Privacy Policy
Last updated: 6 June 2026
This Privacy Policy explains how DealerSoftware (“we”, “our”, “us”) collects, uses, stores and shares personal data when you use the DealerSoftware platform (“the Service”). DealerSoftware is a sole trader based in the United Kingdom and is the data controller for the personal data described in Section 2 below.
If you have any questions about this policy or want to exercise any of your rights, contact us at support@dealersoftware.co.uk.
1. Who this policy applies to
This policy covers:
- Dealers — UK car dealerships and their staff who sign up for an account and use the Service.
- Visitors to dealersoftware.co.uk who fill in contact, signup, or marketing forms.
Customer leads, sales records, and other end-customer data that dealers store within the Service are the dealer's responsibility as data controller; we act as their data processor under Article 28 UK GDPR. For details, dealers should refer to the Data Processing Addendum that forms part of our Terms of Service.
2. What personal data we collect
From dealers
- Account details: name, email, password (hashed), phone number.
- Business details: dealership name, slug, trading address, opening hours, contact details.
- Billing details: payment card information (handled exclusively by Stripe — we never see the card number), VAT status, subscription tier.
- Usage data: pages visited, features used, errors, log files, IP address.
- Integration tokens: when you connect AutoTrader, Google, Microsoft, social media or accounting accounts, we store the relevant API tokens encrypted at rest.
From visitors
- Information you submit through forms (name, email, message).
- Cookies (see Section 7).
3. Why we process your data and on what legal basis
| Purpose | Data used | Legal basis (Art. 6 UK GDPR) |
|---|---|---|
| Provide and maintain the Service | Account, business, usage | Contract (Art. 6(1)(b)) |
| Process payments | Billing | Contract (Art. 6(1)(b)) |
| Service emails (signup confirmation, password reset, billing notices, security alerts, system status) | Account email | Contract / legitimate interests (Art. 6(1)(b), 6(1)(f)) |
| Prevent fraud and abuse | Usage, IP address | Legitimate interests (Art. 6(1)(f)) |
| Comply with legal obligations (tax, accounting) | Billing | Legal obligation (Art. 6(1)(c)) |
We do not send marketing email. The only emails we send are transactional or important service updates (e.g. a planned outage, a security incident, or a price change). You cannot opt out of these while you have an active account because they are necessary to provide the Service.
4. How long we keep your data
- Active account data — for as long as your account is open.
- Billing records — 6 years after the relevant tax year (HMRC requirement).
- Server logs and security events — 90 days.
- Backups — for up to 30 days before being overwritten.
- If you delete your account, we delete identifiable data within 30 days, except where retention is required by law (billing) or for ongoing dispute resolution.
5. Sub-processors
We use the following third parties to deliver the Service. Each has signed a written data-processing agreement with us and has appropriate safeguards in place.
| Sub-processor | Role | Location |
|---|---|---|
| Supabase | Database + authentication + file storage | United Kingdom (London region) |
| Vercel | Application hosting and edge network | EU / global edge (Standard Contractual Clauses in place) |
| Stripe | Payment processing | UK / EU / US (Stripe is a UK-licensed payment processor) |
| Resend | Transactional email delivery | EU / US (Standard Contractual Clauses in place) |
| AutoTrader UK | Vehicle listing API (only used by dealers who connect AutoTrader) | UK |
| CarGurus UK | Vehicle feed SFTP (only used by dealers who enable CarGurus) | UK |
| AA Cars | Vehicle feed FTP (only used by dealers who enable AA Cars) | UK |
| VDG (Vehicle Data Group) | VRM → vehicle specification lookup | UK |
| Google / Microsoft Graph | Email integrations (only used by dealers who connect a mailbox) | EU / US (provider DPAs in place) |
We do not sell personal data to anyone. We do not share it with anyone outside the list above except where required by law or to protect our or others' rights (fraud, abuse).
6. Your rights under UK GDPR
You have the right to:
- Access a copy of the personal data we hold about you (Art. 15). Use the “Export my data” option in Settings, or email us.
- Rectify inaccurate data (Art. 16). Most details are editable in Settings; for billing or login records, email us.
- Erase your data (Art. 17). Use the “Delete account” option in Settings.
- Restrict processing (Art. 18) — pause our processing of your data in specific situations.
- Portability (Art. 20) — receive a machine-readable copy of the data you provided.
- Object to processing based on legitimate interests (Art. 21).
- Lodge a complaint with the UK Information Commissioner's Office at ico.org.uk. We'd ask that you contact us first so we can try to resolve it.
We aim to respond to all rights requests within one month, as required by Art. 12(3) UK GDPR. If your request is complex we may extend this by two further months and will tell you why.
7. Cookies
We use a small number of cookies to make the Service work. See our Cookies page for the full list and how to change your choices. Optional cookies (analytics, preferences) are off by default and only set if you accept them in the banner that appears on your first visit.
8. Security
We use industry-standard technical and organisational measures to protect personal data: TLS in transit, encryption at rest in the database and storage, hashed passwords, two-factor authentication on staff accounts, regular dependency updates, and least-privilege access controls. No system is perfectly secure; if we ever suffer a personal-data breach that puts you at risk, we will notify the ICO within 72 hours and tell you directly without undue delay.
9. International transfers
Your dealership data is held in the United Kingdom: our database, authentication and file storage all run in Supabase's London region.
A handful of sub-processors (Stripe, Resend, and parts of Vercel's global edge network) may transit personal data through the United States. Where this happens, we rely on the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum, plus additional safeguards as required by the ICO's guidance.
10. Children
The Service is not intended for children. We do not knowingly collect personal data from anyone under 16. If you believe a child has used the Service, tell us and we will delete the data.
11. Changes to this policy
We update this policy from time to time. When we make material changes we will tell dealers by email and via an in-app notice. The latest version always appears on this page with its “Last updated” date.
12. Contact
For any privacy question, exercise of rights, or complaint, email support@dealersoftware.co.uk. As a sole trader below the threshold, we are not required to appoint a Data Protection Officer; the support inbox is the single point of contact for all data-protection matters.