
Privacy Policy

Last updated: 3 June 2026

1. Introduction

This Privacy Policy explains how Mat Mad LTD (Company No. 09270153) ("we", "us", "our"), trading as HauliK, collects, uses, shares and retains personal data in connection with the HauliK platform — including the HauliK web dashboard and the HauliK Driver mobile applications for iOS and Android (together, the "Service").

It applies to transport operators and their businesses, their drivers and other authorised users, visitors to our public website, and anyone who contacts us for support or other enquiries.

This policy is written with UK GDPR and the Data Protection Act 2018 in mind, and is intended to align with relevant ICO guidance and mobile platform privacy expectations. It is not legal advice and remains subject to solicitor review.

2. Who we are

Mat Mad LTD (Company No. 09270153) is a company registered in England & Wales. Our registered office is at Swadlincote, UK. HauliK is a trading name and product brand of Mat Mad LTD (Company No. 09270153).

For privacy and data-protection enquiries, please contact us at info@matmad.co.uk.

3. Controller and processor roles

Under UK GDPR, the roles of "controller" (who decides why and how data is processed) and "processor" (who processes data under the controller's instructions) vary depending on whose data is involved and for what purpose. HauliK operates in both roles:

Fleet, driver and operational data

For personal data about drivers and other authorised users — including job records, walkaround checks, defect reports, proof of delivery, messages, timesheets, fuel logs and other operational or compliance records — the transport operator is ordinarily the data controller. Mat Mad LTD (Company No. 09270153) acts as a data processor, processing that data on the operator's instructions and solely for the purpose of providing the Service.

Platform administration, billing, security and website data

For data relating to operator account registration and management, subscription and billing, website visitors, support communications, security monitoring, legal acceptance records, marketing enquiries and platform administration, Mat Mad LTD (Company No. 09270153) is the data controller in its own right.

Needs legal review: the controller/processor split depends on the exact processing activity and customer arrangement. This policy reflects HauliK's intended B2B SaaS model.

Drivers: if you have a question about your employment records or operational data, you should contact your transport operator in the first instance, as they control that data. You may also contact us at info@matmad.co.uk and we will assist or route your request appropriately.

4. Who this policy applies to

This policy applies to:

  • Transport operators — businesses or individuals who subscribe to HauliK to manage their fleet
  • Operator admins, dispatchers and mechanics — authorised users within an operator account
  • Drivers — individuals invited by an operator to use the HauliK Driver mobile app for iOS or Android; drivers cannot sign up independently
  • Website visitors — anyone browsing the public HauliK website at haulik.co.uk
  • Support contacts — anyone who contacts us by email or via the contact form

5. Data we collect

We collect the following categories of personal data, depending on your role and how you use the Service:

| Category | Data collected | Typical controller |
|---|---|---|
| Account data | Name, email address, user ID (Supabase authentication identifier), role (owner / admin / dispatcher / mechanic / driver), account creation timestamp | Mat Mad LTD (for account administration); Operator (for driver/user accounts the operator creates) |
| Operator / company data | Company name, company type, subscription plan, billing state, number of authorised users, trial status | Mat Mad LTD |
| Driver profile and membership | Driver name, linked user account, role, company membership, linked vehicle or trailer, activity timestamps | Operator |
| Vehicle and trailer data | Registrations, make / model, vehicle type, associated check, defect and maintenance records | Operator |
| Jobs and proof of delivery | Job assignments, collection / delivery stops, job status, timestamps, odometer readings, recipient name, recipient digital signature, delivery photos | Operator |
| Inspection and defect data | Walkaround check answers, defect descriptions, defect severity / category, defect notes, check outcome (pass / advisory / fail), timestamps, linked vehicle or trailer | Operator |
| Location data | Approximate device location captured only when a driver actively submits a relevant operational record (e.g. a walkaround check) while the app is open in the foreground. See section 7. | Operator |
| Messages | Text messages sent between drivers and office staff within the app | Operator |
| Timesheet and working-time data | Shift start / end times, break periods, total hours worked | Operator |
| Fuel and AdBlue data | Fuel log entries, quantities, vehicle or trailer linkage | Operator |
| Uploaded documents, photos and signatures | Files uploaded to the document store, inspection evidence photos, defect photos, proof-of-delivery signatures and photos | Operator |
| Technical data | IP address, browser / app user-agent, app version, device type and OS version, server-side request and error logs | Mat Mad LTD |
| Push notification token | Device push token issued by Apple APNs (iOS) or Google FCM (Android) via Expo, used only to send job and message alerts to the driver app | Mat Mad LTD / Operator |
| Billing and payment data | Stripe customer identifier, subscription plan and status, invoice and payment event records. Card details are processed and held by Stripe; we do not store raw payment card numbers. | Mat Mad LTD |
| Legal acceptance records | Timestamp, IP address and user-agent recorded when the Terms of Service or this Privacy Policy are accepted | Mat Mad LTD |

What we do not collect: We do not collect payment card numbers, government-issued ID or national insurance numbers, biometric data, device advertising identifiers (IDFA on iOS / GAID on Android), contacts, calendar data or microphone / audio recordings. We do not use advertising SDKs or cross-app tracking SDKs in the mobile apps. We do not conduct in-app purchases. We do not sell personal data.

6. Mobile app permissions and device data

The HauliK Driver apps for iOS and Android request only the permissions needed to deliver their operational features:

| Permission | iOS / Android label | Why we use it |
|---|---|---|
| Camera | Camera / Take photos | To photograph vehicle defects, walkaround check evidence, and proof of delivery. Only triggered when you choose to take a photo within a relevant feature. |
| Photo library | Photos / Media library | To attach an existing image from your device where supported as an alternative to the camera. |
| Location (When In Use) | Location — When In Use / ACCESS_FINE_LOCATION | To capture a location stamp when you submit a specific operational record (e.g. a walkaround check) while the app is in the foreground. See section 7. |
| Push notifications | Notifications | To receive job-assignment alerts, message notifications and other operational updates. You may decline this permission; doing so means alerts will not be delivered to your device. |

Permissions we do not request:

  • Microphone — no audio recording of any kind
  • Background location — location is never collected when the app is in the background or closed
  • Contacts — we do not access your device contact list
  • Advertising identifier (IDFA / GAID) — we do not collect advertising identifiers
  • Tracking — we do not track you across other apps or websites
  • In-app purchase — all billing is managed by the operator through the web dashboard

7. Location data

Location access is requested as "When In Use" / foreground only. Location is collected only when a driver actively submits a specific operational record (for example, a walkaround check) while the HauliK Driver app is open on their screen.

  • What is collected: approximate device location at the moment of submission.
  • When it is collected: only at the point of submitting a relevant operational record, with the app open in the foreground.
  • Purpose: to help the transport operator verify where a compliance record was completed.
  • Who sees it: the transport operator and their authorised users (admin, dispatcher, etc.).
  • What it is not used for: advertising, profiling, cross-app tracking, or sale to third parties.
  • Background collection: we do not collect location data while the app is closed, locked or in the background. HauliK does not perform continuous or background GPS tracking of any kind.
  • Operator responsibility: operators must inform their drivers that location data is captured at the point of record submission and include this in their own driver privacy notice.

8. Photos, signatures and operational evidence

Photos, digital signatures and other files uploaded through the Service are stored as operational evidence attached to specific records (walkaround checks, defect reports, jobs, proof of delivery, document store).

  • Who can see them: the transport operator and their authorised users. Individual drivers can see their own submissions.
  • Purpose: compliance record-keeping, dispute resolution and operational evidence on behalf of the transport operator.
  • Storage: stored using Supabase Storage and designed to be controlled through account, database and storage access controls. Hosting region and policy configuration depend on managed-provider settings and service configuration.
  • Accuracy and lawfulness: the operator is responsible for ensuring that uploaded evidence is accurate, relevant and collected lawfully, including any required lawful basis for photos of individuals.
  • Retention: retained with the related record. See section 16 for retention periods.

9. How we use personal data

We process personal data for the following purposes:

  • Providing, operating and maintaining the HauliK platform and HauliK Driver mobile apps
  • Creating and managing operator accounts, authorised user accounts and driver accounts
  • Assigning and tracking jobs, routes and delivery confirmations
  • Recording and reporting vehicle safety inspections, walkaround checks and defects
  • Storing proof-of-delivery records on behalf of transport operators
  • Enabling in-app messaging between drivers and office staff
  • Recording working-time and timesheet data for hours-compliance reporting
  • Recording fuel log entries for operational reporting
  • Capturing location evidence at the point of operational-record submission
  • Delivering push notifications (job alerts, messages, operational updates)
  • Processing subscription payments and managing billing through Stripe
  • Providing customer support and responding to queries
  • Monitoring, debugging and improving service security and reliability
  • Meeting our legal, regulatory, tax and accounting obligations
  • Sending transactional communications (account invitations, billing notices, password resets)
  • Investigating and preventing fraud, abuse and security incidents

10. Legal bases for processing

Where Mat Mad LTD (Company No. 09270153) acts as a data controller, the legal bases we rely on under UK GDPR Art. 6 are:

| Processing purpose | Legal basis | Notes |
|---|---|---|
| Account provision and service delivery to operators | Performance of contract (Art. 6(1)(b)) | Required to provide the subscription service |
| Billing and subscription management | Performance of contract (Art. 6(1)(b)) / Legal obligation (Art. 6(1)(c)) | Including invoicing and accounting obligations |
| Security monitoring, fraud prevention and audit logs | Legitimate interests (Art. 6(1)(f)) | To protect the Service and its users from harm and misuse |
| Service improvement, debugging and performance monitoring | Legitimate interests (Art. 6(1)(f)) | To maintain and improve the platform |
| Transactional communications (invitations, billing notices) | Performance of contract (Art. 6(1)(b)) / Legitimate interests (Art. 6(1)(f)) | Necessary to operate the service |
| Legal, regulatory or court-ordered disclosure | Legal obligation (Art. 6(1)(c)) | Where required by UK or other applicable law |
| Push notification delivery (where enabled) | Legitimate interests (Art. 6(1)(f)) | Mobile OS permissions are device-level authorisations granted by the user; they are not automatically equivalent to UK GDPR consent |

Processor basis: for fleet, driver and operational data where the transport operator is the controller, Mat Mad LTD (Company No. 09270153) processes that data on the operator's instructions as a data processor, in accordance with our Terms of Service. The operator is responsible for establishing and documenting a valid legal basis for their own processing of driver and fleet data.

11. Driver, employee and contractor data

Drivers and other employees or contractors whose personal data is processed through HauliK should be aware that:

  • Their employer or transport operator is the data controller for their operational records, job history, inspection records, messages, timesheets and location evidence collected through the Service.
  • The operator may use HauliK records as part of their employment records and workplace monitoring arrangements, subject to their own employment law obligations.
  • ICO guidance expects employers to handle worker monitoring lawfully, transparently and proportionately. Operators should consult the ICO's guidance on monitoring at work.
  • Drivers wishing to access, correct or erase their operational records should contact their employer / operator in the first instance, as the operator controls that data. Drivers may also contact us at info@matmad.co.uk and we will assist or route the request.
  • Drivers who leave employment retain their UK GDPR rights. The operator is responsible for handling such requests in respect of the data they control.

12. Operator responsibilities

Transport operators who use HauliK have their own responsibilities as data controllers for fleet and driver data:

  • Driver / staff privacy notice: operators must provide their drivers, employees and workers with a clear privacy notice explaining what data is collected through HauliK, why, for how long and their rights.
  • Lawful basis: operators must identify and document a valid UK GDPR lawful basis for their use of driver and fleet data through the Service (typically employment contract, legal obligation or legitimate interests).
  • Employment law and monitoring: operators must ensure their use of the Service — including job tracking, inspection records, messages, location evidence and timesheets — complies with applicable employment law, working-time regulations, ICO monitoring-at-work guidance and equality obligations.
  • Access control: operators are responsible for managing which users have access to their HauliK account, assigning appropriate roles, and removing access promptly when users leave their organisation.
  • Prohibited use: operators must not use the Service for unlawful surveillance, harassment, discrimination or any processing that is not fair, lawful and transparent.
  • Data processing arrangement: by accepting the Terms of Service, operators enter into a data processing arrangement with Mat Mad LTD (Company No. 09270153) under which Mat Mad LTD (Company No. 09270153) processes fleet and driver data on the operator's instructions, as further described in those Terms.

13. Who we share data with

We do not sell personal data. We do not share personal data with third-party advertisers. We may share data with the following categories of recipient:

  • Your transport operator — if you are a driver, your operational records, job history, check submissions, messages, timesheets and uploaded evidence are visible to the operator who invited you and their authorised users.
  • Sub-processors and service providers — we use third-party infrastructure to provide the Service. See section 14 for the full list.
  • Professional advisers — legal advisers, accountants and auditors, where necessary and under confidentiality obligations.
  • Authorities, regulators and courts — where we are required by applicable law, court order, or regulatory requirement, or to protect our legal rights.
  • Business transfers — in the event of a merger, acquisition, restructure or sale of all or part of our business, personal data may be transferred to the relevant entity under appropriate safeguards.

14. Service providers and sub-processors

We rely on the following key service providers to operate the Service. Each acts as a data processor or sub-processor on our behalf (or, where noted, processes data under their own terms when you interact with their platform directly). Exact provider roles, processing locations and transfer mechanisms may vary by provider configuration and applicable provider terms.

| Provider | Role | Data processed | Primary location |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | All platform data including user accounts, fleet records, uploaded photos / signatures and operational records | EU region where configured; provider edge, support and operational processing may occur in other locations |
| Vercel, Inc. | Cloud hosting, edge infrastructure, web analytics | HTTP request data (IP address, headers, user-agent) for serving the web dashboard and API; aggregate anonymised site analytics via Vercel Analytics / Speed Insights | Global CDN; US-based company |
| Stripe Payments Europe, Ltd. | Subscription billing and payment processing | Billing contact, Stripe customer ID, subscription status, payment events. Card details are held by Stripe; we do not hold raw card numbers. | EU / US (Stripe DPA applies) |
| Resend, Inc. | Transactional email delivery | Email address and email content for account invitations, billing notifications, password resets and support communications | US-based |
| Expo, Inc. | Mobile app build tooling and push notification delivery | Push notification token, notification payload | US-based |
| Apple Inc. (APNs) | iOS push notification delivery | Device push token and notification payload delivered to iOS devices | Apple infrastructure (US / global) |
| Google LLC (FCM) | Android push notification delivery | Device push token and notification payload delivered to Android devices | Google infrastructure (US / global) |
| Apple App Store | iOS app distribution | Download / update of HauliK Driver for iOS. Apple processes download-related data under their own privacy terms; we do not receive end-user identifiers from the App Store. | Apple infrastructure |
| Google Play | Android app distribution | Download / update of HauliK Driver for Android. Google processes download-related data under their own privacy terms; we do not receive end-user identifiers from Google Play. | Google infrastructure |

We assess sub-processors for appropriate security and data-protection standards before use and require contractual data-protection terms where applicable. This list may be updated as the Service evolves.

15. International transfers

HauliK is intended to use managed providers configured for appropriate UK/EU data protection safeguards where available. The exact Supabase project region, provider processing locations and live international-transfer position may vary by service configuration and provider terms.

Several of our service providers — including Vercel, Stripe, Resend, Expo, Apple (APNs) and Google (FCM) — are US-based companies. Where personal data is transferred to these providers, we ensure appropriate safeguards are in place, including, where applicable, contractual safeguards such as the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, adequacy decisions or provider-specific data processing terms. Exact mechanisms depend on the provider, service configuration and applicable law at the time.

You may request details of the transfer mechanisms we rely on by contacting us at info@matmad.co.uk.

16. Data retention

We retain personal data for as long as necessary to fulfil the purposes described in this policy, to comply with our legal obligations, and to resolve disputes or enforce our agreements. Retention periods depend on data category and applicable legal or contractual requirements, customer configuration and available retention controls.

| Data category | Retention period | Reason |
|---|---|---|
| Job and proof-of-delivery records | We aim to retain for up to 7 years, or as required by applicable accounting, commercial or legal obligations | Commercial and legal record-keeping |
| Vehicle inspection and defect records | Designed to support operator record retention needs, including common 15-month maintenance-record expectations. Operators remain responsible for confirming and retaining records required by law or policy. | DVSA / Traffic Commissioner compliance |
| Timesheet and working-time records | We aim to retain for a minimum of 2 years, or as required by applicable working-time law | Working Time Regulations 1998 compliance |
| Operator account data | Duration of subscription, plus a reasonable period after account closure for legal, security and dispute purposes | Contractual continuity and legal obligations |
| Driver and user account data | Duration of the relevant user account, plus a reasonable period after deletion or departure | Operational continuity and legal obligations |
| Messages | We aim to retain for up to 12 months, subject to operator-controlled configuration where available | Operational and dispute resolution |
| Technical / server logs | Provider and platform dependent; retained for security, debugging and service-operation purposes | Security and debugging |
| Billing and invoice records | Up to 7 years from invoice date, or as required by UK tax law | Accounting and HMRC obligations |
| Legal acceptance records | We aim to retain for the duration of the account plus a reasonable period thereafter | Evidence of terms acceptance |
| Push notification tokens | Removed when a user logs out, token refreshes or account is deleted; may be retained briefly for delivery-failure analysis | Push notification delivery |
| Operational evidence (photos, signatures, defect images) | Retained with the related record for the applicable period above | Compliance evidence |

Where product retention automation is still evolving, some periods above are targets or best-effort. Audit logs, invoice records and other data subject to a legal retention obligation may be kept after account closure for the period required by law. You are responsible for exporting and retaining any records you are legally required to keep (for example, DVSA, O-licence, HMRC or employment records).

17. Account deletion and data deletion requests

You can request deletion of your account and associated personal data via our dedicated data-deletion page: haulik.co.uk/data-deletion

Alternatively, email us at info@matmad.co.uk with the subject line "Data deletion request".

Drivers and employees: your operational and employment records are controlled by your transport operator. In the first instance, contact your employer. You may also contact us and we will route your request or assist where we can.

What may be retained after deletion: some records may be retained where we have a legal obligation to do so (for example, accounting records, regulatory compliance records, records subject to an active dispute or legal hold). We will inform you of any such retention.

We aim to respond to deletion requests within one calendar month, as required by UK GDPR. A lawful extension of up to two further months may apply where requests are complex or numerous; if so, we will notify you within the first month.

The /data-deletion page also serves as the account and data deletion URL required by the Google Play Data Safety policy.

18. Your UK GDPR rights

Subject to applicable exemptions and, where relevant, to the transport operator being the controller of your data, you have the following rights under UK GDPR:

| Right | What it means |
|---|---|
| Access | Request a copy of the personal data we hold about you (Subject Access Request). |
| Rectification | Ask us to correct inaccurate or incomplete personal data. |
| Erasure | Request deletion of your personal data ("right to be forgotten"), subject to lawful retention requirements. |
| Restriction | Ask us to restrict processing of your data while a dispute or objection is resolved. |
| Portability | Receive personal data you have provided to us in a structured, commonly used, machine-readable format. |
| Object | Object to processing based on legitimate interests or to direct marketing. |
| Withdraw consent | Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing. |

To exercise any of these rights, email us at info@matmad.co.uk or use our data deletion page. We may ask you to verify your identity before responding. We aim to respond within one calendar month; complex or numerous requests may take up to three months in total and we will notify you if an extension is required.

19. Security

We apply the following technical and organisational measures to protect personal data:

  • Encryption in transit: all data transmitted between your browser or device and our servers is encrypted using HTTPS / TLS.
  • Encryption at rest: provider-managed encryption is expected for managed database and object storage services, subject to provider configuration.
  • Row-level security (RLS): database-level row-level security policies ensure each operator account can access only its own data.
  • Role-based access: within an operator account, access to sensitive features is restricted by user role (owner, admin, dispatcher, mechanic, driver).
  • Least privilege: service components are granted only the minimum database and storage permissions needed for their function.
  • Audit logs: key platform actions are logged with timestamp, user and action type for security review and incident investigation.
  • Backups: HauliK relies on managed-provider backup and recovery features where available and enabled.
  • Regular review: we review and update our security practices on an ongoing basis.

No system is completely secure and we cannot guarantee absolute security. If you believe your account has been compromised, you become aware of a security concern, or you need to report a suspected personal data breach, contact us immediately at info@matmad.co.uk.

20. Cookies, analytics and tracking

Mobile apps (HauliK Driver for iOS and Android):

  • The apps do not use cookies.
  • They do not use advertising identifiers (IDFA on iOS / GAID on Android).
  • They do not contain advertising SDKs or cross-app tracking SDKs.
  • They do not use Google Analytics, Firebase Analytics or any equivalent analytics SDK.
  • We do not track you across other apps or websites.
  • We do not sell location data or any other personal data for advertising purposes.

Website (haulik.co.uk):

  • We may use technically necessary cookies or browser storage to manage your login session on the web dashboard.
  • We use Vercel Analytics and Vercel Speed Insights to collect aggregate, anonymised usage and performance data (page views, referrer, device type, Core Web Vitals). These tools do not use persistent cross-site cookies or build personal profiles. See Vercel's Privacy Policy for details.
  • We use Google Analytics 4 to understand how visitors use our public website (pages viewed, referring source, approximate location and device type). Google Analytics cookies are set only if you accept analytics cookies on our cookie banner; if you decline, it runs in a cookieless mode and stores nothing on your device. Advertising and ad-personalisation signals are disabled. See our Cookie Policy and Google's Privacy Policy.
  • When you use the Stripe billing portal to manage your subscription, Stripe may set necessary cookies on Stripe-hosted pages under their own privacy terms.
  • We do not use advertising cookies, retargeting pixels or third-party marketing trackers on our website.

21. Children

The Service is intended for business use by adults aged 18 or over. We do not knowingly collect personal data from children under the age of 18. If you believe we have inadvertently collected data relating to a child, please contact us at info@matmad.co.uk and we will take appropriate steps to delete it.

22. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, applicable law, or regulatory guidance. The "Last updated" date at the top of this page indicates when it was most recently revised.

Where a change is material, we will give reasonable advance notice by email, in-app notification, or dashboard notification before it takes effect. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

23. Contact and complaints

For any privacy-related queries, to exercise your UK GDPR rights, or to raise a concern about our handling of personal data, please contact us:

HauliK — Data Privacy

Mat Mad LTD (Company No. 09270153)

Swadlincote, UK

Email: info@matmad.co.uk

Data deletion: haulik.co.uk/data-deletion

Contact form: haulik.co.uk/contact

Right to complain to the ICO

If you are not satisfied with how we have handled your personal data or responded to your rights request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) — the UK's data protection supervisory authority:

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Tel: 0303 123 1113

ico.org.uk/make-a-complaint