Privacy notice

1. Who we are

ROAD is a record-first web system operated from the United Kingdom and served at https://www.roadco.uk/. The operator is ROAD CO. UK LIMITED, registered in England and Wales under company number 16903248, with registered office at 51 Nelson Road, Gorleston, Great Yarmouth, England, NR31 6AT. For data protection purposes, the operator acts as the data controller for personal data processed through this system.

Contact for privacy and data rights:

contact@roadco.uk

2. What we collect

When you submit an access request, we collect:

• Email address
• Session timestamp (arrival time in GMT)
• Time spent on site (seconds)
• Sections of the site you reached
• Unique session MARK associated with the request flow
• Confirmation that you acknowledged this notice

Technical data may be processed automatically to deliver the site (for example server or infrastructure logs held by our hosting or database providers). We do not use behavioural advertising or third-party marketing pixels on this site.

Each data point is collected as part of a structured access request record, not for behavioural profiling or advertising.

Where access is granted and the system is used beyond the request phase, additional data may be recorded as part of the operation of the ledger. This may include entries submitted by the user, timestamps associated with those entries, and identifiers required to preserve the continuity and integrity of the record. Such data is handled under the same principles: controlled disclosure, accuracy of record, and no use for behavioural advertising or profiling.

3. Lawful basis

We process the information above on the basis of your consent, given when you submit an access request and confirm you have read this notice. You may withdraw consent at any time; withdrawal does not affect the lawfulness of processing before withdrawal.

Where the system is used beyond the access request phase, processing may also be necessary for the performance of a service requested by the user.

4. Why we use it

We use personal data to:

• Receive, review, and respond to access requests
• Maintain an accurate record of the request and related session context
• Operate and secure the service
• Comply with legal obligations where applicable

The purpose is to maintain an accurate and defensible record of access requests and associated session context.

Where applicable, data may also be used to provide and maintain user accounts and associated system functionality.

5. Processors, hosting, and transfers

We use Supabase as a database and backend provider. Processing may involve storage or processing outside the UK depending on their infrastructure and configuration. Where personal data is transferred internationally, we rely on appropriate safeguards as required by UK data protection law (for example the UK International Data Transfer Agreement, addendum, or adequacy regulations, as applicable).

See Supabase’s own privacy documentation for detail on how they handle service data: supabase.com/privacy

6. Retention

Access request records are retained for twelve months from submission unless a longer period is required by law or you ask us to delete sooner, subject to any overriding legitimate need to retain evidence.

Where the system is used beyond the access request phase, data forming part of the ledger may be retained for the duration necessary to maintain the integrity and continuity of the record, unless deletion is requested and legally permissible.

7. Security

We use technical and organisational measures appropriate to the risk, including encryption in transit (HTTPS) and access controls on systems we control. No method of transmission or storage is completely secure; we work to reduce risk in line with good practice. We do not use third-party advertising trackers or behavioural profiling systems.

The system is designed to minimise data collection and to preserve accuracy over interpretation.

8. Your rights

Under UK GDPR you may have the right to:

• Access your personal data
• Rectify inaccurate data
• Request erasure in certain circumstances
• Restrict processing in certain circumstances
• Object to processing based on legitimate interests (where applicable)
• Withdraw consent where processing is consent-based
• Lodge a complaint with a supervisory authority

To exercise your rights, contact contact@roadco.uk. Requests are handled in line with UK GDPR obligations.

The UK supervisory authority is the Information Commissioner’s Office (ICO). You can find guidance and complaint options at ico.org.uk.

9. Cookies and similar technologies

The site is built to operate without non-essential tracking cookies. Any strictly necessary technical storage (for example to maintain a session or security token) is used only to provide the service you request.

10. Changes

We may update this notice when the service or legal requirements change. The effective date at the top will be revised; material changes will be reflected here.