Skip to content

Data Processing Agreement

Last updated: May 2026 — UK GDPR Article 28

1. Parties

Controller: the customer who subscribes to FixRoute.

Processor: FixRoute, operated by Chavannes Ltd, registered in England and Wales.

This agreement is entered into automatically when the Controller creates an account and uses the service.

2. Subject matter and scope of processing

The Processor processes personal data on behalf of the Controller solely to provide the service. The Processor does not access or use the data for any purpose other than delivering the service and complying with law.

3. Categories of data subjects

The Controller and the end users on whose behalf the Controller uses the service.

4. Lawful basis for processing

The Controller's account data is processed under Article 6(1)(b) UK GDPR (performance of a contract). Security and abuse-prevention processing relies on Article 6(1)(f) UK GDPR (legitimate interests).

5. Sub-processors

The Processor engages the following sub-processors. All international transfers are covered by Standard Contractual Clauses (SCCs) or an equivalent UK transfer mechanism. This table is kept identical to Privacy Notice §5.

Sub-processorPurposeCountryTransfer safeguard
ResendTransactional email deliveryUSASCCs
StripePayments and subscription managementUSASCCs
RailwayApplication hosting and databaseUSASCCs
Cloudflare R2Photo storageUSASCCs
SentryError monitoringUSASCCs

The Processor will notify the Controller of intended changes to sub-processors with reasonable notice, giving the Controller the opportunity to object.

6. Data retention

  • Account data: deleted synchronously when the Controller deletes their account via /delete-account.
  • Security audit log: retained for 365 days, then permanently deleted by an automated purge job — the same period stated in the Privacy Notice.
  • Payment records: retained by the payment processor per their own policy and applicable financial regulations.

7. Security measures

  • Encryption in transit: all data transmitted over TLS 1.2 or higher.
  • Encryption at rest: the managed database encrypts data at rest.
  • Access control: no routine human access to personal data; administrative access is limited and protected by strong authentication.
  • Incident response: in the event of a personal data breach, the Processor will notify the Controller without undue delay and, where required, report to the ICO within 72 hours.

8. Data subject rights

The Processor will assist the Controller in responding to data subject rights requests (access, rectification, erasure, restriction, portability, objection) within 7 days of receiving the request.

Requests may be submitted at /account/dsar-request or to privacy@fixroute.co.uk. Account holders may exercise erasure directly at /delete-account.

9. Governing law

This agreement is governed by the laws of England and Wales, subject to UK GDPR and the Data Protection Act 2018. The Processor is registered with the ICO under reference ZC142025.

© 2026 FixRoute — Chavannes Ltd.