1. Who we are
OperatorAssured is a service provided by PSV Compliance & Training Ltd (referred to as “we”, “us” or “PSV CT” in this policy). We are the data controller for personal data processed through this website and through the OperatorAssured portal at portal.operatorassured.co.uk.
- Data controller
- PSV Compliance & Training Ltd
- Companies House number
- 14891261
- VAT registration
- GB 444 224 123
- ICO registration
- ZB589061 (UK Information Commissioner’s Office)
- Contact
- info@psv-ct.co.uk
2. What this policy covers
This policy covers personal data we process when you:
- Visit operatorassured.co.uk and any subdomains we operate.
- Submit the contact form on this site to request a demonstration or ask a question.
- Hold an account on the OperatorAssured portal as a member of staff at an operator we provide the service to.
If your operator (your employer) gives you a portal account, your operator is the controller for the operational records held against your account (training records, walkaround checks, defect reports, assessments, audit logs). PSV CT acts as a data processor for that operational data on behalf of your operator. Each operator should provide its own staff privacy notice for that processing; this document covers PSV CT's role as platform operator.
3. The personal data we collect
3.1 When you submit the demo request form
The contact form on operatorassured.co.uk asks for:
- Your name
- Your company name
- Your work email address
- Your phone number (optional)
- Your fleet size and operating sector (selected from dropdowns)
- Any free-text message you provide
The form opens your email client with this content pre-filled — your data is not posted to a third-party form service or stored in our database until you press “Send” in your email client and the message lands in our inbox.
3.2 Through analytics cookies (with your consent)
If you accept analytics cookies via our cookie banner, we use Google Analytics 4 to collect:
- Pages visited and time spent on each page
- Approximate location (country / region only — IP addresses are anonymised at collection)
- Device, browser and operating system
- Referring website
- Interactions we have configured as conversion events: contact form submissions, “Request a demo” clicks, and pricing tier card clicks
If you decline, no analytics cookies are set and gtag.js is not loaded. See section 9 for full cookie detail.
3.3 In your portal account
If you have a portal account, we hold:
- Account profile: first name, last name, role (driver / passenger assistant / manager / admin / HR), work email address, phone number (optional)
- Authentication: a one-way bcrypt hash of your password (we never store the plaintext) and signed JWT session cookies
- Training progress: which modules you have started, the responses you have submitted, MCQ scores, manager review outcomes and dates
- An immutable audit log of significant events (login, account changes, assessment submission, password reset)
4. Why we process this data, and the legal basis
| Purpose | Legal basis (UK GDPR) |
|---|---|
| Responding to a demo or contact request | Legitimate interests — replying to an enquiry you initiated |
| Providing portal accounts to operator staff | Performance of the contract between PSV CT and the operator employing the user; legitimate interests of the operator in delivering compliant training |
| Securing the platform (logging, audit trail, rate limiting) | Legitimate interests — protecting the service against abuse and fulfilling our duty as a processor to keep operator data secure |
| Sending transactional emails (account approval, password reset, assessment notifications) | Performance of the contract / legitimate interests of the operator |
| Analytics cookies (Google Analytics 4) | Consent — cookie banner; you can withdraw at any time |
| Marketing emails | Consent — we will only send marketing communications if you have explicitly opted in |
5. Who we share data with
We use the following sub-processors. Each is contractually bound to handle data securely and only for the purposes we instruct.
| Sub-processor | Role | Location |
|---|---|---|
| Render | Hosting the OperatorAssured portal application and Postgres database | Frankfurt, Germany (EU) |
| Cloudflare | DNS, CDN and TLS termination for our domains | EU edge (London / Frankfurt / Amsterdam PoPs) |
| Resend | Sending transactional email (account approval, password reset, assessment notifications) | United States (transfer governed by UK IDTA / EU SCCs) |
| Google (Google Analytics 4) | Anonymised website analytics, only when consent is given | European Union and United States (transfer governed by UK IDTA / EU-US Data Privacy Framework) |
We do not sell personal data. We do not share personal data with advertising networks. We do not enrich your data through third-party brokers.
6. International transfers
The portal database and application are hosted in Frankfurt, Germany — within the European Economic Area. Our email-sending and analytics providers are headquartered in the United States; transfers are covered by the UK International Data Transfer Addendum and (where applicable) the EU–US Data Privacy Framework, with Standard Contractual Clauses as a fallback. We can supply copies of the relevant transfer mechanisms on request.
7. How long we keep data
| Data | Retention period |
|---|---|
| Demo request emails received via the contact form | 2 years from the date of the enquiry, then deleted |
| Portal account profile | For the duration the user holds the account, then 12 months grace period for re-activation, then deleted (subject to your operator’s retention obligations) |
| Portal training records | Minimum 6 years for compliance evidence; longer where the operator’s contract or safeguarding obligations require it (e.g. records relating to children may be retained until the child reaches age 25) |
| Audit log entries | 7 years from the event date |
| Google Analytics user-level and event data | 26 months (the maximum retention period configurable in GA4) |
| Backups | Rolling 30-day window; deleted records are removed from backups within that period |
8. Your rights under UK GDPR
You have the following rights in respect of personal data we hold about you. Most can be exercised free of charge, and we will respond within one calendar month.
- Right of access — ask for a copy of the data we hold about you
- Right to rectification — ask us to correct inaccurate or incomplete data
- Right to erasure — ask us to delete your data, subject to our legal and regulatory retention obligations
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests, including direct marketing
- Right to restrict processing — ask us to pause processing while a query is investigated
- Right to withdraw consent — for processing based on consent (e.g. analytics cookies, marketing emails) you can withdraw at any time without affecting the lawfulness of processing carried out before withdrawal
To exercise any of these rights, email info@psv-ct.co.uk. We may need to verify your identity before responding so that data is only released to the right person.
9. Cookie policy
9.1 Essential cookies
The following cookies are necessary for the service to work and are not subject to consent. They are not used for advertising or analytics.
| Cookie | Set by | Purpose | Lifetime |
|---|---|---|---|
oa_cookie_consent | operatorassured.co.uk | Stores your cookie consent choice (accepted or essential) so the banner is not shown again | Indefinite (browser localStorage; cleared when you clear site data) |
guyan_session | portal.operatorassured.co.uk | Authenticated portal session — JWT in HttpOnly cookie | 8 hours (or until sign-out) |
guyan_refresh | portal.operatorassured.co.uk | Refresh token used to extend an active session | 30 days, rotated on each refresh |
9.2 Analytics cookies (consent required)
If you accept analytics cookies, Google Analytics 4 sets the following cookies on operatorassured.co.uk. These cookies are not loaded at all if you select “Essential cookies only”.
| Cookie | Set by | Purpose | Lifetime |
|---|---|---|---|
_ga | Google Analytics | Distinguishes unique users for analytics | 13 months |
_ga_KWHERF607D | Google Analytics | Maintains analytics session state | 13 months |
9.3 Changing your cookie choice
You can change your cookie choice at any time by clearing the oa_cookie_consent entry from your browser’s site data — the banner will reappear on your next visit. You can also opt out of Google Analytics across all sites by installing the Google Analytics Opt-out Browser Add-on from tools.google.com/dlpage/gaoptout.
10. Security
We hold ourselves and our sub-processors to the following baseline:
- TLS 1.2+ encryption in transit on every public endpoint
- Encryption at rest for the portal database
- Bcrypt password hashing (cost factor 12 or higher)
- JWT RS256 signed access tokens; HttpOnly + SameSite cookies
- Rate limiting on authentication endpoints to deter brute-force attacks
- Tenant isolation enforced at the database schema and API layer — no cross-operator data access by design
- Append-only audit log of significant events
11. Children
Our services are intended for use by adult employees of operator companies. We do not knowingly collect personal data from anyone under 18 through this website. The portal may hold operational records relating to children where an operator’s service involves transporting them (for example SEND home-to-school transport); that processing is the operator’s responsibility under their own contracts and notices, with PSV CT acting as a processor.
12. Changes to this policy
We may update this policy from time to time. The “Last updated” date at the top of the page reflects the date of the most recent change. Material changes will be highlighted on the homepage for at least 30 days following publication.
13. Contact
Questions about this policy, or requests to exercise any of the rights described above, can be sent to:
- info@psv-ct.co.uk
- Post
- PSV Compliance & Training Ltd, Data Protection
(address available on request) - Regulator
- UK Information Commissioner’s Office — ico.org.uk