FleetFlow

Privacy Policy

Last updated: 16 June 2026

1. Who we are and data controller

FleetFlow is a fleet management platform powered by NovaStack and provided by FORGEAI STUDIO LTD, a company registered in England and Wales and trading as "NovaStack" ("we", "us", "our"). For the purposes of the UK General Data Protection Regulation (UK GDPR) and, where applicable, the EU General Data Protection Regulation (EU GDPR), FORGEAI STUDIO LTD is the data controller of the personal data described in this policy that we process about you as a user of the Service.

Where you use FleetFlow to process personal data about your own customers, drivers or other individuals, you are the controller of that data and we act as your processor; that relationship is governed by our Data Processing Agreement.

You can contact us about privacy matters at support@fleetflowtech.com.

2. Data we collect

  • Account data: your name, email address, organisation name, plan and subscription status.
  • Authentication data: credentials used to sign you in, such as a hashed password and session tokens, managed via our authentication provider.
  • Business data you enter: the vehicle, driver, customer, booking, maintenance and compliance records that you and your users add to the Service.
  • Payment metadata: billing information processed via Stripe, such as your Stripe customer and subscription identifiers and the outcome of payments. We do not store full payment card numbers; card details are handled directly by Stripe.
  • Support communications: the content of messages and any information you provide when you contact us for support.
  • Usage and analytics data: information about how you interact with the Service, such as pages visited, features used, device and browser type, and log data including IP address.
  • Cookies and similar technologies: as described in our Cookie Policy.

3. Why we collect it and our legal bases

We only process personal data where we have a lawful basis to do so under the UK GDPR:

  • Performance of a contract: to create and administer your account, provide the Service, take payment and provide support.
  • Legitimate interests: to operate, secure, maintain and improve the Service, prevent fraud and abuse, and understand how the Service is used, where this is not overridden by your rights.
  • Consent: for non-essential cookies and any optional marketing communications, which you can withdraw at any time.
  • Legal obligation: to comply with our legal, tax, accounting and regulatory duties.

4. Authentication data

We process authentication data, including a securely hashed password and session tokens, solely to verify your identity, keep you signed in and protect your account. Authentication is provided through Supabase. We never store your password in plain text.

5. Payments

Subscription payments are processed by Stripe. When you pay, your card details are submitted directly to Stripe and are not stored on our systems. We retain only payment metadata, such as Stripe identifiers and the success or failure of a charge, to manage your subscription and meet our record-keeping obligations.

6. Analytics

We use analytics to understand how the Service is used so that we can improve it, relying on our legitimate interests and, where required, your consent. Analytics data is used in an aggregated or pseudonymised form wherever practicable.

7. Cookies

We use cookies and similar technologies to operate the Service, keep you signed in and analyse usage. Full details, including the categories of cookies we use and how to manage your preferences, are set out in our Cookie Policy.

8. Support requests

When you contact us for support, we process the information you provide in order to respond to and resolve your query and to keep a record of the interaction. We rely on our legitimate interests and the performance of our contract with you.

9. Data sharing and sub-processors

We do not sell your personal data. We share personal data only with trusted third-party service providers (sub-processors) who help us deliver the Service, and only to the extent necessary. Our key sub-processors are:

  • Supabase — hosting, database (PostgreSQL) and authentication.
  • Stripe — payment processing.
  • Cloudflare — content delivery, performance and security.

We may also disclose personal data where required to comply with the law, enforce our agreements, or protect the rights, property or safety of FORGEAI STUDIO LTD, our users or others.

10. International transfers

Some of our sub-processors may process personal data outside the United Kingdom or the European Economic Area. Where this happens, we ensure appropriate safeguards are in place, such as the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (UK IDTA), so that your data continues to receive a level of protection consistent with UK and EU data protection law.

11. Data retention

We keep personal data only for as long as necessary for the purposes set out in this policy. We retain account and business data while your account is active and for a reasonable period after closure to allow recovery and export, after which it is deleted or anonymised. Financial and transaction records may be retained for up to seven years to meet UK tax and accounting requirements. Support communications are kept for as long as needed to manage our relationship with you.

12. Security

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit, encryption at rest, role-based access controls and database row-level security. No system can be guaranteed completely secure, so we encourage you to use a strong, unique password. Further detail is available in our Security overview.

13. Your rights

Subject to applicable law, you have the right to access, rectify, erase, restrict or object to the processing of your personal data, to data portability, and to withdraw consent where processing is based on consent. You also have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. A fuller explanation of these rights is available on our GDPR rights page.

14. How to make a deletion or access request

To exercise any of your rights, including requesting access to or deletion of your personal data, please email us at support@fleetflowtech.com. We may need to verify your identity before acting on a request, and we will respond within the timeframes required by law.

15. Complaints to the ICO

If you are unhappy with how we have handled your personal data, we would welcome the opportunity to put things right, so please contact us first. You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk, or with your local data protection authority if you are in the EEA.

16. Changes to this policy

We may update this Privacy Policy from time to time. Where changes are material, we will give you reasonable notice, for example by email or via the Service. The "Last updated" date at the top of this page shows when it was last revised.

17. Contact

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at support@fleetflowtech.com.