Legal

Privacy Policy

Effective date: 4 June 2026 · Last updated: 4 June 2026

Welcome to Mule-it. We operate a peer-to-peer delivery marketplace connecting individuals who need items collected and delivered ("senders") with independent local drivers in the United Kingdom ("drivers"). This Privacy and Cookies Policy explains how Mule-it Ltd collects, uses, shares, and protects your personal data when you use our platform — including the sender web app (send.mule-it.co), the driver app (drive.mule-it.co), and this marketing website (mule-it.co).

(A)

Unless otherwise defined, terms in this Privacy Policy hold the same meaning as in our Terms of Service.

(B)

This Privacy Policy may be revised periodically. The latest version will always be available at mule-it.co/privacy. Substantial changes will be communicated at least 30 days prior to taking effect. Your continued use of our services after any changes indicates acceptance.

(C)

We process your data in accordance with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.

(D)

This Privacy Policy covers only data handled by Mule-it and does not apply to third-party services linked to or integrated with our platform, each of which has its own privacy terms.

(E)

We do not knowingly collect personal data from individuals under the age of 18. If we discover we have collected data from a minor, we will delete it promptly.

(F)

By accessing or using our services, you accept this Privacy Policy.

1. Who processes your personal data?

Your personal data is processed by Mule-it Ltd (the "Controller", "we", "us"), a company registered in England and Wales.

For any questions or requests relating to how we handle your data, contact us at privacy@mule-it.co. Our Data Protection Officer is reachable at dpo@mule-it.co.

2. What personal data do we collect?

2.1 Account and identity data

When you register for an account (as a sender or driver), we collect:

Full name, email address, and phone number
Profile photo (optional)
Account type (sender or driver) and registration date
Authentication credentials (managed via Supabase Auth — we never store raw passwords)

2.2 Delivery job data (senders)

When you post a delivery job we collect:

Item title, description, photographs, and estimated value
Collection address and postcode, and delivery address and postcode
Scheduled collection date and time (if provided)
Vehicle type required
Collection and delivery contact details (name and phone number)
Notes for the driver
Job status history (open, accepted, en route, delivered, cancelled)

2.3 Driver verification and operational data

When you register as a driver we collect:

Full driving licence details and a photograph of the licence document
Vehicle type (car, van, Luton, flatbed)
Bank account details (sort code and last 4 digits of account number) for earnings payouts — full bank details are encrypted and accessible only to authorised payment processing systems
Verification status (pending, approved, rejected) and reviewer notes
Typical working days and area (optional, for demand matching)
Earnings history, per-job net amounts, and payout records

2.4 Payment data

Payment card data is collected and stored exclusively by Stripe Inc. on our behalf. Mule-it stores only a Stripe customer reference ID and a masked card summary (card brand and last 4 digits). We never see, process, or store raw card numbers, CVV codes, or full card details.

For drivers, payout bank details are processed by TransferWise Ltd (Wise). We store only the last 4 digits of the account number and last 2 digits of the sort code for display purposes.

2.5 Location and delivery proof data

To verify collections and deliveries, we collect:

GPS coordinates at the point of collection (latitude, longitude, timestamp)
GPS coordinates at the point of delivery (latitude, longitude, timestamp)
Photographs taken by the driver at collection and delivery as proof of handover
Handover code verification records (whether the correct collection and delivery codes were used)
GPS proximity check results (distance from dropoff postcode at time of delivery)

This data forms the delivery proof record for each job and is used for dispute resolution, fraud prevention, and payment release decisions.

2.6 Technical and device data

When you access our platform, we automatically collect:

IP address, browser type and version, and operating system
Device type and screen resolution
Pages visited, actions taken, and time spent on the platform
Error logs and crash reports

Rate limiting and security: We temporarily retain IP addresses for rate limiting, abuse prevention, and platform security. This data is automatically deleted after 90 days and is never used for profiling or marketing.

Legal basisArt. 6(1)(f) UK GDPR — Legitimate interests — protecting platform availability and security

2.7 Cookies and local storage

2.7.1 What are cookies?

Cookies are small text files placed on your device when you visit our platform. We also use browser local storage for certain preferences. Cookies help us keep you logged in, remember your settings, and understand how the platform is used.

2.7.2 How we use cookies

We use three categories of cookies:

Strictly NecessaryAlways active

Essential for the platform to function. Includes session authentication tokens, CSRF protection tokens, and security-related cookies. These cannot be disabled without preventing you from logging in.

FunctionalConsent required

Enable personalised features such as theme preferences (light/dark mode) and saved display settings. Your theme preference is stored in browser local storage.

AnalyticsConsent required

Help us understand how visitors use the platform — which features are used most, where users encounter errors, and how journeys flow. We do not use third-party advertising analytics. No data from analytics cookies is shared with ad networks.

2.7.3 Managing your preferences

When you first visit our website a cookie consent banner allows you to accept all cookies, reject non-essential cookies, or customise your preferences. You can change your settings at any time via "Cookie Preferences" in the website footer. You can also manage or delete cookies through your browser settings — note that disabling strictly necessary cookies will prevent you from logging in.

3. Why do we process your data, and what is the legal basis?

3.1 Delivering our services

Creating and managing your account (sender or driver)
Matching senders with suitable verified drivers
Processing bids and job acceptances
Generating and verifying handover codes
Releasing escrow payments upon confirmed delivery
Providing in-app job tracking and status updates
Sending SMS notifications for job events and delivery codes
Processing driver payouts via Wise

Legal basisArt. 6(1)(b) UK GDPR — Contractual necessity — processing required to perform our contract with you

3.2 Payment processing and financial record-keeping

Charging senders upon bid acceptance (via Stripe escrow)
Capturing payment upon confirmed delivery
Recording earnings per job for driver wallets
Maintaining transaction records for tax and accounting purposes
Issuing payouts to driver bank accounts

Legal basisArt. 6(1)(b) + Art. 6(1)(c) UK GDPR — Contractual necessity + Legal obligation (HMRC record-keeping, 7 years)

3.3 Driver identity and licence verification

Reviewing driving licence photographs submitted during onboarding
Recording verification status and admin decisions
Preventing unverified or disqualified drivers from accessing the job feed

Legal basisArt. 6(1)(b) + Art. 6(1)(f) UK GDPR — Contractual necessity + Legitimate interests (platform integrity and user safety)

3.4 Safety, fraud prevention, and dispute resolution

Recording GPS coordinates and photographs at collection and delivery
Verifying handover codes to confirm legitimate job completion
Investigating disputes between senders and drivers
Detecting and preventing fraudulent activity on the platform
Rate-limiting API requests to prevent abuse

Legal basisArt. 6(1)(f) UK GDPR — Legitimate interests — protecting users and the integrity of the platform

3.5 Improving the platform

Analysing usage patterns to improve features and user experience
Monitoring platform performance and resolving technical issues
Understanding demand patterns across regions and times (aggregated, anonymised)

Legal basisArt. 6(1)(f) UK GDPR — Legitimate interests — improving and maintaining the quality of our services

3.6 Marketing and communications

If you have opted in to marketing communications, we may send product updates, feature announcements, and relevant industry information to your email address. You can unsubscribe at any time via the link in any email or by contacting hello@mule-it.co.

Legal basisArt. 6(1)(a) UK GDPR — Consent — you may withdraw at any time

3.7 Legal compliance

We process data to comply with applicable laws including HMRC financial reporting requirements, fraud prevention obligations, and any lawful requests from regulatory or law enforcement authorities.

Legal basisArt. 6(1)(c) UK GDPR — Legal obligation

4. Who has access to your personal data?

4.1 Internal access

Access to personal data within Mule-it is restricted to authorised personnel who need it to operate and support the platform. All staff with access to personal data are bound by confidentiality obligations.

4.2 Sub-processors

We engage the following carefully selected sub-processors to help deliver our services. All are bound by data processing agreements and are required to implement appropriate security measures.

Provider	Purpose	Location	Transfer safeguard
Supabase Inc.	Database, authentication, and file storage	United States	SCCs
Stripe Inc.	Payment processing, card tokenisation, and escrow	United States	SCCs
Twilio Inc.	SMS notifications (delivery codes, job alerts)	United States	SCCs
Vercel Inc.	Web application hosting and edge delivery	United States	SCCs
Mapbox Inc.	Mapping, route display, and postcode geocoding	United States	SCCs
TransferWise Ltd (Wise)	Driver earnings payouts to bank accounts	United Kingdom	UK adequacy
Ideal Postcodes Ltd	UK postcode lookup and geocoding	United Kingdom	UK adequacy

SCCs = EU/UK Standard Contractual Clauses. UK adequacy = country recognised as providing adequate data protection under UK law.

Full subprocessors page →

4.3 Legal requirements

We may disclose personal data to law enforcement agencies, regulatory bodies, or courts where required by UK law, to prevent fraud, or to protect the rights, property, or safety of Mule-it, our users, or the public.

4.4 Business transfers

In the event of a merger, acquisition, restructuring, or sale of all or part of our business assets, your personal data may be transferred to the acquiring entity as part of that transaction. We will notify you via email or prominent notice on our platform if such a transfer materially affects how your data is handled, and the acquiring entity will be bound by the same privacy protections as set out in this policy.

5. International data transfers

Several of our sub-processors are based outside the United Kingdom. Whenever we transfer personal data internationally, we ensure that adequate safeguards are in place:

UK Standard Contractual Clauses (SCCs) — for transfers to countries without a UK adequacy decision (e.g. United States)
UK adequacy decisions — for transfers to countries recognised as providing equivalent data protection (e.g. EEA countries)
Binding corporate rules or equivalent approved transfer mechanisms where applicable

You may request a copy of the relevant transfer safeguards in place for any specific sub-processor by contacting privacy@mule-it.co.

6. Data retention

We retain personal data only for as long as is necessary for the purposes for which it was collected, or as required by law. The following specific retention periods apply:

Data type	Retention period	Reason
IP addresses (rate limiting)	90 days, then auto-deleted	Security only — not used for profiling
Account data (name, email, phone)	Duration of account + 6 years after closure	UK financial record-keeping obligations
Delivery proof (GPS, photos, codes)	2 years	Dispute resolution and fraud prevention
Payment and transaction records	7 years	HMRC statutory requirement
Driver licence documents	1 year after account closure	Verification audit trail
Driver earnings records	7 years	HMRC statutory requirement
Platform logs and analytics	90 days	Performance monitoring and debugging
Marketing consent records	Until consent withdrawn + 1 year	Demonstrating lawful basis for communications

You may request deletion of your data at any time (see Section 7 — Your Rights). Where legal retention obligations apply, we will delete the data as soon as those obligations are satisfied.

7. Your rights under UK GDPR

Under UK GDPR you have the following rights. To exercise any of them, contact us at privacy@mule-it.co. We will respond within 30 days. There is no charge for exercising your rights.

7.1

Right of access

Request a copy of the personal data we hold about you (a Subject Access Request). We will provide this in a commonly used, machine-readable format.

7.2

Right to rectification

Ask us to correct any inaccurate or incomplete personal data we hold about you.

7.3

Right to erasure ('right to be forgotten')

Ask us to delete your personal data. We will comply unless a legal obligation requires us to retain it (e.g. financial records for HMRC).

7.4

Right to restriction of processing

Ask us to limit how we process your data — for example, while you contest its accuracy or the lawfulness of processing.

7.5

Right to data portability

Receive a structured, commonly used, machine-readable copy of the data you provided to us, where processing is based on your consent or a contract.

7.6

Right to object

Object to processing based on legitimate interests (Art. 6(1)(f)). We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

7.7

Right to withdraw consent

Where processing is based on your consent (e.g. marketing emails), you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

7.8

Right to lodge a complaint

You have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113 if you believe we have not handled your data lawfully.

8. Security measures

We take the security of your personal data seriously and implement the following technical and organisational measures:

All data encrypted in transit using TLS 1.2 or higher
Database data encrypted at rest
Row-level security (RLS) policies enforced at the database layer — users can only access their own data
Payment card data handled exclusively by Stripe — Mule-it staff have no access to card numbers or CVV codes
Driver bank details encrypted at rest and accessible only to authorised payment processing systems
GPS coordinates and delivery proof photos stored in access-controlled cloud storage
Authentication via industry-standard OTP (one-time password) flows — no plain-text passwords stored
Service-role database access separated from client-side access — sensitive operations require server-side verification
Access controls and role-based permissions for internal staff
Incident response procedures — in the event of a breach, we will notify affected users and the ICO within 72 hours as required by UK GDPR

Despite these measures, no system is completely secure. If you suspect unauthorised access to your account, contact us immediately at privacy@mule-it.co.

9. Notice for California residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of personal information.

Mule-it does not sell personal data to third parties for advertising or any other commercial purpose. To exercise your CCPA rights, contact privacy@mule-it.co.

10. Children's privacy

Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data without appropriate consent, please contact us at privacy@mule-it.co and we will delete the data promptly.

11. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or platform features. We will notify you of material changes via email or a prominent notice on our platform at least 30 days before they take effect. The "last updated" date at the top of this page will always reflect the most recent revision. Your continued use of our services after the effective date of any changes constitutes your acceptance of the updated policy.

12. Contact us

For any questions, requests, or concerns about this Privacy Policy or how we handle your personal data, please contact us:

General enquiries

Mule-it Ltd
Registered in England & Wales
Company No. 17006099
hello@mule-it.co

Privacy & data requests

privacy@mule-it.co

Data Protection Officer

dpo@mule-it.co

You also have the right to lodge a complaint directly with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.