Data Processing Policy

Last updated: 23 March 2026

This policy describes how Saunders Simmons Ltd processes personal data on behalf of SkipRoute subscribers in our role as a data processor under UK GDPR. It forms part of our commitment to transparent and lawful data handling.

1. Roles and responsibilities

When you use SkipRoute to manage your business operations, you act as the data controller — you determine what personal data is entered into the system and for what purpose. Saunders Simmons Ltd acts as the data processor — we process that data only on your instructions, as set out in these Terms and this policy.

You are responsible for ensuring you have a valid lawful basis for any personal data you upload or create within SkipRoute (such as customer names, contact details, driver information, and job records).

2. Categories of data processed

As part of providing the SkipRoute Service, we process the following categories of personal data on your behalf:

  • Customer data — names, addresses, phone numbers, email addresses, and booking history of your customers.
  • Driver and staff data — names, contact details, and role information for your employees.
  • Job and waste movement data — delivery addresses, collection records, waste types, and digital waste transfer note (WTN) data.
  • Vehicle and equipment data — vehicle registration numbers and skip inventory records.

Special category data (as defined under UK GDPR) should not be uploaded to SkipRoute unless you have explicit consent or another valid legal basis to do so.

3. Purposes of processing

We process data on your behalf solely to:

  • Provide and maintain the SkipRoute Service as described in our Terms of Service.
  • Enable the features you use, including job scheduling, customer notifications, and waste documentation.
  • Provide technical support and diagnose issues.
  • Improve the Service through aggregated, anonymised usage analysis.

We will not process your customers' or employees' personal data for our own independent purposes without your instruction.

4. Sub-processors

We use the following third-party sub-processors to deliver the Service. Each is bound by data processing agreements and complies with UK GDPR:

Sub-processor | Purpose                                            | Location
Supabase      | Database hosting, authentication, and file storage | EU (Frankfurt)
Vercel        | Application hosting and content delivery           | EU / UK
Stripe        | Payment processing (billing data only)             | EU / UK
Resend        | Transactional email delivery                       | EU

We will notify you of any material changes to our sub-processors.

5. Data transfers

We endeavour to store and process data within the UK and EU. Where any transfer outside these regions is necessary (for example, via a sub-processor), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or an adequacy decision.

6. Data security

We implement and maintain appropriate technical and organisational measures, including:

  • Encryption of data at rest and in transit (TLS 1.2+).
  • Role-based access controls limiting staff access to data.
  • Regular security assessments and patching.
  • Secure, isolated database environments per customer organisation.

7. Data breaches

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify you without undue delay and within 72 hours of becoming aware. We will provide sufficient information for you to meet your own reporting obligations to the ICO if required.

8. Data subject requests

If you receive a data subject request (right of access, erasure, etc.) relating to data processed via SkipRoute, we will assist you in responding within the required timeframe. Please contact us at hello@paperroute.co.uk with details of the request.

9. Retention and deletion

We retain your data for the duration of your active subscription. Following cancellation or termination, data is retained for 30 days to allow for recovery, after which it is permanently and securely deleted from all systems and backups on a rolling basis.

You may export your data at any time from within the SkipRoute application. We recommend doing so before cancelling your subscription.

10. Your obligations as data controller

As the data controller, you are responsible for:

  • Ensuring you have a valid lawful basis for processing personal data within SkipRoute.
  • Providing appropriate privacy notices to your customers and employees.
  • Responding to data subject requests relating to data you control.
  • Notifying the ICO of any relevant data breaches within the required timeframe.
  • Not uploading special category data unless strictly necessary and lawfully justified.

11. Further information

For questions about data processing, to request a Data Processing Agreement (DPA) for your organisation, or to raise a data protection concern, contact us at:

Email: hello@paperroute.co.uk
Phone: 0330 043 6608

Saunders Simmons Ltd, 15 Oxford Road, Pen Mill Trading Estate, Yeovil, Somerset BA21 5HR. Company No: 15839557.

See also our Privacy Policy and Terms of Service.