Privacy Policy

Last updated: May 2026

1. Who We Are

RAMP UP TECHNOLOGIES LTD (“we”, “us”, or “our”) is the data controller responsible for personal data processed through the Settld platform when we determine the purposes and means of processing. We are registered in England and Wales under company number 17121131 and registered with the Information Commissioner's Office under registration number 00013620486.

Where logistics companies (“Organisations”) use the Platform to manage their drivers, the Organisation is the data controller for driver personal data, and we act as a data processor on their behalf under a Data Processing Agreement.

This Privacy Policy describes how we process personal data where we are the data controller — primarily in relation to Managers and administrators who use the Platform.

2. What Personal Data We Collect

We collect and process the following categories of personal data:

Account and Identity Data

  • Full name and job title
  • Email address and phone number
  • Organisation name and hub assignment
  • Login credentials (passwords are hashed and never stored in plain text)

Driver Compliance Data (processed as data processor)

  • Names, contact details, and right-to-work documentation
  • National Insurance numbers and Unique Taxpayer Reference numbers
  • Bank account details for payroll processing
  • VAT registration numbers and Companies House registration numbers
  • Driving licence details and insurance documents
  • Vehicle inspection records, odometer readings, and defect reports
  • Penalty Charge Notice (PCN) records
  • Signed contracts and supporting documents

Vehicle and Fleet Data

  • Vehicle registration marks and DVLA/VES data
  • Mileage records and service history
  • Inspection photographs (which may incidentally capture individuals)

Usage and Technical Data

  • IP address and browser/device information
  • Log data including pages viewed and actions taken within the Platform
  • Session tokens (via Supabase authentication cookies)

3. Legal Basis for Processing

We rely on the following legal bases under UK GDPR Article 6:

  • Contract performance (Article 6(1)(b)): Processing necessary to provide the Platform under our Terms of Service — including account management, authentication, and delivering subscribed features.
  • Legitimate interests (Article 6(1)(f)): Processing for our legitimate interests such as preventing fraud, ensuring security, improving the Platform, and maintaining audit logs. We have assessed that our interests are not overridden by your data protection rights.
  • Legal obligation (Article 6(1)(c)): Processing required to comply with applicable law, including tax, employment, and anti-money laundering legislation.
  • Consent (Article 6(1)(a)): Where we rely on consent (for example, for optional marketing communications), you may withdraw consent at any time without affecting the lawfulness of prior processing.

Where we process special category data (such as right-to-work documentation that may reveal nationality), we rely on Article 9(2)(b) (employment law obligations) and Article 9(2)(g) (substantial public interest) as applicable.

4. How We Use Your Data

We use the personal data we collect to:

  • Create and manage your account and provide access to the Platform
  • Enable Organisations to manage driver onboarding, compliance, scheduling, and payroll
  • Send transactional emails such as invitations, notifications, and alerts
  • Maintain audit logs of actions taken within the Platform for compliance purposes
  • Investigate and resolve security incidents or suspected misuse
  • Comply with legal obligations and respond to lawful requests from authorities
  • Improve the Platform through aggregated, anonymised analytics
  • Provide customer support and respond to queries

5. Data Sharing and Sub-processors

We do not sell your personal data. We share data with the following categories of third parties only to the extent necessary to provide the Platform:

  • Supabase, Inc. — Our database and authentication provider. Personal data is stored in Supabase-managed PostgreSQL databases hosted on AWS infrastructure in the EU (Ireland). Supabase is our sub-processor under a Data Processing Agreement.
  • Vercel, Inc. — Our hosting and deployment provider. Application code and server-side request processing run on Vercel's infrastructure. Vercel acts as a sub-processor under their Data Processing Agreement.
  • Resend, Inc. — Our transactional email provider. Email addresses and the content of system notifications (e.g., onboarding invitations) are processed by Resend to deliver emails. Resend acts as a sub-processor under their Data Processing Agreement.
  • DVLA / VES API — Vehicle registration data is submitted to the DVLA Vehicle Enquiry Service to retrieve publicly available vehicle information. This is a government service and data is used solely for compliance purposes.
  • HMRC VAT API — VAT registration numbers may be verified against HMRC's public VAT validation API.
  • Companies House API — Company Registration Numbers may be verified against the Companies House Public Data API.

All sub-processors are subject to contractual obligations to process data only on our instructions and in compliance with UK GDPR. Where data is transferred outside the UK, we ensure appropriate safeguards are in place (such as the UK International Data Transfer Agreement or adequacy decisions).

6. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, subject to any legal obligations to retain it for longer. Our general retention periods are:

  • Account data: Retained for the duration of the Subscription and deleted within 90 days of account closure, unless legally required to retain longer.
  • Payroll and financial records: Retained for 6 years from the end of the relevant tax year, in accordance with HMRC guidance.
  • Driver compliance documents: Retained for the duration of the driver's engagement plus 6 years, or as required by applicable employment and tax law.
  • Audit logs: Retained for 6 years from the date of the logged event.
  • Inspection records: Retained for 15 months from the date of inspection (in line with DVSA guidance for operator compliance records) unless a longer period is required.
  • Technical/usage logs: Retained for up to 90 days unless required for an ongoing security investigation.

7. Your Rights Under UK GDPR

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of access: You may request a copy of the personal data we hold about you (a “Subject Access Request”).
  • Right to rectification: You may ask us to correct inaccurate or incomplete personal data.
  • Right to erasure (“right to be forgotten”): You may ask us to delete your personal data where there is no longer a lawful basis for processing it, subject to our legal obligations to retain certain records.
  • Right to data portability: You may request your personal data in a machine-readable format where processing is based on consent or contract.
  • Right to restriction of processing: You may ask us to restrict processing of your personal data in certain circumstances, for example while accuracy is contested.
  • Right to object: You may object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
  • Rights related to automated decision-making: You have the right not to be subject to decisions made solely by automated processing that produce significant legal or similarly significant effects. The Platform does not currently make such decisions.

8. How to Exercise Your Rights

To exercise any of your rights, please contact our Data Protection contact at support@getsettld.co.uk. We will respond to your request within one month of receipt. In some cases we may extend this period by a further two months where requests are complex or numerous — we will inform you of any such extension.

We may ask you to verify your identity before fulfilling a request. We will not charge a fee for exercising your rights unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or decline the request.

9. Cookies

The Platform uses strictly necessary cookies only. These are required for the Platform to function and cannot be disabled without preventing you from using core features.

  • Supabase authentication session cookies: Set by our authentication provider to maintain your login session. These expire when you close your browser or after the session timeout period. No personally identifiable information is stored in the cookie itself beyond an encrypted session token.

We do not use analytics cookies, advertising cookies, or any third-party tracking cookies. If this changes, we will update this policy and obtain your consent where required by the Privacy and Electronic Communications Regulations (PECR).

10. Changes to This Policy

We may update this Privacy Policy from time to time. Where we make material changes, we will notify you by email or by displaying a prominent notice within the Platform before the changes take effect. The “Last updated” date at the top of this page indicates when this policy was most recently revised.

We encourage you to review this policy periodically. Your continued use of the Platform after changes take effect constitutes acceptance of the updated policy.

11. Contact and Complaints

If you have any questions, concerns, or complaints about how we handle your personal data, please contact us:

RAMP UP TECHNOLOGIES LTD
Data Protection contact
ICO registration: 00013620486
Email: support@getsettld.co.uk
Registered office: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ

If you are not satisfied with our response, you have the right to lodge a complaint with the UK's supervisory authority, the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF