Privacy Policy

Introduction

In this document, when we refer to ‘we’, ‘our’, ‘us’ or Tripcatcher, that means Tripcatcher Ltd.

We provide easy-to-use mileage expense software for individuals, businesses, organisations, bookkeepers and accountants.

Tripcatcher has the role and responsibilities of a Data Controller in accordance with applicable data protection laws. As the Data Controller, we determine the purpose and means of processing your personal data that is collected through our services.

This Privacy Policy is crafted in compliance with the General Data Protection Regulation (GDPR) for our users in the United Kingdom, as well as other applicable data protection laws. Our users are at the heart of what we do, and we are committed to ensuring the security, confidentiality, and integrity of your personal data.

Please be aware that while you are not under any statutory obligation to provide your personal data to us, some personal information is required in order to enter into a contract with us and receive our services, as described in our Terms and Conditions. Without this necessary information, we are not able to provide you with access to our services effectively.


What Information We Collect

We collect information essential to provide you with our comprehensive mileage expense services. The information is collected directly from you, the subscriber, or if you sign up from a third-party platform (such as Xero or Crunch), from that platform and from you.

Account Information

When you create an account we collect your name, organisation, email address and password, which is securely hashed using the bcrypt algorithm, ensuring it remains confidential and inaccessible even to our staff.

The email address is used to ensure every account is unique. Your name is used when emailing you and, together with your email address, to identify you.

The organisation name is collected to enable related users to be grouped together and enable the application of organisation-wide business rules.

Financial Information

If you are invited to use Tripcatcher by your accountant, bookkeeper, employer or other organisation, then no financial data is collected about you.

If you subscribe to Tripcatcher directly through our website, your financial information is collected and processed by Stripe. In this scenario, your card details are sent directly to Stripe and do not pass through Tripcatcher’s servers or get stored by us.

Stripe is a secure payment processing service, and we’ve chosen it to ensure that your financial information is handled with the utmost care and security.

The following data is passed from Stripe to Tripcatcher to provide you with information about the credit/debit card being used for payments and to provide billing history:

  • The last 4 numbers of your credit/debit card;
  • The credit card brand, e.g. Visa;
  • The country the card is based in;
  • The expiry month and year;
  • Billing history – date paid, amount, failed transactions.

If you are subscribing to Tripcatcher via the Xero website, your financial information is processed by both Xero and Stripe. In this case, Xero shares your billing history and current payment status with us, but we do not collect any financial information directly from you.

Device and Technical Information

We collect the following information to help ensure our services are fully optimised for various devices and browsers, providing a seamless user experience:

  • IP Address;
  • Device type and model;
  • Operating System;
  • Browser type.

Usage and Interaction

Detailed activity information, such as actions taken within your account, settings changes, and data entries, is collected for logged-in accounts to create comprehensive audit trails.

Location Information

  • Location names and addresses are collected to identify the start and end locations for trips;
  • For GPS tracking, the phone logs your exact location and the route travelled;
  • If you use GPS tracking on the phone app, your location is recorded when you tap Start GPS until you tap Stop GPS. The GPS trail is used to determine the distance travelled and the GPS trail is then deleted when the trip is saved;
  • GPS tracking is, by default, turned off. You must explicitly turn it on to use it;
  • Your home and office address can be stored on the phone and used as the start and/or end location of a trip.

Vehicle Information

  • If you are claiming VAT on fuel, information on the engine details of your vehicle is collected to determine the appropriate HMRC Advisory Fuel Rate to use;
  • We use the type of vehicle you select for a trip to calculate the appropriate mileage rate;
  • Trips are saved until you delete them, the account is deleted, or the trip data is no longer required to meet the requirements of the HMRC Records Management and Retention and Disposal Policy (currently 6 years plus the current year after claiming the expense).

Other Information

We store emails sent to our support team in our Help Desk system to provide you with better and more efficient customer service, ensuring that we have a complete history of your inquiries and our responses.


How We Use Your Information

The personal data we collect is essential for providing our services, enhancing user experience, and ensuring the security of our platform. We adhere strictly to the General Data Protection Regulation (GDPR) standards and are committed to the principle of data minimisation, ensuring that we only collect the data necessary to fulfil these purposes. Below, we outline the ways we utilise your data:

Provision of Services

  • To calculate your mileage expenses, facilitate submissions to your bookkeeping/accounting software, or enable exports to PDF, CSV, or Excel;
  • To provide multi-user accounts with tools to simplify administrative tasks;
  • To provide you with timely updates and essential information about changes to the service you are subscribed to;
  • To process payments, generate invoices, and manage financial transactions securely.

Customer Support and Communication

  • To promptly address any technical support issues or other queries relating to our website and services;
  • To communicate important operational information, via notices on the website and operational emails, such as changes to the service or guidance on using the software. We aim to ensure that all communication is relevant and adds value to your experience with Tripcatcher.

Marketing and User Engagement

  • To send you marketing communications about Tripcatcher in accordance with your stated preferences. You have the full right to opt out of receiving these communications at any time. Every marketing email will include a link to unsubscribe from the marketing emails;
  • To understand your interests and preferences better, helping us tailor our communications and improve our services;
  • Cookies are used to understand how visitors use the Tripcatcher website and the Tripcatcher web app.

Website and Service Enhancement

  • To track and monitor the usage of our website and services, aiming for continual improvement and optimisation;
  • To conduct research and analysis, utilizing aggregated and anonymised data to generate insightful reports.

Cookies

A cookie is a small data file that is transferred to an internet browser, which enables Tripcatcher to remember and customise your subsequent visits.

  • Necessary Cookies: These are essential for you to log into Tripcatcher and navigate around the app, ensuring a seamless user experience. They include security cookies for CSRF protection, helping to safeguard your data against unauthorised commands.
  • Google Analytics Cookies: These statistical cookies help us understand how visitors interact with our website, providing insights that guide improvements to our Services. You can opt out of these cookies by following the instructions for your specific browser;
  • No Cross-Website Tracking: We do not use cookies to track your activity across different websites, nor do we use advertising platforms that track users across various sites.

This cookie policy may be updated, so we encourage you to review it periodically.

Safety and Security

  • To detect, prevent, and respond to fraudulent or malicious activities, ensuring the integrity and security of our platform;
  • To enforce our terms and policies, conducting audits and complying with legal and regulatory requirements.

We do not collect additional categories of personal data or utilise your personal data for purposes that are materially different, unrelated, or incompatible without first providing you with notice and, where necessary, obtaining your consent.

Your personal data is processed based on one or more of the following lawful grounds:

  • Performance of a Contract: Your personal data is processed in order to fulfil the Terms and Conditions accepted by you when deciding to use our services, forming a binding contract between you and Tripcatcher.
  • Legitimate Interests: We process your personal data to serve our legitimate business interests in providing and optimising our services, ensuring security, and enhancing user experience. Activities include calculating mileage expenses, logging trips, administrating your account, integrating with third-party accounting systems, and securely managing billing and financial transactions. We have conducted a thorough balancing test and determined that these processes do not disproportionately infringe on your rights and interests, ensuring responsible and transparent handling of your personal data.
  • Legal Obligations: We may process your personal data as necessary to comply with legal obligations applicable to our business.

How We Share Your Information

Sharing your personal data with third parties is sometimes necessary for providing our services, enhancing functionality, or for other legitimate purposes. Below, we detail the circumstances under which your data may be shared:

Third Party Service Providers and Partners

We entrust certain services to third-party providers who help us operate, improve, and secure our website and services. For instance, we use Stripe to process financial transactions, ensuring your payment details are handled securely. These third parties are contractually obligated to protect your data and can only use it for specified purposes.

Regulatory and Legal Obligations

We may disclose your personal data when required by law, or to:

  • Assist in criminal investigations or alleged criminal activities, when requested by law enforcement or government officials;
  • Protect our rights, interests, or property, or those of others;
  • Prevent fraud and reduce credit risk;
  • Comply with judicial proceedings, court orders, subpoenas, or other legal or administrative processes.

Integration with Bookkeeping and Accounting Partners

If you choose to publish your mileage expenses to one of our bookkeeping/accounting partners (e.g., Dext, Xero, Sage or Crunch), your mileage expense data will be shared with them. Once shared, your data will be governed by the partner’s Privacy Policy.

Business Transfer, Sale or Acquisition of Assets

In the event of a merger, sale, restructuring, bankruptcy, or similar event, we may transfer or disclose your personal data as part of the transaction. The surviving or acquiring entity will be subject to its own privacy policies, which may differ from ours.

Anonymised and Aggregated Information

We may share anonymised or aggregated information with third parties for research, marketing analytics, and other purposes, ensuring that such information does not identify individual users.

Sub Processors

We use various sub processors to enhance our services:

  • GrooveHQ: Provides customer support software for streamlined communication.
  • Postmarkapp: Ensures reliable delivery of transactional emails.
  • Stripe: Processes payments securely and efficiently.
  • Mailchimp: Offers a suite of marketing tools to engage with customers across multiple channels.
  • MongoDB: Safeguards and stores all the information you share with us.

Each sub processor is rigorously evaluated to ensure they meet our security and privacy standards.

International Data Transfers

  • Storage: Our primary data centres are securely located in Dublin, Ireland. Our operations are exclusively based in the UK and your personal data is protected under the UK GDPR.
  • Limited Transfers to the U.S.: Although we operate solely in the UK, some of our subprocessors might transfer your data to the United States. In these cases the subprocessors either participate in the Privacy Shield framework or have implemented suitable standard contract clauses to ensure data transferred to the US is protected to UK GDPR standards.

Your Rights

We value your privacy and are committed to ensuring transparency in how we handle your personal information. Below are the rights you possess concerning your data:

  • Right to be Informed: You have the right to know how we use your personal information. This Privacy Policy is designed to provide a clear and transparent description of our data usage practices.
  • Right of Access: You can view your personal information through the Tripcatcher web app while your account is active. If your account is no longer active, you can contact us to request a copy of your data. Verification of your identity is required to proceed with this request.
  • Right of Erasure: You possess the right to seek the deletion of your personal information from our records. Please be mindful, however, that we are obligated to retain certain data for legal and compliance purposes for 6 years (including Contact, Identity and Financial Transaction Data) for tax purposes and fraud prevention. NB to delete data stored in the phone app (called Tripcatcher in the Google Play Store and Tripcatcherapp in the Apple App Store) simply delete the phone app from your phone.
  • Right of Rectification: Should you discover any discrepancies or inaccuracies in your personal information, you are empowered to make corrections either directly in the Tripcatcher web app or by reaching out to us for assistance.
  • Right to Restrict Processing: If you have concerns about the accuracy or the legitimate use of your personal data, you have the right to ask us to restrict its processing.
  • Right to Object: You hold the right to object to the usage of your personal information for direct marketing endeavours. We engage in marketing communications solely with your explicit consent, which you are free to revoke at any time.
  • Right to Data Portability: You have the right to receive your data in a structured, commonly used, and machine-readable format upon request. Depending on your preferences, we may suggest exporting your mileage expenses directly to your bookkeeping software.
  • Rights Related to Automatic Decision-Making: You have the right to object to automated decision-making. Tripcatcher does not engage in automated decision-making processes.

To exercise any of these rights, please send a request to support@tripcatcherapp.com. We will address your questions promptly and thoroughly.


Keeping Your Personal Data Safe

At Tripcatcher, we prioritize the safety and security of your personal data. Here’s how we ensure its protection:

Secure Access

Your account is protected through password hashing, with the password known only to you. Salting (adding random characters) before hashing your password significantly enhances its security, making it exceedingly difficult to decipher even in the event of a security breach.

Encryption in Transit

We ensure that all data exchanged between your device and our servers is securely encrypted using SSL (Secure Sockets Layer) technology, establishing a confidential and secure communication channel, and protecting your information from potential interception or tampering.

Secure Storage

Your data is securely stored with MongoDB Atlas, leveraging Amazon Web Services for data hosting. Your data is encrypted both at rest and during transit between our servers and the database, ensuring its safety.

The data is stored in servers based in Dublin. It may be transferred out of the EU by a sub processor to the US, but only where the contract confirms it meets the standards for Data Transfer as approved by the European Commission.

Network Protection

Our network traffic is continuously monitored and protected by Cloudflare, ensuring any malicious activity is swiftly identified and mitigated. The advanced threat intelligence and diverse security mechanisms provided by Cloudflare are integral in maintaining the integrity and security of our network.

Proactive Monitoring

Security Scorecard is instrumental in providing real-time insights into our security stance, allowing us to proactively identify and address potential vulnerabilities and threats. This ensures a robust defence against various cyber risks.

User responsibility

While we ensure robust protection for your data, security is a shared responsibility. To further safeguard your information:

  • Strengthen Your Passwords: Use unique and complex passwords.
  • Update Regularly: Keep your operating system, software, and antivirus programs up to date.
  • Install Antivirus Software: Use reputable antivirus software for an added layer of defence.
  • Be Aware of Phishing: Exercise caution when clicking links or downloading files from unknown sources.
  • Secure Your Device: Lock your device when not in use and consider full disk encryption.
  • Log Out on Shared Devices: Always log out of your Tripcatcher account and close the browser on shared devices.

By following these, and other best practices recommended by your IT Support team, you enhance the security of your personal information. Remember, secure internet practices contribute significantly to data protection.

In Case of a Data Breach

In the unlikely event of a data breach, we are committed to immediate and comprehensive action to address the situation. This includes securing the systems, investigating the breach, notifying affected parties, and implementing measures to prevent future incidents.

By employing these stringent security measures and promoting responsible user practices, we strive to provide a secure and trustworthy environment for all our users.


Changes to This Privacy Policy

Policy Updates

We regularly review and, if necessary, update this privacy policy to reflect changes in legal requirements, our data processing activities, or other relevant circumstances. Any changes made will be promptly published on our website to keep you well-informed.

Your Responsibility

To ensure you remain aware of how we protect your data, we recommend that you review this privacy policy periodically. Your continued use of Tripcatcher services after any updates indicates your agreement to the changes.

Proactive Communication for Major Changes

In the event of significant changes, particularly those that substantially alter our handling of your personal information, we commit to providing clear and noticeable communication. This may include announcements on our platform or direct notifications sent to your registered email address.


Contact Us

For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us by email at support@tripcatcherapp.com.

We hope you enjoy using Tripcatcher!