Driver Codes — Driver Checks Portal Privacy Notice
Provider: RSMT Limited trading as Driver Codes
Version:v1.2 — 15th May 2026
Audience: Administrators and users of the Driver Codes business customer portal at app.driver.codes.
Published location: app.driver.codes/documents/privacy
This notice explains how RSMT Limited (trading as Driver Codes) uses your personal data when you are an administrator or user of the Driver Codes business customer portal at app.driver.codes.
It does not cover:
- visiting the driver.codes marketing website — see the Website Privacy Policy at driver.codes/legal/website-privacy;
- using the Driver Codes mobile app for personal driving information — see the Consumer App Privacy Notice at driver.codes/legal/app-privacy;
- being invited by a company to complete a driving licence check — see the Driver Checks Privacy Notice at driver.codes/legal/checks-privacy.
If more than one notice applies to you, the relevant notice applies to its respective part of the processing.
How to read this notice
You are an administrator for the purposes of this notice if you have been given access to the Driver Codes business customer portal by your employer (the business customer) — for example, as a fleet manager, HR contact, line manager or compliance lead. The business customer is the entity that has signed up to use Driver Codes; you are the individual who logs in and uses the service on its behalf.
Throughout this notice, references to "the business customer" mean your employer or the company that has nominated you as an administrator. Driver Codes processes some of your personal data on the business customer's behalf as a processor — for example, your account record, role and activity within the customer's workspace. Driver Codes also processes some of your personal data as a controller in its own right — for example, security and fraud-prevention logs, billing records, support communications, and platform audit trails. This notice covers the controller-side processing.
For the processor-side processing (your data in the business customer's workspace), the business customer is the controller and is responsible for issuing its own privacy information to you about that processing. If you have not received it, ask your employer.
1. Who is processing your data
RSMT Limited (trading as Driver Codes) is the controller for the processing in this notice. Our registered address is 19A Queens Road, Hale, WA15 9HF. Our company number is 11744436. We are registered with the Information Commission under number ZA788385.
The internal lead for data protection matters is the Owner of RSMT Limited, contactable at privacy@driver.codes.
2. Information we process about you
We process the following categories of personal data about administrators:
Account and identity data — your name, work email address, role, login credentials, multi-factor authentication enrolment, and unique account identifiers.
Activity and usage data — when you log in, which features you use, configuration changes you make, drivers you invite, exports you generate, and similar workflow activity. Some of this is processed for the business customer's workspace (where Driver Codes acts as processor); some is processed by Driver Codes for its own platform-protection purposes (where Driver Codes acts as controller, see section 3).
Technical and security data — your IP address, device and browser information, session identifiers, and authentication events including success, failure and MFA challenges.
Audit and security logs — records of administrative actions in the portal, including user provisioning and role changes, retained for security, abuse prevention, and the defence of legal claims.
Support and communications — messages, enquiries, and support tickets you send to us, and our responses.
Billing and contracting contact data — where you are the named contact for the business customer's billing or contractual matters: name, work email, telephone, and signature/acceptance metadata.
We do not process your driving licence record through your portal account — that processing is covered by the Driver Checks Privacy Notice and only applies if you yourself have also been invited to complete a check.
3. Why we use your information — our lawful bases
We rely on the following lawful bases under Article 6 UK GDPR:
| Purpose | Article 6 basis |
|---|---|
| Authenticate you, secure your account, and operate core portal functionality on the business customer's behalf | Article 6(1)(b) where you have a direct contract or pre-contract with us; otherwise, Article 6(1)(f) legitimate interests in providing the service to your employer |
| Protect the platform against fraud, misuse, and unauthorised access; investigate suspected breaches; maintain integrity of audit and security logs | Article 6(1)(f) legitimate interests in operating a secure, lawful service |
| Provide and manage support, investigate issues, and respond to enquiries | Article 6(1)(f) legitimate interests; Article 6(1)(b) contract where applicable |
| Operate billing, manage the contract relationship with the business customer, and pursue overdue accounts | Article 6(1)(b) contract; Article 6(1)(c) legal obligation; Article 6(1)(f) legitimate interests |
| Comply with our own legal, regulatory and DVLA obligations | Article 6(1)(c) legal obligation; Article 6(1)(f) legitimate interests |
| Establish, exercise or defend legal claims | Article 6(1)(f) legitimate interests |
| Send transactional and service-related communications | Article 6(1)(b) contract; Article 6(1)(f) legitimate interests |
| Send optional marketing or product update emails where you have opted in | Article 6(1)(a) consent; or Article 6(1)(f) legitimate interests under the "soft opt-in" rules of the Privacy and Electronic Communications Regulations 2003 |
Where we rely on legitimate interests, we have carried out a documented Legitimate Interests Assessment. You may ask us for a summary.
4. The controller / processor split for administrator data
Some of the same data points may be processed by Driver Codes in two different roles depending on the activity.
Driver Codes as processor (the business customer is controller). Your account record, role, configuration and activity within the customer workspace are processed on the business customer's instructions. The business customer determines who has access, what actions are taken, and how long records are kept in the workspace. The Data Processing Addendum between Driver Codes and the business customer governs that processing.
Driver Codes as controller (this notice). Where Driver Codes processes administrator data for its own purposes — including platform security and fraud prevention, billing, support, audit logs, defence of legal claims, and operation of the underlying service — Driver Codes is the controller. The business customer cannot direct Driver Codes to delete or restrict this data within the retention periods Driver Codes needs for its own legitimate and regulatory purposes.
This is the same sequential-controller pattern that applies to driver-check data, applied at the administrator layer.
5. Automated decision-making
We do not make solely automated decisions about you that produce legal or similarly significant effects.
6. Who we share your information with
The business customer — for the parts of the processing where the business customer is the controller (the workspace layer). Our staff and systems make administrator data visible to the business customer in the normal course of operating the service.
RSMT Limited staff and our service providers who support, secure or operate the Driver Codes platform. Our current sub-processor list is published at app.driver.codes/documents/subprocessors.
Professional advisers, regulators, courts, law enforcement, DVLA and similar, where disclosure is required by law or reasonably necessary to protect our service, our legal rights, or the safety of others.
A successor entity in the event of a sale, merger, or reorganisation of our business, with appropriate notice where relevant.
We do not sell your personal data, and we do not share it for the purpose of anyone else's direct marketing.
7. Where your data is stored and international transfers
Your personal data is stored in the United Kingdom. We use Amazon Web Services in the London region (eu-west-2) for production hosting. We do not transfer your data outside the United Kingdom as part of normal service operation.
If a specific support activity ever required a limited international transfer (for example, a bug-fix involving a vendor support engineer outside the UK), we would rely on an appropriate UK transfer mechanism (such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses) supported by a documented Transfer Risk Assessment.
8. How long we keep your information
| Category | Retention period |
|---|---|
| Active administrator account data | While your account is active and the business customer's relationship with Driver Codes continues |
| Closed administrator accounts | Within the business customer's workspace, in accordance with the business customer's retention rules and the closure window in the applicable Driver Codes terms; for Driver Codes' own controller-side records, see below |
| Service security and access logs | Up to 12 months |
| Authentication events (login success, failure, MFA) | Up to 12 months |
| Material administrative actions in the portal (user provisioning, role changes, exports) | Up to 6 years for audit and the defence of legal claims |
| Support tickets | 3 years from closure of the ticket |
| Billing and contract contact records | 6 years plus the current financial year |
| Marketing preferences and suppression lists | Until you withdraw, then retained in a suppression list to honour your preference |
We may keep information longer where the law requires, where there is a live dispute, or where we need to establish, exercise or defend legal claims.
9. Security
We maintain a documented information security programme. A public summary is published at app.driver.codes/documents/security, and a fuller pack is available to enterprise customers under non-disclosure on request. Controls relevant to administrator accounts include role-based access, mandatory multi-factor authentication on all administrator accounts, encryption in transit (TLS) and at rest, continuous 24x7 automated security monitoring, daily encrypted backups, documented incident response, and UK-only hosting.
You play an important role in keeping your account secure: use a strong, unique password, enable MFA, do not share credentials, and tell us promptly at security@driver.codes if you suspect unauthorised access.
10. Your rights
Subject to UK data protection law, you have the right to:
- request access to your personal data;
- ask for inaccurate information to be corrected;
- ask for deletion or restriction of processing, where the conditions for those rights are met;
- object to processing based on legitimate interests, where you have particular reasons relating to your situation;
- receive a portable copy of certain information (data portability), where the conditions apply;
- withdraw consent at any time where processing is based on your consent (this does not affect processing already done before withdrawal);
- not be subject to solely automated decisions producing legal or similarly significant effects.
To exercise a right, contact privacy@driver.codes. We will respond within one calendar month of receiving a valid request, and will let you know if we need an extension in complex cases.
Where your request relates to processing for which the business customer is the controller (your account in the business customer's workspace, your activity records as held for your employer, and so on), you may need to contact your employer directly. Please tell us if you would like us to forward your request, and we will assist as practical.
11. Complaints
You have the right to complain to us about how we handle your personal data. Our Data Protection Complaints Procedure explains how to do this, how we will respond, and your right to escalate to the Information Commission if you are not satisfied. Our complaints procedure complies with section 164A of the Data Protection Act 2018 (in force 19 June 2026).
The fastest route is to email privacy@driver.codes. We will acknowledge your complaint within 30 days of receipt and aim to provide a substantive response within the same period for routine complaints.
If you are not satisfied with our response, you have the right to complain to the Information Commission (formerly the Information Commissioner's Office), the UK's data protection regulator. Their website is ico.org.uk.
12. Changes to this notice
We may update this notice from time to time. The current version, with its version date, is always at app.driver.codes/documents/privacy. Material changes will be notified through the portal or by email to active administrator account holders.
13. Contact
| Privacy | privacy@driver.codes |
| Security | security@driver.codes |
| Support | through the portal, or hello@driver.codes |
| RSMT Limited | 19A Queens Road, Hale, WA15 9HF |
| Company number | 11744436 |
| Information Commission registration | ZA788385 |
For the business customer's own privacy contact (relating to processing where the business customer is the controller), see the privacy information your employer has issued, or ask your employer directly.
Note on regulator naming: at the version date of this document, the Information Commissioner's Office (ICO) remains the operative legal name of the UK data protection regulator. References in this document to the "Information Commission" anticipate the regulator's reconstitution under Part 6 of the Data (Use and Access) Act 2025. Our registration (ZA788385) is held with the regulator and will transfer to the Information Commission by operation of law on commencement of sections 118 and 119 of that Act.