Legal

Privacy policy

Last updated: 2 June 2026

Wayspost Ltd is the data controller for personal data processed via our platform. This policy explains what we collect, why, and how we protect it under the UK GDPR and Data Protection Act 2018.

What we collect

  • Account: name, email, phone, postcode.
  • Bookings: pickup/dropoff postcodes, item descriptions, contact phone, delivery photos.
  • Drivers: licence number, vehicle details, DBS result, payout bank details.
  • Technical: IP, device, cookies (see cookie policy).
  • Fraud-prevention signals: a hashed device fingerprint (canvas + browser characteristics), GPS coordinates and timestamps embedded in pickup/delivery photos, payment-method risk scores from Stripe, and tamper-evident parcel seal codes.

Why we use it

  • To match deliveries with drivers and process payments.
  • To verify driver eligibility (legitimate interest).
  • To prevent insurance fraud, parcel theft, and abuse of the platform (legitimate interest under UK GDPR Art. 6(1)(f)).
  • To meet legal obligations (anti-money laundering, tax, fraud reporting).
  • To send service emails (contractual necessity) and, with your consent, marketing.

Sharing

We share with: Stripe (payments and risk scoring), the matched Driver/Customer for the booking, our cargo insurer when assessing a claim, our infrastructure providers, and law enforcement, Action Fraud, or Cifas where we reasonably suspect fraud or are legally required to. We never sell personal data.

Retention

Account data is kept while your account is active. Booking records are retained for 7 years for tax compliance. Driver verification records: 5 years after termination. Fraud-prevention signals (device fingerprint, IP, photo GPS, seal codes, claim history): 6 years from the related booking, in line with the limitation period for civil recovery.

Your rights

You can access, correct, delete, restrict or port your data. Request these from your account settings or by emailing admin@wayspost.com. You can complain to the ICO (ico.org.uk) at any time.

International transfers

Our infrastructure is UK/EU-hosted. Where data is processed outside the UK we rely on Standard Contractual Clauses.

Security

Encryption in transit (TLS) and at rest, role-based access, MFA for staff. We will notify you and the ICO of any qualifying breach within 72 hours.

Contact

Data protection enquiries: admin@wayspost.com.