GDPR Compliance — Fleet

Last updated: 12 April 2026

This page explains how USK DIGITAL LTD (trading as "Mekavo") complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR) for the Mekavo Fleet product.

Fleet operations collect more personal data than a single vehicle owner — driving licences, employee numbers, vehicle assignments, inspection records. This page sets out who is responsible for what. For full details on what data is held and how it is used, please read our Fleet Privacy Policy.

1. Our Commitment to Data Protection

Mekavo Fleet is built with data protection in mind from day one. We have implemented technical and organisational measures appropriate for handling employee and vehicle data, including:

• Data minimisation — we only ask for the data the fleet operator actually needs (e.g., licence expiry, not full DOB unless the operator requires it)
• Purpose limitation — driver data is used for fleet compliance and safety, not for marketing
• Storage limitation — inspection records and defect reports have configurable retention windows
• Integrity and confidentiality — TLS in transit, encryption at rest, per-user and per-org access controls
• Role-based permissions — drivers only see their assigned vehicles; managers see their org; admins see all
• Accountability — we keep an internal record of processing activities (Article 30) and review sub-processors quarterly

2. Data Controller vs Data Processor

Under GDPR, it matters whether you are the controller (deciding what data to collect and why) or the processor (processing data on someone else's instructions). Mekavo Fleet sits on both sides depending on the data:

Mekavo as Data Controller

We are the controller for data we collect directly from the fleet operator:

• Account registration for the fleet manager and organisation owner
• Billing and subscription records (plan, vehicle count, invoices)
• Support tickets and communications
• Website and dashboard analytics (anonymised)
• FCM push tokens and SMS delivery logs tied to Mekavo user accounts

Mekavo as Data Processor

When the fleet operator stores driver, vehicle, and inspection data in Mekavo Fleet, the fleet operator is the controller and Mekavo is the processor. This covers:

• Driver licence numbers, categories and expiry dates
• Employee numbers and internal role assignments
• Vehicle registrations, VINs, service histories and documents
• Inspection records including photos, GPS coordinates and mileage readings
• Defect reports and compliance dashboards

Mekavo processes this data only on the fleet operator's instructions, as set out in our Data Processing Agreement (see Section 7).

3. Lawful Basis for Processing

We process personal data under the following legal bases:

• Contract (Art. 6(1)(b)): to provide the Fleet service the customer has subscribed to
• Legitimate interest (Art. 6(1)(f)): platform security, fraud prevention, fleet-safety feature development
• Legal obligation (Art. 6(1)(c)): tax records, VAT returns (HMRC), vehicle-inspection retention where local law requires
• Consent (Art. 6(1)(a)): marketing emails, non-essential cookies, optional product trials

The fleet operator is responsible for having its own lawful basis for processing employee/driver data (typically contract of employment, legitimate interest in road safety, or legal obligation for compliance inspections).

4. Driver & Employee Data

Because the Fleet product stores data about drivers who may not be the account holder, we take extra care:

• Driving licence numbers are stored encrypted at rest
• Drivers can request their own copy of the data held on them by contacting the fleet operator first, or Mekavo directly if the operator is unresponsive
• When a driver leaves, the fleet operator is responsible for removing them — Mekavo provides a "remove team member" action that deactivates their access immediately
• GPS coordinates recorded during inspections are retained only for the duration of the inspection audit trail, not for live tracking
• Mekavo does not offer continuous driver location tracking. If that functionality is introduced, it will be opt-in and covered by a separate data-processing notice.

5. Your Data Subject Rights

Under GDPR, every individual whose data is held in Mekavo Fleet has the following rights:

• Right of access (Art. 15): request a copy of the personal data held
• Right to rectification (Art. 16): correct inaccurate data (e.g., wrong licence expiry)
• Right to erasure (Art. 17): request deletion where the lawful basis no longer applies
• Right to restrict processing (Art. 18): limit processing while a dispute is resolved
• Right to data portability (Art. 20): receive data in JSON or CSV format
• Right to object (Art. 21): object to processing based on legitimate interest or direct marketing
• Right not to be subject to automated decision-making (Art. 22): Mekavo Fleet does not make fully automated decisions about individuals

6. How to Exercise Your Rights

Where Mekavo is the controller (account holders, billing contacts):

• Email with subject "Fleet Data Subject Request"
• Include your full name and the email on your Mekavo account
• Tell us which right you are exercising and, if relevant, which data points

Where Mekavo is the processor (driver data held on a fleet operator's behalf): contact your employer or fleet manager first — they are the controller and must respond. If they do not respond within a reasonable time, you may escalate to us and we will forward the request and follow up.

We respond within 30 days, extendable by 60 days for complex cases (we will tell you if this applies). There is no fee unless the request is manifestly unfounded or excessive.

7. Data Processing Agreement

Every fleet subscription includes a Data Processing Agreement (DPA) that governs how Mekavo processes driver and vehicle data on the operator's behalf. The DPA covers:

• Scope and purpose of processing
• Categories of data subjects (drivers, vehicle users, managers)
• Categories of personal data (name, licence, assignments, inspection records)
• Security measures (encryption, access control, audit logging)
• Sub-processor list (Stripe, Twilio, Anthropic, Firebase, AWS) and notification of changes
• Data breach notification procedures (72-hour window)
• Return or deletion of data on termination

To request a counter-signed copy of the DPA, email .

8. International Data Transfers

Primary Mekavo Fleet servers are located in the UK and EEA. Some sub-processors operate from outside these regions; where that is the case we rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• UK International Data Transfer Agreement (IDTA) for transfers from the UK
• Adequacy decisions where the destination country has one

The current sub-processor list and their locations are available in the DPA. Material changes are notified at least 14 days in advance.

9. Data Breach Response

If personal data is compromised, Mekavo:

• Notifies the relevant supervisory authority within 72 hours of becoming aware (Art. 33)
• Notifies affected individuals without undue delay if the breach is high-risk (Art. 34)
• Notifies the fleet operator (as controller) with all information needed to discharge its own reporting obligations
• Documents the breach, effects, and remediation in an internal breach register

10. Contact & Complaints

For all Fleet data-protection matters:

Data Protection Team
USK DIGITAL LTD (trading as Mekavo)
76 Letchworth Rd, Leicester, LE3 6FH, UK

Email:

If you are unhappy with our response, you have the right to complain to your local supervisory authority:

• UK: Information Commissioner's Office (ICO) — ico.org.uk
• Ireland: Data Protection Commission (DPC) — dataprotection.ie
• Spain: Agencia Española de Protección de Datos (AEPD) — aepd.es
• Germany: Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI) — bfdi.bund.de