Privacy Policy

Last Updated: 29 May 2026

1. Introduction

CarMate ("we", "us", or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our car listing analysis service.

We are registered in the United Kingdom and comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data Controller

Company Name: Moose Technologies Ltd

Registered in: England and Wales

Contact Email: privacy@car-mate.co.uk

Location: United Kingdom

3. Information We Collect

3.1 Personal Information

  • Email Address: When you create an account or make a purchase
  • Payment Information: Processed securely through Stripe (we never store full card details)
  • IP Address: For security and fraud prevention

3.2 Usage Data

  • Car listings you analyse (URLs, manually entered details, and extracted data)
  • Analysis results and reports generated
  • Audit credit balance and usage history
  • Feedback and support communications

3.3 Screenshot Uploads

If you use the screenshot upload feature, your image is transmitted to our processing provider for text extraction. We do not store your screenshot images. Only the structured data extracted from them (make, model, price, etc.) is retained as part of your audit report. Images are processed in transit and are not retained by our provider beyond the duration of the request.

3.4 Technical Data

  • Browser type and version
  • Device information
  • Timestamps of activities
  • Cookies and similar technologies (see Cookie Policy)

4. Legal Basis for Processing

We process your personal data under the following lawful bases:

  • Contract Performance (Article 6(1)(b)): Providing the car analysis service you have paid for, managing your credits, and delivering reports
  • Legitimate Interests (Article 6(1)(f)): Preventing fraud, improving analysis accuracy, rate limiting, and platform security
  • Consent (Article 6(1)(a)): Analytics cookies and marketing communications (opt-in; can be withdrawn at any time)
  • Legal Obligation (Article 6(1)(c)): Retaining payment records for 7 years to meet HMRC tax requirements

4.1 Processing Activity Mapping

Processing Activity        | Lawful Basis        | Processor                | Retention
Car listing analysis       | Contract            | Google Gemini / Internal | 24 months
Registration plate lookup  | Contract            | DVLA / DVSA              | Real-time only
Screenshot image analysis  | Contract            | Google Gemini            | In transit only
Payment processing         | Contract            | Stripe                   | 7 years (HMRC)
Account authentication     | Contract            | Supabase                 | Duration of account
MOT lead capture           | Legitimate Interest | Supabase                 | 12 months
Analytics / site usage     | Consent             | Google Analytics         | Per GA settings
IP rate limiting           | Legitimate Interest | Internal                 | Rolling hourly window

5. How We Use Your Information

  • To provide and maintain our car analysis service
  • To process payments and manage your audit credits
  • To send you analysis reports and service updates
  • To respond to your support requests and feedback
  • To improve our analysis accuracy
  • To prevent fraud and ensure platform security
  • To comply with legal obligations

6. Data Sharing and Third Parties

6.1 Service Providers

We share data with trusted third-party providers under written Data Processing Agreements (DPAs) where applicable. All processors are required to handle your data securely and only for the purposes specified.

  • Stripe: Payment processing (PCI DSS compliant) - DPA
  • Supabase: Database and authentication (EU/UK servers) - DPA
  • Google Cloud (Gemini API): Car listing image analysis - DPA
  • Railway: Backend hosting infrastructure - Privacy Policy
  • Vercel: Frontend hosting - DPA
  • DVLA (Driver & Vehicle Licensing Agency): Vehicle registration and specification data - operated under statutory UK government frameworks
  • DVSA (Driver & Vehicle Standards Agency): MOT history and test records - operated under statutory UK government frameworks

When you submit a registration plate for analysis, that registration number is sent to DVLA and DVSA via their official trade APIs to retrieve vehicle and MOT data. These are UK government bodies operating under their own statutory obligations and privacy notices.

6.2 Legal Requirements

We may disclose your information if required by law, court order, or to:

  • Comply with legal obligations
  • Protect our rights and property
  • Prevent fraud or security threats
  • Protect user safety

6.3 No Selling of Data

We never sell your personal data to third parties.

7. Data Retention

  • Account Data: Retained while your account is active and for 12 months after deletion
  • Analysis Reports: Retained for 24 months or until you delete them
  • Payment Records: Retained for 7 years for tax and accounting purposes
  • Support Communications: Retained for 3 years

You can request earlier deletion of your data at any time (subject to legal requirements).

8. Your Rights Under UK GDPR

You have the following rights regarding your personal data:

Right to Access

Request a copy of all personal data we hold about you

Right to Rectification

Request correction of inaccurate or incomplete data

Right to Erasure

Request deletion of your personal data ("right to be forgotten")

Right to Restrict Processing

Request limitation on how we use your data

Right to Data Portability

Receive your data in a machine-readable format

Right to Object

Object to processing based on legitimate interests

Self-service options (immediate):

  • Right to Erasure: Delete your account and all data instantly from Account Settings
  • Right to Data Portability: Export all your data as JSON from Account Settings

For all other rights (access, rectification, restriction, objection), contact us at privacy@car-mate.co.uk. We will respond within one calendar month as required by UK GDPR Article 12.

9. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • Encryption in transit (HTTPS/TLS) and at rest
  • Secure authentication (passwordless OTP system)
  • Regular security audits and updates
  • Access controls and staff training
  • Secure payment processing via Stripe

While we strive to protect your data, no internet transmission is 100% secure. We cannot guarantee absolute security.

10. International Data Transfers

Your data may be processed in countries outside the UK. We ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) with service providers
  • Adequacy decisions by the UK government
  • Privacy Shield Framework (where applicable)

11. Children's Privacy

Our service is not intended for children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately.

12. Cookies and Tracking

We use cookies and similar technologies to provide and improve our service. For detailed information, see our Cookie Policy.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or a prominent notice on our website. Continued use of our service after changes indicates acceptance.

14. Data Protection Officer

As a small business, Moose Technologies Ltd is not required to appoint a Data Protection Officer (DPO) under UK GDPR Article 37. All data protection enquiries are handled directly by our team. You can reach us at privacy@car-mate.co.uk.

15. Contact Us

For any questions, concerns, or requests regarding your privacy:

16. Complaints

If you're not satisfied with how we handle your data, you have the right to lodge a complaint with the UK's supervisory authority:

Information Commissioner's Office (ICO)

Website: https://ico.org.uk

Helpline: 0303 123 1113