Your data. Stored in the EU. Not sold.

Vellox Ltd, Cardiff.

The data controller for personal data processed in connection with the NEXUS DSP platform is:

VELLOX LTD
Company number 17136312, registered in England and Wales.
Registered office: Cranberrie Heights, Old Newport Road, Old St Mellons, Cardiff CF3 5FX.
ICO registration: ZC115373.
Contact: [email protected]

Data Protection Officer. We have appointed a Data Protection Officer, registered with the Information Commissioner's Office. The DPO can be contacted by email at [email protected] or by post at our registered office marked "FAO Data Protection Officer". The DPO monitors our compliance with data-protection law, advises on data-protection impact assessments, and acts as the point of contact for the ICO and data subjects.

What this covers.

This notice applies to personal data we process in connection with:

• The marketing website at nexusdsp.ai;
• The NEXUS DSP platform at app.nexusdsp.ai;
• The NEXUS DSP driver application (for drivers whose DSP has activated the application);
• Correspondence with us at [email protected], [email protected], [email protected], [email protected], or [email protected].

Where we process personal data on behalf of a DSP (our business customer) — including information about the DSP's drivers uploaded or entered into the platform — the DSP is the data controller and VELLOX LTD is the data processor under UK GDPR Article 28. In that case, the DSP's own privacy notice governs that processing. Our role and responsibilities as a processor are set out in our Data Processing Agreement, available on request at [email protected].

Seven kinds.

3.1 Account and contact data

When you create an account or contact us, we collect:

• Name and work email address;
• Employer / DSP name, Amazon station code, DSP short code;
• Your role within the DSP;
• Password (stored as a one-way cryptographic hash using Argon2id);
• Multi-factor authentication secrets, where enabled;
• Records of your communications with us.

3.2 Operational data uploaded to the platform

Once an account is active, the DSP can upload Amazon-issued performance data to the platform. These files contain information relating to named drivers, including:

• Amazon transporter ID;
• Name (where present in mapping files provided by the DSP);
• Weekly performance metrics (DCR, DSC, CC, CE, POD, PHR, IADC, DWC, False Scan and related);
• Concession records, including tracking IDs, cost data and reason codes;
• Route, postcode and delivery geography data;
• Telematics-derived scores (FICO, Mentor, or Netradyne where applicable).

Where the DSP uploads data relating to identified individuals, VELLOX LTD processes that data as a data processor on the DSP's behalf. The DSP is the controller.

3.3 Derived intelligence data

From uploaded operational data, the platform generates:

• Driver performance scores and tier classifications;
• Pattern analysis, including anomaly flags and drift detection;
• Postcode risk profiles and geocoded location data;
• Self-Organizing Map (SOM) behavioural clusters;
• Triangulation findings and service-update drafts;
• Integrity indicators.

Derived intelligence is held in the same processor relationship as the underlying operational data (§3.2) and is deleted when that data is deleted.

3.4 Driver application data

Where a DSP has activated the NEXUS DSP driver application, we additionally process:

• The driver's mobile phone number, for one-time-password authentication;
• Expo push notification tokens, for delivery of platform-initiated notifications;
• App usage data (log-in timestamps, screens viewed, notification read and acknowledgement receipts);
• Content uploaded by the driver through the app (for example, field-report photos, voice notes, or GPS coordinates attached to a report submission).

Driver application data is processed on the instructions of the driver's DSP. The DSP is the controller. Drivers should direct rights requests to their DSP in the first instance.

3.5 Technical data

When you use the platform or the driver application, we automatically collect:

• IP address and approximate location (country / city level);
• Browser type and version, operating system, device type;
• Pages accessed, features used, timestamps of actions;
• Error events and diagnostic data (via Sentry);
• Rate-limiting counters (keyed by IP or user identifier, held for 24 hours).

3.6 Billing data

When you subscribe, payment information is collected and processed by Stripe Payments UK Ltd in its capacity as an independent data controller. We do not see or store your full card details. We receive and store the Stripe customer identifier, subscription status, tier and billing history.

3.7 Data you do not have to provide

You do not have to give us data beyond what is needed for the contract (§3.1, §3.2, §3.4 and §3.6). If you choose not to provide it, we may not be able to provide the service.

Nine purposes. Article 6.

We process personal data only where we have a lawful basis to do so under UK GDPR Article 6.

Where we process operational data (§3.2), derived intelligence (§3.3) or driver application data (§3.4) uploaded or instructed by DSPs, we do so as a processor on the DSP's instructions, not under our own lawful basis. The lawful basis for that processing is the DSP's to identify and document.

A short list. Under contract.

We share personal data only where necessary and only with:

• Our sub-processors, listed in §6. All sub-processors are bound by data protection obligations no less protective than ours;
• Professional advisers (lawyers, accountants, auditors) bound by confidentiality duties;
• Law enforcement, regulators and courts where required by law, court order, or legally binding request;
• Prospective or actual successors in the context of a merger, acquisition, or sale of all or substantially all of our assets. Any successor will be required to honour this notice.

We do not sell your personal data. We do not share it with advertisers. We do not use it to train third-party AI or machine-learning models.

Ten, with purposes and locations.

We use the following sub-processors to operate the platform:

Notes on the push notification chain. When we send a push notification to a driver, we send it to the Expo Push Service, which relays it to Firebase Cloud Messaging (for Android devices) or the Apple Push Notification service (for iOS devices) for final delivery. Apple's push notification service is included in the chain but is not listed separately above because we do not transmit identifiable content directly to Apple — the notification payload is opaque to Apple at the point of delivery.

Where a sub-processor transfers personal data outside the UK, we rely on one or more of the following transfer mechanisms: UK adequacy regulations, the International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, together with any supplementary measures identified as appropriate following a transfer risk assessment.

A current list of sub-processors is maintained and available on request. We will provide advance notice of material changes to business-customer contacts.

Mostly EU. Some outside.

Most of your personal data is stored in the EU (Republic of Ireland). Some sub-processors (e.g. Cloudflare edge, Stripe US entity, Resend, Expo, Firebase Cloud Messaging) may process data outside the UK and EU. Where this occurs, we rely on the transfer mechanisms described in §6.

Fourteen categories. Published schedule.

We apply published retention periods to every category of personal data we process. A summary appears below; for the full retention schedule — including specific deletion methods, backup behaviour, and derived-intelligence cascade rules — see our Data Retention Policy.

We may retain data longer where required to comply with a legal obligation, to establish or defend legal claims, or to protect the rights of another person.

Eight rights under UK GDPR.

Under UK GDPR you have the following rights in respect of your personal data:

• Right of access — to obtain a copy of the personal data we hold about you.
• Right to rectification — to have inaccurate personal data corrected.
• Right to erasure ("right to be forgotten") — to have your personal data deleted, subject to limited exceptions.
• Right to restrict processing — to limit how we process your data in certain circumstances.
• Right to data portability — to receive your personal data in a structured, commonly used, machine-readable format.
• Right to object — to object to processing based on our legitimate interests, including any direct marketing.
• Right to withdraw consent — where we process data on the basis of consent, at any time, without affecting the lawfulness of processing carried out before withdrawal.
• Right not to be subject to automated decision-making — including profiling, where such a decision produces legal or similarly significant effects. We do not carry out such decision-making; see §11.

To exercise any of these rights, contact [email protected] or our Data Protection Officer at [email protected]. We will respond within one month. We may need to verify your identity before acting on a request. In limited cases — for example, where a request is manifestly unfounded or excessive — we may charge a reasonable fee or refuse to act, and will tell you why.

Where you are a driver whose data has been uploaded by a DSP, or whose data has been entered into the driver application by or on behalf of your DSP, please direct your request to the DSP in the first instance. The DSP is the controller of that data.

Us first. Then the ICO.

If you believe we have mishandled your personal data, please contact us first at [email protected] or [email protected]. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:

Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
ico.org.uk · 0303 123 1113.

Information, not decisions.

The platform performs analytical processing — including clustering, anomaly detection, pattern analysis and forensic scoring — against operational data uploaded by DSPs. These outputs are presented as information for the DSP to act on. They do not produce legal or similarly significant effects on any individual without human review and decision by the DSP. We do not make solely automated decisions that produce such effects.

Eleven measures.

We take information security seriously. Measures include:

• Certification. VELLOX LTD is Cyber Essentials certified. Certificate fd4ff875-0799-4a20-9ed4-a4b3897b5392, issued by The IASME Consortium Ltd (NCSC Cyber Essentials Partner) on 13 April 2026, valid to 13 April 2027. The certification covers the whole organisation and is verifiable on the IASME public register.
• Encryption in transit. All traffic to and from the platform is encrypted using TLS 1.2 or higher.
• Encryption at rest. Database and file storage are encrypted at rest using AES-256.
• Access control. Customer data is protected by row-level security policies enforced at the database layer. Access is limited to authenticated members of the customer's organisation. Managers are restricted to their assigned stations. Staff access is on a least-privilege basis.
• Authentication. Password-based authentication with strong hashing (Argon2id). Multi-factor authentication is supported and enforced for privileged roles. Leaked-credential detection is enabled via Cloudflare.
• Monitoring. Production systems are monitored for error, abuse and anomalous access. Security events are logged and reviewed via a role-scoped audit log, retained for 36 months.
• Rate limiting and abuse controls. Sign-in, account-creation, file-upload and sensitive endpoints are rate-limited against brute-force and enumeration attempts, using Upstash Redis sliding-window counters.
• Bot protection. Cloudflare Turnstile is deployed on authentication pages; Cloudflare WAF and Bot Fight Mode are deployed across the platform.
• Backups. Point-in-Time Recovery is enabled on the primary database, with 7-day backup retention in the EU-West-1 region. Backups are encrypted at rest.
• Sub-processor diligence. We review the security posture of sub-processors before onboarding and at reasonable intervals thereafter.
• Coordinated disclosure. A security.txt file is published at /.well-known/security.txt with a working contact for responsible disclosure of vulnerabilities.

No platform can guarantee absolute security. You are responsible for keeping your account credentials confidential and for notifying us promptly of any suspected compromise.

72 hours to the ICO.

If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours where required under UK GDPR Article 33, and will notify affected individuals without undue delay where required under Article 34. Where we are a processor for data uploaded by a DSP, we will notify the DSP without undue delay on becoming aware of a breach affecting that data.

Essential only.

We use only essential cookies required for authentication, session management and security (including bot protection). We do not use analytics, marketing or tracking cookies. Full details are in our Cookie Policy.

Not for minors.

The platform is intended for business use by Amazon DSP operators and their staff. It is not directed at children under 13 and we do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact [email protected].

14 days' notice for material changes.

We may update this notice from time to time. The "Last revised" date at the top of the page reflects the date of the most recent change. Material changes affecting how we process your personal data will be communicated to registered account holders by email at least 14 days before they take effect. Continued use of the platform after the notice period indicates acceptance of the revised notice.

Four addresses.

For privacy matters: [email protected]
For our Data Protection Officer: [email protected]
For general support: [email protected]
For legal matters: [email protected]

VELLOX LTD, company number 17136312, registered in England and Wales. Registered office: Cranberrie Heights, Old Newport Road, Old St Mellons, Cardiff CF3 5FX. ICO registration: ZC115373.