DocRide legal

Privacy Policy

How DocRide Tech Ltd collects, uses, stores, shares and protects personal data in connection with the DocRide occupational health and safety management platform.

Effective date: 2 June 2026

Important notice

This policy is written for DocRide's current operating model. It should be read with our User Agreement, Cookie Policy, Data Processing Agreement, AI Processing Notice, Subprocessor Policy, Data Retention Policy and Data Breach Response Policy.

1. Who we are

DocRide is operated by DocRide Tech Ltd, a company registered in England and Wales under company number 16944760. DocRide Tech Ltd trades as DocRide.

For privacy enquiries, contact Adeem, Data Protection Lead at info@docride.co.uk. We are in the process of registering with the UK Information Commissioner's Office where required.

Our registered office is recorded at Companies House. For security and privacy reasons, we use the contact details above for data protection correspondence unless and until a separate business correspondence address is published.

2. Our role as controller and processor

DocRide may act as a data controller or a data processor, depending on the processing activity.

  • We are usually a controller for account administration, billing, website analytics, marketing, platform security, support, professional membership features and DocRide business administration.
  • We are usually a processor when a customer organisation uses DocRide to store or manage personal data about its employees, contractors, consultants, visitors, suppliers, clients, auditors, assessors or other individuals.

Where we act as processor, the customer organisation is responsible for providing privacy notices to relevant individuals and for ensuring that it has a lawful basis for using DocRide.

3. Personal data we process

Depending on how DocRide is used, we may process the following categories of personal data:

  • Account data: names, email addresses, telephone numbers, usernames, authentication data, job titles, profile photos, organisation names, roles and permissions.
  • Business and subscription data: business details, sites, account administrators, plan details, invoices, billing status and Stripe payment references.
  • Employee, contractor and consultant data: job roles, competence records, training records, certificates, qualifications, professional memberships, licences, assessment records and sign-off records.
  • OHS documentation: risk assessments, RAMS, method statements, safe systems of work, construction phase plans, permits to work, emergency plans, inspections, audits, legal registers, corrective actions, contractor documents and performance reports.
  • Incident and investigation records: incident details, near misses, hazards, injuries, witness details, investigation findings, photographs, root cause analysis and corrective actions.
  • Uploaded files: PDFs, images, certificates, inspection evidence, audit evidence, contractor records, medical or occupational health documents if users choose to upload them, and related metadata.
  • Communications: support requests, emails, feedback, demo requests, messages and service notifications.
  • Technical data: IP addresses, device and browser data, login records, audit logs, security logs, error logs, usage events, cookie identifiers and local storage preferences.
  • AI input and output data: user prompts, selected source records, generated drafts, AI-assisted risk assessments, audit support, compliance suggestions, summaries and user edits.

4. Special category and sensitive data

DocRide is not a dedicated medical records system. However, customers may upload or create records that include health data, injury details, sickness information, occupational health reports, disability-related information or other special category data.

Customers are responsible for ensuring that any special category data they upload is necessary, proportionate and supported by a lawful basis and an Article 9 UK GDPR condition. Customers should avoid uploading excessive medical information and should redact information where appropriate.

Incident or investigation records may also include criminal offence-related information. Customers must ensure that any such processing is lawful.

5. How we use personal data

  • to provide, operate and secure the DocRide platform;
  • to create and manage user accounts, permissions and authentication;
  • to store, organise and display OHS records and customer content;
  • to support risk assessment, audit, inspection, competence, contractor, incident and corrective action workflows;
  • to provide AI-assisted drafting, analysis and recommendations;
  • to process payments and subscriptions through Stripe;
  • to send platform emails, notifications and transactional messages using Amazon SES;
  • to provide customer support and respond to enquiries;
  • to monitor service performance, investigate errors and prevent misuse;
  • to produce aggregated or anonymised benchmarking and performance insights;
  • to comply with legal, regulatory, tax, accounting and security obligations;
  • to send permitted marketing communications and manage opt-outs.

6. Lawful bases

Where DocRide acts as controller, we rely on one or more of the following lawful bases:

  • Contract: to provide the platform, account, support and subscription services.
  • Legal obligation: for tax, accounting, regulatory, security and compliance obligations.
  • Legitimate interests: to operate, secure, improve and promote DocRide, prevent misuse, manage customers and develop our services.
  • Consent: for certain cookies, marketing and optional features where required.
  • Legal claims / substantial public interest / employment and social protection conditions: where special category data is processed and an applicable condition is required.

7. AI processing

DocRide currently uses Google Gemini to support AI-assisted features, including document drafting, risk assessment support, audit support, performance analysis and compliance-related suggestions.

Customer content submitted through DocRide is not used to train Google Gemini's general AI models. AI processing is used to generate outputs requested by users and to provide the DocRide service.

AI outputs are intended to assist human users. They may be incomplete, inaccurate, unsuitable for a particular site or out of date. Users must review and approve AI outputs before relying on them.

8. Performance records, profiling and automated decisions

DocRide does not currently score individuals or make automated decisions about individuals. The platform may display performance records, activity records, competence records, training records, sign-off records and audit trails entered or generated through customer use of the platform.

These records are intended to support human review and management. They should not be used as the sole basis for decisions that materially affect an individual, such as employment, disciplinary, competence, contractor approval or safety-critical decisions.

9. Cookies and analytics

We use essential cookies for authentication, security and session management. Google Analytics is used on our public website only if you accept analytics cookies in our cookie banner. Until you accept, analytics cookies are not set.

See our Cookie Policy to manage your preferences.

10. Sharing personal data

We may share personal data with:

  • authorised users within a customer organisation;
  • Stripe for payment processing;
  • Amazon SES for email delivery;
  • Google Gemini for AI-assisted processing;
  • Google Analytics for website analytics when you have accepted analytics cookies;
  • UK hosting, infrastructure, backup and security providers;
  • professional advisers, insurers, regulators, courts and public authorities where required;
  • successors or prospective buyers in connection with a business sale, merger, investment or restructuring.

See our Subprocessor Policy for more information about third-party providers.

11. International transfers

We aim to host customer platform data in the United Kingdom. Some suppliers, including payment, analytics, email or AI providers, may process personal data outside the UK or EEA. Where required, we use appropriate safeguards such as adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, EU Standard Contractual Clauses and transfer risk assessments.

12. Retention and deletion

Customer-controlled OHS records are generally retained for as long as the customer keeps them in the platform or for the duration of the customer contract, unless deleted earlier by the customer or required to be retained.

Customers may delete tenant data, subject to contractual, technical, backup, legal, audit and regulatory limitations. Tenant data means the data held in a customer DocRide workspace, including users, business records, sites, documents, risk assessments, safety plans, incident records, audits, inspections, training records, competence records, contractor records, uploaded files, reports and related metadata.

Where a consultant, auditor, reviewer or competent professional signs off, approves, reviews or submits a document for a customer organisation, that sign-off or approval record forms part of the customer's safety, compliance and audit trail. Such records may not be deletable by the consultant or reviewer after submission.

13. Security

We use technical and organisational measures designed to protect personal data, including access controls, authentication, encryption in transit, role-based permissions, audit logging, backups, security monitoring, supplier controls and incident response procedures.

No service can guarantee absolute security. Customers must manage users, passwords, roles and access permissions responsibly.

14. Your rights

Depending on the applicable law, you may have rights to access, correct, erase, restrict, object to processing, request portability, withdraw consent and object to marketing.

Data protection rights are not absolute. We may refuse or restrict deletion requests where continued retention is necessary for legal obligations, legal claims, regulatory compliance, health and safety records, audit trails, security, fraud prevention, contractual enforcement or the rights and freedoms of others.

If your personal data is held in a customer-controlled workspace, we may refer your request to the relevant customer organisation.

15. Children

DocRide is intended for business and professional use. It is not directed at children. Customers should not create accounts for children unless legally permitted and appropriate safeguards are in place. Some safety records may refer to young workers, apprentices, visitors or students where relevant to OHS compliance.

16. Complaints

Please contact us first at info@docride.co.uk so we can try to resolve your concern.

You may also complain to the UK Information Commissioner's Office: https://ico.org.uk, telephone 0303 123 1113, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

17. Changes

We may update this policy from time to time. If changes are material, we will take reasonable steps to notify users or customers.

18. Related legal documents