Privacy Policy

Last updated: 19 August 2025

1. Who we are (data controller)

[Your Company Name] is the controller for personal data processed via mycarchecklist.co.uk. Contact: [Contact Email]. Address: [Registered Address].

2. Data we process

  • Lookups you perform: the vehicle registration mark (VRM) you type; we request MOT data from DVSA for that VRM.
  • Technical data: IP address, user agent, timestamps, request IDs, error logs (kept short-term for security and troubleshooting).
  • AI processing: we send the make/model/year and recent MOT items to our AI provider to generate buyer warnings or common issues.
  • Analytics (privacy-friendly): we log anonymised events (e.g., “lookup_success”, “ai_shown”) via our own serverless function. No third-party tracking cookies.
  • Local storage / PWA: your browser may cache static assets for faster loads. We do not cache MOT results or personal data in the browser.

We do not collect special category data or payment details through this site.

3. Why we use your data (legal bases)

  • Legitimate interests (UK GDPR Art 6(1)(f)): to operate the Service, prevent abuse, understand performance, and improve results (including AI summaries).
  • Legal obligations: to comply with applicable law and requests from authorities.
  • Consent (where applicable): if we ever introduce optional features requiring consent, we’ll ask clearly. You can withdraw consent at any time.

4. Sharing & processors

We share data only with service providers necessary to run the Service:

  • DVSA MOT History API – provides MOT data for the VRM you query.
  • OpenAI – processes trimmed MOT data to generate buyer warnings/common issues.
  • Netlify and affiliated cloud infrastructure (e.g., AWS) – hosting and serverless functions.

We do not sell your personal data.

5. International transfers

Some providers may process data outside the UK/EEA (e.g., the United States). When this occurs, we rely on appropriate safeguards such as the UK International Data Transfer Addendum / EU Standard Contractual Clauses, or equivalent lawful mechanisms provided by those processors.

6. Data retention

  • Server logs & analytics events: typically retained up to 30 days (short-term for security and diagnostics).
  • Support correspondence: up to 12 months.
  • AI prompts/results: not stored by us beyond transient processing. Providers may have their own limited retention for abuse prevention—see their policies.

7. Security

We use HTTPS, access controls, and the principle of least privilege. No system is 100% secure; please contact us promptly if you suspect an issue.

8. Your rights

Under UK GDPR you may have the right to request access, rectification, erasure, restriction, portability, and to object to processing based on legitimate interests.

To exercise your rights, email [Contact Email]. We may need to verify your identity. We will respond within one month.

9. Children

The Service is not intended for children under 16. If you believe a child has provided us data, contact us so we can delete it.

10. Changes

We may update this policy to reflect changes to the Service or the law. We’ll post the new version here and update the “Last updated” date.

11. Contact & complaints

Questions or requests: [Contact Email].

You may also complain to the UK Information Commissioner’s Office (ICO): ico.org.uk.