This is the Privacy Policy for Tripcatcher.
Last updated: 12 May 2026
1. Introduction
In this document, when we refer to ‘we’, ‘our’, ‘us’ or Tripcatcher, that means Tripcatcher Ltd, a company registered in England and Wales (company number 8927861) with registered office at Epsilon House, The Square, Gloucester Business Park, Gloucester, Gloucestershire, GL3 4AD, United Kingdom.
We provide mileage expense software for individuals, businesses, organisations, bookkeepers and accountants.
Tripcatcher is the Data Controller for personal data processed through our services, in accordance with the UK General Data Protection Regulation (UK GDPR). This means we decide what data to collect, why, how long to keep it, how to secure it, who to share it with, and which sub-processors to use. The Data Controller has legal responsibility for these decisions. You can contact us about this Privacy Policy or any aspect of how we handle your personal data at support@tripcatcherapp.com.
There are two ways to get a Tripcatcher account: signing up directly, or accepting an invitation from someone who already has an account (for example, your accountant, bookkeeper, or employer). Either way, you agree to our Terms and Conditions when you join.
In this Policy, a User is anyone with a Tripcatcher account. A Subscriber is a User who pays for an account. Both terms are defined in our Terms and Conditions.
This Privacy Policy explains how we handle your personal data in compliance with UK GDPR and the Data Protection Act 2018.
You don’t have to give us your personal data. But we can’t provide the service without some of it — your name, email address, and password are essential.
2. What Information We Collect
We collect only the information we need to provide our mileage expense service.
Account Information
When you create an account we collect your name, organisation, email address, and password. We use your email address to identify your account uniquely and to send you service emails. We use your name to address you in those emails. The organisation name lets us group related users together and apply organisation-wide settings.
Financial Information
Whether we collect financial data about you depends on how you joined Tripcatcher.
If you are a User but not a Subscriber (for example, you were invited by an accountant, bookkeeper, or employer): we don’t collect any financial data about you.
If you are a Subscriber who signed up directly through our website: your card details go straight to Stripe — they never pass through our servers and we don’t store them. Stripe passes the following data to Tripcatcher so we can manage your subscription:
- The last 4 digits of your credit/debit card;
- The credit card brand, e.g. Visa;
- The country the card is based in;
- The expiry month and year;
- Your payment history with Tripcatcher.
If you are a Subscriber who signed up via the Xero website: your financial information is processed by both Xero and Stripe. Xero shares your Tripcatcher payment history and current payment status with us, but we do not collect any financial information directly from you.
Device and Technical Information
We collect the following information to make sure the service works correctly across different devices and browsers, and to help us diagnose problems if they arise:
- IP Address;
- Device type and model;
- Operating System;
- Browser type.
Usage and Interaction
When you’re logged in, we record what you do in your account — for example, the settings you change and the data you enter. This creates an audit trail for security and dispute resolution.
Location Information
- Location names and addresses are collected to identify the start and end locations for trips;
- For GPS tracking, the route travelled is processed entirely on your device. It is never transmitted to or stored on Tripcatcher’s servers, which means it is also never present in our server backups;
- GPS tracking is recorded only when you tap Start GPS, and stops when you tap Stop GPS. The GPS trail is used on your device to calculate the distance travelled, and is then deleted when the trip is saved;
- GPS tracking is off by default. You have to turn it on yourself;
- Your home and office addresses can be stored on the phone and used as the start and/or end location of a trip;
- We have completed a Data Protection Impact Assessment for our GPS-tracked trip processing, and review it whenever the GPS feature materially changes. A summary is available on request from support@tripcatcherapp.com.
Vehicle Information
We collect information about your vehicle so we can calculate mileage at the relevant HMRC rate:
- The type of vehicle you select for a trip determines which HMRC rate set applies (Approved Mileage Allowance Payments for personal vehicles; Advisory Fuel Rates or Advisory Electric Rates for company vehicles).
- For company vehicles, and for private vehicles where you are claiming VAT on fuel, we collect engine details to determine the correct Advisory Fuel Rate.
- For electric company vehicles, and for private electric vehicles where you are claiming VAT on charging costs, we collect your charging location (home or public) to determine the correct Advisory Electric Rate.
For information about how long trip and vehicle data is retained, see section 5 (How Long We Keep Your Data) below.
Support Emails
When you email our support team, we keep a record of your messages and our replies, so we can help you and refer back to previous queries if needed.
Information We Receive From Others
In some cases, we receive information about you from someone other than you directly:
- From an accountant, bookkeeper, or employer who invites you. When your accountant, bookkeeper, or employer invites you to use Tripcatcher, they provide us with your name and email address as part of the invitation, so we can send you the invitation email and create your account.
- From Stripe (our payment processor). If you subscribe directly, Stripe provides us with the limited card and billing information described in the Financial Information section above.
- From Xero. When you connect Tripcatcher to a Xero organisation, Xero provides us with information about that organisation (such as its name, country, and tax/currency settings) and accounting reference data (such as your chart of accounts) so we can apply the correct settings and construct expense and bill records. We also hold the names and email addresses of users in your Xero organisation. If you subscribe to Tripcatcher via the Xero website, Xero also provides us with your billing history and current payment status, as described in the Financial Information section above.
We only use this information for the purposes set out in this Privacy Policy.
3. How We Use Your Information
We only use your personal data for the purposes set out below. We collect just what we need for each purpose, and no more.
Provision of Services
- To calculate your mileage expenses, facilitate submissions to your bookkeeping/accounting software, or enable exports to PDF, CSV, or Excel;
- To provide multi-user accounts with tools to simplify administrative tasks;
- To keep you informed about changes to the service;
- To process payments, generate invoices, and manage financial transactions securely.
Customer Support and Communication
- To promptly address any technical support issues or other queries relating to our website and services;
- To communicate important operational information, via notices on the website and operational emails, such as changes to the service or guidance on using the software.
Marketing and User Engagement
- To send you marketing emails about Tripcatcher, if you’ve opted in. You can opt out at any time — every marketing email has an unsubscribe link.
- To understand which features and topics interest you, so we can make our service and communications more relevant.
Website and Service Enhancement
- To analyse how our website and services are used — using aggregated and anonymised data — so we can produce reports and improve the service.
Cookies
A cookie is a small data file that is transferred to an internet browser, which enables Tripcatcher to remember and customise your subsequent visits.
- Necessary Cookies: These are essential for you to log into Tripcatcher and navigate around the app. They include security cookies that protect your account against unauthorised commands sent from other websites you have open in your browser.
- Google Analytics Cookies: These cookies help us understand how visitors use our website, so we can improve it. You can turn them off through your browser’s privacy settings.
- No Cross-Website Tracking: We do not use cookies to track your activity across different websites, nor do we use advertising platforms that track users across various sites.
Safety and Security
- To detect, prevent, and respond to fraudulent or malicious activities, ensuring the integrity and security of our platform;
- To enforce our terms and policies, conducting audits and complying with legal and regulatory requirements.
Lawful Basis for Each Activity
Under UK GDPR, we must have a lawful basis for each way we process your personal data. The table below sets out which lawful basis applies to each of our processing activities.
| Activity | Lawful basis | Notes |
|---|---|---|
| Calculating mileage expenses, logging trips, exporting reports | Performance of contract | Core service you’ve signed up for. |
| Managing your account (settings, profile, multi-user features) | Performance of contract | |
| Sharing your mileage data with Dext or Xero | Performance of contract | At your instruction; only when you choose to publish. |
| Sharing your mileage data with Crunch | Performance of contract | Trips are published to Crunch when you add them to Tripcatcher. |
| Processing payments, generating invoices | Performance of contract; Legal obligations | Tax record-keeping required by HMRC. |
| Operational emails (service updates, security notices) | Performance of contract; Legitimate interests | Necessary to keep you informed about the service. |
| Customer support and responding to queries | Performance of contract; Legitimate interests | |
| Marketing emails about Tripcatcher | Consent | Opt-out at any time via the unsubscribe link. |
| Necessary cookies (login, security) | Legitimate interests | |
| Google Analytics cookies | Consent | |
| Aggregated website usage analytics | Legitimate interests | Improving the service. |
| Detecting fraud or malicious activity | Legitimate interests | |
| Audit logging of account activity | Legitimate interests | |
| Retaining billing and identity records | Legal obligations | Six years per HMRC requirements. |
Where we rely on legitimate interests, we have considered whether our interests are outweighed by your rights and interests, and we are satisfied that they are not. You can object to processing based on legitimate interests at any time (see the Right to Object in section 6 (Your Rights) below).
Where we rely on consent, you can withdraw it at any time (see the Right to Withdraw Consent in section 6 (Your Rights) below).
4. How We Share Your Information
We do not sell, rent, lease, or share your personal data for advertising, marketing, or commercial purposes. We also do not share anonymised or aggregated data about our users with third parties. We share your data only as described below — primarily with the third-party providers we rely on to deliver our service, with bookkeeping partners you choose to integrate with, and where required by law.
Third Party Service Providers and Partners
We use third-party providers to help us run the service — for example, Stripe to process payments. Each provider is bound by a contract that requires them to protect your data and only use it for the purposes we agree with them.
Regulatory and Legal Obligations
We may share your personal data when the law requires it — for example:
- to help with a criminal investigation, if the police or other authorities ask;
- to comply with a court order or other legal process;
- to prevent fraud;
- to protect our rights or someone else’s safety.
Integration with Bookkeeping and Accounting Partners
If you use a bookkeeping or accounting partner — for example Dext, Xero, or Crunch — your mileage data will be shared with that partner at your instruction. For Dext and Xero, you choose when to publish each trip. For Crunch, trips are published when you add them to Tripcatcher. Once your data has been shared, it is governed by the partner’s privacy policy. We cannot recall or delete data after it has been shared, and any data protection rights you wish to exercise in relation to that data should be raised directly with the partner.
Business Transfer, Sale or Acquisition of Assets
If Tripcatcher is sold, merged, restructured, or wound up, your personal data may transfer to the new owner. The new owner will have their own privacy policy, which may differ from this one.
If someone else pays for your account
Some Tripcatcher accounts are paid for by someone else — for example, by your employer, accountant, or bookkeeper. That paying User is the Subscriber. You are a User, with access to the account but no payment responsibility.
The Subscriber can see and manage your account data — your trips, start and end locations, vehicle details, and expense claims — so they can check your trips are business-related, review and approve your expense claims, and manage the account. The Subscriber does not see GPS-tracked route data.
Sub Processors
We use the following sub-processors to provide our service:
- Heroku — application hosting platform
- MongoDB Atlas — database hosting
- Cloudflare — content delivery network and network security
- Stripe — payment processing
- Postmark — transactional email delivery
- Mailchimp — marketing email
- Google Workspace — business email (including support correspondence)
Each sub-processor is bound by a contract that requires it to protect your personal data and use it only for the purposes for which we engage it.
International Data Transfers
Tripcatcher is a UK-established company and your personal data is processed under the UK GDPR.
The majority of our processing — including our hosting infrastructure and primary database — takes place in Ireland, which the UK recognises as providing an adequate level of protection for personal data. No additional transfer safeguard is required for personal data processed within the European Economic Area.
Some of our sub-processors are based outside the UK and the European Economic Area, including in the United States. When your data goes to them, we make sure it stays protected by using one of the legal safeguards UK GDPR Article 46 requires. These are usually the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or certification under the UK Extension to the EU-US Data Privacy Framework. Each safeguard is designed to keep your data protected to a standard equivalent to UK GDPR. You can check the safeguards each sub-processor uses by reading their published Data Processing Agreement, or for US sub-processors, the Data Privacy Framework register at https://www.dataprivacyframework.gov/list.
5. How Long We Keep Your Data
We keep your personal data only for as long as we need it for the purposes described in this Privacy Policy, or as required by law.
| Data | How long we keep it |
|---|---|
| Account information (name, email, organisation, password) | While your account is active. Deleted on request once the account is closed, except where retention is required for tax or legal purposes. |
| Trip data (mileage records, locations, vehicle details) | Until you delete the trip, or your account is deleted, or six years plus the current tax year after the expense was claimed (per HMRC retention requirements) — whichever is later. |
| GPS trail data | Held only on your device, only during an active trip. Deleted when you save or discard the trip. Never transmitted to our servers. |
| Billing and payment records (last 4 digits of card, billing history) | Six years, to comply with HMRC tax obligations and for the establishment, exercise or defence of legal claims. |
| Customer support communications | Retained while your account is active, and for a reasonable period after account closure to resolve any outstanding queries. |
| Cookies | Necessary cookies are deleted when you log out or close your browser. Google Analytics cookies persist according to Google’s policy (typically up to 2 years) and can be cleared at any time via your browser. |
| Audit logs of account activity | Retained for one year from the date of the logged activity, for security and dispute-resolution purposes. |
When a retention period ends, we will either delete or anonymise your personal data so that it can no longer be associated with you.
6. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
- Right to be Informed. You have the right to know how we use your personal data. This Privacy Policy is intended to provide that information clearly and transparently.
- Right of Access. You can view your personal data through the Tripcatcher web app while your account is active. You can also ask us for a copy of your personal data and information about how we process it. We may need to verify your identity before responding.
- Right of Rectification. If your personal data is inaccurate or incomplete, you can correct it directly in the Tripcatcher web app, or contact us for assistance.
- Right of Erasure. You can ask us to delete your personal data. We will do so unless we are required to retain it — see section 5 (How Long We Keep Your Data) above for our retention periods. Data stored locally on the phone app is removed when you uninstall the app from your phone; this does not affect data already saved to your Tripcatcher account, which is stored on our servers.
- Right to Restrict Processing. In certain circumstances set out in UK GDPR — for example, if you believe the data we hold is inaccurate or you have objected to our processing — you can ask us to restrict how we use your personal data while the matter is resolved. If we agree that restriction applies, we will pause active processing of the affected data and notify you before lifting any restriction.
- Right to Object. You can object to our processing of your personal data where we rely on legitimate interests as our lawful basis. You can also object at any time to the use of your personal data for direct marketing purposes; we will stop without delay.
- Right to Withdraw Consent. Where we rely on your consent (for example, for marketing emails), you can withdraw that consent at any time. Every marketing email includes an unsubscribe link.
- Right to Data Portability. Where we process your personal data on the basis of consent or performance of a contract, you can ask us to provide your data in a structured, commonly used and machine-readable format. You can also export your trip and expense data directly from the Tripcatcher web app to PDF or Excel.
- Rights Related to Automated Decision-Making. Tripcatcher does not make automated decisions about you that have a significant impact on you.
To exercise any of these rights, please email us at support@tripcatcherapp.com. We will respond within one month of receiving your request. If your request is complex or you have made several requests, we may extend this period by up to two further months, in which case we will tell you within the first month and explain why.
You also have the right to complain to the Information Commissioner’s Office (see section 7 (Complaints) below).
7. Complaints
If you’re concerned about how Tripcatcher has handled your personal data, you can raise a complaint with us directly, with the Information Commissioner’s Office (ICO), or both.
Complain to us
Email us at support@tripcatcherapp.com with details of your concern. We will acknowledge your complaint within 30 days of receipt, as required under data protection law. We will then investigate, keep you informed of progress, and respond without undue delay. When we let you know the outcome, we will also remind you of your right to complain to the ICO if you are not satisfied.
Complain to the ICO
You also have the right to complain to the Information Commissioner’s Office, which is the UK’s independent supervisory authority for data protection. You can find out how to contact the ICO at https://ico.org.uk.
Complaining to the ICO does not affect any other legal rights or remedies you may have.
8. Keeping Your Personal Data Safe
We use the following technical and organisational measures to protect your personal data:
Secure Access
Your password is stored in a scrambled form (hashed and salted) that can’t be reversed. We never store or see your password in its original form.
Encryption in Transit
All data exchanged between your device and our servers is encrypted in transit using TLS.
Secure Storage
Your data is stored in MongoDB Atlas (hosted on Amazon Web Services in Ireland) and is encrypted at rest and in transit.
Where any of our sub-processors transfer your personal data outside the UK, we apply the safeguards described in the International Data Transfers section above.
Network Protection
We use Cloudflare to monitor and protect our network traffic against malicious activity.
Access Control
Internal access to customer personal data is restricted to authorised personnel with a legitimate business need. We do not grant access to contractors or other external parties.
In Case of a Data Breach
If we become aware of a personal data breach, we will act quickly to contain the incident, investigate the cause, and inform those who need to know.
Our breach notifications follow four separate paths, depending on who needs to be informed:
1. The Information Commissioner’s Office (ICO). When a breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it, in line with Article 33 of the UK GDPR. If full information is not available within 72 hours, we will notify the ICO with the information we have at the time and provide further detail as our investigation progresses.
2. Our customers. When a breach affects the personal data of a Subscriber’s Users (for example, a Subscriber who pays for accounts on behalf of their staff or clients), we will notify the Subscriber by email without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Our initial notification will set out the information available at that point, and we will provide further detail as our investigation progresses.
3. Affected individuals. When a breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will inform them without undue delay, in line with Article 34 of the UK GDPR. We will use clear and plain language to describe what happened, what data was affected, and what steps individuals can take to protect themselves.
4. Integration partners. When a breach affects, or could affect, data we have received from or shared with an integration partner — such as Xero — we will notify the partner without undue delay through their designated security channel.
9. Children’s Data
Tripcatcher is a business service and is not intended for children. Our Terms and Conditions require all account holders to be at least 16 years old. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16, we will delete it as soon as reasonably possible. If you believe a child has provided us with personal data, please contact us at support@tripcatcherapp.com.
10. Links to Other Websites
Our website, app, and email communications may contain links to third-party websites or services that are not operated by Tripcatcher. This Privacy Policy does not apply to those websites or services. We recommend you read the privacy policy of any third-party website you visit before providing any personal data.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time, for example to reflect changes in legal requirements, our data processing activities, or new features. We will let you know about significant changes through the service, by email, or in our newsletter. The latest version is always available on our website, with the date it was last updated.
A change is significant if it does any of the following:
- Adds a new category of personal data we collect;
- Adds a new purpose for using your data;
- Adds a new sub-processor or moves your data to a new country;
- Changes the lawful basis for processing your data;
- Changes how long we keep your data;
- Reduces your rights or how you can exercise them;
- Changes our international data transfer mechanisms.
Any change not listed above does not require notification — for example, rewriting for clarity, updating contact details, or removing a sub-processor we no longer use.
By continuing to use Tripcatcher after a change takes effect, you agree to the updated Privacy Policy. If you do not agree with a change, you can close your account.
12. Contact Us
For more information about our privacy practices, please contact us by email at support@tripcatcherapp.com.
We hope you enjoy using Tripcatcher!