Privacy Policy
Last Updated: February 9, 2026
1. Introduction
This Privacy Policy explains how the GVMS & ENS Platform ("we", "us", or "our") collects, uses, discloses, and protects your personal information and business data when you use our Platform.
We are committed to protecting your privacy and handling your data in an open and transparent manner. This policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
By using our Platform, you consent to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 Information You Provide
We collect information that you directly provide to us, including:
- Account Information: Name, email address, phone number, company name, EORI number
- Authentication Data: Username, password (encrypted), security questions
- Business Information: Company registration details, VAT number, business address
- Declaration Data: All information you submit in GMRs and ENS declarations, including:
  - Consignment details (goods descriptions, values, quantities)
  - Transport information (vehicle registrations, trailer numbers)
  - Party details (consignor, consignee, carrier information)
  - Customs references and documentation
- Communication Data: Messages, support tickets, and feedback you provide
2.2 Automatically Collected Information
When you use our Platform, we automatically collect:
- Usage Data: Pages viewed, features used, time spent, actions performed
- Device Information: IP address, browser type, operating system, device identifiers
- Log Data: Access times, error logs, system events
- Cookies: Session cookies, preference cookies, authentication tokens
2.3 Third-Party Information
- HMRC Data: Responses, submission outcomes, GMR numbers, and status updates from HMRC
- OAuth Credentials: Access tokens and refresh tokens for HMRC API integration
3. How We Use Your Information
3.1 Primary Purposes
We use your information to:
- Provide Services: Process and submit GMRs and ENS declarations to HMRC
- Account Management: Create, maintain, and manage your account
- Communication: Send service notifications, updates, and support responses
- Authentication: Verify your identity and secure your account
- HMRC Integration: Authenticate with and communicate with HMRC APIs on your behalf
3.2 Secondary Purposes
- Improve Services: Analyze usage patterns to enhance features and user experience
- Security: Detect, prevent, and respond to fraud, abuse, and security incidents
- Compliance: Meet legal obligations and regulatory requirements
- Analytics: Generate aggregated, anonymized statistics about Platform usage
- Support: Provide customer service and technical assistance
3.3 Legal Basis for Processing
Under UK GDPR, we process your data based on:
- Contract Performance: To fulfill our obligations under the Terms and Conditions
- Consent: Where you have given explicit permission
- Legitimate Interests: To improve our services and ensure security
- Legal Obligation: To comply with customs and tax laws
4. Data Sharing and Disclosure
4.1 HMRC
We share your GMR and ENS declaration data with HMRC as necessary to fulfill the core function of our Platform. This is essential for providing the service you request.
4.2 Service Providers
We may share data with trusted third-party service providers who assist us in:
- Cloud hosting and data storage
- Email delivery and communications
- Payment processing (if applicable)
- Analytics and monitoring services
- Customer support tools
These providers are contractually obligated to protect your data and use it only for specified purposes.
4.3 Legal Requirements
We may disclose your information if required to:
- Comply with legal obligations, court orders, or government requests
- Enforce our Terms and Conditions
- Protect our rights, property, or safety
- Investigate fraud or security issues
- Respond to lawful requests from public authorities
4.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections.
4.5 With Your Consent
We may share your information for purposes not listed above with your explicit consent.
5. Data Security
5.1 Security Measures
We implement industry-standard security measures to protect your data, including:
- Encryption: Data encrypted in transit (TLS/SSL) and at rest (AES-256)
- Access Controls: Role-based access with multi-factor authentication
- Monitoring: 24/7 security monitoring and intrusion detection
- Regular Audits: Security assessments and vulnerability testing
- Secure Infrastructure: Data stored in secure, UK-based data centers
- Password Protection: Passwords hashed using bcrypt or similar algorithms
5.2 Data Breach Protocol
In the event of a data breach that may affect your rights, we will:
- Notify you within 72 hours of becoming aware
- Report the breach to the Information Commissioner's Office (ICO) as required
- Take immediate steps to contain and remediate the breach
- Provide guidance on protective measures you should take
5.3 Your Responsibilities
You are responsible for:
- Maintaining the confidentiality of your login credentials
- Using strong, unique passwords
- Logging out of shared devices
- Reporting suspected unauthorized access immediately
6. Data Retention
6.1 Retention Periods
We retain your data for the following periods:
- Account Data: Duration of your account plus 6 years for tax purposes
- Declaration Records: Minimum 6 years as required by HMRC regulations
- Communication Logs: 2 years for support and quality purposes
- System Logs: 90 days for security and troubleshooting
- Financial Records: 7 years as required by law
6.2 Deletion
After retention periods expire, we securely delete or anonymize your data unless:
- Required by law to retain longer
- Necessary for ongoing legal proceedings
- You have requested specific retention
7. Your Rights
7.1 Under UK GDPR
You have the following rights regarding your personal data:
- Right to Access: Request a copy of your personal data we hold
- Right to Rectification: Correct inaccurate or incomplete data
- Right to Erasure: Request deletion of your data (subject to legal obligations)
- Right to Restriction: Limit how we process your data in certain circumstances
- Right to Data Portability: Receive your data in a machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent for processing at any time
- Right to Complain: Lodge a complaint with the ICO
7.2 Exercising Your Rights
To exercise any of these rights, contact us at:
- Email: privacy@gvmsplatform.com
- Subject: "Data Rights Request"
We will respond within 30 days of receiving your request. We may need to verify your identity before processing your request.
7.3 Limitations
Some rights may be limited when:
- We have legal obligations to retain data (e.g., customs records)
- Data is required for legal claims or proceedings
- Exercising the right would adversely affect others' rights
8. Cookies and Tracking
8.1 Cookies We Use
- Essential Cookies: Required for authentication and session management
- Functional Cookies: Remember your preferences and settings
- Analytics Cookies: Help us understand how users interact with the Platform
8.2 Managing Cookies
You can control cookies through your browser settings. Note that disabling essential cookies may prevent you from using certain features of the Platform.
9. International Data Transfers
Your data is primarily stored and processed in the United Kingdom. If we transfer data outside the UK, we ensure appropriate safeguards are in place, such as:
- Standard Contractual Clauses approved by the ICO
- Transfers to countries with adequate data protection laws
- Your explicit consent for the transfer
10. Children's Privacy
Our Platform is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us immediately.
11. Third-Party Links
The Platform may contain links to external websites (including HMRC sites). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will:
- Notify you of material changes via email
- Post the updated policy on the Platform with a new "Last Updated" date
- Request your consent if required by law
Your continued use of the Platform after changes constitutes acceptance of the updated policy.
13. Data Controller Information
For the purposes of UK GDPR, the data controller is:
- Company Name: GVMS Platform Ltd
- Registered Address: [Your Business Address]
- Registration Number: [Company Registration Number]
- ICO Registration: [ICO Registration Number]
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:
- Data Protection Officer: dpo@gvmsplatform.com
- General Privacy Inquiries: privacy@gvmsplatform.com
- Support: support@gvmsplatform.com
Information Commissioner's Office (ICO)
You have the right to lodge a complaint with the UK's data protection authority:
- Website: ico.org.uk
- Phone: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
15. Consent
By using the GVMS & ENS Platform, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein.