SignOver Legal

Privacy Policy v0.1.0-beta.4

Signover Platform — All Users

signover.app | Vehicle Proof of Delivery Platform

Draft for Legal Review — Version 1.0

Effective 2026-05-05 · Evidence hash 58c7455e6ac7

1. Who We Are

Signover is operated by [COMPANY LEGAL NAME], a company registered in England and Wales with company number [NUMBER], whose registered office is at [ADDRESS] ("Signover", "we", "us", "our").

We operate the vehicle proof of delivery platform available at signover.app.

For the purposes of UK data protection law, Signover acts as:

  • Data Controller for personal data we collect directly from operators, drivers, and users of our platform for the purposes of providing and administering the Signover service
  • Data Processor for personal data that operators submit through the platform in connection with vehicle transport jobs, including countersigner data and job records

2. Contact Details

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:

  • Email: [privacy@signover.app]
  • Post: [Registered address]

3. What Personal Data We Collect

3.1 Operator Account Data

When a transport company registers for a Signover account, we collect:

  • Company name and registered address
  • Name and email address of the account holder
  • During beta, no card or payment account information is collected from operators
  • Login credentials

3.2 Driver Account Data

All drivers using Signover have their own individual account. We collect:

  • Full name
  • Email address
  • Login credentials

Drivers may be permanently linked to an operator company, or may be connected to an operator on a one-off basis via a unique job code. In either case the driver maintains their own independent Signover account.

3.3 Job Record Data

For each vehicle transport job created on the platform, we collect and store:

  • Vehicle details (make, model, registration, and other identifying information)
  • Collection address
  • Delivery address
  • Damage markers, defect notes, and condition assessments recorded by the driver
  • Photographs of the vehicle taken at collection and delivery
  • Timestamps for each stage of the job

3.3A Beta Application Data

When you apply to join the Signover beta waitlist, we collect and store:

  • Full name
  • Email address
  • Company name
  • IP address
  • User-agent string
  • Timestamp of application and consent record

3.4 Collection Countersigner Data

At the point of vehicle collection, the driver collects the email address of the person handing over the vehicle. We collect:

  • Name of the collection countersigner (if provided)
  • Email address of the collection countersigner
  • One-time password (OTP) generation and verification log
  • Digital signature
  • IP address and user-agent at OTP verification/signature
  • Timestamp of OTP use, agreement, and signature
  • Version and document hash of terms in force at time of signing

3.5 Delivery Countersigner Data

At the point of vehicle delivery, the driver collects the name (if provided) and email address of the person receiving the vehicle. We collect the same categories of data as for collection countersigners, including OTP logs, signature, IP address, user-agent, and legal acceptance metadata.

3.6 Platform Usage Data

We collect non-identifying performance and usage data through Vercel Speed Analytics. This data does not identify individual users and is used solely to monitor platform performance.

4. How We Use Your Personal Data and Our Lawful Basis

We process personal data only where we have a lawful basis under UK GDPR / EU GDPR. Depending on the context, this is one or more of the following: performance of a contract, compliance with legal obligations, and legitimate interests.

  • Beta application data (name, email, company, IP, user-agent): legitimate interests in operating and securing the closed beta, preventing abuse, and administering invitations.
  • Operator and driver account data: performance of contract (account creation, authentication, and service delivery).
  • Job record data (vehicle record, photos, stage timestamps): performance of contract with operators and legitimate interests in providing verifiable handover records.
  • Countersigner data (name/email, OTP log, signature, IP/user-agent, legal acceptance metadata): legitimate interests in fraud prevention, identity verification at signature point, and maintaining evidential integrity of records.
  • Security and audit logs: legitimate interests and legal obligations (security, incident response, and legal compliance).

5. How Long We Keep Your Data

We do not keep personal data for longer than is necessary for the purpose for which it was collected. Our retention periods are as follows:

For beta applications, if you are not selected for beta access, you may request deletion of your beta application data at any time by contacting us at [privacy@signover.app]. If no deletion request is made, we will automatically delete unselected beta application data when the platform exits beta and goes live, unless we are required to retain it by law.

When an operator cancels their subscription, we will send an automated notification advising that job records will be permanently deleted 6 months from the cancellation date, and recommending that all records are downloaded before that date.

Operator and driver account records are retained for as long as accounts remain active, then for a limited period required to complete closure, dispute handling, and legal/compliance obligations. Countersigner data that forms part of job records follows the same job-record retention period.

6. Who We Share Your Data With

6.1 Subprocessors

We use the following third-party service providers to operate the platform. Each processes personal data on our behalf and is bound by appropriate data protection obligations:

  • Supabase — database hosting and storage for all job and account data
  • Cloudflare Images — secure storage and delivery of vehicle and inspection images
  • Resend — transactional email delivery (OTP emails)
  • Vercel — platform hosting and non-identifying performance analytics
  • No payment processor is active during beta

6.2 Operators

Job record data, including countersigner information, is accessible to the operator whose account the job was created under. Operators are Data Controllers for this data and are responsible for how they use, store, and share it.

6.3 Legal Requirements

We may disclose personal data if required to do so by law, court order, or in connection with legal proceedings.

7. Your Rights

Under UK GDPR you have the following rights in relation to your personal data:

  • Right of access — you can request a copy of the personal data we hold about you
  • Right to rectification — you can ask us to correct inaccurate data
  • Right to erasure — you can ask us to delete your data in certain circumstances (see below)
  • Right to restriction — you can ask us to limit how we use your data
  • Right to portability — you can request your data in a structured, machine-readable format
  • Right to object — you can object to processing based on legitimate interests

7.1 Right to Erasure — Important Limitation for Countersigners

If you are a countersigner (a person who signed a vehicle condition record through the Signover platform), please be aware that the right to erasure does not apply in all circumstances.

Your signature, email address, and associated record data form part of a vehicle condition record that may be required for the establishment, exercise, or defence of legal claims. Under UK GDPR Article 17(3)(e), we may refuse an erasure request where processing is necessary for this purpose, even if no claim is currently active.

If you make an erasure request, we will respond within one calendar month. If we are unable to comply, we will explain why and inform you of your right to complain to the Information Commissioner's Office (ICO).

8. How to Exercise Your Rights

To exercise any of your rights, please contact us at [privacy@signover.app]. We will respond within one calendar month of receiving your request. We may ask you to verify your identity before processing your request.

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Telephone: 0303 123 1113

9. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or destruction. These include:

  • Encryption of data in transit and at rest
  • Role-based access controls limiting internal access to personal data
  • Secure authentication for all platform users
  • Regular monitoring of platform security

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify operators and drivers of any material changes by email. The date of the most recent update is shown at the top of this document. We recommend checking this policy periodically.

Last updated: [DATE]

Signover — signover.app. This document is a draft for legal review only and does not constitute legal advice.