DISPATCH IT
Legal

Privacy Policy

Effective May 19, 2026

This policy explains what Dispatch It (“we”, “us”) collects, why, who handles it, and the rights you have over it. We operate under the UK GDPR; users outside the UK have equivalent rights under the EU GDPR or CCPA where applicable.

1. What we collect

From you (the account holder):

  • Email address and password hash (for sign-in)
  • Company name, phone, email, and address (shown on customer-facing emails)
  • Hashed PINs for the Admin and Dispatcher profiles inside the app
  • Standard server logs (IP address, user agent, timestamps) retained for up to 30 days for security and rate-limiting

From your own customers and drivers (entered by you):

  • Customer name, phone, email, pickup and dropoff addresses, journey times
  • Driver name, phone, email, status
  • Vehicle make, model, plate, type

2. Why we collect it

  • To provide the Service: store your bookings, dispatch drivers, send confirmation emails to your customers
  • To secure the Service: rate-limit login attempts, detect abuse, recover compromised accounts
  • To keep an audit trail of actions taken inside your account (the Activity Log)

We do not sell your data. We do not use it to train AI models. We do not show ads. We do not run analytics scripts that profile you.

3. Who else handles it

We use the following subprocessors to operate the Service. Each one only sees the data needed for its role:

  • Supabase (US) · stores your account, your bookings, your drivers, your vehicles
  • Vercel (US) · hosts the web application and runs the API routes
  • Resend (US) · sends transactional emails (booking confirmations, driver job offers)
  • Upstash (US / global edge) · holds rate-limit counters (no personal data, just hashes of identifiers)
  • Google Maps Platform (US) · powers the address autocomplete on pickup and dropoff fields

Data leaves the UK / EU under each provider’s standard contractual clauses or equivalent transfer mechanism.

4. How long we keep it

  • While your account is active: indefinitely
  • After you delete your account: nothing. Every row in every table that references your user ID is removed within seconds. Your email becomes immediately re-registrable.
  • Server logs: up to 30 days
  • A single line noting that an account was deleted (with the user ID and timestamp, no personal data) may be retained in our infrastructure logs for audit purposes

5. Your rights

You can at any time:

  • Access all data we hold about you (visible directly inside the app)
  • Export your data (currently via screenshots / the Supabase data export — programmatic export is on the roadmap)
  • Correct any information by editing it inside the app
  • Erase your account and all associated data via Account → Danger Zone → Delete my account
  • Object to specific processing by emailing us

If you operate a fleet using the Service, your own customers and drivers have these same rights against you (you are their data controller). Use the Service’s edit and delete features to honour their requests.

6. Security

  • Passwords are hashed with bcrypt (cost 12)
  • PINs are hashed with bcrypt (cost 12)
  • Database access is gated by row-level security · users see only their own data
  • All connections are HTTPS-only with HSTS enforced
  • Standard security headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) are set on every response
  • Rate limits guard login, PIN verification, dispatch, and email-send endpoints
  • We never bundle the Supabase service-role key into client-side JavaScript

7. Cookies

We use only essential cookies, set by Supabase for session management. We do not use tracking cookies, marketing cookies, or third-party analytics cookies.

8. Email

When you create a booking, we send your customer a confirmation email from your company name. When you dispatch a job, we send the driver an email with an Accept and Reject link. We do not send marketing emails. We do not share email addresses with third parties.

9. Children

The Service is for business users and is not directed to anyone under 16.

10. Changes to this policy

We will tell you about material changes by email or in-app notice at least 14 days before they take effect.

11. Contact

For privacy questions, data-subject requests, or to report a security issue, email us via the contact details on your operator account.

Plain-English summary: We collect what we need to run the booking and dispatch features, we don’t sell it, we don’t train AI on it, and if you leave we delete the lot. The exact technical detail is in the sections above.