Privacy Policy

Last updated: 29 May 2026

5nPay ("we", "us", "our") is a UK-based SaaS platform for fleet Penalty Charge Notice (PCN) management, walkaround checks, defect tracking, accident reporting, and fleet compliance. This privacy policy explains how we collect, use, store, and share your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller

The data controller is 5nPay (operated under sole-trader / limited company TBC).

A Data Protection Officer (DPO) is not currently required under UK GDPR Article 37 because we do not conduct large-scale systematic monitoring or process special-category data as a core activity. Where this changes, a DPO will be appointed and named here.

2. Data We Collect

Account & identity

  • Full name, email address, account type (standard / enterprise)
  • Authentication data and session metadata managed by Clerk
  • Company name, fleet size, depot, and team membership (for enterprise accounts)

Vehicle & PCN data

  • Vehicle registration marks (VRMs), make, model, MOT and tax status (sourced from DVLA)
  • PCN details: reference, council, contravention, location, amounts, deadlines
  • Photos of PCN tickets uploaded by you (stored privately, server-side OCR only)
  • Driver shift records, rota, and depot assignment data (enterprise accounts)

Walkaround & defect data

  • Walkaround check items, statuses, driver name, location (GPS coordinates if you grant permission)
  • Defect descriptions, severity, repair status, resolution notes
  • Photos of defects you upload (private storage, signed-URL access only)

Accident data (where reported)

  • Driver personal data: date of birth, address, contact number, licence class and categories, occupation, accident history
  • Third-party data: names, addresses, contact numbers, vehicle details, insurer details (collected by you at the scene and entered on the form)
  • Witness names and contact numbers
  • Photos and walk-around videos of the company vehicle and third-party vehicles
  • Incident location (GPS coordinates if available), description, weather, injuries
  • Police and insurance claim reference numbers

Payment data

  • Direct Debit mandate metadata held by GoCardless. We do not store your bank account number.
  • Subscription status and billing history

Operational telemetry

  • Error reports captured by Sentry (may include browser type, stack traces, redacted user IDs)
  • Aggregate page-view and performance metrics from Vercel Analytics
  • Server-side request logs (IP, user agent, route, status) retained for 30 days

3. Purpose of Processing & Lawful Basis

PurposeLawful basis
Provide PCN tracking, defect, accident and fleet managementContract performance (UK GDPR Art. 6(1)(b))
Process Direct Debit payments via GoCardlessContract performance
Look up vehicle data from DVLA and DVSALegitimate interest in providing accurate fleet records
Send compliance alerts (MOT, tax, expiring documents)Legitimate interest in vehicle compliance
Send transactional emails (invites, password resets, repair updates)Contract performance
Marketing communicationsConsent (opt-in only)
Capture accident data including third-party informationLegitimate interest in handling insurance claims and meeting regulatory obligations
Improve the platform, fix bugs (Sentry, Vercel Analytics)Legitimate interest, subject to your cookie consent

We balance our legitimate interests against your rights and freedoms in each case. You may object to legitimate-interest processing using the contact details below.

4. Sub-processors

We rely on the following sub-processors. Each is contractually bound by data-processing terms compliant with UK GDPR.

ProviderPurposeRegion
SupabaseDatabase and file storage (PCN photos, defect / accident photos, receipts)EU (eu-west-2)
ClerkUser authentication and session managementEU / US (data residency)
VercelApplication hosting, edge network, Vercel AnalyticsGlobal edge, EU primary
GoCardlessDirect Debit payment processingUK / EU
ResendTransactional email delivery (invites, alerts, repair notifications)EU / US
SentryError and performance monitoringEU (eu region pinned)
AWS S3 (eu-west-2)Daily backups of database to private bucketUK (London)
AWS Textract (eu-west-2)OCR fallback for PCN photo extraction when on-server EasyOCR misses fieldsUK (London)
DVLA / DVSA scraper serviceReal-time vehicle MOT / tax lookupUK
EC2 OCR microserviceOn-server EasyOCR + NER processing for uploaded PCN imagesUK (eu-west-2)
Cloudflare TurnstileBot protection for sign-up and contact formsGlobal

We do not sell your personal data to any third party. Data may be shared with law-enforcement bodies, insurers, or regulatory authorities (DVSA, ICO, HSE) when required by law or to handle a claim or audit you have asked us to support.

5. International Transfers

The primary processing region for your data is the United Kingdom and the European Union. Where a sub-processor (Clerk, Resend, Sentry) routes data outside the UK, the transfer is made under the UK International Data Transfer Agreement (UK IDTA), the UK Addendum to the EU Standard Contractual Clauses (SCCs), or to a jurisdiction the UK has recognised as providing adequate protection. We perform a Transfer Risk Assessment for each sub-processor that transfers data outside the UK.

6. Data Retention

  • Account data — retained for the lifetime of your account.
  • PCN, defect, accident records — retained for 6 years after the related event to meet UK insurance and tax record-keeping requirements.
  • Payment records — retained for 7 years under HMRC rules.
  • Photos and videos — retained alongside their parent record (PCN, defect, accident) and subject to the same retention period.
  • Backups (AWS S3) — daily snapshots retained for 365 days, then permanently deleted.
  • Sentry error reports — retained for 90 days.
  • Vercel access logs — retained for 30 days.

When you close your account or request deletion, we erase personal data within 30 days except where we are legally required to retain it longer. Deletion requests covering insurance-relevant accident or defect records will be deferred until the 6-year retention window has expired or written confirmation is received from the relevant insurer.

7. Automated Decision-Making

We use automated systems to:

  • Match PCNs to driver shifts based on time and vehicle data
  • Extract text from PCN, defect and accident photos via OCR
  • Classify PCN issuers using rule-based pattern matching

None of these systems produce legal or similarly significant effects without human review. All driver nominations and appeals are reviewed by you before submission to a council or operator. You may request human review of any automated outcome by contacting us.

8. Your Rights

Under UK GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate or incomplete data
  • Erasure — request deletion ("right to be forgotten")
  • Portability — receive your data in a structured, machine-readable format (we provide CSV / JSON exports from Settings → GDPR)
  • Objection — object to processing based on legitimate interest
  • Restriction — ask us to limit how we process your data
  • Withdraw consent — for any processing relying on consent (e.g. marketing, optional analytics cookies)

Use the tools in your account Settings to export or delete your data, or email us at privacy@5npay.co.uk. We aim to respond within one month.

9. Children's Data

5nPay is a business-to-business platform intended for fleet operators. We do not knowingly collect data from anyone under 18. If you believe we have inadvertently collected data relating to a child, please contact us and we will delete it.

10. Data Security

We protect your data with: TLS in transit, AES-256 encryption at rest, role-based access controls, row-level security (RLS) on every database table containing user data, server-side rate limiting on expensive endpoints, daily off-site backups to a private versioned S3 bucket, structured audit logs via Sentry, and least-privilege IAM policies on all cloud sub-processors. Photos and videos are stored in private buckets with signed-URL access only.

11. Cookies

We use essential cookies for authentication and session integrity, optional analytics cookies (Vercel Analytics) and optional error-tracking cookies (Sentry). You can manage your preferences via the cookie consent banner or in Settings. See the Cookie Policy for the full list.

12. Third-Party Data You Enter

When you record an accident, you may enter personal data about a third party (other driver, witness, etc.). You confirm to us that you have a lawful basis (typically the legitimate interest of handling an insurance claim) to do so, and that you will inform the third party of the data you have collected if asked. We act as a processor for that data on your behalf and retain it under your account's retention policy.

13. Changes to This Policy

We may update this privacy policy. Material changes will be notified by email and via an in-app banner at least 14 days before they take effect. Minor wording updates will be reflected by changing the "Last updated" date above.

14. Complaints

If you are unhappy with how we handle your data you may complain to us first at privacy@5npay.co.uk or directly to the Information Commissioner's Office at ico.org.uk/make-a-complaint.