Privacy Policy for DOCRIDE TECH LTD

How we collect, use, and protect your personal information

Effective Date: 20 October 2025

1. Introduction

DOCRIDE TECH LTD ("we," "us," or "our"), operating as DocRide, is committed to protecting the privacy of our users ("user" or "you") who interact with our website at www.docride.co.uk and our mobile application (collectively, the "Services").

DocRide provides cloud-based occupational health and safety (OHS) management software, including risk assessments, safety inspections, incident reporting, compliance management, and related services. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information and organizational data when you use our Services.

Please read this policy carefully. By using the Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with its terms, please do not access or use the Services.

2. Information We Collect

We collect various types of information when you use our Services, including:

2.1 Account and Registration Information
  • Personal Information: Name, email address, telephone number, job title, company name, business address, and other information you provide when creating an account or profile.
  • Credentials: Username, password (encrypted), and authentication information.
  • User Profile Data: Profile pictures, role within organization, department, certifications, and qualifications.
2.2 Operational and Safety Data
  • Safety Management Records: Risk assessments, safety plans, inspection reports, audit records, incident reports, corrective actions, permit-to-work documents, and compliance records.
  • Incident and Hazard Information: Details about workplace incidents, near-misses, hazards, injuries, and related investigations that may include personal information of affected individuals.
  • Employee and Contractor Data: Names, roles, training records, competency assessments, and safety certifications of personnel within your organization.
  • Media Files: Photos, videos, and documents uploaded to the Services (e.g., photos of worksite conditions, equipment, safety signage, or incident scenes), including any metadata such as GPS location and timestamps.
2.3 Technical and Usage Data
  • Device and Browser Information: IP address, browser type and version, operating system, device identifiers, screen resolution, and device model.
  • Usage Data: Pages viewed, features accessed, time spent on the Services, click patterns, navigation paths, search queries, and actions taken within the platform.
  • Location Data: Approximate location from IP address, and precise GPS location data (with your permission) when using mobile applications for on-site inspections or incident reporting.
  • Log Data: Server logs including access times, error logs, and system activity records.
2.4 Payment and Billing Information
  • Financial Information: Payment card details, billing address, and transaction history. Note: We use third-party payment processors (such as Stripe) who directly collect and process payment information. We do not store complete payment card numbers on our servers.
  • Subscription Information: Subscription plan details, renewal dates, and billing history.
2.5 Communications and Support Data
  • Correspondence: Content of emails, chat messages, support tickets, feedback, and survey responses.
  • Marketing Preferences: Communication preferences and consent records for marketing communications.
2.6 AI-Generated Data
  • AI Processing Data: When you use AI-powered features (e.g., risk assessment generation, automated compliance checks), we process the input data you provide and store the AI-generated outputs associated with your account.

3. How We Use Your Information

We use your information for the following purposes:

  • Service Provision: To create and manage your account, authenticate users, provide access to the Services, and enable you to use OHS management features including risk assessments, inspections, incident reporting, and compliance tracking.
  • Safety Management: To store, organize, and present your safety data, generate reports, track corrective actions, manage workflows, and facilitate compliance with health and safety regulations.
  • AI and Automation: To power AI features that generate risk assessments, provide compliance recommendations, automate safety checklists, and analyze safety data to provide insights.
  • Communication: To send you service-related notifications, account updates, security alerts, system maintenance notices, and respond to your inquiries and support requests.
  • Marketing: To send newsletters, promotional offers, product updates, and marketing communications (only with your consent, and you may opt out at any time).
  • Payment Processing: To process subscriptions, handle billing, manage payment methods, and fulfill orders.
  • Service Improvement: To analyze usage patterns, improve our Services, develop new features, conduct research, and optimize user experience.
  • Security and Fraud Prevention: To protect against unauthorized access, detect and prevent fraud, investigate security incidents, and enforce our terms of service.
  • Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests.
  • Analytics: To generate anonymized and aggregated statistical data for internal analysis and business intelligence.
  • Business Operations: To manage our business operations, maintain records, conduct audits, and fulfill contractual obligations.

Legal Basis for Processing (UK GDPR): We process your personal data based on: (a) contractual necessity to provide the Services; (b) your consent; (c) our legitimate interests in operating and improving our business; and (d) legal obligations.

4. How We Share Your Information

We may share your information in the following circumstances:

  • Within Your Organization: Data you input into the Services may be accessible to other authorized users within your organization based on their assigned roles and permissions. You control who within your organization has access to your data through user management features.
  • Third-Party Service Providers: We engage trusted third-party service providers to perform functions on our behalf, including:
    • Cloud hosting and infrastructure (e.g., DigitalOcean)
    • Payment processing (e.g., Stripe)
    • Email delivery and communication services
    • Analytics and monitoring tools
    • Customer support platforms
    • AI and machine learning services
    These providers are contractually obligated to use your data only for providing services to us and to implement appropriate security measures.
  • Legal Obligations and Rights Protection: We may disclose your information if required by law, court order, or governmental regulation, or when we believe disclosure is necessary to: (a) comply with legal processes; (b) enforce our terms and conditions; (c) investigate potential violations; (d) protect the rights, property, or safety of DocRide, our users, or the public; (e) prevent fraud or security threats.
  • Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred to the successor entity. We will notify you via email and/or a prominent notice on our website before your data is transferred and becomes subject to a different privacy policy.
  • With Your Consent: We may share your information with third parties when you have explicitly provided consent or directed us to do so (e.g., when you choose to share safety reports with external auditors or clients).
  • Aggregated or De-Identified Data: We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you for research, analytics, industry benchmarking, or marketing purposes.

Important: We do not sell, rent, or trade your personal data to third parties for their marketing purposes.

5. Security of Your Information

We take the security of your data seriously and implement comprehensive security measures to protect your information:

  • Encryption: Data at rest is encrypted using AES-256 encryption. Data in transit is protected using TLS (Transport Layer Security) encryption to secure communications between your device and our servers.
  • Access Controls: We implement role-based access controls, multi-factor authentication options, and least-privilege principles to ensure only authorized personnel can access sensitive data.
  • Infrastructure Security: Our Services are hosted on secure, industry-standard cloud infrastructure (DigitalOcean) with DDoS protection, firewalls, intrusion detection systems, and regular security updates.
  • Password Security: User passwords are hashed using industry-standard cryptographic algorithms and are never stored in plain text.
  • Security Monitoring: We maintain audit logs, monitor for suspicious activities, and conduct regular security assessments to identify and address potential vulnerabilities.
  • Data Backups: Regular automated backups are performed to prevent data loss and ensure business continuity.
  • Employee Training: Our personnel receive regular training on data protection, security best practices, and privacy obligations.

While we implement industry-standard security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, and you acknowledge that you provide information at your own risk. If you become aware of any security breach, please contact us immediately at info@docride.co.uk.

6. Cookies and Similar Technologies

Our Services use cookies and similar technologies to enhance your experience, analyze usage, and deliver personalized content.

  • Essential Cookies: Necessary for the Services to function; consent is not required.
  • Non-Essential Cookies: Used for analytics or advertising; require your consent, obtained via our cookie banner.

7. Your Data Protection Rights

Under the UK GDPR, you have the following rights:

  • Right to Access: Request a copy of your personal data.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure: Request deletion of your data (in certain circumstances).
  • Right to Restrict Processing: Request limitation of data processing.
  • Right to Data Portability: Request your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests or direct marketing.
  • Right to Withdraw Consent: Withdraw consent at any time where it is the basis for processing (e.g., via unsubscribe links in emails or cookie settings).

To exercise these rights, contact us at info@docride.co.uk. We will respond within one month.

8. Data Retention

We retain your personal data only as long as necessary to fulfill the purposes outlined in this Privacy Policy and to comply with legal, accounting, and reporting obligations. Retention periods vary based on data type and purpose:

  • Account Information: Retained while your account remains active and for a reasonable period after account closure to comply with legal obligations and resolve disputes.
  • Safety and Compliance Records: Retained in accordance with applicable health and safety regulations, which may require retention for up to 7 years or longer depending on the jurisdiction and record type.
  • Transaction and Billing Data: Retained for seven years to comply with tax and financial reporting requirements.
  • Technical and Usage Data: Typically retained for 12-24 months unless required for security investigations or legal compliance.
  • Marketing Data: Retained until you withdraw consent or opt out of marketing communications.

Upon expiry of retention periods, we securely delete or anonymize your personal data. For specific retention periods applicable to your data, please contact us at info@docride.co.uk.

9. International Data Transfers

Currently, we do not transfer your personal data outside the UK. Should this change, we will implement safeguards (e.g., standard contractual clauses) and update this policy accordingly.

10. Automated Decision-Making and Profiling

We may use your data to create profiles for personalizing your experience across our Services. However, we do not engage in automated decision-making that produces legal or similarly significant effects on you.

11. Policy for Children

Our Services are intended for business use and are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you believe we have inadvertently collected information from a child, please contact us immediately at info@docride.co.uk, and we will promptly delete such information.

12. Data Controller and Processor Relationship

DOCRIDE TECH LTD acts as a data controller for personal information collected directly from you (e.g., account registration, billing information, support communications).

For organizational data you input into the Services (e.g., employee records, safety inspections, incident reports), you (the customer organization) are the data controller, and we act as a data processor on your behalf. In this capacity:

  • You retain control over what data is collected and how it is used within your organization.
  • We process your organizational data solely in accordance with your instructions and our Terms of Service.
  • You are responsible for ensuring compliance with data protection laws regarding data you collect about your employees, contractors, and other individuals.
  • We provide you with tools to manage access, export, and delete organizational data as required by applicable laws.

13. Data Breach Notification

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority (Information Commissioner's Office in the UK) within 72 hours of becoming aware of the breach, as required by the UK GDPR.
  • Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
  • Provide clear information about the nature of the breach, the data affected, potential consequences, and measures we are taking to address the breach and prevent future occurrences.
  • Cooperate with regulatory authorities and affected parties to minimize harm and resolve the incident.

14. Third-Party Links and Services

Our Services may contain links to third-party websites, services, or integrations. We are not responsible for the privacy practices or content of these third parties. We encourage you to review the privacy policies of any third-party services before providing them with your personal information.

If you choose to integrate third-party services with DocRide, data may be shared with those services in accordance with your configuration. You are responsible for reviewing and accepting the terms and privacy policies of any third-party integrations you enable.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. When we make material changes, we will:

  • Update the "Effective Date" at the top of this policy.
  • Notify you via email or through a prominent notice on our Services at least 30 days before the changes take effect.
  • Seek your consent, where required by law, for significant changes that expand our use of your personal data.

Your continued use of the Services after the updated Privacy Policy becomes effective constitutes your acceptance of the changes. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

16. Contact Us

For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Company Name: DOCRIDE TECH LTD (trading as DocRide)

Email: info@docride.co.uk

Website: www.docride.co.uk

Response Time: We aim to respond to all privacy-related inquiries within one month.

Data Protection Officer: We have not appointed a dedicated Data Protection Officer, as we do not engage in large-scale processing of special category data. However, privacy inquiries can be directed to the email address above, and they will be handled by our data protection team.

Right to Complain: If you are not satisfied with our response to your privacy concerns, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:

Information Commissioner's Office (ICO)

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Phone: 0303 123 1113

Website: www.ico.org.uk

We are committed to resolving privacy concerns fairly and promptly, and we welcome the opportunity to address any issues before you contact the supervisory authority.