QED Trucking← Back home

Legal

GDPR

Last updated: 20 April 2026

QED Trucking operates under UK GDPR and the Data Protection Act 2018, and — for customers in the Republic of Ireland — the EU GDPR as enforced by the Data Protection Commission. This page explains how we split the responsibilities.

Controller vs processor

  • We are the data controllerfor the account-holder's personal data — the details you submit to register a company and pay us.
  • We are a data processor for the driver, vehicle, job and POD records you put into the app on behalf of your fleet. You (the operator) are the controller of that data.

Lawful basis

We process account-holder data under Article 6(1)(b) (performance of the subscription contract). We process fleet and driver data on your behalf as your processor — the lawful basis is the one you rely on as the employer / fleet operator.

Subprocessors

We use the subprocessors listed in the Privacy Policy. All are GDPR-compliant with published DPAs or equivalent commitments. Data stays in the UK / EEA (Supabase eu-west-1 is Dublin; Vercel lhr1 is London).

International transfers

Some subprocessors (Anthropic, Stripe, Sentry, PostHog) are US-based. Transfers rely on the UK IDTA or the EU Standard Contractual Clauses (SCCs), plus supplementary measures (encryption in transit and at rest, minimised payloads).

Your rights as a data subject

Whether you're an operator or a driver on a QED Trucking fleet, you have the right to:

  • Access the personal data we hold about you
  • Ask us to correct anything inaccurate
  • Ask us to delete your data (“right to be forgotten”)
  • Restrict or object to processing
  • Port your data out in a machine-readable format (CSV)
  • Withdraw consent where consent is the lawful basis

Drivers should raise requests with their operator first — we act on the operator's instruction for fleet records. If the operator can't or won't help, contact us at help@qedtrucking.co.uk.

Data Protection Officer

We do not meet the threshold for a statutory DPO, but privacy questions land in a named person's inbox — help@qedtrucking.co.uk. Our registered address is in Northern Ireland.

Breach notification

If we become aware of a personal-data breach that is likely to affect your rights and freedoms, we will notify the account owner within 72 hours and give you the information you need to notify the ICO (or DPC) in turn. If the breach relates only to processor activity on your behalf, the duty to notify the regulator sits with you as controller — we will give you everything required.

Supervisory authorities

Questions?

Email help@qedtrucking.co.uk or use the contact form. This document is a plain-language summary of our current practice and will be superseded by the final policy once our solicitor reviews it.