GDPR and UK data protection support

Trackely is designed to support common UK GDPR and EU GDPR obligations, but this page is not a certification, legal opinion, or substitute for your own compliance programme.

Last updated: 24 April 2026

What this page is for

This page explains how Trackely is intended to support customers who need to meet data protection requirements when handling route, driver, customer, proof-of-delivery, and account data. It sits alongside our Privacy Policy, Security page, and DPA summary.

Security controls

Trackely uses layered access controls, TLS in transit, role checks, tenant isolation, audit-oriented records, and managed infrastructure protections to support Article 32-style security obligations.

Transparency and control

The product includes account settings, customer-facing legal pages, export features, audit trails, and retention-oriented workflows intended to help customers document and explain what the service is doing.

Processor terms

Our contractual position is intended to reflect controller-processor requirements, including scope of processing, documented instructions, security, assistance, and end-of-contract handling where a DPA or commercial agreement is in place.

Rights support

Export, deletion, and operational review tools exist to support access, correction, deletion, and audit processes, though some requests still need manual review and controller involvement.

1. Typical data protection roles

In most operational deployments:

  • the Trackely customer is the controller for driver, recipient, and delivery data;
  • Trackely acts as the processor for that operational data; and
  • Trackely acts as controller for its own billing, security, and service-administration processing.

Customers remain responsible for their own privacy notices, lawful bases, worker monitoring decisions, and records of processing.

2. Data categories typically processed

  • account and user identity data;
  • driver assignment, location, route execution, and check data;
  • recipient and delivery details;
  • proof-of-delivery records such as signatures, photos, timestamps, and notes;
  • notification and tracking activity;
  • audit, diagnostic, and security logs.

3. Worker monitoring and GPS tracking

Driver location tracking can be sensitive. Customers should assess necessity, proportionality, transparency, and employment-law implications before enabling or using it, and should keep monitoring under review rather than treating it as a set-and-forget feature.

4. Data subject rights

Depending on the circumstances, individuals may have rights to access, rectify, erase, restrict, object, and receive copies of personal information. When Trackely acts as a processor, the relevant customer usually remains the first point of contact for those requests.

Trackely can assist controllers where required, but customers must ensure they have internal processes to receive, assess, and respond to requests lawfully.

5. Retention, deletion, and end-of-contract handling

Retention should be limited to what is necessary for operational history, dispute management, compliance, and security. At the end of a contract, deletion or return of data should be governed by the parties' written agreement and any legal retention duties. Backup deletion may take longer where data is put beyond use and removed on the next secure deletion cycle.

6. Security and breach support

Trackely is intended to support customers with breach reporting, DPIAs, and security obligations through documented technical and organisational controls and, where applicable, contractual assistance commitments. Actual reporting timelines and outcomes will depend on the facts of the incident and the law that applies.

7. International transfers and sub-processors

Customers should review Trackely's sub-processor position, transfer mechanisms, and deployment arrangements before using the service for regulated or sensitive workflows. These matters are usually addressed in commercial paperwork and the DPA rather than this page alone.

8. What customers should still do themselves

  • publish their own controller-facing privacy notices for drivers and recipients;
  • document lawful bases and legitimate interests where relevant;
  • carry out DPIAs where required, especially for worker monitoring or large-scale tracking;
  • review retention settings, integration flows, and customer-notification content;
  • enter into a signed DPA where processor terms are required.

9. Contact

For GDPR or UK data protection questions, email legal@trackely.co.uk or support@trackely.co.uk.