Privacy Policy

How we handle personal data.

SubRound holds operational data for UK parcel-subcontractor businesses. This policy describes what we collect, why, how long we keep it, and the rights you have over it. Written in plain English.

Last updated: 16 May 2026 · Version 1.0

1. Who we are

SubRound is a software-as-a-service product trading as SubRound ("we", "us", "our"). At the time of writing, the operating entity is J Potts Logistics Ltd (Companies House registration number 12902676, registered office in Cumbria, United Kingdom), pending the completion of formation of a dedicated SubRound Ltd entity which will assume operations.

For the purposes of UK GDPR, the data controller for SubRound's prospect and customer relationships is the operating entity above. Where we process operational data on behalf of a SubRound customer (driver records, rotas, carrier statements held within their tenant), we act as a data processor under a written Data Processing Agreement (DPA) with the customer.

2. What personal data we collect

From visitors to subround.com

  • Theme preference (light or dark), stored only in your browser's localStorage. Not transmitted to us.
  • Cookie-consent choice, stored only in your browser's localStorage. Not transmitted to us.
  • Standard HTTP server logs at our hosting provider — IP address, browser user-agent, requested URL, response code, timestamp. These are not linked to any identifier and are retained for a maximum of 30 days for security and abuse detection.

From people who fill out our demo-request form or chat widget

  • Name you provide
  • Email address you provide
  • Company name (optional)
  • Approximate driver count (optional)
  • Any free-text message you write
  • The IP address of the submission and the browser user-agent (held alongside the record for spam-detection)

From SubRound customers (their administrators)

  • Administrator name, work email, and a hashed password (we never see your plaintext password)
  • Multi-factor authentication secret (encrypted at rest)
  • Login activity (timestamps, IP addresses, audit log of admin actions inside the platform)
  • Billing contact details and Stripe customer ID

From SubRound customers' drivers

When a customer uses SubRound to onboard their drivers, the customer's tenant of the platform stores driver names, contact details, ID/right-to-work documents, vehicle details, payroll records, and operational data (rota acceptance, route summaries, incidents, vehicle checks). This data is the customer's, not ours. We process it strictly on their instructions, under the DPA signed at onboarding.

3. Why we collect it

  • Demo form / chat data: to respond to your enquiry, schedule a demo, follow up on a sales conversation.
  • Administrator account data: to allow you to log into the platform and audit who did what.
  • Driver and operational data (customer side): to make the SubRound platform work — rota planning, three-way carrier statement matching, BACS payment runs, compliance reporting.
  • Server logs: for security, abuse detection, and debugging.
  • Billing data: to invoice and collect subscription payments.

4. Lawful basis for processing

| Activity | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Responding to your demo request | Legitimate interests — we have a clear business interest in replying to people who ask to speak to us, and you have a clear interest in receiving that reply |
| Operating the platform for a paying customer | Performance of contract |
| Holding driver data on behalf of a customer | Customer's legitimate interests or contractual basis (as data controller) — we act as processor |
| Sending billing-related emails | Performance of contract |
| Security / fraud-prevention logging | Legitimate interests |

5. Who we share data with

We do not sell personal data. The following service providers ("subprocessors") may process limited data on our behalf, under contract and with appropriate UK-GDPR-compliant data-transfer terms:

| Subprocessor | Purpose | What they see | Location |
|---|---|---|---|
| Contabo GmbH | Hosting (virtual private servers) | All operational data, encrypted at rest | UK (London datacentre) |
| Resend | Outbound transactional email (account, billing, notifications) | Recipient name, email, message body | EU / US |
| Postmark | Inbound email routing (reply-to-prospect pipeline) | Sender email and content of replies sent to our inbound address | EU / US |
| Let's Encrypt | TLS certificate issuance | Domain name only | US |
| Stripe (once wired) | Subscription billing | Customer billing contact, payment method tokens (we never see card numbers) | EU / US |

We may also disclose data when legally required to (court order, regulatory request) or to protect SubRound against legal liability.

If we add a new subprocessor, we'll notify paying customers at least 14 days in advance.

6. How long we keep it

| Type of data | Retention |
|---|---|
| Demo-request form submissions | 3 years from submission, then deleted, unless the prospect becomes a customer |
| Customer administrator accounts | For the lifetime of the contract, plus 30 days after termination, then deleted |
| Customer operational data (drivers, rotas, invoices, etc.) | For the lifetime of the contract, plus 30 days after termination, then deleted. Backups containing this data are purged on the next backup-rotation cycle (maximum 8 weeks). |
| Server access logs | 30 days |
| Audit-trail of administrator actions inside a customer tenant | For the lifetime of the contract, plus 30 days, in keeping with the operational-data policy above |
| Billing records (invoices, payment history) | 7 years (UK tax law requirement) |

7. International transfers

Operational customer data is held in the United Kingdom. Some of our subprocessors (Resend, Postmark, Let's Encrypt, Stripe) may process data outside the UK / European Economic Area. Where this happens, we rely on:

  • Adequacy decisions where the destination country has been recognised by the UK government as offering adequate protection
  • UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) where adequacy doesn't apply

8. Cookies and similar technologies

Our marketing site (subround.com) sets zero third-party cookies. We don't run Google Analytics, Facebook Pixel, or any other tracking technology on the marketing site.

We use two pieces of browser localStorage (which behave like cookies but are not transmitted to our server):

  • subround.theme — remembers your light/dark theme preference
  • subround.cookieConsent — remembers your choice on the cookie banner

The customer-facing platform (app.subround.com and customer subdomains) sets standard first-party session cookies required for login. These are essential for the service to function and don't require consent under PECR.

9. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you — we provide a copy within 30 days of a written request
  • Rectify inaccurate data
  • Erase your data ("right to be forgotten") — subject to legal retention obligations such as the 7-year tax record requirement
  • Restrict processing in certain circumstances
  • Object to processing based on legitimate interests
  • Data portability — receive your data in a machine-readable format
  • Withdraw consent where we relied on consent
  • Lodge a complaint with the UK Information Commissioner's Office (ico.org.uk) if you think we've mishandled your data

Customers can export all data from their tenant as CSV at any time via the platform. To exercise any other right, contact privacy@subround.com.

10. Security

See our Security page for the technical detail: TLS encryption in transit, encrypted disk volumes, bcrypt-hashed passwords, multi-factor authentication, daily encrypted backups, audit logging, and single-tenant architecture.

11. Children's data

SubRound is a B2B platform for UK parcel-subcontractor businesses. We do not knowingly collect data about anyone under the age of 18. If you believe a child has provided personal data to us, contact privacy@subround.com and we'll delete it.

12. Changes to this policy

We update this policy from time to time as our practices evolve. The "Last updated" date at the top reflects the most recent revision. Material changes affecting current customers are emailed to the administrator on the account at least 14 days before they take effect.

13. Contact

  • Email: privacy@subround.com
  • Post: SubRound, c/o J Potts Logistics Ltd, Carlisle, Cumbria, United Kingdom
  • Data Protection Officer: Jamie Potts (interim, pending SubRound Ltd formation)
  • UK regulator: Information Commissioner's Office — ico.org.uk — 0303 123 1113