Privacy Policy

Last updated: 25 April 2026

This Privacy Policy explains how Tobsoft Ltd (trading as Servogo) ("we", "us", "our") collects, uses, and protects personal data when you use the Servogo platform ("Service"). We are committed to handling personal data in accordance with the UK GDPR and the Data Protection Act 2018.

1. Who We Are

Tobsoft Ltd (trading as Servogo) is the data controller for the personal data of account holders, billing contacts, and administrators. For personal data entered by customers about their own clients and employees, the customer is the data controller and we act as data processor.

Registered in England and Wales. Company number: 17180232.

Contact: support@servogo.co.uk

2. Data We Collect

2.1 Account and billing data

  • Identity: First name, last name, username, email address.
  • Organisation: Business name, timezone, branding, address, VAT number, company number.
  • Billing: Subscription plan, Stripe customer and subscription IDs. We do not store full card numbers - these are handled by Stripe.

2.2 Service usage data

  • Jobs, routes, service plans, and invoices you create in the Service.
  • Audit log entries recording key actions (login, billing events, role changes).
  • Messages sent between staff and clients within the platform.

2.3 Technical data

  • IP address, browser type, and device type (collected in server logs).
  • Authentication tokens stored in your browser's localStorage.
  • Request IDs and performance metrics for diagnostics.

2.4 Data you enter about others

You may enter personal data about your own clients and employees (names, addresses, phone numbers, email addresses). You are the data controller for this data; we process it solely to provide the Service to you.

3. Legal Basis for Processing

We process personal data on the following legal bases under UK GDPR Article 6:

  • Contract (Art. 6(1)(b)): Processing necessary to provide the Service under your subscription agreement - account management, billing, sending you service emails.
  • Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, service improvement, and aggregated analytics. We have balanced these interests against your rights.
  • Legal obligation (Art. 6(1)(c)): Retaining billing records as required by UK tax law.
  • Consent (Art. 6(1)(a)): Marketing communications (where opted in). You may withdraw consent at any time.

4. How We Use Your Data

  • Providing, operating, and improving the Service.
  • Processing subscription payments and sending billing receipts.
  • Sending transactional emails: invitation links, password resets, invoice PDFs, job reminders, and weekly recaps.
  • Detecting and preventing fraud, abuse, and security incidents.
  • Complying with our legal obligations (e.g. VAT record-keeping).
  • Responding to your support requests and enquiries.

5. Data Sharing

We share personal data only with trusted sub-processors required to deliver the Service:

  • Stripe, Inc. - Payment processing. Stripe acts as an independent data controller for card data.
  • Resend - Transactional email delivery.
  • PostHog (EU) - Product analytics and session recording. PostHog records page views, feature interactions, and anonymised session replays to help us improve the product. All data is processed on EU servers. Inputs are masked in recordings; no sensitive form data is captured.
  • OpenWeatherMap - Weather data for route planning (no personal data shared).
  • Hosting provider - Cloud infrastructure, database hosting, and automated backups.

We do not sell your personal data. We do not share it with advertisers.

We may disclose personal data if required by law, court order, or to protect the rights, property, or safety of Servogo, our users, or others.

6. Data Retention

  • Active accounts: Data is retained for the duration of your subscription and for 30 days after account closure to allow data export.
  • Soft-deleted records: Records you delete within the Service are soft-deleted and purged after 180 days.
  • Closed organisations: All organisational data is hard-deleted 30 days after the subscription end date.
  • Billing records: Payment records are retained for 7 years to comply with UK tax law.
  • Server logs: Rotated after 90 days.

7. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

  • Access (Art. 15): Request a copy of your personal data by contacting us.
  • Rectification (Art. 16): Correct inaccurate data through your account settings or by contacting us.
  • Erasure (Art. 17): Request deletion of your personal data. Closing your account triggers our automated erasure process. Some data may be retained where we have a legal obligation to do so.
  • Restriction (Art. 18): Request that we restrict processing of your data in certain circumstances.
  • Portability (Art. 20): Receive your data in a machine-readable format.
  • Object (Art. 21): Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise your rights, contact us at support@servogo.co.uk. We will respond within one month.

You have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk.

8. Cookies and Local Storage

We do not use advertising cookies. The storage we use falls into two categories:

Essential (no consent required under PECR Reg. 6(4)):

  • Authentication tokens in localStorage - necessary to keep you logged in.
  • UI preferences (table column visibility, sidebar state) in localStorage.

Analytics (PostHog):

  • PostHog sets cookies and uses localStorage to track page views, feature interactions, and session recordings across your use of the Service. This data is used solely to improve the product. You can opt out by contacting us at support@servogo.co.uk.

9. Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • TLS encryption in transit; encrypted disk storage at rest.
  • Short-lived JWTs (30-minute access tokens) with rotation on refresh.
  • Role-based access control limiting data access to authorised users.
  • Rate limiting on authentication endpoints to prevent brute-force attacks.
  • Regular automated database backups with a 14-day local retention.

No method of transmission over the internet is 100% secure. If you believe your data has been compromised, contact us at support@servogo.co.uk immediately.

10. International Transfers

Our primary infrastructure is hosted within the UK/EEA. Where sub-processors (such as Stripe or Resend) process data outside the UK, we rely on UK adequacy regulations or standard contractual clauses to ensure adequate protection.

11. Children

The Service is not directed at, and we do not knowingly collect personal data from, anyone under 18 years of age. If you believe we have inadvertently collected such data, please contact us so we can delete it.

12. Changes to this Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice in the Service at least 14 days before they take effect. The "last updated" date at the top of this page reflects the most recent revision.

13. Contact Us

For privacy-related questions, data subject requests, or to report a concern:

support@servogo.co.uk

Terms of Service