Privacy Policy

How we handle your data

Learn how we protect your personal information and data privacy.

Effective Date: 1st June 2026
Last Updated: 1st June 2026

1. Introduction & Who We Are

Welcome to CheckVehicle.AI! We are committed to safeguarding your privacy and protecting your personal data.

This Privacy Policy explains how we collect, use, store, share, and protect your information when you access our website, use our vehicle history reports, query our API, or otherwise interact with us.

Our practices are fully aligned with the strict standards of the United Kingdom and European Union data protection laws, including:

  • The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
  • The EU General Data Protection Regulation (EU GDPR).
  • The Privacy and Electronic Communications Regulations (PECR).
  • The EU ePrivacy Directive and the EU Digital Markets Act (DMA).

CheckVehicle.AI is operated by Dot Squad Ltd, who acts as the Data Controller for your information. If you have any questions, concerns, or requests regarding your privacy, please feel free to reach out to us at hi [@] checkvehicle.ai.

2. Information We Process

We collect different types of data depending on how you use our Services. This details both what we collect and why:

2.1 Information You Provide to Us

  • Account and Profile Details: When you create an account or sign up for our services, we collect your email address, name, physical address, and telephone number. This allows us to secure your access and communicate with you.
  • Support and Queries: If you fill out a contact form or message our team, we collect your contact info and the contents of your message so we can answer your query.
  • Billing Details: When you buy a report, we collect billing details and transaction confirmations. Please note that your actual payment is handled securely by our licensed processor, Mollie. We never see or store your raw credit or debit card details.

2.2 Information We Collect Automatically

  • Device and Browser Information: As you browse the website, we receive technical logs containing your browser type, device type, operating system, and access times. This helps us display our pages correctly.
  • Diagnostic Data: If our website experiences a crash or error, technical details about the event—such as request headers and diagnostic traces—are processed so that we can find and fix software bugs.
  • Consent Preferences: We store a record of your cookie and tracking consent preferences so we can respect your privacy choices on future visits.
  • Abuse and Rate Limit Metrics: To protect our free service from automated abuse, we process your IP address and obscured technical indicators (such as anonymised device signals). These are used to enforce fair-use limits for anonymous visitors, and for signed-in users. Counters are maintained server-side; a signed browser cookie mirrors the anonymous count for defence in depth.

2.3 Vehicle Information

Because our primary service is vehicle history analysis, we process technical information about cars. This includes:

  • Vehicle Identification Marks: Registration numbers (license plates), Vehicle Identification Numbers (VINs), and technical details (make, model, engine size, year, and fuel type).
  • Vehicle Risk Indicators: Details regarding outstanding finance, MOT histories and defects, mileage records, previous owners, write-off markers, and salvage or auction records.
  • Our Commitment to Privacy: In the UK and EU, while technical car specifications are generally public, a vehicle registration plate can occasionally be connected back to an individual (such as a registered keeper). We treat all vehicle registration plates with strict care, and we enforce redaction rules so that no private owner names, registration certificate details (V5C numbers), or personal addresses are ever exposed to the public.

3. How We Gather Your Information

We gather information from three main sources:

  • Directly From You: When you enter a plate, purchase a report, create an account, or contact our support team.
  • Automated Technologies: When you interact with our pages, we use cookies and browser storage to remember your preferences and run analytics. These tools are strictly governed by our consent settings.
  • Official Registers & Partners: We compile vehicle history in real time by retrieving records from authorised public databases, the DVLA, MOT registers, insurance records, and commercial salvage or finance databases.

4. Our Legal Bases for Processing Data

Under UK and EU GDPR, we must have a specific "lawful basis" to process your personal data. We rely on three distinct legal paths:

4.1 Fulfilling Our Contract With You

We process your personal information when it is absolutely necessary to deliver the services you have actively requested. This includes:

  • Generating and delivering the vehicle history reports you purchase.
  • Managing your registered user account and keeping your portal secure.
  • Handling payment transactions, invoice generation, and refunds.

4.2 Operating Under Our Legitimate Interests

We process technical data when it supports vital business operations, provided those operations do not override your privacy rights. This includes:

  • Bot Mitigation: Using security challenges to protect our servers from automated scrapers, DDoS attacks, and malicious bots.
  • Abuse Control: Enforcing a fair-use limit (up to three free vehicle checks per user) using local counters and rate-limiting to prevent service exploitation.
  • System Health: Analysing crash reports and error logs to maintain the stability and security of our software.

4.3 Relying on Your Explicit Consent

We only process data for analytical, optimisation, and marketing purposes if you have given us your active, informed permission. This includes:

  • Running web analytics and user flow tracking to improve our interface.
  • Showing you relevant recommendations or running advertising campaigns.
  • You hold absolute control over this consent. You can accept or reject these trackers when you first visit, and you can change your mind at any time via the "Cookie preferences" link in our footer.

5. How We Manage Cookies & Browser Storage

To provide a smooth experience, protect our systems, and measure website use, we employ cookies and similar browser storage tools (like localStorage and sessionStorage).

5.1 Our Compliance Model

We follow the strict "Opt-In First" principles of PECR and the EU ePrivacy Directive.

  • By default, all non-essential scripts, trackers, and cookies are blocked.
  • Only strictly necessary security, authentication, and core application files will load before you make a selection.
  • If you click "Reject All" or close our banner without accepting, no analytics or marketing pixels will fire.
  • Your choices are entirely granular—you can choose to allow analytics but block marketing, or vice-versa.

5.2 Our Cookie and Storage Groups

Group 1: Strictly Necessary (Always On)

These items are required to secure the site, authenticate your login, and run the core vehicle search machinery.

  • Supabase Authentication: Stores a secure, encrypted token when you sign in, enabling you to access your personal dashboard.
  • Cloudflare Security: Manages bot challenges and CAPTCHAs, verifying that you are a real human and preventing malicious scraping.
  • Consent Manager: Saves a simple, local cookie to remember your privacy choices so we do not prompt you on every page load.
  • Free-Check Counter: Maintains a signed, tamper-proof counter to enforce our free check fair-use limits.

Group 2: Functional Preferences (Consent Recommended)

These items are used to customise your experience on our website.

  • Search History: Saves a local list of the last few registration plates you checked, letting you easily revisit them. This is only active if you enable Functional cookies.
  • Theme Preferences: Remembers whether you prefer viewing our site in dark mode or light mode.

Group 3: Analytics & Statistics (Consent Required)

These tools help us count visits, analyse popular pages, and monitor for code errors. They are blocked by default.

  • PostHog Analytics: Measures how you interact with our pages, including user paths and error occurrences. We proxy this data internally through our own domain to protect your privacy and limit third-party exposure.
  • Google Analytics (GA4): Tracks aggregate engagement trends, session lengths, and conversion benchmarks.
  • Sentry Diagnostics: Temporarily stores technical performance data and system logs so we can diagnose site crashes.

Group 4: Advertising & Marketing (Consent Required)

These third-party pixels let us measure our advertising campaigns. They are handled securely via Google Tag Manager and are only activated if you grant marketing consent.

  • Google Ads Linker: Attributes your purchases back to Google Search results to measure marketing campaigns.
  • Meta Pixel: Measures conversion success and assists in delivering relevant ads on Facebook and Instagram.
  • Bing Ad Tracker: Attributes purchases back to Microsoft Bing search campaigns.
  • DoubleClick & Display Networks: Evaluates cross-site ad placements and display campaign performance.

6. Consent Mode v2 & The Digital Markets Act (DMA)

We fully support Google Consent Mode v2 to respect the privacy rules of the European Economic Area (EEA) and the EU Digital Markets Act.

When you navigate our website:

  • If you decline consent, Google services enter a restricted, cookie-less state. They do not read or write tracking cookies, and they pass only anonymous, aggregate "pings" to prevent user tracking.
  • If you approve consent, Google tags transition to a fully functional state, supporting conversion analysis and marketing audiences.
  • You can re-open our cookie consent preferences anytime using the "Cookie preferences" link in our page footer to update or revoke your selections.

7. Our Trusted Partners (Data Processors)

We never sell, rent, or trade your personal information. To deliver our services, we partner with trusted software platforms (data processors). Every partner has signed a binding Data Processing Agreement (DPA) with us, ensuring they protect your data under the same strict standards we do:

  • Database & Auth: Supabase Inc (databases are hosted in secure UK/EU datacenters).
  • Payment Gateway: Mollie B.V. (licensed payment institution processing all purchases securely).
  • Content Management: Sanity.io (hosts our website text, articles, and pages).
  • Hosting & Delivery: Vercel Inc (provides secure serverless hosting and routing).
  • Analytics Engine: PostHog Inc (powers our product analytics).
  • System Health: Sentry (processes application diagnostics and errors).
  • Security & CDN: Cloudflare Inc (provides firewalls and CAPTCHA Turnstile).
  • Quota & Rate Limits: Upstash Inc (manages secure Redis clusters for rate limiting).
  • Advertising & Marketing: Google LLC and Meta Platforms Inc (provide optional GTM, GA4, and ad metrics, strictly gated by your consent).

International Data Transfers

We prioritise UK and EU data centres. In cases where our processors store information on secure servers outside the UK or European Economic Area (such as the United States), those transfers are governed by Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring your rights remain fully protected.

8. Data Retention

We keep your personal information only as long as necessary to fulfil the services we described, satisfy legal audits, or meet regulatory requirements:

  • Account Records: Stored until you close or delete your account.
  • Vehicle History Reports: Saved in your user panel for up to 12 months for easy access, or longer if required by financial auditing.
  • Technical & Diagnostic Logs: Anonymised or purged within 30 to 90 days.
  • Consent Preferences: Saved for 12 months, after which we will ask you to confirm your settings again.
  • Free-Check Quota Counter (IP/Account): Both counters expire in their time window (within 30 days).

9. Your GDPR Rights & How to Exercise Them

If you are located in the UK or the EEA, you have robust, enforceable rights regarding your personal data:

  • Right of Access: You can ask for a copy of all the personal information we hold about you.
  • Right to Rectification: You can request that we update or correct any inaccurate details.
  • Right to Restriction: You can ask us to pause the processing of your data in certain scenarios.
  • Right to Portability: You can request your data in a structured, readable format to transfer it elsewhere.
  • Right to Object: You can object to us processing your data based on our legitimate interests or for direct marketing.
  • Right to Erasure (The "Right to be Forgotten"): You can ask us to permanently delete all your personal data from our systems.

9.1 Our Deletion & Erasure Workflow

To give you complete peace of mind, we have built an automated erasure system. When you submit a delete request:

  1. We permanently erase or hard-anonymise your user profile in our Supabase databases and application tables.
  2. We trigger the PostHog Deletion API to permanently wipe your user profile, distinct IDs, and session metrics from our analytics.
  3. We send automatic deletion notices to Sentry, Mollie, and our mailing providers to completely clear your technical profiles and billing links.
  4. Your local browser cookies are cleared on your very next visit.

To exercise any of your rights, simply contact us through our form. We will verify your identity to protect your security and fulfil your request within 30 calendar days, at no cost.

10. Regulatory Complaints

If you feel we have processed your data in a way that violates privacy regulations, you have a legal right to file a complaint with a supervisory authority:

  • In the UK: The Information Commissioner’s Office (ICO).
  • In the EU: Your local national Data Protection Authority (such as the DPC in Ireland, CNIL in France, or BfDI in Germany).

11. Children's Privacy

Our Services are not designed for or targeted at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If we learn that we have accidentally collected data from a child under 16, we will erase it immediately.

12. Updates to This Policy

We will occasionally update this Privacy Policy to reflect upgrades in our code, new features, or changes in data protection laws. When we publish changes, we will update the "Last Updated" date at the top. If the changes significantly affect your cookie preferences, we will show the consent banner to let you review the new settings.