Record of processing activities (summary)
UK GDPR Art 30 · Controller: Hypernest Innovations Limited · May 2026
Controller for direct consumer and fleet operator accounts. Processor for driver data processed on fleet customer instructions (see fleet DPA).
We do not sell personal data. Year 1 is upload-first — no live DVLA or council API feeds. Address monitor stores user-entered postcodes only, not full addresses unless you include them in free-text fields elsewhere.
| ID | Activity | Purpose | Subjects | Basis | Retention |
|---|---|---|---|---|---|
| PA-01 | Authentication & accounts | Sign-in, org membership, RBAC | Fleet and consumer users | Contract | Active account + 30 days post erasure |
| PA-02 | PCN notice workflow | Ingest, track, assign, report on notices | Drivers, managers, consumers | Contract / legitimate interest (fleet) | Contract + 12 months; uploads 90d after close |
| PA-03 | OCR & human review | Extract fields from uploads | Notice owners | Contract | Per upload + ~90d metrics |
| PA-07 | Address transition monitor | User-declared postcode moves (not DVLA) | Consumer workspace users | Contract / legitimate interest | Until deleted or account erasure |
| PA-08 | Security & audit | Tenancy proof, incident response | All users | Legitimate interest (security) | Audit up to 7 years (fleet) |
| PA-09 | Data subject rights | Export ZIP, erasure scheduling | Requesting user | Legal obligation / contract | Export 7 days; purge 30 days after soft-delete |
| PA-11 | PCN Revenue Agent (B2B outreach) | Fleet prospect discovery, outreach, qualification (internal growth CRM) | Corporate fleet contacts (B2B prospects) | Legitimate interest (UK PECR corporate email) | 24 months default; purge via retention cron; erasure on request |
Retention overview
- Active subscription — contract term plus up to 12 months
- Notice uploads — 90 days after notice closed
- Fleet audit log — up to 7 years
- Deleted account — hard purge 30 days after soft-delete
- DSAR export files — 7 days then removed
Recipients
External recipients are listed in our subprocessor register. Internal access is limited to Hypernest engineering on a need-to-know basis.
Full Art 30 ROPA (all processing activities PA-01–PA-10) is maintained in the EnforceIQ Labs compliance documentation pack. ICO registration: see breach-response page.