Privacy notice
UK GDPR · Art 13/14 transparency · Last updated May 2026
Who we are
Controller: Hypernest Innovations Limited (for direct consumer and fleet operator sign-ups to EnforceIQ Labs).
Processor: Hypernest acts as a processor for driver and employee data processed on instructions from fleet customers — see our fleet data processing agreement (template).
Contact: [email protected]
What we process and why
| Category | Examples | Lawful basis | Purpose |
|---|---|---|---|
| Account | Email, name, Clerk user ID | Contract (Art 6(1)(b)) | Provide the compliance inbox and authenticate users |
| Fleet business | Organisation name, vehicle registrations | Contract (Art 6(1)(b)) | Operate fleet PCN workflow and billing |
| Driver | Display name, work email | Legitimate interest (Art 6(1)(f)) / fleet customer instruction | Assign notices and send deadline reminders when enabled |
| Notice content | PCN reference, amount, location, uploaded images | Contract / legitimate interest | Track deadlines, appeals prep, and audit trail |
| Appeals preparation | User explanations, generated draft text | Contract | Structured appeal prep (not legal advice) |
| Technical & security | Hashed IP in audit log, session identifiers | Legitimate interest (security) | Fraud prevention, tenancy isolation, incident response |
Your rights
- Access and portability (Art 15 / 20) — signed-in production users can request a machine-readable ZIP export (JSON: notices, appeals, audit events tied to you)
- Rectification (Art 16) — update profile and notice details with audit
- Erasure (Art 17) — soft-delete with permanent purge after 30 days; fleet organisation owners must transfer ownership before erasure when other members remain
- Object (Art 21) — opt out of non-essential processing
Deadline email reminders require explicit opt-in (notification preferences).
Production data subject requests
GET /api/v1/privacy/export— start export job (poll with?jobId=, download with?jobId=&download=1)POST /api/v1/privacy/erase— schedule erasure ({ "confirm": true })
Exports expire after 7 days. Fleet audit logs may be retained up to 7 years for governance (processor role under your fleet DPA).
Cookies
We classify cookies as essential (security, session, consent storage) or analytics (optional error monitoring). We do not use advertising or social trackers in v1.
- Essential — CSRF token, authentication session (production), and your cookie choice stored in localStorage.
- Analytics — Sentry (if configured) only after you click "Accept analytics" on the cookie banner. Choose "Essential only" to decline.
- Demo mode — mock notice data may use sessionStorage in your browser; cleared when you close the tab.
You can change preferences by clearing site data or using the banner when it reappears after storage is cleared.
Compliance documentation
Transparency summaries for fleet procurement and data protection due diligence (UK GDPR g6–g10):
- Record of processing activities (ROPA) — purposes, lawful basis, retention
- Subprocessor register — Vercel, Neon, Clerk, Stripe, Resend, AWS S3, Upstash
- Breach response — ICO 72-hour procedure and fleet controller notification
Retention
- Active subscription — life of contract plus up to 12 months
- Uploads — 90 days after notice closed (configurable for enterprise)
- Audit log — up to 7 years for fleet governance
- Deleted account or organisation — hard purge 30 days after soft-delete
- DSAR export files — available for download for 7 days, then removed
Fleet customers (B2B)
Fleet operators are controllers for driver personal data. Hypernest provides EnforceIQ Labs as a processor under a written DPA covering purpose limitation, security measures, subprocessor notification, and breach reporting within 48 hours.
Hypernest Innovations Limited · EnforceIQ Labs · ICO registration in progress (see breach response) · Art 13/14 privacy notice (g2).