Privacy Policy

Last updated: 21 December 2025

1. Who we are

FaultyCar.co.uk provides tools and guidance to help UK consumers reject faulty vehicles under the Consumer Rights Act 2015. We are not solicitors and do not provide legal advice.

2. Information we collect

We collect information you provide directly to us, including:

  • Account information: Your name, email address, phone number, and postal address when you create an account or update your profile.
  • Case information: Details about your vehicle, dealer, purchase, finance arrangements, and the fault you are reporting.
  • Evidence: Photos, videos, and documents you upload to support your case.
  • Payment information: We use Stripe to process payments. We do not store your full card details on our servers.
  • Communications: When you contact us via our contact form or email.

3. How we use your information

We use your information to:

  • Provide our services, including generating letters and tracking your case
  • Send you deadline reminders and case updates via email
  • Process payments
  • Respond to your enquiries
  • Improve our services

4. Legal basis for processing

We process your personal data on the following bases:

  • Contract: To provide the services you have paid for
  • Legitimate interests: To improve our services and communicate with you about your case
  • Legal obligation: To comply with applicable laws

5. Data sharing

We do not sell your personal data. We may share your information with:

  • Service providers: Including Stripe (payments), Supabase (database and authentication), Resend (emails), and Vercel (hosting)
  • Legal requirements: If required by law or to protect our rights

6. Data retention

We retain your case data for 6 years from the date of your last activity, in line with the limitation period for most civil claims in England and Wales. You can request deletion of your data at any time by contacting us.

7. Your rights

Under UK GDPR, you have the right to:

  • Access your personal data
  • Correct inaccurate data
  • Request deletion of your data
  • Object to processing
  • Request data portability
  • Withdraw consent (where applicable)

To exercise these rights, please contact us using the details below.

8. Cookies

We use essential cookies to keep you logged in and remember your preferences. We do not use advertising or tracking cookies.

9. Document and evidence storage

When you upload evidence to support your case (photos, videos, documents), we store these files securely using the following measures:

  • Private storage: All uploaded files are stored in a private cloud storage bucket. Files are not publicly accessible and cannot be accessed via direct URL.
  • Access control: Files are organised by user and case. You can only access files belonging to your own cases. Each file request is authenticated and authorised before access is granted.
  • Signed URLs: When you view your evidence, we generate temporary signed URLs that expire after 1 hour. This means even if a URL were shared, it would quickly become invalid.
  • Encryption: Files are encrypted at rest using AES-256 encryption. All transfers use TLS/HTTPS encryption.
  • Deletion: When you delete evidence from your case, the file is permanently removed from our storage systems.

Your evidence files are stored with our infrastructure provider, Supabase, which maintains SOC 2 Type II compliance and uses enterprise-grade security measures.

10. Security

We take the security of your data seriously and implement multiple layers of protection:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3 (HTTPS).
  • Encryption at rest: Your data is encrypted when stored in our database and file storage using AES-256 encryption.
  • Secure authentication: We use industry-standard authentication with secure password hashing. Passwords are never stored in plain text.
  • Payment security: All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We never see or store your full card details.
  • Infrastructure security: Our application is hosted on Vercel and our database on Supabase, both of which maintain robust security certifications and practices.

While we implement industry-standard security measures, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to protecting your information to the best of our ability.

11. Changes to this policy

We may update this privacy policy from time to time. We will notify you of any significant changes by email or through our website.

12. Contact us

If you have any questions about this privacy policy or how we handle your data, please contact us.