
Privacy Policy

Last updated: April 2026

1. Who we are

VeriCar (“we”, “us”, “our”) provides an online vehicle checking service at vericar.co.uk. VeriCar is operated by Matthew Coombes, a sole trader based in the United Kingdom, and is the data controller for the personal information we process.

For any privacy-related questions, contact [email protected].

2. What data we collect

  • Vehicle registration numbers you search for
  • Email address (when you purchase a paid report, or voluntarily provide one)
  • Payment information — processed directly by Stripe; we receive confirmation and limited metadata only, never full card details
  • Basic usage analytics (pages visited, device type, referring website)
  • Server logs (IP address, request timestamps) for security and troubleshooting

3. How we use your data and lawful basis

Under UK GDPR we must have a lawful basis for each purpose of processing. Our purposes and bases are:

  • Delivering the vehicle check service (running DVLA/DVSA/provenance queries, generating reports, emailing you the PDF) — Performance of a contract (UK GDPR Article 6(1)(b)).
  • Taking payment — Performance of a contract (Article 6(1)(b)).
  • Keeping payment and accounting records — Legal obligation (Article 6(1)(c)), specifically UK tax and record-keeping requirements.
  • Improving our service, fixing bugs, preventing abuse (usage analytics, server logs) — Legitimate interests (Article 6(1)(f)). Our interest is in running a reliable, secure service; we balance this against your privacy by minimising data collected and retention.
  • Customer support (responding to emails about your order) — Legitimate interests (Article 6(1)(f)) or performance of a contract depending on context.

We do not currently send marketing emails. If we start, we will obtain your explicit consent (Article 6(1)(a)) and you will always be able to unsubscribe.

4. Who we share data with (processors)

We share the minimum data necessary with the third-party services required to deliver our product. Each of these is a data processor acting on our instructions.

  • Stripe — payment processing (card details, billing email)
  • DVLA (Vehicle Enquiry Service) — vehicle lookups by VRM
  • DVSA (MOT History API) — MOT history lookups by VRM
  • Experian Automotive and other automotive data providers — provenance checks (finance, stolen, write-off, plate change) via our data partner
  • Anthropic — AI-generated report text (Claude API; we send vehicle data, not your email or payment info)
  • Resend — transactional email delivery (your email address + the report PDF)
  • Railway and Cloudflare — hosting and content delivery
  • Plausible Analytics or Google Analytics — aggregated usage statistics (see “Cookies and analytics” below)

We do not sell your personal data. We do not share data with advertisers or data brokers.

5. International transfers

Some of our processors are based outside the UK. Where your personal data is transferred outside the UK, we rely on the following safeguards:

  • EU/EEA transfers — covered by the UK's adequacy decision, which recognises the EU as providing an equivalent standard of data protection.
  • US transfers (Stripe, Anthropic, Resend, Cloudflare, Railway) — covered by the UK International Data Transfer Agreement, UK Addendum to the EU Standard Contractual Clauses, or the UK-US Data Bridge, depending on the processor.

You can request more information about the specific safeguards for any transfer by contacting us.

6. Data retention

We keep personal data only as long as we need it. Our retention periods are:

  • Payment records — 6 years from the end of the tax year, to comply with UK tax law (HMRC).
  • Email addresses tied to a paid report — up to 2 years from last purchase, for customer support and refund handling.
  • Vehicle check results (VRM + API responses) — up to 12 months, for debugging and service improvement. VRMs are not stored alongside personally identifying information except where you also made a payment.
  • Server logs — 90 days.
  • Aggregated analytics — up to 14 months (anonymised where possible).

You can request earlier deletion of your data at any time (see “Your rights” below), subject to any legal retention requirements we are bound by.

7. Cookies and analytics

We use a minimal set of cookies and tracking technologies:

  • Essential cookies — required to operate the site, process payments, and maintain session state. These do not require your consent.
  • Analytics — we use a privacy-respecting analytics tool (Plausible Analytics, which does not use cookies and does not track across sites) or Google Analytics 4 with IP anonymisation. Analytics data is aggregated and does not identify you personally.

We do not use advertising cookies, cross-site trackers, or share data with advertising networks.

8. Automated decision-making

We do not use automated decision-making that produces legal effects or similarly significant effects concerning you (UK GDPR Article 22). AI-generated report text is informational content and does not make decisions about you as an individual.

9. Children

VeriCar is not directed at children under the age of 18. We do not knowingly collect personal data from under-18s. If you believe a child has provided us with personal data, please contact us and we will delete it.

10. Data security

We take appropriate technical and organisational measures to protect your personal data, including encryption in transit (HTTPS/TLS), encrypted storage, access controls, rate limiting, and routine security updates. No system is perfectly secure — if we become aware of a data breach affecting your personal information, we will notify you and the ICO as required by law.

11. Your rights

Under UK GDPR, you have the right to:

  • Access a copy of the personal data we hold about you
  • Rectify inaccurate or incomplete personal data
  • Erase your personal data (“right to be forgotten”), subject to legal retention requirements
  • Restrict or object to our processing of your data
  • Data portability (receive your data in a structured, machine-readable format)
  • Withdraw consent, where processing is based on consent

To exercise any of these rights, email [email protected]. We will respond within one month.

You also have the right to complain to the Information Commissioner's Office (the UK data protection regulator) if you believe we are handling your data incorrectly. You can contact the ICO at ico.org.uk or on 0303 123 1113. We would, however, appreciate the chance to resolve any concerns directly first.

12. Changes to this policy

We may update this Privacy Policy from time to time. The latest version will always be published on this page with the updated date. Material changes will be highlighted where reasonably possible.

13. Contact

For any privacy-related questions, data access requests, or other queries about how we handle your information, please email [email protected].