Privacy Policy

Last Updated: November 2025

1. Introduction

CarHPI Limited (“we”, “us”, “our”) is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use CarHPI.com (“the Website”, “the Service”).

This policy is designed to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Controller: CarHPI Limited
Contact: privacy@carhpi.com
Address: [Your Business Address]

By using our Service, you agree to the collection and use of information in accordance with this Privacy Policy.

2. Information We Collect

2.1 Personal Information You Provide

When you use our Service, we collect information you voluntarily provide:

Account Registration:

  • Email address (required)
  • Password (encrypted and never stored in plain text)
  • First name and last name (optional)
  • Marketing consent preferences

Vehicle Checks:

  • Vehicle Registration Marks (VRMs) you search
  • Email address (for guest users without accounts)
  • Check tier selected (FREE, SILVER, GOLD)
  • Date and time of checks

Payment Information:

  • Billing name
  • Billing email
  • Payment method details (processed securely by Stripe)
  • Transaction history
  • Bundle purchase records

Communications:

  • Content of emails or messages you send us
  • Support ticket information
  • Feedback and review submissions

2.2 Information Automatically Collected

Usage Data:

  • IP address
  • Browser type and version
  • Operating system
  • Pages visited and time spent
  • Referring website
  • Device information
  • Date and time of access

Cookies and Tracking:

  • Essential cookies for functionality
  • Session management cookies
  • Preference cookies (optional)
  • Analytics cookies (optional, with consent)

2.3 Information from Third Parties

Payment Processor (Stripe):

  • Payment confirmation
  • Transaction status
  • Fraud detection signals

Vehicle Data Providers:

  • We retrieve vehicle information from third-party databases (DVLA, MOT History, MIAFTR, etc.) based on the VRM you provide
  • This data is about vehicles, not individuals, but may include keeper information in GOLD tier checks

3. How We Use Your Information

3.1 Legal Basis for Processing

We process your personal data under the following legal bases:

Contract Performance:

  • To provide the Service you’ve requested:
  • Processing vehicle checks
  • Delivering reports
  • Managing your account
  • Processing payments

Legitimate Interests:

  • For our business operations:
  • Improving our Service
  • Preventing fraud
  • Security monitoring
  • Customer support
  • Business analytics

Legal Obligations:

  • To comply with laws:
  • Tax records
  • Financial reporting
  • Fraud prevention regulations
  • Data protection compliance

Consent:

  • Where you’ve given explicit permission:
  • Marketing communications
  • Optional analytics cookies
  • Newsletter subscriptions

3.2 Specific Uses

To Provide the Service:

  • Generate vehicle history reports
  • Retrieve data from third-party sources
  • Process payments via Stripe
  • Send transactional emails (receipts, reports)
  • Manage bundle credits
  • Enable account access and authentication

To Improve the Service:

  • Analyze usage patterns and trends
  • Identify technical issues
  • Optimize user experience
  • Develop new features

To Communicate:

  • Send order confirmations and receipts
  • Deliver vehicle check results
  • Respond to support requests
  • Send account-related notifications
  • Provide password reset functionality

Marketing (with consent only):

  • Send promotional emails about our services
  • Notify about special offers or bundles
  • Announce new features (e.g., SpareCarPart.com launch)
  • Request reviews and feedback

Security and Compliance:

  • Detect and prevent fraud
  • Monitor for abuse or violations
  • Comply with legal obligations
  • Respond to legal requests
  • Protect our rights and property

4. Data Sharing and Disclosure

4.1 Third-Party Service Providers

We share data with trusted partners who help us operate:

Stripe (Payment Processing):

  • Payment card details (tokenized, not stored by us)
  • Billing information
  • Transaction amounts
  • Purpose: Secure payment processing
  • Location: EU/UK servers
  • Privacy Policy: https://stripe.com/privacy

Vehicle Data Global (Data Provider):

  • VRMs you search
  • Check type requested
  • Purpose: Retrieve vehicle history data
  • Location: UK
  • Data Protection: UK GDPR compliant

Email Service Provider:

  • Email addresses
  • Names (if provided)
  • Email preferences
  • Purpose: Deliver transactional and marketing emails
  • Location: EU/UK servers

Web Hosting Provider:

  • Website usage data
  • IP addresses
  • Purpose: Host and deliver the Website
  • Location: UK servers

Analytics Services (with consent):

  • Anonymous usage statistics
  • Page views and navigation
  • Purpose: Understand user behavior and improve Service
  • Tools: Google Analytics (anonymized IP)

4.2 Legal Requirements

We may disclose your information if required to:

  • Comply with court orders or legal processes
  • Respond to law enforcement requests
  • Protect our rights or property
  • Investigate fraud or security issues
  • Enforce our Terms and Conditions
  • Protect safety of users or the public

4.3 Business Transfers

If CarHPI Limited is acquired, merged, or sells assets, your personal data may be transferred to the acquiring entity. You will be notified of any such change via email and/or prominent notice on our Website.

4.4 What We DON’T Do

We will NEVER:

  • Sell your personal data to third parties
  • Share your data for third-party marketing without consent
  • Provide your email to other companies
  • Use your data in ways not described in this policy

5. Data Retention

5.1 How Long We Keep Your Data

Account Information:

  • Retained while your account is active
  • Deleted within 30 days of account closure (unless legal retention required)

Transaction Records:

  • Retained for 7 years (legal requirement for financial records)
  • Includes: transaction IDs, amounts, dates, VRMs checked

Vehicle Check History:

  • Retained while your account is active
  • You can delete individual checks from your account
  • Deleted 30 days after account closure

Marketing Consents:

  • Retained until you withdraw consent
  • Deleted within 30 days of unsubscribe

Support Communications:

  • Retained for 2 years for quality and training purposes
  • Can be deleted upon request (subject to legal requirements)

Server Logs and Analytics:

  • Anonymized after 90 days
  • Aggregate statistics retained indefinitely

5.2 Guest Users (No Account)

If you perform checks without creating an account:

  • Email and VRM stored for 24 months
  • Used only for delivering your report and customer support
  • Can request deletion at any time via privacy@carhpi.com

6. Data Security

6.1 Security Measures

We implement industry-standard security measures:

Technical Safeguards:

  • SSL/TLS encryption for all data transmission
  • Encrypted password storage (bcrypt hashing)
  • Secure database access controls
  • Regular security updates and patches
  • Firewall protection
  • Intrusion detection systems

Organizational Safeguards:

  • Limited employee access to personal data
  • Staff training on data protection
  • Secure authentication requirements
  • Regular security audits
  • Incident response procedures

Payment Security:

  • No credit card numbers stored on our servers
  • Stripe handles all card data (PCI DSS Level 1 compliant)
  • Tokenized payment processing

6.2 Data Breach Notification

In the unlikely event of a data breach:

  • We will assess the risk to your rights and freedoms
  • Notify the ICO within 72 hours if required
  • Notify affected users without undue delay if high risk
  • Provide clear information about the breach and mitigation steps

6.3 Your Responsibility

Please help us protect your data by:

  • Choosing a strong, unique password
  • Not sharing your account credentials
  • Logging out after use on shared devices
  • Keeping your contact information current
  • Reporting suspicious activity immediately

7. Your Rights Under UK GDPR

7.1 Right of Access

You have the right to request:

  • Confirmation that we process your data
  • A copy of your personal data
  • Information about how we use your data

How to exercise: Email privacy@carhpi.com with “Subject Access Request” in the subject line. We will respond within 30 days.

7.2 Right to Rectification

You have the right to:

  • Correct inaccurate personal data
  • Complete incomplete data

How to exercise: Update information in your account settings or email privacy@carhpi.com.

7.3 Right to Erasure (“Right to be Forgotten”)

You have the right to request deletion of your data when:

  • Data is no longer necessary for its original purpose
  • You withdraw consent (where consent was the legal basis)
  • You object to processing (with no overriding legitimate grounds)
  • Data has been unlawfully processed

Limitations: We may retain data if required by law (e.g., 7-year financial records) or for legal claims.

How to exercise: Email privacy@carhpi.com or delete your account through account settings.

7.4 Right to Restriction of Processing

You have the right to request we limit processing when:

  • You contest data accuracy (during verification)
  • Processing is unlawful but you prefer restriction over deletion
  • We no longer need the data but you need it for legal claims
  • You’ve objected to processing (pending verification)

How to exercise: Email privacy@carhpi.com with specific request.

7.5 Right to Data Portability

You have the right to:

  • Receive your data in a structured, machine-readable format
  • Transfer your data to another service provider

Applies to: Data processed by automated means based on consent or contract.

How to exercise: Email privacy@carhpi.com requesting data export.

7.6 Right to Object

You have the right to object to:

  • Processing based on legitimate interests
  • Direct marketing (at any time, no justification needed)
  • Automated decision-making and profiling

How to exercise:

  • Click “unsubscribe” in marketing emails
  • Adjust preferences in account settings
  • Email privacy@carhpi.com

7.7 Right to Withdraw Consent

Where processing is based on consent:

  • You can withdraw consent at any time
  • Withdrawal doesn’t affect prior lawful processing
  • Easy mechanisms provided (unsubscribe links, account settings)

How to exercise: Use unsubscribe links or email privacy@carhpi.com.

7.8 Right to Lodge a Complaint

If you’re unhappy with how we handle your data:

  • Contact us first at privacy@carhpi.com – we want to resolve issues
  • You can complain to the UK Information Commissioner’s Office (ICO):
  • Website: https://ico.org.uk/make-a-complaint/
  • Phone: 0303 123 1113
  • Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

8. Cookies and Tracking Technologies

8.1 What Are Cookies?

Cookies are small text files stored on your device when you visit websites. They help us provide and improve our Service.

8.2 Types of Cookies We Use

Strictly Necessary Cookies (No consent required):

  • Session authentication
  • Security tokens
  • Load balancing
  • Basic functionality

Functionality Cookies (Optional):

  • Language preferences
  • Display settings
  • Remember login status

Analytics Cookies (Optional, with consent):

  • Google Analytics (anonymized)
  • Page view tracking
  • User journey analysis
  • Performance monitoring

We do NOT use:

  • Advertising cookies
  • Cross-site tracking
  • Social media pixels (except on social share buttons)

8.3 Managing Cookies

Browser Settings:

  • Most browsers allow you to refuse or delete cookies
  • Instructions vary by browser (Chrome, Firefox, Safari, Edge)
  • Note: Blocking essential cookies may affect functionality

Our Cookie Consent Banner:

  • Appears on first visit
  • Allows granular control of optional cookies
  • Can be changed anytime in account settings or footer link

Google Analytics Opt-Out:

  • Browser plugin available at: https://tools.google.com/dlpage/gaoptout

8.4 Do Not Track

We respect “Do Not Track” signals where technically feasible. When enabled, we will not deploy optional tracking cookies.

9. International Data Transfers

9.1 Where We Store Data

Your data is primarily stored on servers located in the United Kingdom.

9.2 Transfers Outside the UK

Some of our service providers may process data outside the UK (e.g., Stripe has EU servers). When this occurs:

  • We ensure adequate safeguards are in place
  • Transfers comply with UK GDPR requirements
  • Standard contractual clauses or adequacy decisions apply

Service Providers with International Operations:

  • Stripe: EU/UK (GDPR compliant, adequate data protection)
  • Google Analytics: USA (using GA4 with enhanced privacy settings)

We do not transfer data to countries without adequate data protection unless legally required and with appropriate safeguards.

10. Children’s Privacy

CarHPI.com is not intended for users under 18 years of age.

  • We do not knowingly collect data from children under 18
  • If we discover we’ve collected data from a child, we will delete it promptly
  • Parents or guardians: If you believe your child has provided us with personal data, contact privacy@carhpi.com immediately

11. Automated Decision-Making and Profiling

11.1 Fraud Detection

We use automated systems to detect fraudulent transactions:

  • Analysis of payment patterns
  • IP address geolocation checks
  • Transaction velocity monitoring

Impact: Suspicious transactions may be automatically declined.

Your Rights: You can request human review of automated decisions by contacting support@carhpi.com.

11.2 Marketing Segmentation

We may use data to segment users for targeted marketing (with consent):

  • Check history analysis
  • Bundle purchase behavior
  • Engagement patterns

Impact: You may receive more relevant marketing communications.

Your Rights: Opt out of marketing anytime via unsubscribe links or account settings.

11.3 No Profiling for Core Service

We do NOT use automated profiling to:

  • Determine pricing (everyone pays the same)
  • Restrict service access
  • Make decisions affecting your rights

12. Third-Party Links

Our Website may contain links to external sites (e.g., Trustpilot, social media).

Important:

  • We are not responsible for the privacy practices of third-party sites
  • This Privacy Policy applies only to CarHPI.com
  • We encourage you to review privacy policies of any sites you visit

Third-Party Services We Link To:

  • Trustpilot (reviews)
  • Stripe (payment processing)
  • Social media platforms (if you choose to share)

13. Marketing Communications

13.1 What We Send (With Your Consent)

Promotional Emails:

  • Special offers and discounts
  • Bundle package announcements
  • New feature notifications
  • Partner services (e.g., SpareCarPart.com launch)

Frequency: Maximum 2 marketing emails per month (excluding transactional emails).

13.2 Transactional Emails (No Opt-Out)

These are essential to the Service:

  • Order confirmations and receipts
  • Vehicle check results
  • Password reset requests
  • Account security notifications
  • Important service updates

13.3 Unsubscribe Options

You can opt out of marketing at any time:

  • Click “unsubscribe” link in any marketing email
  • Adjust email preferences in account settings
  • Email marketing@carhpi.com with “unsubscribe” request
  • We will process within 48 hours

Important: Unsubscribing from marketing does not stop transactional emails.

14. Data Protection Officer

Given the scale and nature of our operations, we may appoint a Data Protection Officer (DPO) in the future. Currently, data protection queries should be directed to:

Email: privacy@carhpi.com
Subject Line: Please include “Data Protection Query” for priority handling
Response Time: We aim to respond within 5 business days

15. Changes to This Privacy Policy

15.1 Policy Updates

We may update this Privacy Policy to reflect:

  • Changes in laws or regulations
  • New features or services
  • Feedback from users or regulators
  • Industry best practices

15.2 Notification of Changes

Significant Changes:

  • Prominent notice on the Website
  • Email notification to registered users
  • 30 days notice before changes take effect (where possible)

Minor Changes:

  • Updated “Last Updated” date at top of policy
  • Changes effective immediately upon posting

15.3 Your Continued Use

Continued use of the Service after changes constitutes acceptance of the updated Privacy Policy. If you disagree with changes, please discontinue use and contact us about account deletion.

16. Contact Us

16.1 Privacy Questions

For questions, concerns, or requests regarding this Privacy Policy or your personal data:

Email: privacy@carhpi.com
Support: support@carhpi.com
Postal Address: CarHPI Limited, [Your Business Address]

16.2 Data Subject Requests

For exercising your UK GDPR rights (access, deletion, rectification, etc.):

Email: privacy@carhpi.com
Subject: Include request type (e.g., “Subject Access Request”, “Deletion Request”)
Include:

  • Your full name
  • Email address associated with your account
  • Account username (if applicable)
  • Specific details of your request

Verification: We may request additional information to verify your identity before processing requests.

Response Time: We aim to respond within 30 days (may be extended to 60 days for complex requests).

16.3 Supervisory Authority

Information Commissioner’s Office (ICO)**
Website: https://ico.org.uk
Phone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

17. Glossary

Personal Data: Information relating to an identified or identifiable person.

Processing: Any operation performed on personal data (collection, storage, use, disclosure, deletion).

Data Controller: The entity that determines purposes and means of processing (CarHPI Limited).

Data Processor: A third party that processes data on behalf of the controller (e.g., Stripe, hosting provider).

Consent: Freely given, specific, informed agreement to processing.

Legitimate Interests: Processing necessary for our business interests (balanced against your rights).

UK GDPR: UK General Data Protection Regulation (retained EU law post-Brexit).

DPA 2018: Data Protection Act 2018 (supplements UK GDPR).

ICO: Information Commissioner’s Office (UK data protection supervisory authority).

Summary of Key Points

What we collect: Email, VRMs searched, payment info, usage data

Why we collect it: To provide vehicle checks, process payments, improve service, communicate with you

Who we share it with: Payment processor (Stripe), data providers, email service, hosting provider

Your rights: Access, rectify, delete, restrict, port, object, complain

Security: Industry-standard encryption, secure storage, limited access

Retention: Transaction records 7 years (legal requirement), account data while active, guest data 24 months

Marketing: Only with consent, easy opt-out

Cookies: Essential cookies always, optional analytics with consent

Your control: Manage all preferences in account settings or contact privacy@carhpi.com

Last Updated: November 2025

This Privacy Policy is effective as of the date listed above and applies to all users of CarHPI.com.