Pothole

Version 0.0.1 · Effective 2026-05-03

For users in the United Kingdom.

Draft for solicitor review — not legal advice. Contact support@pothole.fit with questions.

Privacy Policy

This Privacy Policy explains how Pothole Fit Ltd (“Pothole”, “we”, “us”) collects, uses, stores, and shares personal data when you use our websites, mobile apps, and related services (the “Services”). Replace the legal entity placeholder with your ICO registration details after solicitor review.

This policy is provided for Users in the United Kingdom. We process personal data in line with UK GDPR and the Data Protection Act 2018.

Contact: support@pothole.fit

1. Who decides how your data is used?

Pothole is the controller for personal data described here, except where we process data solely on behalf of another party (for example as a processor under a separate agreement).

2. What we collect

Depending on how you use the Services, we may collect:

  • Account data: name, email address, display name, profile photo, authentication identifiers, role preferences (for example Reporter vs Fixer).
  • Payment and payout data: transaction references, amounts, payout status — card data is processed by Stripe, not stored by us.
  • Issue and task data: descriptions, photos, timestamps, bounty amounts, and similar metadata you submit.
  • Location data: where you allow it, precise or coarse location from your device or photo metadata to verify reports and completions.
  • Device and technical data: IP address, device type, app version, diagnostic and security logs (via Firebase and similar services).
  • Communications: messages you send to support and limited in-app interactions we log for safety.

We do not intend to collect special category data (such as health data). Do not submit such information in free-text fields.

3. How and why we use personal data (lawful bases)

We use data as necessary to:

| Purpose | Examples | Lawful basis (UK GDPR) | | ------------------------------ | ----------------------------------------------- | --------------------------------------------------------------- | | Provide the Services | accounts, maps, bounties, claims, notifications | Contract; Legitimate interests (running the platform) | | Process payments | authorisation, capture, payouts via Stripe | Contract; Legal obligation (where applicable) | | Verify submissions | GPS checks, fraud prevention | Legitimate interests (security and integrity); Contract | | Safety and enforcement | investigating abuse, responding to reports | Legitimate interests; Legal obligation | | Improve and secure the product | analytics in aggregated form where possible | Legitimate interests | | Marketing (if any) | waitlist, product updates with consent | Consent where required |

You may withdraw consent for optional activities without affecting lawfulness of earlier processing. You can object to certain processing based on legitimate interests as described in section 8.

4. Stripe (payments and Connect)

If you pay or receive payouts, Stripe processes personal data according to its own privacy policy and as independent controller or processor as described in Stripe’s documentation. Review Stripe’s privacy notice at https://stripe.com/gb/privacy.

We share with Stripe the data required to perform payments and Connect onboarding (such as account identifiers, email, transaction data).

5. Other processors and subprocessors

We use trusted service providers, including:

  • Google Firebase (authentication, database, storage, hosting-related infrastructure);
  • Stripe (payments);
  • Analytics providers where enabled on our marketing site (for example Google Analytics) — see cookie and analytics notices in that context.

We impose data-processing terms where required and limit access to personnel who need it.

6. International transfers

Some providers may process data outside the UK. Where we transfer personal data outside the UK, we use appropriate safeguards (such as the UK International Data Transfer Agreement / Addendum or the provider’s UK-approved mechanisms) where required.

7. Retention

We keep personal data only as long as needed for the purposes above, including:

  • account data while your account is active and for a short period after deletion to recover from mistakes;
  • financial and transaction records longer where tax, accounting, or regulatory obligations require;
  • security logs for a limited period consistent with industry practice.

Exact retention may vary; contact us for more detail about a specific processing activity.

8. Your rights

Under UK data protection law you may have the right to:

  • access your personal data;
  • rectify inaccurate data;
  • erase data in certain circumstances;
  • restrict or object to certain processing;
  • port data you provided where processing is automated and based on consent or contract;
  • withdraw consent where we rely on it;
  • lodge a complaint with the ICO (https://ico.org.uk).

To exercise rights, email support@pothole.fit. We may need to verify your identity.

9. Children

The Services are not directed at children under 18. We do not knowingly collect their personal data. Contact us if you believe we have collected a child’s data.

10. Security

We implement appropriate technical and organisational measures to protect personal data. No method of transmission or storage is completely secure.

11. Changes to this policy

We will post updates here and change the effective date when we do. For material changes, we will provide additional notice where required.

Archived versions may remain at versioned URLs (for example under /legal/privacy/v/…).

12. ICO registration

After solicitor review, add your UK ICO registration number and Data Protection Officer details if applicable.