etc.) may be recorded in “Cookie” files stored on your terminal, subject to such choices as you may have made regarding Cookies.
10.1. What is a cookie?
A cookie is a small text file stored by the Company on the terminal that is used to access the Website or the Application and it allows your activity during your visit to be memorised.
Cookies relate to browsing by the Business Owner or Courier on the Website or Application and allow monitoring of their activity, particularly to determine which pages he/she visited and the date and time of the visit as well as to memorise data over the duration of the validity or storage of the cookie.
At no time do these cookies allow the Company to personally identify the Business Owner or the Courier but, rather, they identify a browser or terminal.

10.2. Which cookies are stored on the terminal when browsing on the Application?

10.2.1. Cookies of the Company
The Company uses its own cookies (linked in particular to the language of the Website) to provide an optimal user experience adapted to the personal preferences of the Business Owner or Courier.

10.2.2. Third Party Cookies
The Company also uses the cookies of third-party applications (Google, Facebook, LinkedIn, etc.) that, in particular, enable the collection of anonymous statistical data on visits to our sites and applications in order to improve their ergonomics.

10.3. How long are these cookies kept?
The retention time for these cookies on the User or Courier terminal does not exceed thirteen (13) months.

10.4. How to refuse the placement of cookies?
By using the Website or Application, the Business Owner or Courier consents to the use of cookies.
The Business Owner or Courier is informed, during his/her first visit, that he/she has the right to object to the storage of cookies, in particular by configuring his/her web browser to do so or by setting the Website or Application options from the “Cookie Banner”.
More help is available on the dedicated pages of the browser (following are the most common browsers):
Internet Explorer
Google Chrome
Safari
Firefox
Opera
The Business Owner or Courier can also set his/her browser so that it sends a code indicating to websites that he/she does not want to be tracked (“Do Not Track” option):
Internet Explorer
Chrome
Firefox
Opera
That notwithstanding, Business Owners and Couriers are informed that cookies play an important role in the functioning of the Company’s services. Therefore, if they refuse or delete cookies, this could affect the availability and functioning of the services.

11. Processor safeguards
With regard to the processing of the Data of senders and/or recipients for whom the User is the data controller and the Company is the processor, the latter undertakes to:
- process the Data only for the purpose(s) mentioned in Section 4 of this Privacy Policy,
- process the data in accordance with the documented instructions, if any, from the Business Owner. If the Company considers that an instruction constitutes a violation of the GDPR or of any other provision of EU law or of the law of Member States relating to data protection, it shall immediately inform the User accordingly,
- guarantee the confidentiality of the Data processed when using the Website and Application,
- ensure that the persons authorised to process the Data in accordance with the GCU:
o undertake to respect confidentiality or are bound by an appropriate legal duty of confidentiality,
o receive the necessary training on personal data protection,
- with respect to its tools, products, applications or services, be mindful of the principles of data protection from the design stage and data protection by default,
- scrupulously respect the entirety of this Privacy Policy, in particular regarding Data retention and anonymisation periods, security measures, Data transfer, etc.
The Company may use another subcontractor (see Article 5 on Data recipients) to perform specific services, including IT. The User, who is duly informed by means of this Privacy Policy, gives a general authorisation to the Company to do so. The Company shall ensure that the ultimate processor provides the same sufficient guarantees as to the implementation of appropriate technical and organisational measures so that the processing meets the requirements of the GDPR.
It is the responsibility of the Business Owner to provide information to senders and/or recipients concerned by processing operations at the time of data collection.
To the extent possible, the Company shall assist the Business Owner in fulfilling his/her obligation to act on requests to exercise data subject rights. When the sender and/or recipient makes a request to the Company to exercise his/her rights, the Company shall upon receipt email such requests to the Business Owner.
The Company shall notify the Business Owner, by email, about any personal data breach as soon as possible after being informed. Such notification shall be accompanied by any useful documentation enabling the Business Owner, if necessary, to give notice of such breach to the competent supervisory authority as well as to the data subjects.
The Company shall assist the Business Owner in conducting data protection impact assessments and in carrying out prior consultation with the supervisory authority.
The Company shall make available to the Business Owner all information necessary to demonstrate fulfilment of all its obligations and allow the performance of audits, including inspections, by the Business Owner or any other auditor appointed by him/her, as well as help with such audits.