Privacy Policy

Last updated: 22 May 2026

1. Who We Are

CarBuyerIQ, trading as "CarBuyerIQ" ("we", "us", "our"), is the data controller responsible for your personal data.

We provide an AI-powered vehicle intelligence platform that analyses publicly available MOT and DVLA data to help consumers make more informed used car purchasing decisions. We also operate a fuel price comparison and alert service sourced from GOV.UK data.

This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our website, web application, and related services (together, the "Service"). It should be read alongside our Terms and Conditions.

We are committed to complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), and all other applicable data protection legislation.

2. Information We Collect

2.1 Information You Provide Directly

When you use our Service, you may provide us with the following personal data:

  • Account registration: Name, email address, and password (your password is hashed and never stored in plain text). If you register using a social login provider (such as Google), we receive your name and email address from that provider.
  • Vehicle searches: Vehicle registration numbers (VRMs) you submit for analysis.
  • Listing URLs: Links to vehicle listings on third-party platforms (such as AutoTrader, eBay, or Facebook Marketplace) that you submit for analysis.
  • Payment information: When you purchase a report or subscription, your payment is processed securely by Stripe, our third-party payment processor. We receive confirmation of payment, a transaction reference, and your billing details, but we never receive, access, or store your full credit or debit card number.
  • Contact form submissions: Your name, email address, and message content when you contact us through our website.
  • Ask Dave chat messages: The questions and messages you send through the Ask Dave AI chat feature, along with the AI-generated responses.
  • Fuel price alert preferences: Your postcode, preferred fuel type, price threshold, and notification frequency when you create fuel price alerts.
  • Repair cost submissions: If you submit repair cost data through our Repair Cost Intelligence tool, we collect the information you provide.
  • Email preferences: Your marketing consent choices and communication preferences.

2.2 Information Collected Automatically

When you visit or use our Service, we automatically collect certain technical and usage data:

  • Device and browser information: Device type (desktop, mobile, tablet), browser type and version, operating system, and screen resolution.
  • Usage data: Pages visited, features used, search history, time spent on pages, and interaction patterns.
  • Session data: Session identifiers, landing page, referrer URL, and current page.
  • Location data: Approximate location derived from your IP address, including city, region, country, and timezone. We do not collect precise GPS location data.
  • IP address: Your Internet Protocol address, which is used for security, fraud prevention, and approximate geolocation.
  • Advertising identifiers: If you arrive at our site via a paid advertisement, we may collect click identifiers (such as Google Click ID, Facebook Click ID, or Microsoft Click ID) and UTM campaign parameters for the purposes of attribution and measuring advertising effectiveness.
  • Cookies and similar technologies: See Section 10 (Cookies and Tracking Technologies) below for full details.

2.3 Information from Third Parties

We may receive information about you from third-party sources:

  • Social login providers: If you register or log in using Google or another social authentication provider, we receive your name, email address, and unique provider identifier.
  • Stripe: Payment confirmation, transaction status, and billing details.
  • Email service providers: Email delivery, open, click, bounce, and complaint data to manage our communications effectively.

3. How We Use Your Information

We use your personal data for the following purposes:

3.1 Providing and Operating the Service

  • Creating and managing your Account.
  • Generating vehicle intelligence reports based on VRMs you submit.
  • Analysing vehicle listing URLs you provide.
  • Providing AI-generated verdicts, scores, predictions, cost estimates, and buying guidance.
  • Operating the Ask Dave AI chat feature and providing responses to your questions.
  • Displaying fuel price data, operating the fuel map, and delivering fuel price alerts you have configured.
  • Processing payments and managing your subscription or single report purchases.
  • Generating and delivering PDF reports.
  • Enabling report sharing via share links.

3.2 Communications

  • Sending transactional emails: report completion notifications, payment receipts, account alerts, and password reset emails.
  • Sending fuel price alerts you have configured.
  • Sending marketing communications (only with your consent), including product updates, feature announcements, newsletters, and promotional offers.
  • Responding to your enquiries submitted through our contact form.

3.3 Improving and Developing the Service

  • Analysing usage patterns and user behaviour to understand how our Service is used and to improve its features and performance.
  • Improving the accuracy and quality of our AI analysis and scoring algorithms using anonymised and aggregated data.
  • Conducting internal research and analysis to develop new features and services.
  • Monitoring email engagement (opens, clicks) to improve the relevance and quality of our communications.

3.4 Security and Legal

  • Detecting, preventing, and investigating fraud, abuse, security incidents, and violations of our Terms.
  • Verifying your identity and authorising access to your Account.
  • Complying with legal obligations, including responding to lawful requests from law enforcement or regulatory authorities.
  • Establishing, exercising, or defending legal claims.

3.5 Advertising Measurement

  • Measuring the effectiveness of our advertising campaigns using click identifiers and UTM parameters.
  • Attributing conversions (account registrations, purchases) to specific advertising channels.

4. Lawful Basis for Processing

Under UK GDPR, we must have a lawful basis for processing your personal data. The bases we rely on are:

Processing activity and lawful basis:

  • Providing vehicle reports and managing your Account: Contract — necessary for the performance of our contract with you (Article 6(1)(b))
  • Processing payments via Stripe: Contract — necessary to fulfil your purchase (Article 6(1)(b))
  • Sending transactional emails (report notifications, receipts): Contract — necessary to perform our service obligations (Article 6(1)(b))
  • Delivering fuel price alerts you configured: Contract — you requested this service feature (Article 6(1)(b))
  • Sending marketing emails, newsletters, and promotional content: Consent — you have opted in to receive marketing communications (Article 6(1)(a))
  • Analytics, usage tracking, and service improvement: Legitimate interests — to understand usage patterns, improve service quality, and develop new features (Article 6(1)(f))
  • Advertising attribution and campaign measurement: Legitimate interests — to measure the effectiveness of our advertising spend (Article 6(1)(f))
  • Fraud prevention and security: Legitimate interests — to protect our Service, users, and business (Article 6(1)(f))
  • Complying with legal obligations (e.g., tax records, law enforcement requests): Legal obligation — required by applicable law (Article 6(1)(c))
  • Email engagement tracking (opens, clicks): Legitimate interests — to improve email relevance and manage sender reputation (Article 6(1)(f))

Where we rely on legitimate interests, we have carried out a balancing assessment to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us at privacy@davethecarexpert.co.uk.

Where we rely on consent, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

5. Vehicle Data Sources

To generate vehicle intelligence reports, we access publicly available vehicle data from the following sources:

  • Driver and Vehicle Licensing Agency (DVLA): Vehicle registration details, make, model, fuel type, engine capacity, year of manufacture, colour, and tax status. Accessed via the official DVLA Vehicle Enquiry Service API.
  • Driver and Vehicle Standards Agency (DVSA): Complete MOT test history including test dates, results (pass/fail), advisory items, failure items, and recorded mileage. Accessed via the official MOT History API.
  • GOV.UK Fuel Finder: Fuel station locations and fuel prices across the United Kingdom. Accessed via the official GOV.UK Fuel Finder API.
  • DVSA Bulk MOT Statistics: Anonymised, aggregated MOT test outcome data published by the Department for Transport, used for model-level reliability comparisons and national failure rate rankings.
  • Public vehicle listings: When you provide a listing URL (from platforms such as AutoTrader, eBay, or Facebook Marketplace), we access the publicly available information on that page, including the advertised price, description, images, and seller details as displayed on the listing.

Vehicle registration numbers (VRMs) are not personal data in themselves where they relate to a vehicle you are considering purchasing. However, where a VRM could be linked to an identifiable individual (for example, the registered keeper), we treat it with care and process it only as necessary to provide the Service.

6. AI and Automated Decision-Making

Our Service uses artificial intelligence (AI), machine learning, and algorithmic processing to generate vehicle reports, including health scores, risk assessments, cost estimates, predictions, and buying guidance.

6.1 How AI is Used

  • Health Score generation: A proprietary scoring algorithm analyses MOT history and DVLA data to produce a numerical health score (0–100) and risk classification for each vehicle. This is fully automated.
  • AI-generated narratives: We use third-party AI language models (including OpenAI's GPT models) to generate written verdicts, vehicle stories, buying advice, negotiation scripts, inspection checklists, insurance insights, depreciation outlooks, and make/model intelligence.
  • Ask Dave AI chat: When you use the Ask Dave feature, your questions are sent to a third-party AI provider along with relevant vehicle data context to generate responses.
  • Predictive analysis: Algorithms estimate MOT failure probabilities, component lifecycle expectations, and repair cost forecasts based on historical data patterns.

6.2 Automated Decision-Making and Profiling

Under Article 22 of the UK GDPR, you have rights in relation to automated decision-making that produces legal effects or similarly significant effects on you.

Our vehicle health scores, risk badges, and other AI outputs are informational and guidance-based — they do not produce legal effects or similarly significant effects on you. They do not determine your eligibility for any product, service, credit, insurance, or employment. No automated decision made by our Service restricts or affects your legal rights.

If you have any concerns about our use of automated processing, please contact us at privacy@davethecarexpert.co.uk.

6.3 Data Sent to AI Providers

When generating AI content, we send the following data to our third-party AI providers:

  • Vehicle make, model, year, fuel type, and engine capacity.
  • MOT test history (dates, results, advisories, failures, mileage readings).
  • Aggregated statistical data (national failure rates, model comparisons).
  • Your questions when using Ask Dave chat.

We do not send your name, email address, account details, payment information, or other personal identifiers to AI providers. Vehicle data is sent in the context of the vehicle, not the user.

7. Who We Share Your Data With

We do not sell your personal data to third parties. We share your data only with the following categories of recipients, and only to the extent necessary for the purposes described:

7.1 Service Providers (Data Processors)

We use the following third-party service providers who process data on our behalf under data processing agreements:

  • Stripe (payment processing) — processes your payment card details and billing information securely. Stripe is PCI DSS Level 1 certified. Stripe Privacy Policy.
  • AI providers (including OpenAI) — process vehicle data to generate AI-powered analysis, verdicts, and chat responses. We do not send personal identifiers to AI providers. OpenAI Privacy Policy.
  • Email service providers (including Resend, AWS SES, and/or Postmark) — deliver transactional, marketing, and alert emails on our behalf. These providers process your email address and email content.
  • Hosting and infrastructure providers — host our servers, databases, and application infrastructure.

7.2 Government APIs (Data Sources)

When you submit a vehicle registration number, we send that VRM to the DVLA and DVSA APIs to retrieve vehicle and MOT data. These are government-operated services with their own data handling policies.

7.3 Report Sharing

If you use the share link feature to share a vehicle report with a third party, that third party will be able to view the report content. You are responsible for deciding who to share reports with. Shared reports do not reveal your personal account details to the recipient.

7.4 Organisation and Team Members

If you are part of a Dealer or Organisation account, certain data (including reports you generate and vehicle searches you conduct) may be visible to other members of your organisation, as determined by your organisation administrator's settings.

7.5 Legal and Regulatory Disclosure

We may disclose your personal data where required to do so by law, regulation, legal process, or enforceable governmental request, including:

  • Responding to court orders, subpoenas, or other lawful requests from law enforcement or regulatory authorities.
  • Protecting the rights, property, or safety of CarBuyerIQ, our users, or the public.
  • Investigating or preventing fraud, security incidents, or violations of our Terms.

7.6 Business Transfers

If CarBuyerIQ is involved in a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you of any such transfer and any changes to this Privacy Policy.

8. International Data Transfers

Your personal data is primarily stored and processed within the United Kingdom and the European Economic Area (EEA). However, some of our third-party service providers may process data outside the UK/EEA, including in the United States.

Where we transfer personal data outside the UK, we ensure that appropriate safeguards are in place in accordance with UK GDPR, including:

  • Adequacy decisions: Transfers to countries that the UK Government has determined provide an adequate level of data protection.
  • Standard Contractual Clauses (SCCs): Where no adequacy decision applies, we use the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, as approved by the Information Commissioner's Office (ICO).
  • Supplementary measures: Where necessary, we implement additional technical and organisational safeguards to ensure the continued protection of your data.

You may request a copy of the safeguards in place for any specific international transfer by contacting us at privacy@davethecarexpert.co.uk.

9. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are as follows:

  • Account data (name, email, password): Retained for as long as your Account is active, and for a reasonable period thereafter to allow account reactivation or to respond to queries. Deleted upon your request or within 30 days of confirmed account deletion.
  • Vehicle reports: Retained for as long as your Account is active to allow you to access your report history. Reports may be retained in anonymised form after account deletion for statistical and service improvement purposes.
  • Ask Dave chat messages: Retained for as long as your Account is active. Deleted upon account deletion.
  • Payment records: Transaction records are retained for 7 years after the transaction date, as required by UK tax and accounting regulations (HMRC requirements).
  • Email engagement data: Retained for as long as your Account is active and you remain subscribed to communications.
  • Fuel price alert preferences: Retained for as long as the alert is active. Deleted when you remove the alert or close your Account.
  • Fuel price history data: Retained for 90 days for trend analysis purposes. This is aggregated station-level data, not personal data.
  • Visitor session data (IP address, device info, pages visited): Retained for up to 24 months for analytics and advertising attribution purposes.
  • Contact form submissions: Retained for 12 months from the date of the enquiry.
  • Cookie data: Retained as described in Section 10 below.

When personal data is no longer required, it is securely deleted or anonymised so that it can no longer be linked to you.

10. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve our Service. A cookie is a small text file placed on your device by our website.

10.1 Essential Cookies

These cookies are strictly necessary for the Service to function and cannot be disabled. They include:

  • Session cookies: Keep you logged in and maintain your session state as you navigate the Service.
  • CSRF tokens: Protect against cross-site request forgery attacks.
  • Cookie preference cookies: Remember your cookie consent choices.

Lawful basis: These are exempt from consent requirements under PECR Regulation 6(4) as they are strictly necessary for the provision of the Service you have requested.

10.2 Analytics Cookies

We may use analytics cookies to understand how visitors interact with our Service, including which pages are visited most frequently, how long visitors spend on pages, and how they navigate through the site. This data is used in aggregate to improve the Service.

Lawful basis: Consent (PECR Regulation 6). You may accept or decline analytics cookies. The Service will function normally without them.

10.3 Advertising and Attribution Cookies

If you arrive at our site via a paid advertisement, we may use cookies to track the advertising source for attribution and campaign measurement purposes. These cookies help us understand which advertising channels are effective.

Lawful basis: Consent (PECR Regulation 6).

10.4 Managing Cookies

You can control and delete cookies through your browser settings. Most browsers allow you to:

  • View what cookies are stored and delete them individually.
  • Block third-party cookies.
  • Block all cookies.
  • Delete all cookies when you close your browser.

Please note that disabling essential cookies may prevent the Service from functioning correctly. For more information about cookies and how to manage them, visit www.aboutcookies.org or www.allaboutcookies.org.

11. Your Rights Under UK GDPR

Under the UK General Data Protection Regulation and the Data Protection Act 2018, you have the following rights in relation to your personal data:

  • Right of access (Article 15): You have the right to request a copy of the personal data we hold about you. We will respond within one month of receiving your request. We may extend this by a further two months for complex or numerous requests, in which case we will inform you within one month.
  • Right to rectification (Article 16): You have the right to request that we correct any inaccurate personal data we hold about you, and to have incomplete data completed.
  • Right to erasure (Article 17): You have the right to request that we delete your personal data in certain circumstances, including where it is no longer necessary for the purpose for which it was collected, where you withdraw consent, or where we have no lawful basis to continue processing it. This right is not absolute and may be subject to exceptions (for example, where we need to retain data for legal compliance).
  • Right to restrict processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while we verify the accuracy of contested data.
  • Right to data portability (Article 20): Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
  • Right to object (Article 21): You have the right to object to processing based on legitimate interests (including profiling). We will stop processing your data unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for establishing, exercising, or defending legal claims. You have an absolute right to object to processing for direct marketing purposes at any time.
  • Rights related to automated decision-making (Article 22): You have rights in relation to decisions made solely by automated means that produce legal effects or similarly significant effects on you. As explained in Section 6.2, our AI outputs do not produce such effects.
  • Right to withdraw consent: Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

To exercise any of these rights, please contact us at privacy@davethecarexpert.co.uk. We may ask you to verify your identity before processing your request. We do not charge a fee for exercising your rights, except where requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.

12. Email Communications and Marketing

12.1 Transactional Communications

We send transactional emails that are necessary for the provision of the Service, including report completion notifications, payment receipts, account security alerts, and subscription management emails. These are not marketing communications and are sent on the basis of our contractual relationship with you. You cannot opt out of essential transactional emails while maintaining an active Account.

12.2 Marketing Communications

We only send marketing emails (product updates, feature announcements, newsletters, promotions) where you have given your explicit consent (opt-in). In accordance with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), we may also rely on the "soft opt-in" for existing customers — sending marketing related to similar products and services you have previously purchased, provided we gave you the opportunity to opt out at the time of purchase and in every subsequent communication.

You can withdraw your consent to marketing at any time by:

  • Clicking the "unsubscribe" link in any marketing email.
  • Updating your email preferences in your Account settings.
  • Contacting us at privacy@davethecarexpert.co.uk.

We will action your opt-out request without delay and no later than 10 working days after receiving it.

12.3 Fuel Price Alerts

Fuel price alerts are service notifications you have explicitly configured. They are not marketing. You may disable or modify your alerts at any time through your Account settings.

12.4 Email Tracking

Our emails may contain tracking technologies (such as tracking pixels and tracked links) that allow us to monitor whether emails have been delivered, opened, and whether links within them have been clicked. We use this data to improve the quality and relevance of our communications and to maintain our sender reputation. You can prevent open tracking by configuring your email client to block remote images.

13. Children's Privacy

Our Service is not directed at or intended for use by children under the age of 18. We do not knowingly collect personal data from anyone under 18 years of age. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that data as soon as reasonably practicable. If you believe a child under 18 has provided us with personal data, please contact us at privacy@davethecarexpert.co.uk.

14. Data Security

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS (Transport Layer Security).
  • Password security: User passwords are hashed using industry-standard one-way hashing algorithms and are never stored in plain text.
  • Payment security: Payment card data is processed exclusively by Stripe, which is PCI DSS Level 1 certified. We never receive, access, or store full card numbers.
  • Access controls: Access to personal data within our systems is restricted to authorised personnel on a need-to-know basis.
  • API security: API keys and credentials for third-party services are stored securely in environment configuration files and are not exposed in client-side code.
  • Session management: User sessions are managed securely with appropriate timeout and invalidation controls.

While we implement robust security measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your data to the best of our ability and in accordance with industry best practices.

15. Data Breaches

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by Article 33 of the UK GDPR.
  • Where the breach is likely to result in a high risk to your rights and freedoms, notify you without undue delay, as required by Article 34 of the UK GDPR, informing you of the nature of the breach, the likely consequences, and the measures we have taken or propose to take to address it.
  • Document the breach, its effects, and the remedial action taken, in accordance with our internal breach response procedures.

Our Service may contain links to third-party websites, services, or platforms (including government websites, vehicle listing platforms, and social media). We are not responsible for the privacy practices, content, or data handling of any third-party site. We encourage you to read the privacy policies of any third-party sites you visit.

Our integration with third-party services (including the DVLA API, DVSA MOT API, GOV.UK Fuel Finder API, Stripe, and AI providers) is governed by those services' own terms and privacy policies. Our use of data obtained from these services is described in this Privacy Policy.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. The updated policy will be published on this page with a revised "Last updated" date.

For material changes that significantly affect how we process your personal data, we will endeavour to provide at least 30 days' notice by email to registered users and/or by prominent notice on the Platform.

Your continued use of the Service after the publication of an updated Privacy Policy constitutes your acknowledgement of the changes. We encourage you to review this page periodically.

Previous versions of this Privacy Policy are available on request by contacting privacy@davethecarexpert.co.uk.

18. Complaints

If you are unhappy with how we have handled your personal data or believe we have not complied with data protection law, we encourage you to contact us first so we can try to resolve the issue:

We aim to respond to all data protection complaints within 30 days.

You also have the right to lodge a complaint with the UK's supervisory authority for data protection:

  • Information Commissioner's Office (ICO)
  • Website: ico.org.uk/make-a-complaint
  • Telephone: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would appreciate the opportunity to address your concerns before you approach the ICO.

19. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or how we handle your personal data, please contact us:

We aim to respond to all privacy-related enquiries within 5 working days, and to formal data subject access requests within one calendar month.