ECOACHMANAGER LTD
Software-as-a-Service Terms & Conditions
Version: 2026-04-30
Governing Law: England and Wales
1. Acceptance of Terms
These Terms and Conditions (“Terms”) govern your access to and use of the eCoachManager software platform (“Software”) provided by ECOACHMANAGER LTD, a company incorporated in England and Wales (“Company”). By clicking “I Agree,” signing an Order Form, or otherwise accessing or using the Software, the customer (“Customer”) agrees to be bound by these Terms.
2. Software Description
The Software is a cloud-based Software-as-a-Service (SaaS) platform providing vehicle management, fleet scheduling, and operational tools designed for coach, minibus charter, and tour operators. The specific features available to the Customer are determined by the subscription plan selected and documented in the applicable Order Form.
3. License Grant
Subject to these Terms and payment of applicable Fees, Company grants Customer a non-exclusive, non-transferable, limited licence to access and use the Software during the Term solely for Customer’s internal business operations. Customer shall not:
- permit any third party (other than authorised users within Customer’s organisation) to access or use the Software;
- modify, reverse engineer, decompile, disassemble, or attempt to derive the source code of the Software;
- create derivative works based on the Software;
- use the Software for any illegal, unlawful, or unauthorised purpose;
- sub-licence, sell, resell, transfer, assign, or otherwise commercialise or make available the Software to any third party.
4. Term and Termination
4.1 Term
The Term shall commence on the date Customer first accesses the Software (“Effective Date”) and shall continue for the subscription period specified in the Order Form (either annually or quarterly). The Term shall automatically renew for successive periods of equal length unless either party provides written notice of non-renewal at least thirty (30) days prior to the end of the then-current Term.
4.2 Termination for Cause
Either party may terminate this Agreement immediately on written notice if:
- the other party commits a material breach of these Terms and (where such breach is remediable) fails to remedy it within fourteen (14) days of written notice; or
- the other party becomes insolvent, enters administration, liquidation, or any analogous insolvency process.
4.3 Suspension for Non-Payment
Company may suspend Customer’s access to the Software upon fourteen (14) days’ written notice if any Fees remain unpaid beyond their due date. Suspension does not relieve Customer of its payment obligations.
4.4 Effect of Termination
Upon termination or expiry of the Term:
- All licences granted hereunder shall immediately cease;
- Customer shall promptly cease all use of the Software;
- Company shall, within thirty (30) days of termination, make available to Customer an export of Customer Data in a commonly used machine-readable format, and shall thereafter securely delete Customer Data from its systems, unless retention is required by law.
5. Fees and Payment
Customer shall pay the fees set out in the Order Form or applicable quote (“Fees”). Fees are invoiced in advance on an annual or quarterly basis. Payment is due within fourteen (14) days of the invoice date.
Company reserves the right to increase Fees at the start of any renewal Term by providing not less than sixty (60) days’ written notice prior to the renewal date. If Customer does not accept the revised Fees, Customer may terminate by providing written notice before the renewal date.
Any sums remaining unpaid after the due date shall accrue interest at the rate of 8% per annum above the Bank of England base rate, in accordance with the Late Payment of Commercial Debts (Interest) Act 1998. Customer is responsible for all applicable taxes, including VAT.
6. Service Levels and Support
Company shall use commercially reasonable efforts to ensure the Software is available 99.5% of the time in any given calendar month, excluding scheduled maintenance windows and circumstances beyond Company’s reasonable control.
Company shall provide technical support during Business Hours (09:00–17:30 UK time, Monday to Friday, excluding UK public holidays). The specific support tier and response times applicable to Customer shall be set out in the Order Form.
7. Data Protection
7.1 Roles
The parties acknowledge that in providing the Software, Company acts as a data processor and Customer acts as a data controller, as those terms are defined under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
7.2 Data Processing Obligations
Company shall process Customer Data only in accordance with Customer’s documented instructions, except where required to do so by applicable law. Company shall:
- implement appropriate technical and organisational measures to protect Customer Data against unauthorised or unlawful processing, accidental loss, destruction, or damage;
- ensure that persons authorised to process Customer Data are bound by confidentiality obligations;
- not engage sub-processors without Customer’s prior written consent, and flow down equivalent data protection obligations to any sub-processor;
- notify Customer without undue delay (and in any event within 72 hours) upon becoming aware of a personal data breach affecting Customer Data;
- assist Customer in fulfilling its obligations to respond to data subject requests under applicable data protection legislation;
- upon termination, return or securely delete Customer Data as set out in Clause 4.4.
7.3 Data Processing Agreement
The parties’ detailed data processing obligations are set out in Schedule 2 (Data Processing Agreement), which forms part of these Terms and is incorporated by reference.
8. Confidentiality
Each party (“Receiving Party”) agrees to keep confidential all non-public information disclosed by the other party (“Disclosing Party”) that is designated as confidential or that reasonably should be understood to be confidential (“Confidential Information”). This obligation applies equally to both parties.
The obligations in this Clause shall not apply to information that: (a) is or becomes publicly available other than through the Receiving Party’s breach; (b) was known to the Receiving Party before disclosure; (c) is independently developed by the Receiving Party; or (d) must be disclosed by law or regulatory requirement.
Confidentiality obligations shall survive termination of these Terms for a period of three (3) years.
9. Data Separation and Group Companies
9.1 Group Structure Disclosure
Customer acknowledges that Company is part of a wider group of companies (the “Group”) which includes entities operating coach hire booking platforms, marketplace services, and other transport-related businesses (each a “Group Company”). A current list of Group Companies is available on request. Some directors, officers, or shareholders of the Company may also hold positions in one or more Group Companies.
9.2 Customer Data Separation
Notwithstanding the existence of the Group, Company undertakes that Customer Data held within the Software:
- is stored in a logically separated data environment dedicated to the Software platform;
- is not accessible to any Group Company by virtue of Customer’s subscription to the Software;
- is not shared with, transferred to, or made available to any Group Company without Customer’s express prior written consent, except as permitted under Clause 9.4; and
- will not be used by Company, or disclosed to any Group Company, for the purpose of identifying, approaching, or soliciting Customer’s customers, suppliers, or business contacts.
9.3 Technical and Organisational Controls
Company maintains technical and organisational controls designed to enforce the separation described in Clause 9.2, including:
- separate database environments for the Software and Group Company platforms;
- role-based access controls restricting Customer Data to authorised Company personnel with a legitimate operational need;
- audit logging of administrative access to Customer Data;
- contractual confidentiality obligations binding all Company personnel; and
- no automated data feed, API, or replication that exposes Customer Data to any Group Company platform, except as expressly permitted under Clause 9.4.
9.4 Permitted Exception — Bookings Originating from Group Platforms
Where a booking, job, quote, or referral originates on a Group Company platform and is offered to or accepted by Customer through the Software, the data relating to that specific booking is, by its nature, known to the originating Group Company. This Clause 9 does not restrict the originating Group Company from accessing, retaining, or processing data relating to bookings it originated. This exception is limited strictly to data relating to those specific bookings and does not extend to Customer’s broader Customer Data within the Software.
9.5 Common Directorship
Where any individual holds director, officer, or senior management positions in both Company and any Group Company, that individual is bound by Company’s information security policies and shall not access Customer Data in their capacity as a director, officer, or representative of any Group Company. Information barriers are maintained between Company and Group Companies regardless of overlapping personnel.
9.6 Survival
The obligations in this Clause 9 survive termination or expiry of these Terms for a period of two (2) years.
10. Intellectual Property
The Software and all intellectual property rights therein are and shall remain the exclusive property of Company. These Terms do not grant Customer any ownership rights in the Software.
Customer retains all ownership rights in Customer Data. Company shall have no right to use Customer Data except as strictly necessary to provide the Software in accordance with these Terms.
11. Warranties
Company warrants that:
- the Software will perform materially in accordance with its documentation during the Term;
- it has the right to grant the licences in these Terms;
- it will provide the Software with reasonable care and skill, as required under the Supply of Services (Implied Terms) Act 1982.
12. Limitation of Liability
Nothing in these Terms shall limit or exclude either party’s liability for: (a) death or personal injury caused by its negligence; (b) fraud or fraudulent misrepresentation; or (c) any other liability that cannot be excluded or limited by law.
Subject to the above, Company’s total aggregate liability to Customer arising out of or in connection with these Terms shall not exceed the total Fees paid by Customer in the twelve (12) months immediately preceding the event giving rise to the claim.
Subject to the carve-outs above, neither party shall be liable to the other for any indirect, incidental, special, consequential, or punitive loss or damage, including loss of profit, loss of revenue, loss of data, or loss of business opportunity.
13. Indemnification
Customer agrees to indemnify and hold harmless Company from any third-party claims, losses, damages, and reasonable legal costs arising out of Customer’s breach of these Terms or Customer’s unlawful use of the Software.
Company agrees to indemnify and hold harmless Customer from any third-party claims that the Software, as provided by Company, infringes any third-party intellectual property rights.
14. Force Majeure
Neither party shall be liable for any delay or failure to perform its obligations under these Terms where such delay or failure is caused by circumstances beyond its reasonable control, including acts of God, war, terrorism, pandemic, strike, lockout, or failure of third-party infrastructure providers. The affected party shall notify the other promptly and shall use reasonable endeavours to mitigate the impact.
15. Governing Law and Jurisdiction
These Terms shall be governed by and construed in accordance with the laws of England and Wales. Each party irrevocably submits to the exclusive jurisdiction of the courts of England and Wales to settle any dispute or claim arising out of or in connection with these Terms.
16. Assignment
Customer may not assign, transfer, or sub-contract any of its rights or obligations under these Terms without the prior written consent of Company. Company may assign these Terms in connection with a merger, acquisition, or sale of all or substantially all of its assets, provided it gives Customer reasonable prior written notice.
17. Acceptable Use
Customer shall use the Software only for lawful purposes and in accordance with these Terms. Customer shall not use the Software to:
- store, transmit, or distribute unlawful, defamatory, or infringing content;
- introduce viruses, malware, or any other harmful code;
- attempt to gain unauthorised access to any system or network;
- use the Software in a manner that places unreasonable load on Company’s infrastructure.
18. General
18.1 Entire Agreement
These Terms, together with any applicable Order Form, constitute the entire agreement between the parties and supersede all prior communications, representations, or agreements, whether oral or written.
18.2 Amendment
These Terms may be amended only by a written instrument signed by authorised representatives of both parties, except that Company may update these Terms on not less than thirty (30) days’ written notice, and Customer’s continued use of the Software after that period constitutes acceptance.
18.3 Waiver
No waiver by either party of a breach of any provision of these Terms shall be deemed a waiver of any subsequent breach of the same or any other provision.
18.4 Severability
If any provision of these Terms is held to be invalid or unenforceable, such provision shall be severed and the remaining provisions shall remain in full force and effect.
18.5 Notices
All notices under these Terms shall be in writing and shall be deemed duly served when: (a) delivered personally; (b) sent by first-class post to the address specified in the Order Form; or (c) sent by email to the email address specified in the Order Form, with delivery confirmed by read receipt or non-automated reply.
18.6 Anti-Bribery
Each party shall comply with all applicable anti-bribery and anti-corruption legislation, including the Bribery Act 2010.
ECOACHMANAGER LTD
Version: 2026-04-30
Supplementary Terms to the eCoachManager Master Terms and Conditions (England & Wales)
1. Application of this Schedule
This Schedule applies to Customers whose principal place of business is located in Australia. It forms part of and is incorporated into the eCoachManager Master Terms and Conditions (England & Wales) (“Master Terms”). Where any provision of this Schedule conflicts with the Master Terms, the provisions of this Schedule shall prevail to the extent of that conflict. All other provisions of the Master Terms remain in full force and effect.
2. Governing Law and Jurisdiction
Notwithstanding Clause 15 of the Master Terms, this Agreement and any dispute or claim arising out of or in connection with it shall be governed by and construed in accordance with the laws of New South Wales, Australia. Each party irrevocably submits to the non-exclusive jurisdiction of the courts of New South Wales.
3. Australian Consumer Law
3.1 Unfair Contract Terms
The Competition and Consumer Act 2010 (Cth), Schedule 2 (Australian Consumer Law, “ACL”) may apply to this Agreement. Nothing in the Master Terms is intended to exclude, restrict, or modify any right or guarantee that cannot lawfully be excluded under the ACL. To the extent that any provision of the Master Terms constitutes an unfair contract term within the meaning of the ACL (as amended by the Treasury Laws Amendment (More Competition, Better Prices) Act 2022), such provision is severed and the remainder of the Master Terms continues in full force.
3.2 Consumer Guarantees
Where the ACL applies, liability for breach of any guarantee implied by the ACL (other than those that cannot be excluded) is limited to: (a) the resupply of the services; or (b) the payment of the cost of having the services supplied again, at Company’s election.
4. Privacy — Australian Privacy Principles
Company acknowledges that the Privacy Act 1988 (Cth) and the Australian Privacy Principles (“APPs”) may apply to the processing of personal information of Australian individuals in connection with the Software. Company shall:
- handle all personal information in accordance with the APPs;
- not use or disclose personal information for any purpose other than providing the Software;
- on request, provide Customer with a copy of Company’s Privacy Policy;
- notify Customer as soon as practicable upon becoming aware of an Eligible Data Breach within the meaning of the Privacy Act 1988 (Cth), Part IIIC.
The parties’ detailed data processing obligations, including jurisdiction-specific breach notification requirements, are set out in Schedule 2 (Data Processing Agreement) to the Master Terms, which applies in full to this jurisdiction.
5. Goods and Services Tax (GST)
All fees and charges set out in the Order Form are exclusive of GST. Where GST is payable on any supply made under this Agreement, the recipient shall pay to the supplier an additional amount equal to the GST payable, subject to receipt of a valid tax invoice. GST has the meaning given in A New Tax System (Goods and Services Tax) Act 1999 (Cth).
6. Late Payment Interest
Notwithstanding Clause 5 of the Master Terms, interest on overdue amounts shall accrue at the rate of 10% per annum (simple interest), which the parties agree is a genuine pre-estimate of the cost of late payment under Australian commercial practice.
7. Data Separation and Group Companies
Clause 9 of the Master Terms applies in full. For the avoidance of doubt, references to “Group Companies” include The Coach Company Pty Ltd (ABN 51 638 081 188) and any other Australian entity within the Group. The data separation obligations in Clause 9 supplement, and do not limit, Company’s obligations under the Australian Privacy Principles set out in this Schedule.
ECOACHMANAGER LTD
New Zealand Jurisdiction Schedule
Version: 2026-04-30
Supplementary Terms to the eCoachManager Master Terms and Conditions (England & Wales)
1. Application of this Schedule
This Schedule applies to Customers whose principal place of business is located in New Zealand. It forms part of and is incorporated into the eCoachManager Master Terms and Conditions (England & Wales) (“Master Terms”). Where any provision of this Schedule conflicts with the Master Terms, the provisions of this Schedule shall prevail to the extent of that conflict. All other provisions of the Master Terms remain in full force and effect.
2. Governing Law and Jurisdiction
Notwithstanding Clause 15 of the Master Terms, this Agreement and any dispute or claim arising out of or in connection with it shall be governed by and construed in accordance with the laws of New Zealand. Each party irrevocably submits to the non-exclusive jurisdiction of the courts of New Zealand.
3. Consumer and Fair Trading Legislation
3.1 Fair Trading Act 1986
Nothing in the Master Terms is intended to exclude any right or remedy available to Customer under the Fair Trading Act 1986 (NZ) that cannot lawfully be excluded. To the extent any provision of the Master Terms is inconsistent with the Fair Trading Act 1986, that provision is modified to the minimum extent necessary to comply.
3.2 Contract and Commercial Law Act 2017
To the extent the Contract and Commercial Law Act 2017 (NZ) applies to this Agreement, any provision found to be unconscionable or in breach of the Act is severed and the remainder of the Master Terms continues in full force.
4. Privacy — New Zealand Privacy Act 2020
Company acknowledges that the Privacy Act 2020 (NZ) applies to the processing of personal information of New Zealand individuals in connection with the Software. Company shall:
- handle all personal information in accordance with the Information Privacy Principles set out in the Privacy Act 2020 (NZ);
- not use or disclose personal information for any purpose other than providing the Software;
- notify Customer without undue delay upon becoming aware of a Privacy Breach that is likely to cause serious harm, as defined under the Privacy Act 2020 (NZ);
- cooperate with the New Zealand Privacy Commissioner in connection with any investigation relating to Customer Data.
The parties’ detailed data processing obligations, including jurisdiction-specific breach notification requirements, are set out in Schedule 2 (Data Processing Agreement) to the Master Terms, which applies in full to this jurisdiction.
5. Goods and Services Tax (GST)
All fees and charges set out in the Order Form are exclusive of New Zealand GST. Where NZ GST is payable on any supply under this Agreement, Customer shall pay an additional amount equal to the applicable GST, subject to receipt of a valid GST invoice. NZ GST has the meaning given in the Goods and Services Tax Act 1985 (NZ).
6. Currency
Unless otherwise specified in the Order Form, all fees shall be invoiced and payable in New Zealand Dollars (NZD). Where fees are quoted in GBP, the conversion rate shall be the mid-market rate published by the Reserve Bank of New Zealand on the invoice date.
7. Data Separation and Group Companies
Clause 9 of the Master Terms applies in full. The data separation obligations supplement, and do not limit, Company’s obligations under the Privacy Act 2020 (NZ) set out in this Schedule.
ECOACHMANAGER LTD
South Africa Jurisdiction Schedule
Version: 2026-04-30
Supplementary Terms to the eCoachManager Master Terms and Conditions (England & Wales)
1. Application of this Schedule
This Schedule applies to Customers whose principal place of business is located in the Republic of South Africa. It forms part of and is incorporated into the eCoachManager Master Terms and Conditions (England & Wales) (“Master Terms”). Where any provision of this Schedule conflicts with the Master Terms, the provisions of this Schedule shall prevail to the extent of that conflict. All other provisions of the Master Terms remain in full force and effect.
2. Governing Law and Jurisdiction
Notwithstanding Clause 15 of the Master Terms, this Agreement and any dispute or claim arising out of or in connection with it shall be governed by and construed in accordance with the laws of the Republic of South Africa. Each party irrevocably submits to the non-exclusive jurisdiction of the High Court of South Africa (Gauteng Division, Pretoria).
3. Electronic Communications and Contract Formation
The parties acknowledge that this Agreement is concluded electronically and that, in accordance with the Electronic Communications and Transactions Act 25 of 2002 (“ECTA”), electronic acceptance (including payment of an invoice) constitutes valid and binding acceptance of these Terms.
4. Consumer Protection
4.1 Consumer Protection Act 68 of 2008
To the extent the Consumer Protection Act 68 of 2008 (“CPA”) applies to this Agreement, nothing in the Master Terms is intended to waive any right that Customer is entitled to exercise under the CPA. Where the CPA applies, Company shall provide Customer with at least twenty (20) business days’ written notice before exercising any right to cancel, suspend, or materially vary the terms of service.
4.2 Limitation of Liability
To the extent that any limitation of liability in the Master Terms is found to be contrary to the CPA or any other applicable South African legislation, such limitation is modified to the minimum extent necessary to achieve compliance, and the remainder of the limitation clause remains in full force.
5. Protection of Personal Information — POPIA
Company acknowledges that the Protection of Personal Information Act 4 of 2013 (“POPIA”) applies to the processing of personal information of South African data subjects in connection with the Software. For the purposes of POPIA:
- Customer is the “responsible party” (equivalent to data controller under UK GDPR);
- Company is the “operator” (equivalent to data processor under UK GDPR).
Company shall, as operator:
- process personal information only with the knowledge or authorisation of Customer as responsible party;
- implement appropriate technical and organisational measures to secure the integrity and confidentiality of personal information in its possession or under its control;
- notify Customer immediately where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by an unauthorised person;
- upon termination, return or securely destroy personal information in accordance with Customer’s instructions, subject to any legal retention obligations;
- not transfer personal information outside the Republic of South Africa without Customer’s prior written authorisation, unless the destination country has equivalent data protection standards or adequate safeguards are in place.
The parties’ detailed data processing obligations, including jurisdiction-specific breach notification requirements, are set out in Schedule 2 (Data Processing Agreement) to the Master Terms, which applies in full to this jurisdiction.
6. Value Added Tax (VAT)
All fees and charges set out in the Order Form are exclusive of South African VAT. Where VAT is payable on any supply made under this Agreement, Customer shall pay an additional amount equal to the applicable VAT, subject to receipt of a valid South African tax invoice where required.
7. Currency
Unless otherwise specified in the Order Form, all fees shall be invoiced in GBP (Pounds Sterling). Where Customer requests invoicing in South African Rand (ZAR), the conversion rate shall be the mid-market rate published by the South African Reserve Bank on the invoice date.
8. Anti-Corruption
Each party shall comply with the Prevention and Combating of Corrupt Activities Act 12 of 2004 (South Africa) and all other applicable anti-corruption legislation. This supplements the Bribery Act 2010 obligation in the Master Terms.
9. Data Separation and Group Companies
Clause 9 of the Master Terms applies in full. The data separation obligations supplement, and do not limit, Company’s obligations under POPIA set out in this Schedule.
eCoachManager
Schedule 2 — Data Processing Agreement
Incorporated into and forming part of the eCoachManager Master Terms and Conditions
1. Definitions
In this Schedule, the following terms have the meanings given below. Capitalised terms not defined here have the meanings given in the Master Terms.
“Controller” means the entity that determines the purposes and means of processing Personal Data (equivalent to “responsible party” under POPIA and “APP entity” under the Privacy Act 1988 (Cth)).
“Customer Data” means all Personal Data submitted to or processed through the Software by or on behalf of Customer.
“Data Protection Law” means all applicable data protection and privacy legislation in force from time to time, including (without limitation) the UK GDPR, the Data Protection Act 2018, the Privacy Act 1988 (Cth) and Australian Privacy Principles, the Privacy Act 2020 (NZ), and the Protection of Personal Information Act 4 of 2013 (POPIA), in each case as applicable to the relevant processing.
“Personal Data” means any information relating to an identified or identifiable natural person that is processed in connection with the Software.
“Processor” means the entity that processes Personal Data on behalf of the Controller (equivalent to “operator” under POPIA).
“Processing” means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
“Security Incident” means any confirmed or reasonably suspected unauthorised access to, disclosure of, or loss of Personal Data.
“Sub-Processor” means any third party engaged by Company to process Personal Data on Customer’s behalf.
2. Roles of the Parties
The parties acknowledge that:
- Customer is the Controller in respect of Customer Data, including driver records, passenger information, and operator staff data entered into the Software.
- Company is the Processor in respect of Customer Data, processing it solely on Customer’s behalf and in accordance with Customer’s instructions.
- Company is the Controller in respect of its own customer relationship data (operator contact details, billing information, and platform usage data), which is governed by Company’s Privacy Policy rather than this Schedule.
Note: This distinction matters. Company processes driver and passenger data as a Processor — it does not own that data, may not use it for its own purposes, and must return or delete it on termination. Operator contact data processed for account management purposes is processed by Company as Controller under its Privacy Policy.
3. Company’s Obligations as Processor
3.1 Instructions
Company shall process Customer Data only on Customer’s documented instructions, unless required to process for other purposes by applicable law (in which case Company shall inform Customer of that legal requirement before processing, unless prohibited from doing so by law).
3.2 Confidentiality
Company shall ensure that all personnel authorised to process Customer Data are subject to binding confidentiality obligations, whether by contract or professional duty, and shall not permit unauthorised persons to access Customer Data.
3.3 Security
Company shall implement appropriate technical and organisational measures to protect Customer Data against unauthorised or unlawful processing, accidental loss, destruction, or damage, having regard to the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. These measures include:
- Encryption of Customer Data in transit using TLS and at rest using AES-256.
- Role-based access controls restricting access to Customer Data to authorised personnel with a legitimate operational need.
- Audit logging of administrative access to Customer Data.
- Regular security assessments and vulnerability management.
- Incident response procedures as set out in Clause 3.5 of this Schedule.
3.4 Sub-Processors
Customer provides general written authorisation for Company to engage the Sub-Processors listed in Annex A to this Schedule. Company shall:
- Impose equivalent data protection obligations on each Sub-Processor by written contract.
- Remain liable to Customer for the acts and omissions of Sub-Processors to the same extent as if Company had performed the processing itself.
- Notify Customer of any intended addition or replacement of Sub-Processors by updating Annex A and providing not less than thirty (30) days’ prior written notice. Customer may object to the change in writing within that period; if the parties cannot resolve the objection, Customer may terminate the Agreement on written notice without penalty.
3.5 Security Incidents
Company shall notify Customer without undue delay upon becoming aware of a Security Incident affecting Customer Data, and in any event:
- Within 72 hours for Customers subject to UK GDPR or NZ Privacy Act 2020.
- As soon as practicable for Customers subject to the Australian Privacy Act 1988 (Cth) (Notifiable Data Breaches scheme).
- Immediately upon becoming aware for Customers subject to POPIA.
Notification shall include, to the extent then known: (a) the nature of the Security Incident; (b) the categories and approximate number of data subjects and records affected; (c) the likely consequences; and (d) the measures taken or proposed to address the incident. Company shall cooperate with Customer in managing and mitigating the incident and in making any required notifications to supervisory authorities or data subjects.
3.6 Data Subject Rights
Company shall promptly notify Customer upon receiving any request from a data subject exercising their rights under applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection). Company shall not respond to such requests directly (except to confirm that the request has been forwarded to Customer) unless Customer has authorised Company to do so. Company shall provide Customer with such assistance as is reasonably necessary to respond to data subject requests within applicable timeframes.
3.7 Data Protection Impact Assessments
Company shall, on reasonable request and at Customer’s cost, provide such assistance as Customer reasonably requires to carry out data protection impact assessments and prior consultations with supervisory authorities under applicable Data Protection Law.
3.8 Audit Rights
Company shall, on reasonable prior written notice (not less than thirty (30) days) and at Customer’s cost, make available to Customer all information reasonably necessary to demonstrate compliance with this Schedule, and shall permit and contribute to audits or inspections conducted by Customer or a mandated third party auditor, subject to reasonable confidentiality protections. Audits shall be conducted during Business Hours, shall not unreasonably disrupt Company’s operations, and shall not occur more than once per calendar year unless required by a supervisory authority.
4. Data Retention and Deletion
4.1 Retention During Term
Company retains Customer Data for the duration of the Agreement. As a function of system architecture, driver records within the Software are not purged — deletion of a driver record would impact the integrity of historical job, scheduling, and compliance records. Operators requiring a driver to be removed from active use should use the inactive status function rather than deletion. This architecture supports operators’ obligations under applicable transport and employment legislation to retain driver records for prescribed periods.
4.2 Return and Deletion on Termination
Upon termination or expiry of the Agreement, Company shall, within thirty (30) days of termination:
- Make available to Customer an export of Customer Data in a commonly used machine-readable format (CSV or equivalent); and
- Securely delete or destroy all remaining copies of Customer Data from Company’s systems and those of its Sub-Processors, unless retention is required by applicable law, in which case Company shall notify Customer of the legal requirement and the retention period.
Company shall, on request, provide written certification of deletion.
5. International Data Transfers
Company’s primary infrastructure is hosted on Google Cloud Platform in the UK and/or EU. Where Customer Data is transferred outside the UK or EEA, Company shall ensure that appropriate transfer mechanisms are in place, including:
- UK International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs) as applicable.
- For transfers of South African personal information, compliance with POPIA Section 72 requirements, including confirmation that the destination country has equivalent data protection standards or that adequate safeguards are contractually in place.
- For transfers of Australian personal information, compliance with APP 8 cross-border disclosure requirements.
6. Details of Processing
The following describes the subject matter and details of the processing carried out by Company as Processor under this Schedule:
Subject matter: Provision of the eCoachManager SaaS platform for coach and bus fleet management, scheduling, and operations.
Duration: For the duration of the Agreement and as set out in Clause 4 of this Schedule.
Nature of processing: Collection, storage, retrieval, use, and deletion of Personal Data via the Software platform.
Purpose of processing: To provide the contracted Software services to Customer.
Types of Personal Data processed:
- Operator staff and contact data: names, job titles, email addresses, telephone numbers, login credentials.
- Driver data: names, dates of birth, contact details, licence details, accreditation and authority information, work and rest hour records, scheduling and assignment history.
- Passenger data: names, contact details, booking and journey information, special assistance requirements.
Categories of data subjects:
- Customer’s employees, officers, and authorised users.
- Bus and coach drivers employed or engaged by Customer.
- Passengers carried or booked by Customer.
Annex A — Approved Sub-Processors
The following Sub-Processors are approved as at the date of this Agreement. Company will notify Customer of changes in accordance with Clause 3.4.
Sub-Processor | Service Provided | Location | Transfer Mechanism |
Google Cloud Platform (Google LLC) | Cloud infrastructure hosting, data storage, and processing | UK / EU | UK GDPR adequacy / SCCs as applicable |
Note: Company will update this Annex and notify Customer with not less than 30 days’ prior written notice before adding or replacing any Sub-Processor. The current approved Sub-Processor list is available on request at any time.
Signature Block
This Schedule forms part of the eCoachManager Master Terms and Conditions and is incorporated by reference. By accepting the Master Terms (whether by clickwrap, Order Form signature, or payment of invoice), Customer agrees to the terms of this Schedule.
For ECOACHMANAGER LTD:
Signed: ___________________________________
Name: ____________________________________
Title: _____________________________________
Date: _____________________________________
For Customer:
Signed: ___________________________________
Name: ____________________________________
Title: _____________________________________
Date: _____________________________________