Comtrak Safety Training & Compliance

Privacy Policy

Effective date: 1 May 2026 · Operated by FleetForward Ltd

FleetForward Ltd (“we”, “us”, “our”) operates the Comtrak platform. This Privacy Policy explains how we collect, use, store, and share personal data when you use our service. We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

Data Controller (for Organisation data): FleetForward Ltd, trading as Comtrak.

Data Processor (for Driver data): FleetForward Ltd processes Driver personal data on behalf of the Organisation, which acts as the data controller for its own drivers and employees.

For questions about this policy, contact us at: info@comtrak.co.uk

2. What Personal Data We Collect

Organisation / Administrator data (collected at sign-up):

  • Company name, billing address, VAT number (if provided)
  • Contact name, job title, email address, phone number
  • Country of operation
  • How you heard about us and any referral code used
  • Payment method details (held securely by Stripe — we do not store card or bank account numbers)
  • IP address, browser type and version, and device information collected at sign-up for fraud prevention

Driver / End User data (added by Administrators):

  • Full name, email address
  • Employee/driver ID (optional)
  • Training records: toolbox talk completions, quiz scores, pass/fail results
  • Compliance records: policy acceptances, signed declarations
  • Certificates generated on completion of training
  • Login activity: OTP codes sent (not stored after use), timestamps of logins

Technical data (all users):

  • IP address at login
  • Browser type and version
  • Session tokens (stored as httpOnly cookies)

3. How We Use Your Data

We use personal data for the following purposes:

  • To provision and manage your Comtrak account and subscription
  • To process payments and manage billing via Stripe
  • To provide access to safety training content assigned by your employer
  • To record and verify completion of training, policies, and declarations
  • To generate compliance certificates and audit-ready reports
  • To send login codes (OTP) and training notifications by email
  • To send subscription-related communications (invoices, renewal reminders, data retention notices)
  • To detect and prevent fraud at sign-up using IP address and device information
  • To respond to support enquiries submitted via our contact form
  • To maintain an audit trail for regulatory compliance purposes
  • To improve the Platform based on aggregated, anonymised usage data

4. Lawful Basis for Processing

We process your personal data on the following lawful bases under UK GDPR:

  • Contract (Art. 6(1)(b)): Processing necessary to provide the Platform services you have contracted with us, including account management, payment processing, and delivering training content.
  • Legal obligation (Art. 6(1)(c)): Retaining billing records for 7 years as required by UK law (Companies Act 2006, HMRC guidelines).
  • Legitimate interests (Art. 6(1)(f)): Fraud prevention at sign-up (using IP and device data), securing the Platform, and improving our services using anonymised analytics.
  • Consent (Art. 6(1)(a)): Where you have explicitly consented (e.g. agreeing to these Terms and our Privacy Policy at sign-up).

5. Who We Share Data With

We share personal data only with trusted third-party processors necessary to operate the Platform. All processors are contractually bound to handle data in compliance with UK GDPR.

  • Stripe Inc. — Payment processing and subscription management. Stripe stores and processes your payment method details. Stripe is PCI DSS compliant. See the Stripe Privacy Policy for details.
  • Neon Technologies Inc. — Cloud database hosting (EU-based servers). Your data is stored in their managed PostgreSQL infrastructure.
  • Resend Inc. — Transactional email delivery (login codes, notifications, certificates). Only the data required to send a specific email is passed to Resend.
  • Vercel Inc. — Web application hosting and edge network. Vercel processes requests and serves the Platform.

We never sell your personal data to third parties. We do not use your data for advertising purposes.

Administrators within your Organisation can view all Driver training records, completion data, and compliance certificates within their account. This is a necessary function of the Platform.

6. Data Retention

  • Training & compliance records: Retained for the duration of your subscription, then for 90 days after your access ends. This gives Administrators time to export records before permanent deletion.
  • Driver personal data: As above — deleted within 90 days of subscription end, unless we are legally required to retain it.
  • Billing records: Retained for 7 years from the date of the transaction in accordance with UK law (Companies Act 2006, HMRC).
  • Login OTP codes: Expire after 10 minutes and are automatically purged from our system.
  • Sign-up device & IP data: Retained with the subscription record for fraud investigation purposes and deleted with the Organisation data at the end of the retention period.

We will email Administrators a reminder before the 90-day deletion window closes. You may request early deletion by contacting us (note: billing records cannot be deleted early where required by law).

6a. Sales Prospecting & Marketing Communications

Separately from the Platform itself, we operate an internal CRM to identify and contact UK fleet operators we believe may benefit from Comtrak.

What data we collect for prospecting

  • Business contact information (work email, work phone, job title, name)
  • Company information (company name, registration number, website, sector, fleet size, FORS status)
  • Public LinkedIn profile URL where available
  • Engagement signals (whether you opened, clicked, replied to, or unsubscribed from our outreach emails — we use a tracking pixel and wrapped links for this purpose)

Where the data comes from

  • Companies House (UK public register)
  • DVSA Operator Licence database (UK public register)
  • Publicly listed contact information on company websites
  • Trade directories and industry publications
  • Manual entry by Comtrak staff (e.g. people you have spoken to)

Lawful basis

For named individuals at Limited companies, PLCs, LLPs and other corporate subscribers, we rely on Legitimate Interest (UK GDPR Article 6(1)(f)). We have completed a Legitimate Interest Assessment which concludes that our interest in promoting compliance training to relevant fleet operators is balanced against the limited intrusion of receiving a small number of clearly identified business emails, each of which includes a one-click unsubscribe and erasure link. For B2B email under PECR, we rely on the corporate subscriber exemption (Reg 22(2)). We do not cold-email sole traders, partnerships or personal email addresses (gmail, hotmail, etc.) without prior consent.

How we use the data

  • To send a small sequence of cold emails introducing Comtrak (typically no more than 4 emails over 14 days)
  • To track whether each email was delivered, opened, clicked, or replied to (using a tracking pixel and wrapped links)
  • To pause further outreach immediately if you reply, unsubscribe, complete our public Compliance Health Check, or otherwise indicate you are not interested
  • For internal sales prioritisation

Retention

Prospect records are automatically deleted 24 months after the last contact attempt or status change. If you unsubscribe, we delete your personal data and retain only your email address on a permanent suppression list — solely so we never contact this address again.

Your rights

  • Object to direct marketing at any time by clicking the unsubscribe link in any of our emails — this stops further outreach immediately and is a permanent opt-out
  • Request erasure of all personal data we hold about you by clicking the “erase my data” link in any of our emails, or by visiting /erase-my-data, or by emailing support@comtrak.co.uk
  • Subject Access Request — email support@comtrak.co.uk

No automated decision-making

We do not use any solely-automated decisions with legal or similarly significant effect on you. Where we use AI tools to help personalise outreach (for example, to draft a relevant opening line based on your public website), the resulting email is reviewed before sending and the AI provider acts as our processor under a Data Processing Agreement. We do not transfer prospecting personal data to providers outside the UK / EEA without an appropriate transfer mechanism.

7. Cookies

Comtrak uses the minimum cookies necessary to operate:

  • access_token — httpOnly, secure session cookie. Used to keep you logged in. Expires after 15 minutes of inactivity.
  • refresh_token — httpOnly, secure cookie. Used to silently renew your session. Expires after 7 days.

We do not use advertising cookies, third-party tracking cookies, or analytics cookies. No cookie consent banner is required as our cookies are strictly necessary for the service to function.

8. Security

We implement the following technical and organisational security measures:

  • All data is transmitted over HTTPS (TLS 1.2+)
  • Password-less authentication via one-time email codes (OTP) — no passwords stored
  • New self-serve customers receive a temporary password which must be changed on first login
  • Passwords are hashed using bcrypt (12 rounds) — never stored in plain text
  • Rate limiting on login and sign-up endpoints to prevent brute force attacks
  • JWT session tokens with short expiry times
  • Database hosted in the EU (London region) with automatic backups
  • Payment data handled exclusively by Stripe (PCI DSS Level 1 compliant)

9. International Transfers

9.1 Your data is primarily stored on Neon's EU-based (London region) servers and processed within the UK and EU.

9.2 Some of our sub-processors (Stripe, Resend, Vercel) are US-based companies. Where personal data is transferred outside the UK/EEA, we rely on Standard Contractual Clauses (SCCs) and/or the UK International Data Transfer Agreement (IDTA) to ensure adequate protection.

10. Your Rights (UK GDPR)

Under UK GDPR, you have the following rights:

  • Access: Request a copy of all personal data we hold about you (Subject Access Request)
  • Rectification: Ask us to correct inaccurate or incomplete data
  • Erasure: Request deletion of your personal data, subject to our legal retention obligations
  • Restriction: Ask us to limit processing of your data in certain circumstances
  • Portability: Receive your data in a structured, machine-readable format
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: Where processing is based on consent, withdraw it at any time

Drivers should contact their company Administrator in the first instance. For any right you cannot exercise through the Platform, or for Organisation-level requests, contact us at info@comtrak.co.uk. We will respond within one calendar month.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify Administrators by email at least 14 days before the changes take effect. The “Effective date” at the top of this page reflects the date of the most recent update.

12. Complaints

If you have concerns about how we handle your personal data, please contact us first at info@comtrak.co.uk and we will do our best to resolve the issue.

If you remain dissatisfied, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

Information Commissioner's Office

Website: ico.org.uk

Helpline: 0303 123 1113

Last updated: 1 May 2026