Feature · Data protection

Data protection as a core property, not an add-on

Wintertrace handles sensitive data: driver movement, customer addresses, photos of private property. The tooling to handle that responsibly is in the core software — not a paid module, not a checkbox in someone else's cloud.

Self-hosting is the starting point

Data stays on the operator's server. There is no third-party processor involved in the software itself — no analytics provider, no log aggregator, no telemetry endpoint. The hosting provider sees the server, not the application data.

This is not a compliance claim; it is an architectural fact. The absence of telemetry is verifiable in the open-source code. The only outbound calls the software makes are the optional update check and the configured weather provider request.

The compliance framing — what Wintertrace does and does not promise — is set out on the compliance page.

Tools shipped with the core

Each of these is part of the standard distribution. No premium edition, no separate plugin.

Data protection consent

Customisable Markdown text shown to drivers on first sign-in. Company-specific values are inserted automatically into the template.

Immutable consent record

Every driver consent is stored permanently with the exact text shown, the timestamp, the source IP, the user agent, and the template version.

Version control

Material changes to the consent text require drivers to re-confirm. The version chain is preserved so the original consent can always be recovered.

Retention policies

Configurable retention per data category. A common default is three years — matching a typical liability statute of limitations. Expired data is aggregated and deleted automatically.

Driver anonymisation

Personal driver data can be irreversibly anonymised when employment ends — without losing the operation records they performed.

Data subject export

A full export of one driver's data (profile + consent records) as a ZIP archive — useful for subject access requests under GDPR or similar regimes.

Data deletion

Individual records or entire time ranges can be irreversibly deleted from the operator interface. The audit log preserves the fact of deletion.

[Screenshot: Settings → Privacy. Retention policy form with separate retention windows for operation data, photos and the audit log. Defaults are conservative.]

[Screenshot: Driver anonymisation dialog. Preview of which fields are replaced before confirming, with a confirmation that the action cannot be undone.]

What this is not

Wintertrace is software. It cannot, and does not claim to, certify your organisation under any data protection regime. GDPR compliance, for example, depends on how the operator uses the software — what retention period they choose, who they grant admin access to, how they handle subject access requests.

The role of the software is to provide the tools that make compliant handling possible without separate add-ons. Whether the resulting practice satisfies a regulator is a question for the operator's data protection officer or counsel.

Wintertrace provides documentation support and data protection tooling. It is not a substitute for legal advice.

Audit trail

What was changed, who changed it, and when — with no way to edit the record after the fact.

GPS data is locked at operation end and cannot be retroactively changed. Other edits to operation data (notes, customer assignment) remain possible within a 24-hour window, and every such edit is stored in a separate audit table.

The audit log is part of the database — visible to the operator, inspectable in the codebase, and not configurable away. This matters when an external review asks: "could this record have been changed?"
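
One way guarantees like these can be enforced at the database layer, shown as an added example that is not Wintertrace's own code. SQLite, the table and column names, and the trigger names are all assumptions made for illustration; the sample rows are constructed.

```python
import sqlite3
import time

# Hypothetical schema: not taken from the Wintertrace code base.
SCHEMA = """
CREATE TABLE operation (id INTEGER PRIMARY KEY, ended_at INTEGER,
                        gps_track TEXT, notes TEXT);
CREATE TABLE operation_audit (id INTEGER PRIMARY KEY, operation_id INTEGER NOT NULL,
    field TEXT NOT NULL, old_value TEXT, new_value TEXT,
    changed_by TEXT NOT NULL, changed_at INTEGER NOT NULL);
-- GPS data is frozen once the operation has ended.
CREATE TRIGGER gps_locked BEFORE UPDATE OF gps_track ON operation
WHEN OLD.ended_at IS NOT NULL
BEGIN SELECT RAISE(ABORT, 'gps track is locked'); END;
-- Other fields stay editable for 24 hours (86400 s) after the end.
CREATE TRIGGER edit_window BEFORE UPDATE OF notes ON operation
WHEN OLD.ended_at IS NOT NULL
 AND CAST(strftime('%s','now') AS INTEGER) > OLD.ended_at + 86400
BEGIN SELECT RAISE(ABORT, 'edit window closed'); END;
-- The audit table accepts INSERT only.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON operation_audit
BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON operation_audit
BEGIN SELECT RAISE(ABORT, 'audit log is append-only'); END;
"""

def open_db(now=None):
    """In-memory database with two constructed sample operations."""
    now = int(now or time.time())
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    with conn:
        conn.executemany("INSERT INTO operation VALUES (?,?,?,?)", [
            (1, now - 3600, "constructed-track-A", "lot cleared"),  # ended 1 h ago
            (2, now - 90000, "constructed-track-B", "salted"),      # ended 25 h ago
        ])
    return conn

def edit_notes(conn, op_id, new_notes, user):
    """Update notes and record the change in the same transaction."""
    with conn:  # commits on success, rolls back if a trigger aborts
        (old,) = conn.execute("SELECT notes FROM operation WHERE id=?", (op_id,)).fetchone()
        conn.execute("UPDATE operation SET notes=? WHERE id=?", (new_notes, op_id))
        conn.execute(
            "INSERT INTO operation_audit (operation_id, field, old_value, new_value,"
            " changed_by, changed_at) VALUES (?,?,?,?,?,strftime('%s','now'))",
            (op_id, "notes", old, new_notes, user))

def rejected(conn, sql, params=()):
    """True if the database refuses the statement."""
    try:
        with conn:
            conn.execute(sql, params)
    except sqlite3.DatabaseError:
        return True
    return False
```

Triggers like these bind the role the application connects with; an account that can alter the schema can drop them, so a review of "could this record have been changed?" also covers who holds schema privileges on the database.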