Hublix Service Provider Privacy Notice (England & Wales)
This Privacy Notice explains how Hublix Ltd ("Hublix", "we" or "us") collects, uses, and protects personal data of self-employed Service Providers using the Hublix Platform. It also outlines your rights under data protection laws. Hublix is committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 in handling your information. Because you are using Hublix in a business-to-business context (as an independent/self-employed service provider), certain consumer-specific laws may not apply to our contract; however, your personal data receives the full protection afforded by UK data protection law.
Data Controller: Hublix Ltd (Company No. 16546874), having its registered office at 31 Swallow Street, Iver, England, SL0 0ER, is the "data controller" for the personal data you provide as a Service Provider. This means we determine how and why your personal data is processed when you use our Platform. You can contact our data protection contact at privacy@hublix.ai or at the postal address above (Attn: Privacy) for any questions or to exercise your rights.
1. Personal Data We Collect
We collect and process several categories of personal data about you when you sign up and use the Hublix Platform. The types of data include:
- Identity and Contact Data: Your name, date of birth, personal/business address, email address, phone number, and login credentials (username, password). We may also record your company or trading name if you provide one, and your Hublix user ID.
- Service Provider Credentials: Driving licence details (licence number, expiry date, categories, any endorsements/points) and information from your driving record. For verification, we may collect your National Insurance number and the check code or details needed to access your DVLA record (with your permission). This yields DVLA status data such as whether your licence is valid, any disqualifications or points, classes of vehicles you can drive, etc., obtained via DVLA checks.
- Vehicle Information: Details of the vehicle(s) you use for your services: make, model, registration plate, year, MOT status (last test date, next due date), road tax status (taxed until date), and possibly vehicle insurance details (expiry date).
- Financial and Payment Data: Your payment card details as processed by our payment provider (Square). We do not store full card numbers or CVV ourselves; instead, we securely store a token or reference provided by Square to represent your card for billing purposes. We maintain records of your subscription payments (amounts, dates) and invoice records. If you are VAT-registered, we collect your VAT registration number and status (to display on invoices and for our VAT accounting). All subscription billing is handled via our secure web checkout integrated with Square; the mobile app itself does not process payments or in-app purchases. When you provide your card details, you authorize Hublix (through Square) to charge your card on a recurring weekly basis under a continuous payment authority. You may be asked to complete a Strong Customer Authentication step (e.g. 3D Secure) during the initial card setup in compliance with payment regulations. Hublix only supports card payments (no Direct Debit is used).
- Profile and Usage Data: Information on how you interact with our Platform. This includes your Hublix account preferences, plan selection, feature usage logs (e.g., how often you use the scheduling tool, when you run a vehicle check, etc.), and support tickets or inquiries you submit. We log your login times and device type, as well as settings or preferences.
- Communications Content: Copies of communications you have with us, such as emails to support, chat messages, or call recordings if you speak with our helpline. This also covers feedback you provide or survey responses.
- Device and Technical Data: When you use the app or website, we collect technical information such as your device model, operating system version, unique device identifiers, IP address, and app version.
- Location Data (limited): The Hublix app itself does not continuously track your GPS location. However, if you use vehicle checks or incident reports, we may process location information at those specific times. This is user-initiated and not background tracking. Additionally, your IP address may infer an approximate location (city/region), which we use for fraud prevention and analytics.
- Third-Party Data You Input: If you input personal data of third parties into the app (e.g., adding a customer's contact info, an emergency contact, or including names/addresses on an invoice), we collect that as part of providing the service to you. In such cases, you must ensure you have the right to share that data (see Section 6 on Controller/Processor roles for details on how we handle third-party data you provide).
We do not collect special categories of personal data about you (such as race, religion, health, or biometric data) except if you voluntarily provide something (for instance, if you mention a health issue to support). We also do not intentionally collect any data on criminal convictions beyond what may be present in your DVLA record (e.g., motoring offences). Any processing of criminal offence data (such as endorsement points or disqualifications on your licence) is carried out in accordance with UK GDPR Article 10 and the DPA 2018. Because we are not an official authority, we only handle such data if a specific condition in Schedule 1 of the DPA 2018 is met, and we maintain an appropriate policy document to safeguard this data.
2. How We Use Your Data (Purposes and Legal Basis)
Hublix uses your personal data for the following purposes, each supported by a lawful basis under data protection law:
- Providing the Service (Contractual necessity): We use your Identity, Contact, Credentials, Vehicle, and Profile Data to set up and maintain your account and deliver the Platform features to you. For example, we use your licence and vehicle data to populate your profile and run compliance checks (ensuring the app features reflect your vehicle details); your contact details to communicate important information; and your login credentials to authenticate you. We process data that you input (schedules, notes, etc.) to display it back to you and store it for your use. This is necessary for the performance of our contract with you – without this data, we cannot provide the subscription service you expect. (Legal basis: UK GDPR, contract performance.)
- Payment Processing (Contract and Legal Obligation/Legitimate Interest): We use your Financial and Payment Data to bill your subscription fees and manage transactions (e.g., charging your card weekly and issuing receipts). This is part of our contract with you (providing the service in exchange for payment). We share necessary details with our payment processor (Square) to take payment, and we comply with card scheme rules for recurring transactions (including any required security/authentication measures). We also keep records of payments for accounting and auditing – this is a combination of contract necessity and legal obligation, since we must maintain financial records for tax and regulatory purposes. For instance, under UK tax law we retain invoices and evidence of VAT for at least 6 years.
- DVLA and Eligibility Checks (Legitimate Interest & Consent): We process your Service Provider Credentials and perform checks on your DVLA driving licence record (and vehicle MOT/tax status) to ensure you meet our platform's eligibility criteria and for safety compliance. Our legal basis here is our legitimate interests in maintaining a reliable platform with qualified, safe Service Providers (protecting public safety), as well as protecting our business from the risk of unlicensed or disqualified Service Providers using our Platform. This process is expected and proportionate, given that you sign up to provide driving services. In practice, we obtain your consent to retrieve your DVLA record (since you must explicitly provide the check code or other access details) – that consent facilitates the check in line with DVLA requirements, as DVLA will only disclose your licence information with your approval. Once obtained, we use the DVLA data to make decisions such as whether to continue or suspend your account (see the Terms for our policy on disqualifications or excessive points). Legal basis: UK GDPR Art 6(1)(f) (legitimate interests in safety and compliance). To the extent accessing the DVLA data requires your consent under specific law, we rely on your consent as well (UK GDPR Art 6(1)(a)).
- Service Communications (Contractual necessity & Legitimate Interest): We use your contact information to send essential service-related communications. This includes messages like payment receipts, subscription renewal notices, important policy updates, or security alerts. These communications are necessary for performing our contract with you (keeping you informed about the service you're paying for) and also serve our legitimate interest in ensuring you are aware of important information. For example, if a payment fails or we update our Terms or policies, we will notify you via email or in-app notification.
- Customer Support and Incident Response (Legitimate Interest): If you contact us for help or to report a problem, we will use the information you provide (and possibly relevant data from your account) to assist you and resolve your request. We may access your usage logs or account settings as needed to diagnose and fix issues. It is in our legitimate interest (and yours) that we provide effective customer support and maintain user satisfaction by promptly addressing technical or service issues.
- Improvement and Analysis (Legitimate Interest & Consent): We may analyze usage patterns, feedback, and aggregated data to improve our Platform's features and fix issues. This includes activities like debugging software, monitoring performance, and analyzing which features are most or least used. We rely on our legitimate interests in refining and developing our services for this type of processing. In practice, such analytics data is typically anonymized or aggregated, and you can opt out of non-essential analytics (see Section 8 on Cookies).
- Marketing Communications (Consent or Legitimate Interest): At present, Hublix does not send any marketing emails or texts to Service Providers beyond communications directly related to the service. If in the future we introduce marketing messages (for example, tips, offers, or new feature announcements), we will do so in compliance with the Privacy and Electronic Communications Regulations (PECR) and UK GDPR – likely by asking for your opt-in consent unless a lawful legitimate interests exemption applies. In any case, you will be able to opt out of such communications at any time. We will also never share your data with third parties for their own marketing purposes unless you explicitly agree to that separately.
- Legal Compliance and Security (Legal Obligation & Legitimate Interest): We may process any of your personal data as required to comply with applicable laws or valid legal requests, and to maintain the security of our services. For example, we keep certain records to fulfill our tax and accounting obligations (as noted above), and we may disclose information if we receive a court order or a law enforcement request that we are legally obligated to comply with. We will only disclose the minimum necessary in such cases and, when permitted, we will inform you of such disclosures. Separately, we process data for security and fraud prevention – e.g., we log IP addresses and device information to detect suspicious login attempts or protect against unauthorized access, and we may use automated systems to flag fraudulent activity. Our legal bases here are legal obligation (when processing is required by laws or regulations) and legitimate interests (when processing is for security measures, fraud prevention, or protecting our rights). For instance, protecting the platform and user accounts from hacking attempts is in our legitimate interest and benefits all users.
We do not sell your personal data to any third parties. We only share your data as necessary with certain categories of recipients, as described below and always under appropriate safeguards:
- Hublix Group and Personnel: If Hublix has affiliated companies or uses contractors and staff to help provide the service, your information may be shared with them on a need-to-know basis. All Hublix personnel and contractors are subject to confidentiality and are required to protect personal data.
- Service Providers (Processors): We use trusted third-party companies to perform certain data processing activities on our behalf, in support of the Platform's functionality. These providers act under our instructions and are bound by data protection agreements. Key service providers include:
- Payment Processor (Square): As mentioned, we use Square to process card transactions and handle subscription billing. Square will receive your card information and billing details (like transaction amounts and dates) for the sole purpose of processing payments and managing your subscription charges. Square is contractually bound to use your data only to provide payment services to us and to protect it in line with data protection law. Your card data is tokenized (replaced with a secure token) by Square and kept securely; Hublix itself never sees or stores your full card number or security code.
- DVLA Check Partner: If we use an intermediary service or third-party API to perform DVLA licence checks on our behalf, that partner will receive your licence details purely to retrieve your driving record for us. They are also bound by contract to use that data only for the permitted purpose and to handle it in compliance with data protection law. (In some cases, we might use the DVLA's own service directly without a third-party; in those cases your data is sent to DVLA's systems only for the check, and handled according to DVLA's procedures.)
- Cloud Hosting and IT Providers: We host our application and data on third-party cloud servers and may use other IT or software service providers (for example, for database hosting, backups, or content delivery). These providers may process personal data simply by storing or transmitting it on their systems. We select reputable providers with data centers in the UK to ensure safeguards. They have no authority to use your information for their own purposes, and we require them to maintain strong security measures.
- Analytics and Crash Reporting Tools: If you have consented to analytics, or if we use crash reporting tools in our app, a third-party platform might process some technical or usage data (for example, anonymized app usage statistics or crash diagnostic information). Such data is typically pseudonymized or aggregated. For instance, we might use a service like Google Analytics (with IP anonymization) for website traffic analysis – but only if you opt in to analytics cookies. Any analytics or crash service provider is disclosed in our Cookies Policy or this Notice, and they will only collect data as configured by us (no unauthorized data sharing).
- Email/SMS Delivery Services: If we send emails, text messages, or push notifications, we may use third-party communication services (for example, an email sending service or SMS gateway). These services will process your contact details to deliver the messages (e.g., your email address for sending a notification email). They are not allowed to use your information for anything aside from delivering our communications.
- Business Transfers: If Hublix is ever involved in a merger, acquisition, sale of assets, or other business transaction, your personal data may be transferred to the acquiring or succeeding entity as part of that deal. If such a transfer occurs, we will ensure that the new owner is contractually obligated to uphold the privacy protections described in this Notice (or inform you of any changes and obtain consent if required by law). Any transfer of this nature would be for the purpose of continuity of service. The legal basis for transferring data in such a scenario would typically be our legitimate interests in the business transition (ensuring the service can continue under new ownership) or possibly necessity for the performance of contract (if the service continues seamlessly). In any event, your rights with respect to your data would remain enforceable.
- Legal Compliance and Protection: We may disclose your data to third parties when required by law or when such disclosure is necessary to exercise, establish, or defend legal claims. For example, we might have to provide information in response to a court order, subpoena, or to cooperate with regulators or law enforcement (such as providing fraud investigation data to the police when required). We will scrutinize each request to ensure it has a proper legal basis and only provide information that is necessary. Where permitted, we will inform you of such requests. Additionally, if needed to enforce our Terms or protect the rights and safety of Hublix, our users, or others, we might share information with appropriate authorities or advisors (for instance, sharing data with law enforcement to report misuse or threats to safety). The legal bases for such processing are legal obligation (when complying with a legal demand) or legitimate interests (when sharing is necessary to prevent harm or enforce our rights, provided this doesn't unfairly prejudice your rights).
- Third Parties at Your Request: We will share your information with a third party if you specifically request or consent to us doing so. For example, if in the future the app allows you to integrate with a third-party service or export data to another platform, we would do so only with your direction. Similarly, if you ask us to provide a reference or verification to a prospective business partner or client on your behalf, we would only share data with your explicit consent.
Note: We do not share your personal data with other Service Providers on the platform, and none of your profile information is visible publicly or to other users by default. If we ever introduce a feature like a user directory, community forum, or referral system, it will be strictly opt-in and clearly explained.
3. International Data Transfers
Hublix is based in the UK. However, the data we collect may be stored or processed in other countries if our service providers are located or use servers abroad. Whenever we transfer personal data outside of the UK (or outside the European Economic Area, as the case may be), we ensure that adequate safeguards are in place to protect your information in accordance with data protection law.
For example, if one of our cloud hosting providers or our payment processor stores data on servers in the United States or another country outside the UK/EEA, we will rely on an approved legal transfer mechanism such as the UK's International Data Transfer Agreement (IDTA) or the standard contractual clauses (SCCs) approved under UK law. These are contractual commitments that oblige the recipient to protect your data to UK/EU privacy standards. We also assess whether additional technical measures (like encryption in transit and at rest) are needed in light of UK regulatory guidance (e.g., following the principles from the "Schrems II" case regarding international transfers).
You can ask us for more information about any international transfers of your data, or request a copy of the relevant safeguards (such as excerpts of the contractual clauses), using the contact details provided at the end of this Notice. We will be transparent about how and where your data is handled.
4. Data Retention
We retain your personal data only as long as necessary to fulfil the purposes set out in this Notice and to meet legal, accounting and reporting obligations. The specific periods reflect the seasonal nature of delivery services and our legal duties.
Active account. While your subscription or account is active, we keep the data needed to operate the Platform on an ongoing basis (e.g. profile, credentials, vehicle details, usage history, and subscription records).
Account inactive or cancelled (archive – up to 24 months). If you cancel or your account becomes inactive, we place it into archive for up to 24 months to support seasonal returns and moves between DSPs. This allows you (or a new DSP) to reactivate without re-entering everything or re-running checks.
- What we keep during archive (data minimisation):
- Core identity: name, date of birth, contact details (for reactivation and legal records)
- Service Provider credentials: DVLA check results/licence details (to avoid immediate re-verification)
- Vehicle: last registered vehicle details
- Subscription history: plan records and payment history (see "Financial records")
- Compliance/audit: DVLA check dates, Terms acceptance, CPA consent evidence
- What we delete immediately on cancellation/inactivity:
- Login credentials (password hash removed; you'll reset on return)
- Active payment card tokens (deactivated with Square; no further charges possible)
- Detailed usage logs (e.g. screen views, feature interactions)
- Device/technical logs (e.g. IP addresses, device IDs)
- Non-essential support threads (moved to case archive – see "Support communications")
- Access restrictions during archive. Archived data is not used for any new purpose (no analytics/marketing). Access is limited to authorised personnel for: (a) legal/accounting obligations, (b) responding to your rights requests, or (c) reactivating your account at your request or a DSP's request.
- Your right to early deletion. You may request deletion at any time during the archive period (see "Your rights"). We will delete what we can and keep only what the law requires (e.g. financial records, contract evidence).
Deletion after archive. After 24 months of continuous inactivity, we permanently delete or anonymise your personal data in line with our policy. We remove personal identifiers and securely erase or overwrite data so it can no longer be linked to you. Data needed for legal reasons (see below) is kept only to the extent required.
Financial records (6 years from transaction year-end). We keep invoices, payment records and VAT documentation (and associated identity data such as your name/contact details, amounts and dates) for at least 6 years after the end of the financial year in which the transaction occurred. Access is restricted (accounting, audit, regulatory requests) and the data is not used for other purposes.
Contract and consent evidence (up to 6 years from contract end). We keep evidence of your acceptance of the Terms, your Continuous Payment Authority (CPA) consent for recurring billing, and related e-signature/audit logs for up to 6 years after contract end to establish, exercise or defend legal claims. We delete sooner if no longer needed and there is no legal hold.
Support communications (up to 2 years). Support tickets and feedback may be retained for up to 2 years to assist with future inquiries and improve support. We delete earlier if not needed. After account deletion, these are retained as separate case files (not active profile data).
DVLA check data. Your DVLA check code is used to retrieve the record and then discarded (single-use/expiry-bound). DVLA results (e.g. licence validity/endorsements) are kept as part of your compliance record while your account is active and through the 24-month archive, then deleted. Earlier deletion is available on request unless needed for legal reasons.
Payment card data. Cardholder data is handled by our payment provider (Square). We do not store your full PAN or CVV. We keep only basic card identifiers (brand, last-4 digits, expiry) and a non-card customer reference for receipts and display. Your saved card token (held by Square) is active only while your subscription is active and is deactivated on cancellation; it is removed within 30 days of cancellation or as part of confirmed erasure on request. Any card references on invoices/receipts are retained solely within "Financial records".
Backups (rolling cycles). Encrypted backups run on rolling schedules and are overwritten/deleted automatically. After we delete data from live systems, it may persist in backups for a short time until those backups age out; backup data is inaccessible for normal operations.
Legal holds. If required to preserve data (e.g. court order, legal dispute, regulatory investigation), or if deletion is restricted by law, we retain only what's necessary beyond the periods above, isolate it from routine use, and delete it when the requirement ends. If we cannot action a deletion request for this reason, we will let you know.
Propagation of deletion. After deletion/anonymisation on live systems, full purging from all backups and archives may take a brief additional period. During that time, the data is protected by appropriate security and access controls and is not used.
Legal basis for archive retention (24 months). We rely on legitimate interests (UK GDPR Art. 6(1)(f)) to retain a minimal archive for up to 24 months, to support seasonal/returning Service Providers, reduce onboarding friction, maintain compliance continuity and enable DSPs to re-engage Service Providers efficiently. We balance this with your rights by: (a) minimising what we keep, (b) restricting access and use, (c) offering early deletion on request, and (d) limiting the period to a reasonable industry-aligned window. If you object or request deletion, we will comply unless we must retain specific items for legal reasons.
5. Your Rights as a Data Subject
Under UK data protection law (UK GDPR and DPA 2018), you have certain rights regarding your personal data. Even as a business user of Hublix, you retain all the rights afforded to individuals. These include:
- Right of Access: You have the right to request a copy of the personal data we hold about you, as well as information on how we process it (commonly known as a "Subject Access Request"). Upon request, we will provide you with a copy of your data and relevant information, free of charge (except in rare cases of excessive or unfounded requests), typically within one month. We may need to verify your identity before releasing the data to ensure we don't disclose it to the wrong person.
- Right to Rectification: If any personal data we hold about you is inaccurate or incomplete, you have the right to have it corrected. You can update some of your information directly via the app (for example, you can change your contact details or vehicle info in your profile). For other corrections, you can contact us and we will promptly correct any confirmed inaccuracies.
- Right to Erasure (Right to be "Forgotten"): You have the right to request deletion of your personal data in certain circumstances. For instance, if the data is no longer necessary for the purposes we collected it, or if you withdraw consent (in cases where consent is the basis) and we have no other lawful basis to continue processing, or if you object to processing and we have no overriding legitimate interest, or if we unlawfully processed your data. This right is not absolute – sometimes we may need to retain certain data despite your request, for example if required by law or if it's needed to establish or defend legal claims. We will assess each erasure request individually. If you choose to leave Hublix and ask us to delete your data before our standard retention period elapses, we will do our best to accommodate the request. (For example, we might be able to delete your profile and usage data immediately, while still retaining transaction records that we are obligated to keep.) We will always explain to you what we can and cannot delete at the time of your request.
- Right to Restrict Processing: You have the right to ask us to restrict or pause the processing of your personal data under certain conditions. This can apply, for example, if you contest the accuracy of the data (while we are verifying or correcting it), or if you have objected to processing (while we consider your objection), or if processing is unlawful but you prefer we hold the data rather than delete it, or if we no longer need the data but you need us to keep it for a legal claim. When processing is restricted, we will store your data but not use it except for legitimate purposes like legal claims or with your consent.
- Right to Data Portability: For personal data that you have provided to us, and which we process by automated means based on your consent or on a contract with you, you have the right to obtain that data in a structured, commonly used, machine-readable format. You also have the right to request that we transfer that data to another controller, where technically feasible. In practice, this could include things like your account profile information or transaction history that you gave us. If you need an export of your data, we will provide it (for example, as a CSV or similar file) so you can reuse it elsewhere.
- Right to Object: You have the right to object to our processing of your personal data in certain situations. Specifically, you can object to processing that we are doing on the basis of legitimate interests (or on the basis of performing a task in the public interest, though we don't do that) if you feel it impacts your rights and freedoms. If you raise such an objection, we will stop the processing in question unless we can demonstrate compelling legitimate grounds for the processing that override your interests, or if we need to continue processing for the establishment or defense of legal claims. You also have an absolute right to object to any processing of your data for direct marketing purposes. As noted, we currently do not process your data for unsolicited marketing, but if we ever did (e.g. sending a newsletter or offer), you could opt out at any time and we would cease that marketing use immediately.
- Right not to be subject to Automated Decisions: You have the right not to be subject to a decision based solely on automated processing (including profiling) that significantly affects you, unless it is necessary for entering or performing a contract, authorized by law, or based on your explicit consent (and even in those cases, you have rights to have a human review and to contest the decision). Hublix does not currently make any solely automated decisions with legal or similarly significant effects on you – for example, we do not have any AI system that automatically bans or penalizes you without human involvement. Any important decisions (like suspension for a failed licence check) involve manual review and are based on transparent criteria. If this ever changes, we will inform you and ensure your rights in this regard are protected.
To exercise any of your rights, you can contact us at privacy@hublix.ai. We will respond as soon as possible and at least within one month, as required by law (we may extend this timeframe by an additional two months for particularly complex requests, but we will inform you if that is the case). We might ask for certain information to verify your identity before fulfilling a rights request, especially for access, deletion, or data portability requests, to ensure we do not inadvertently modify or release data to an unauthorized person. If we cannot fulfill your request in whole or in part, we will explain the reasons – for example, if you request deletion of data that we are legally required to keep, we will inform you of that obligation.
6. Controller/Processor Roles
Hublix operates in different roles depending on the type of data being processed. This section explains when Hublix is the data controller, when others are the controller, and what this means for your rights.
When Hublix Is the Data Controller:
Hublix acts as the data controller for:
- Your Hublix Subscription: Payment processing for your selected subscription plan, Payment card details (processed via Square – only last 4 digits and expiry stored), Billing records, subscription history, invoices, Terms of Use acceptance and e-signature audit trail, Continuous Payment Authority (CPA) consent records.
- Your Hublix Account: Login credentials (email, password – hashed), Account preferences and settings, Hublix-ID (pseudonymous user reference), Session logs (login times, device type, IP address), Security monitoring data (fraud prevention, diagnostics).
When Your DSP Is the Data Controller:
For most data about you in Hublix, your Delivery Service Provider (DSP) is the data controller, not Hublix. Your DSP uses Hublix to manage their service provider base. For Service Provider and service-related data, your DSP determines what data is collected and why. Hublix acts as data processor on their behalf.
Data Controlled by Your DSP: Service Provider profile (name, address, contact details, date of birth), DVLA licence details and verification results, Vehicle information (registration, MOT, insurance, road tax), Service block schedules, route assignments, service blocks, KPI, Invoices for work performed for the DSP, payment records.
Why Your DSP Is the Controller: Decides what data to collect (DSPs can configure Hublix differently), Determines why the data is needed (service provider management, compliance, safety, service block allocation), Decides how to use the data (performance evaluation, payment processing).
Hublix's Role as Data Processor: Processes DSP's data only according to documented instructions under a Data Processing Agreement (DPA), Maintains security and confidentiality (encryption, access controls), Assists DSP in responding to your data rights requests, Notifies DSP immediately of any data breaches, Deletes or returns data when instructed by the DSP.
Hublix does NOT: Use your Service Provider/service data for its own purposes outside providing the platform, Share your DSP's data with other DSPs without consent or legal requirement.
Your Rights for DSP-Controlled Data: Contact your DSP directly to exercise data protection rights (access, rectification, erasure, portability, objection, restriction). Hublix will assist your DSP in fulfilling your request per the Data Processing Agreement, but the DSP is responsible for responding to you.
Switching DSPs: If you switch from one DSP to another, you can keep your Hublix account and subscription. Your service history remains accessible for your records (tax, proof of experience), and the new DSP can onboard you without re-entering all information.
When YOU Are the Data Controller (Third-Party Data You Input):
In some cases, you may input personal data about third parties into Hublix for your own business purposes. For example: Delivery recipient names and addresses, Customer or client contact information on invoices you generate, Contact details for dispatchers, fleet managers, or other business contacts.
In these cases: You are the data controller (it's your customer/business data), Hublix is the data processor (processing on your instructions to provide platform functionality).
Your Responsibilities: Ensure you have a lawful basis to collect and use third-party data (e.g., contract with customer, legitimate business interest); Do not input personal data unless you have the right or permission to do so; Respond to data subject rights requests from your customers or contacts.
Hublix's Role: Uses third-party data only to provide services to you (storage, invoice generation). Does not use it for independent purposes outside providing Hublix services. Applies the same security measures to protect any third-party data you enter.
Data Processing Agreement: This Privacy Notice (together with our Terms of Use) serves as the data processing agreement between you (as controller) and Hublix (as processor) for any third-party personal data you input. If you or a client require a separate signed Data Processing Agreement, contact privacy@hublix.ai.
Not sure who to contact? Email privacy@hublix.ai and we'll direct you to the appropriate controller.
7. Data Security Measures
Hublix takes the security of your personal data very seriously. We implement appropriate technical and organizational measures to protect data against unauthorized access, alteration, disclosure, or destruction. These measures include, among others:
- Encryption: We encrypt personal data in transit and at rest wherever feasible. This means that communications between the app/website and our servers are protected via HTTPS (SSL/TLS), and sensitive data stored in our databases or backups is encrypted. For highly sensitive data (like passwords), we use one-way hashing with salt (so that even we cannot recover your password, only verify it). Any communication with external services (e.g., DVLA or Square) is done over secure, encrypted channels as well.
- Access Controls: We limit access to production systems and databases to a small number of authorized personnel who have a legitimate need to access data (principle of least privilege). Access to administrative tools is protected by strong authentication (including multi-factor authentication where possible) and logged for audit. Our staff are trained in data protection and are bound by confidentiality obligations. We regularly review user permissions and promptly revoke access that is no longer required.
- Pseudonymization: Where possible, we reduce the direct identification of individuals in our system. For example, internally we may separate certain personal details from usage logs, referring to an internal user ID rather than your name. Similarly, as noted, we tokenize financial information so that our systems handle a token or reference instead of your actual card number. This limits exposure of identifiable data throughout our environment.
- Network & System Security: Our servers are protected by firewalls and monitoring systems to guard against unauthorized access. We employ up-to-date security software and apply security patches to our operating systems and applications regularly to address vulnerabilities. We run anti-malware and other protective tools to prevent, detect, and respond to threats. We also use intrusion detection and prevention systems to monitor for suspicious activities.
- Testing and Audit: We periodically test our infrastructure and applications for security weaknesses. This may include vulnerability scanning, penetration testing by independent specialists, and code reviews focused on security. We address any findings with high priority. We also conduct periodic audits or assessments of our security controls to ensure they remain effective. Our security practices are updated continually to adapt to new threats.
- Incident Response and Breach Notification: Despite all measures, no system can be 100% secure. Hublix has a detailed incident response plan in case of a security incident or data breach. If a personal data breach occurs that poses a risk to your rights and freedoms, we will notify the UK Information Commissioner's Office within 72 hours and inform you without undue delay, as required by law. We will also take all necessary steps to contain the breach, mitigate its effects, and prevent future recurrence.
- User Responsibilities: We also remind you that you play a role in keeping your data secure. Please protect your account login credentials – use a strong, unique password and do not share it. Hublix will never ask you for your password via email or phone. If you suspect any unauthorized access or security issue with your account, notify us immediately so we can help secure it.
8. Cookies and Similar Technologies
If you use our website or the web portal, Hublix uses cookies and similar tracking technologies to enable and improve the service. (If you only use the mobile app, cookies may not apply directly, but analogous technologies like local storage or analytics SDKs might.)
- Essential Cookies: These cookies (or similar tokens) are necessary for the website/app to function properly. They include, for example, session cookies that keep you logged in as you navigate, or cookies used for load balancing and security. These are always active and do not require consent because the service cannot run without them. For instance, when you log into the web portal, we use a secure session cookie to recognize your authenticated session.
- Analytics Cookies: These are optional cookies that help us understand how users interact with our site or app. For example, we might use Google Analytics or a similar tool to see which pages are visited most often, how users find our site, or to detect navigation issues. We only set analytics cookies if you consent to them. When you first visit our website, you will see a cookie banner giving you the choice to accept or reject non-essential cookies. If you opt in (accept), the analytics cookies will be set and start collecting information (such as page load times, buttons clicked, generalized location based on IP, etc.). If you decline, we will not set those cookies. You can also change your preference later via our website's cookie settings page.
- No Advertising Cookies: We do not use any third-party advertising or targeting cookies on Hublix. We do not serve ads in our app or on our site, so we have no need for cookies that profile you for advertising purposes.
- Mobile App Analytics: On the mobile app, we may use similar technologies for analytics or crash reporting. For example, we might incorporate an analytics SDK that collects usage events or a crash reporting library that sends crash logs to us. We will ask for your opt-in consent for any analytics tracking in the app. (Typically, this could be a toggle in your app settings or a prompt when you first use certain features.) Crash reporting data, which helps us fix bugs, might be collected by default, but it generally does not include personal info beyond technical device data and the context of the error. You usually have the option to disable analytics in the app settings if you wish.
- Your Choices: For detailed information on all cookies and similar technologies we use, please see our separate Cookie Policy. It lists each cookie, its purpose, and its expiration. You can manage your cookie preferences at any time: most web browsers allow you to delete or block cookies (but note that blocking essential cookies can impair the functionality of our site). Our cookie banner also allows you to withdraw consent by revisiting the settings. Using our site or app will imply consent to essential cookies (since they are needed for service), but for anything else, we respect your choice.
PECR (Privacy and Electronic Communications Regulations) requires that we obtain consent for any non-essential cookies, and we adhere to this requirement (even though you are a business user, the rules apply the same to all users). We do not rely on "implied" consent or pre-ticked boxes – only a clear affirmative action (like clicking "Accept" on the banner) will enable those optional cookies.
9. Your Choices and Contacting Us
- Marketing Preferences: As noted, by default we do not send marketing communications unrelated to the service. If this changes, we will seek your consent or at least offer a clear opt-out mechanism. You can always update your communication preferences (for instance, choosing what types of emails you receive) in the app settings or by contacting our support.
- Updating Your Information: It's important that the personal data we hold about you is accurate and current. You can log in to the Hublix app or portal to review and update certain information in your profile (like your contact details, vehicle info, etc.). If you find any inaccuracies that you cannot correct yourself, you have the right to ask us to correct them (see Right to Rectification above), and we will promptly do so.
- Withdrawal of Consent: Where we rely on your consent for processing (for example, for optional analytics cookies or if you provided consent for us to access your DVLA record), you have the right to withdraw that consent at any time. You can manage cookie consent as described, and you can choose not to provide a DVLA check code (bearing in mind that without it we cannot complete the onboarding licence verification). Withdrawing consent will not affect the lawfulness of any processing done before the withdrawal. It simply means we will stop the particular processing that was based on consent going forward.
- Complaints: We hope to resolve any query or concern you raise about our use of your data, but if you have unresolved concerns, you have the right to complain to the UK supervisory authority for data protection, which is the Information Commissioner's Office (ICO). You can contact the ICO by phone at 0303 123 1113 or by writing to them at Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. More information is available on the ICO's website (ico.org.uk). We encourage you to reach out to us first at privacy@hublix.ai with any complaints or issues – we will do our best to investigate and address your concerns as a matter of priority.
- Contact Us: For any questions about this Privacy Notice or any requests regarding your personal data, you can contact our data protection contact/team at privacy@hublix.ai, or by mail at: Hublix Ltd – Privacy, 31 Swallow Street, Iver, England, SL0 0ER. We will respond as soon as practicable.
10. Changes to This Privacy Notice
We may update this Privacy Notice from time to time. The "Last Updated" date at the top shows when it was last revised.
For material changes affecting your rights, we will notify you by email at least 30 days in advance and post a notice in the app.
Your continued use of Hublix after changes take effect means you accept them. If you do not agree, you may cancel your subscription as described in our Terms of Use.
Previous versions are archived and available on request at privacy@hublix.ai.