Privacy Policy
Last updated: 3 June 2026
FaultyCar Ltd is a company registered in England and Wales.
- Company number: 17242513
- Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ
1. Who we are
This privacy policy explains how FaultyCar Ltd ("we", "us", "our") collects and uses personal data when you use faultycar.co.uk.
We are the data controller for the personal data we process about you. FaultyCar Ltd is a private limited company registered in England and Wales under company number 17242513, with its registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.
We provide tools and guidance to help UK consumers reject faulty vehicles under the Consumer Rights Act 2015. We are not solicitors nor a claims management company, and our service is not required to be authorised or regulated by the Financial Conduct Authority. We do not provide legal advice.
2. How to contact our data protection team
For any questions about how we handle your personal data, or to exercise any of your rights described in section 8, please contact us at dataprotection@faultycar.co.uk.
FaultyCar Ltd has not appointed a formal Data Protection Officer. Our core processing activities do not meet the UK GDPR Article 37 triggers that would require one — we do not undertake large-scale systematic monitoring of individuals, and our core activities do not involve large-scale processing of special-category or criminal-conviction data. The Information Commissioner's Office confirmed in our registration submission that we are not required to appoint a DPO. Rory Webb, Director, is our data protection contact and is responsible for our compliance with this policy.
3. ICO registration
FaultyCar Ltd is registered with the Information Commissioner's Office (ICO) as a data controller. Our public ICO registration number is ZC165345. You can verify this entry on the ICO's public register.
4. What personal data we collect
We collect the following categories of personal data when you use our service:
- Account information: your name, email address, phone number and postal address when you create an account or update your profile.
- Case information: details about your vehicle, the dealer you bought it from, your purchase, any finance arrangements, and the fault you are reporting.
- Evidence: photos, videos and documents you upload to support your case.
- Payment information: payments are processed by Stripe. We do not store your full card number, expiry or CVC on our systems — Stripe handles those directly.
- Communications: the content of messages you send us via the contact form or email.
- Technical and usage data: standard web server logs (IP address, browser type, pages visited) and the cookies and tracking described in section 10.
5. How we use your data and our lawful bases
Under UK GDPR, we must have a lawful basis for each processing activity. The activities we carry out and the lawful basis for each are:
- Account creation and case management — to provide the service you have signed up for. Lawful basis: contract (Article 6(1)(b) UK GDPR).
- Processing payments — to charge you for the service you have purchased. Lawful basis: contract (Article 6(1)(b)).
- Transactional emails — confirmations, case updates, deadline reminders, password resets. Lawful basis: contract (Article 6(1)(b)).
- Marketing emails, if and when we send any — we will rely on your specific consent (Article 6(1)(a)), and every marketing email will include an unsubscribe link.
- Improving our service — limited analytics on how the website is used. Lawful basis: legitimate interests (Article 6(1)(f)), balanced against your privacy.
- Complying with our legal obligations — for example accounting, tax, and responding to lawful requests from regulators or law enforcement. Lawful basis: legal obligation (Article 6(1)(c)).
6. Who we share your data with
We do not sell your personal data. We rely on a small number of carefully selected service providers ("processors") to run our service. We have a Data Processing Agreement in place with each of them that requires them to process your data only on our instructions and to keep it secure.
Our processors are:
- Supabase — provides our database, authentication and file storage. Your account, case and evidence data is held here. Project hosted in AWS Europe (London). Counterparty for our DPA is Supabase Pte. Ltd. (Singapore); the underlying infrastructure is operated by Supabase Inc. (US). International transfers are governed by the EU Standard Contractual Clauses (Module Two, controller-to-processor) and the ICO-approved International Data Transfer Addendum (version B.1.0).
- Stripe — processes payments. Stripe receives your name, email, billing address and card details (the card details go to Stripe directly and are not held on our systems). Counterparty: Stripe Payments Europe, Ltd. (Ireland), with onward transfers to Stripe, Inc. (US) under the Standard Contractual Clauses and UK Addendum.
- Resend — sends transactional emails (account confirmations, case updates, password resets). Resend processes your email address and the contents of those emails. Counterparty: Plus Five Five, Inc. (US), with transfers covered by the Standard Contractual Clauses and UK Addendum.
- Vercel — hosts the faultycar.co.uk website itself. Vercel has runtime access to environment variables that include the credentials our application uses to talk to Supabase, Stripe and Resend. Counterparty: Vercel, Inc. (US), with transfers under the Standard Contractual Clauses and UK Addendum.
- Umami — provides privacy-focused website analytics. Umami does not use cookies and does not collect personally identifying information; we use it to understand how visitors move around the site so we can improve it.
- Meta Pixel (Facebook/Instagram) — measures the effectiveness of any advertising we run on Meta platforms. The Pixel is only loaded if you have given consent via our cookie banner. When loaded, it collects information about your browsing on our site, which Meta may combine with data it holds about you. You can manage your Meta ad preferences at Facebook Ad Preferences.
We may also share personal data where we are required to by law — for example in response to a court order, or to protect our rights, your safety, or the safety of others.
7. International transfers of personal data
Your account, case and evidence data is held in the UK (AWS London region). Some of our processors operate from the United States or elsewhere outside the UK. Where personal data is transferred outside the UK, we rely on the Standard Contractual Clauses together with the ICO-approved International Data Transfer Addendum (version B.1.0) to ensure your data continues to be protected to UK GDPR standards. Where adequacy decisions apply (for example the UK Extension to the EU-US Data Privacy Framework), we rely on those in addition.
8. Your rights under UK GDPR
You have the following rights in relation to the personal data we hold about you:
- Access: ask us for a copy of the personal data we hold about you.
- Rectification: ask us to correct inaccurate or incomplete data.
- Erasure: ask us to delete your personal data (sometimes called "the right to be forgotten"), where we no longer have a lawful basis to keep it.
- Restriction: ask us to stop processing your data in certain circumstances.
- Portability: ask us to provide your data in a structured, machine-readable format so you can move it elsewhere.
- Objection: object to our processing where we rely on legitimate interests.
- Withdraw consent: where we rely on your consent, you can withdraw it at any time.
To exercise any of these rights, email us at dataprotection@faultycar.co.uk. We will respond within one month, as required by UK GDPR.
If you are not satisfied with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk/make-a-complaint or on 0303 123 1113. We would appreciate the chance to address your concerns first.
9. How long we keep your data
We retain personal data only for as long as we need it to provide the service to you and to meet our legal and accounting obligations. We are finalising a written Retention Policy that will set out the specific retention period for each category of data. In the meantime, you can ask us to delete your data at any time by contacting dataprotection@faultycar.co.uk, and we will do so unless we are required by law to retain it (for example for accounting records).
10. Cookies and tracking technologies
We use the following categories of cookies and tracking technologies:
- Essential cookies: needed for the website to work — for example to keep you logged in and remember your preferences. These cannot be switched off.
- Analytics (Umami): a privacy-focused analytics tool that does not use cookies and does not collect personally identifying information.
- Advertising (Meta Pixel): only loaded if you have given consent via our cookie banner. The Meta Pixel collects information about your behaviour on our site and shares it with Meta to measure ad performance and (where you have Meta accounts) to show you relevant ads.
Managing your tracking preferences
You can withdraw consent for non-essential tracking at any time by clearing the cookie banner preference in your browser and refreshing the page. To opt out of Meta advertising tracking specifically, you can adjust your ad preferences at the Facebook Ad Preferences page.
11. How we secure your data
We take the security of your personal data seriously and apply multiple layers of protection:
- Encryption in transit: data transferred between your browser and our servers is encrypted using TLS.
- Encryption at rest: data stored in our database and file storage is encrypted using AES-256.
- Access control: evidence files you upload are stored in a private bucket and can only be accessed by you, via short-lived signed URLs that expire after one hour.
- Authentication: we use industry-standard authentication with secure password hashing. Passwords are never stored in plain text.
- Payment security: all payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We never see your full card details.
No system can be perfectly secure, but we follow industry-standard practices and review them regularly.
FaultyCar Ltd also holds Cyber and Data insurance with regulatory defence cover, ensuring we can respond properly to any incident affecting your data, including engaging legal, forensic and breach-notification specialists if required.
12. Personal data breaches
If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we are required by UK GDPR to notify the Information Commissioner's Office within 72 hours of becoming aware of it. We will also notify you directly without undue delay if the breach is likely to result in a high risk to your rights and freedoms. We are committed to meeting these timelines.
13. Changes to this policy
We may update this privacy policy from time to time. If we make significant changes, we will notify you by email or through a prominent notice on the website. The "Last updated" date at the top of this page tells you when the policy was last revised.
14. Contact us
For privacy questions or to exercise any of your data subject rights, email dataprotection@faultycar.co.uk.
For any other queries, use the contact form or email support@faultycar.co.uk.