Privacy Policy
Last updated: 29 May 2026
5nPay ("we", "us", "our") is a UK-based SaaS platform for fleet Penalty Charge Notice (PCN) management, walkaround checks, defect tracking, accident reporting, and fleet compliance. This privacy policy explains how we collect, use, store, and share your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data Controller
The data controller is 5nPay (operated under sole-trader / limited company TBC).
- Registered address: TBC — update with your registered business address
- Companies House number: TBC
- ICO registration: TBC — register at ico.org.uk/registration
- Contact: privacy@5npay.co.uk
A Data Protection Officer (DPO) is not currently required under UK GDPR Article 37 because we do not conduct large-scale systematic monitoring or process special-category data as a core activity. Where this changes, a DPO will be appointed and named here.
2. Data We Collect
Account & identity
- Full name, email address, account type (standard / enterprise)
- Authentication data and session metadata managed by Clerk
- Company name, fleet size, depot, and team membership (for enterprise accounts)
Vehicle & PCN data
- Vehicle registration marks (VRMs), make, model, MOT and tax status (sourced from DVLA)
- PCN details: reference, council, contravention, location, amounts, deadlines
- Photos of PCN tickets uploaded by you (stored privately, server-side OCR only)
- Driver shift records, rota, and depot assignment data (enterprise accounts)
Walkaround & defect data
- Walkaround check items, statuses, driver name, location (GPS coordinates if you grant permission)
- Defect descriptions, severity, repair status, resolution notes
- Photos of defects you upload (private storage, signed-URL access only)
Accident data (where reported)
- Driver personal data: date of birth, address, contact number, licence class and categories, occupation, accident history
- Third-party data: names, addresses, contact numbers, vehicle details, insurer details (collected by you at the scene and entered on the form)
- Witness names and contact numbers
- Photos and walk-around videos of the company vehicle and third-party vehicles
- Incident location (GPS coordinates if available), description, weather, injuries
- Police and insurance claim reference numbers
Payment data
- Direct Debit mandate metadata held by GoCardless. We do not store your bank account number.
- Subscription status and billing history
Operational telemetry
- Error reports captured by Sentry (may include browser type, stack traces, redacted user IDs)
- Aggregate page-view and performance metrics from Vercel Analytics
- Server-side request logs (IP, user agent, route, status) retained for 30 days
3. Purpose of Processing & Lawful Basis
| Purpose | Lawful basis |
|---|---|
| Provide PCN tracking, defect, accident and fleet management | Contract performance (UK GDPR Art. 6(1)(b)) |
| Process Direct Debit payments via GoCardless | Contract performance |
| Look up vehicle data from DVLA and DVSA | Legitimate interest in providing accurate fleet records |
| Send compliance alerts (MOT, tax, expiring documents) | Legitimate interest in vehicle compliance |
| Send transactional emails (invites, password resets, repair updates) | Contract performance |
| Marketing communications | Consent (opt-in only) |
| Capture accident data including third-party information | Legitimate interest in handling insurance claims and meeting regulatory obligations |
| Improve the platform, fix bugs (Sentry, Vercel Analytics) | Legitimate interest, subject to your cookie consent |
We balance our legitimate interests against your rights and freedoms in each case. You may object to legitimate-interest processing using the contact details below.
4. Sub-processors
We rely on the following sub-processors. Each is contractually bound by data-processing terms compliant with UK GDPR.
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database and file storage (PCN photos, defect / accident photos, receipts) | EU (eu-west-2) |
| Clerk | User authentication and session management | EU / US (data residency) |
| Vercel | Application hosting, edge network, Vercel Analytics | Global edge, EU primary |
| GoCardless | Direct Debit payment processing | UK / EU |
| Resend | Transactional email delivery (invites, alerts, repair notifications) | EU / US |
| Sentry | Error and performance monitoring | EU (eu region pinned) |
| AWS S3 (eu-west-2) | Daily backups of database to private bucket | UK (London) |
| AWS Textract (eu-west-2) | OCR fallback for PCN photo extraction when on-server EasyOCR misses fields | UK (London) |
| DVLA / DVSA scraper service | Real-time vehicle MOT / tax lookup | UK |
| EC2 OCR microservice | On-server EasyOCR + NER processing for uploaded PCN images | UK (eu-west-2) |
| Cloudflare Turnstile | Bot protection for sign-up and contact forms | Global |
We do not sell your personal data to any third party. Data may be shared with law-enforcement bodies, insurers, or regulatory authorities (DVSA, ICO, HSE) when required by law or to handle a claim or audit you have asked us to support.
5. International Transfers
The primary processing region for your data is the United Kingdom and the European Union. Where a sub-processor (Clerk, Resend, Sentry) routes data outside the UK, the transfer is made under the UK International Data Transfer Agreement (UK IDTA), the UK Addendum to the EU Standard Contractual Clauses (SCCs), or to a jurisdiction the UK has recognised as providing adequate protection. We perform a Transfer Risk Assessment for each sub-processor that transfers data outside the UK.
6. Data Retention
- Account data — retained for the lifetime of your account.
- PCN, defect, accident records — retained for 6 years after the related event to meet UK insurance and tax record-keeping requirements.
- Payment records — retained for 7 years under HMRC rules.
- Photos and videos — retained alongside their parent record (PCN, defect, accident) and subject to the same retention period.
- Backups (AWS S3) — daily snapshots retained for 365 days, then permanently deleted.
- Sentry error reports — retained for 90 days.
- Vercel access logs — retained for 30 days.
When you close your account or request deletion, we erase personal data within 30 days except where we are legally required to retain it longer. Deletion requests covering insurance-relevant accident or defect records will be deferred until the 6-year retention window has expired or written confirmation is received from the relevant insurer.
7. Automated Decision-Making
We use automated systems to:
- Match PCNs to driver shifts based on time and vehicle data
- Extract text from PCN, defect and accident photos via OCR
- Classify PCN issuers using rule-based pattern matching
None of these systems produce legal or similarly significant effects without human review. All driver nominations and appeals are reviewed by you before submission to a council or operator. You may request human review of any automated outcome by contacting us.
8. Your Rights
Under UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate or incomplete data
- Erasure — request deletion ("right to be forgotten")
- Portability — receive your data in a structured, machine-readable format (we provide CSV / JSON exports from Settings → GDPR)
- Objection — object to processing based on legitimate interest
- Restriction — ask us to limit how we process your data
- Withdraw consent — for any processing relying on consent (e.g. marketing, optional analytics cookies)
Use the tools in your account Settings to export or delete your data, or email us at privacy@5npay.co.uk. We aim to respond within one month.
9. Children's Data
5nPay is a business-to-business platform intended for fleet operators. We do not knowingly collect data from anyone under 18. If you believe we have inadvertently collected data relating to a child, please contact us and we will delete it.
10. Data Security
We protect your data with: TLS in transit, AES-256 encryption at rest, role-based access controls, row-level security (RLS) on every database table containing user data, server-side rate limiting on expensive endpoints, daily off-site backups to a private versioned S3 bucket, structured audit logs via Sentry, and least-privilege IAM policies on all cloud sub-processors. Photos and videos are stored in private buckets with signed-URL access only.
11. Cookies
We use essential cookies for authentication and session integrity, optional analytics cookies (Vercel Analytics) and optional error-tracking cookies (Sentry). You can manage your preferences via the cookie consent banner or in Settings. See the Cookie Policy for the full list.
12. Third-Party Data You Enter
When you record an accident, you may enter personal data about a third party (other driver, witness, etc.). You confirm to us that you have a lawful basis (typically the legitimate interest of handling an insurance claim) to do so, and that you will inform the third party of the data you have collected if asked. We act as a processor for that data on your behalf and retain it under your account's retention policy.
13. Changes to This Policy
We may update this privacy policy. Material changes will be notified by email and via an in-app banner at least 14 days before they take effect. Minor wording updates will be reflected by changing the "Last updated" date above.
14. Complaints
If you are unhappy with how we handle your data you may complain to us first at privacy@5npay.co.uk or directly to the Information Commissioner's Office at ico.org.uk/make-a-complaint.