Privacy Policy
Last updated: March 2026
CarFile Ltd ("CarFile", "we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website (carfile.app), mobile applications (iOS and Android), and related services (collectively, the "Service").
Data Controller: CarFile Ltd, a company registered in England and Wales (Company No. 14550359), London, United Kingdom.
By using our Service, you consent to the data practices described in this policy. If you do not agree, please do not use the Service.
1. Information We Collect
1.1 Information You Provide
- Account information (name, email address)
- Vehicle information (registration number, VIN, make, model, year)
- Service and maintenance records you enter
- Expense and fuel records
- Insurance details you enter
- Contact form submissions and support requests
1.2 Information Collected Automatically
When you use our website or mobile apps, we may automatically collect:
- Device information: device type, operating system, unique device identifiers, browser type and version
- Usage data: pages visited, features used, time spent, crash reports and diagnostics
- IP address and approximate location (country/region level)
- App version and performance data
1.3 Payment Information
Payment transactions are processed securely by Stripe. We do not store your full credit card number, CVV, or bank account details on our servers. Stripe may collect and process payment data in accordance with their own privacy policy. We receive billing event data from Stripe via webhooks (e.g., subscription status, payment amounts) but never your card details.
1.4 Push Notifications
With your consent, we may send push notifications to your mobile device for MOT reminders, tax reminders, service alerts, and other relevant updates. You can manage or disable push notifications at any time through your device settings.
2. DVLA Data Integration
We access vehicle data through official DVLA channels. This includes:
- MOT history and status
- Tax status
- Vehicle specifications
- First registration date
This data is accessed in compliance with DVLA's terms of service and UK data protection laws.
3. Lawful Basis for Processing
Under UK GDPR Article 6, we process your personal data on the following legal bases:
Contract Performance (Article 6(1)(b))
We process the following data because it is necessary to provide you with the CarFile service under our Terms of Service:
- Account information (name, email address) — to create and manage your account
- Vehicle data (registration number, VIN, DVLA data, MOT history) — to deliver core vehicle management features
- User-entered data (fuel logs, service history, expenses, insurance records) — to provide tracking and analytics features
- Billing information received from Stripe — to manage your subscription
Legal Obligation (Article 6(1)(c))
- Billing and transaction records — we are required to retain financial records for up to 7 years to comply with HMRC requirements
Legitimate Interest (Article 6(1)(f))
- Usage analytics and service improvement data — to understand how our service is used and to improve it. We have conducted a balancing test and concluded that this processing does not override your rights, as we use aggregated and pseudonymised data where possible and you can opt out via cookie settings
- Fraud prevention and security monitoring — to protect your account and our service
Consent (Article 6(1)(a))
- Analytics cookies (Google Analytics) — only set after you click "Accept" on our cookie banner. You can withdraw consent at any time by clearing your cookies or using our cookie settings
- Marketing communications (if applicable in future) — only with your explicit opt-in
4. Data Retention
We retain your personal data only for as long as necessary for the purposes set out in this policy:
| Data Type | Retention Period |
|---|---|
| Account data (name, email) | Duration of your account plus 30 days after deletion to allow for account recovery |
| Vehicle data (registration, DVLA data, MOT history) | Duration of your account — deleted upon account deletion |
| User-entered data (fuel logs, service history, expenses) | Duration of your account — deleted upon account deletion |
| Billing and transaction records (from Stripe) | 7 years from the date of transaction, as required by HMRC |
| Analytics data | 26 months from collection (Google Analytics default) |
| Support correspondence | 2 years from last interaction |
| Server logs | 90 days |
When you delete your account, we will delete or anonymise your personal data within 30 days, except where we are legally required to retain it (e.g., billing records for HMRC).
5. How We Use Your Information
We use the information we collect to:
- Provide, operate, and maintain the Service
- Send MOT, tax, insurance, and service reminders
- Process payments and prevent fraud
- Send push notifications (with your consent)
- Respond to your enquiries and support requests
- Analyse usage patterns to improve our Service
- Comply with legal obligations
- Detect and prevent technical issues and security threats
6. Our Data Processors
We use the following third-party service providers who process personal data on our behalf:
- Auth0 (Okta Inc.) — User authentication and identity management. Auth0 processes your email address and login credentials. Privacy Policy
- Stripe Inc. — Payment processing and subscription management. Stripe processes your payment card details (which we never see or store) and provides us with billing event data via webhooks. Privacy Policy
- Google Analytics (Google LLC) — Usage analytics to improve our service. Processes pseudonymised usage data only with your cookie consent. Privacy Policy
- Cloudflare Inc. — Content delivery, DDoS protection, and security. Privacy Policy
- DVLA (VES API) — Vehicle enquiry data (make, model, MOT, tax status). Governed by DVLA terms of use.
- MOT History API (DVSA) — MOT test history for vehicles. UK Government service.
- Rapidcarcheck — Additional vehicle history checks. UK-based. Privacy Policy
- Apple Push Notification Service (APNs) — Push notifications on iOS devices
- Firebase Cloud Messaging (FCM) — Push notifications on Android devices
7. Data Security
We implement industry-standard security measures to protect your personal information. All data is encrypted in transit (TLS/SSL) and at rest. Your personal data is stored on dedicated servers co-located at Telepoint data centre in Sofia, Bulgaria (European Union). Bulgaria is covered by the UK's adequacy decision for the EU/EEA under the UK GDPR, meaning your data receives an equivalent level of protection. Backups are maintained on the same infrastructure. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.
8. Data Sharing
We do not sell, trade, or rent your personal information. We may share your information only:
- With your consent
- To comply with legal obligations
- With service providers who assist in our operations (under strict data processing agreements)
- To protect our rights and prevent fraud
9. International Data Transfers
Your personal data may be transferred to, and processed in, countries outside the United Kingdom. We ensure that appropriate safeguards are in place for each transfer:
International Processors
| Service Provider | Purpose | Location | Safeguard |
|---|---|---|---|
| Telepoint Sofia (our servers) | Data hosting and storage | Bulgaria (EU) | UK adequacy decision for EU/EEA |
| Auth0 (Okta Inc.) | Authentication | United States | UK Extension to EU-US Data Privacy Framework |
| Stripe Inc. | Payment processing | United States | UK Extension to EU-US Data Privacy Framework |
| Google LLC (Analytics) | Website and app analytics | United States | UK Extension to EU-US Data Privacy Framework |
| Cloudflare Inc. | CDN and security | United States / Global | UK Extension to EU-US Data Privacy Framework |
UK-Based Processors
| Service Provider | Purpose | Location |
|---|---|---|
| DVLA (VES API) | Vehicle data lookup | United Kingdom |
| MOT History API | MOT history data | United Kingdom |
| Rapidcarcheck | Vehicle history checks | United Kingdom |
We only transfer data to countries or organisations that provide an adequate level of protection as recognised by the UK Government, or where appropriate safeguards such as Standard Contractual Clauses (SCCs) are in place.
10. Your Rights
Under UK GDPR, you have the right to:
- Access your personal data
- Correct inaccurate data
- Delete your data ("right to be forgotten")
- Restrict processing of your data
- Object to data processing
- Data portability — receive your data in a structured, machine-readable format
- Withdraw consent at any time where processing is based on consent
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
Right to Complain to the ICO
If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:
- Website: ico.org.uk/make-a-complaint
- Telephone: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would appreciate the opportunity to address your concerns before you contact the ICO, so please reach out to us first at [email protected].
11. Account Deletion
You can request deletion of your account and all associated personal data at any time by:
- Using the "Delete Account" option in your account settings within the app
- Visiting our Account Deletion page
- Emailing us at [email protected]
Upon receiving a valid deletion request, we will delete your account and personal data within 30 days. Some data may be retained as required by law (e.g., payment records for tax purposes).
12. Children's Data
Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children or minors. If you are under 18, please do not use our Service or provide any personal data to us.
If we become aware that we have collected personal data from a person under 18, we will take steps to delete that information promptly. If you believe we may have collected data from a child, please contact us at [email protected].
13. Cookies
Our website uses cookies and similar technologies:
- Essential cookies: required for the website to function (session management, security, preferences)
- Analytics cookies: help us understand how you use our website (Google Analytics, only with your consent)
You can manage your cookie preferences through the cookie banner displayed on first visit, or through your browser settings. For full details, please see our Cookie Policy. Our mobile apps do not use cookies.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. For significant changes, we may also notify you via email or through the app. Your continued use of the Service after changes constitutes acceptance of the updated policy.
15. Contact Us
If you have any questions about this Privacy Policy or our data practices, or if you wish to exercise any of your rights, please contact us:
Data Protection Contact: Iliya Hristov (Founder & Data Controller)
Email: [email protected]
Address: CarFile Ltd, London, United Kingdom
Company Number: 14550359 (registered in England and Wales)
ICO Registration: [Registration pending]