Privacy Policy

1. Introduction

Welcome to IsItAGoodCar ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal data. This policy explains how we collect and use data when you use our website and services, and it describes your rights under UK data protection law.

By using our site, you agree that we and Microsoft can collect and use this data as described here.

2. Who We Are (Data Controller)

We are Matter Logic Limited, registered in England and Wales (Company No. 16768499), registered office 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ. We are the data controller for the personal data processed through IsItAGoodCar.

• Data Protection Contact: support [at] isitagoodcar.com
• ICO Registration Number: ZC100345

If you have any concerns about how we handle your personal data, you may contact our data protection contact at the email address above.

3. The Data We Collect

We may collect, use, store, and transfer the following kinds of data:

• Account Data: Email address, authentication details, and account identifiers.
• Subscription & Payment Data: Plan selection, subscription status, credits, Stripe subscription and customer IDs, and billing status (we do not store full card details).
• Vehicle Data: Vehicle Registration Marks (VRMs) you search for and related vehicle data results.
• Usage Data: Information about how you use our website, products, and services.
• Technical Data: IP address, browser type and version, time zone, device identifiers, operating system, and other technical data.
• Communications Data: Support requests, feedback, and other messages you send us.

Children's Data: Our services are not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe we have inadvertently collected data from a child under 13, please contact us (support [at] isitagoodcar.com) and we will delete it promptly.

4. How We Use Your Data (Lawful Bases)

We only use your personal data where we have a lawful basis under UK GDPR:

• Provide and manage accounts, subscriptions, credits, and vehicle reports (contract).
• Process payments, prevent fraud, and maintain billing records (contract, legitimate interests, legal obligation).
• Improve services and understand usage with analytics (consent for analytics; legitimate interests for product improvements).
• Respond to support requests and communicate service updates (contract, legitimate interests).
• Comply with legal obligations and defend legal claims (legal obligation, legitimate interests).

5. AI Processing & Automated Decision-Making

We use AI models to generate vehicle analysis summaries. This may involve sending vehicle data and related inputs to our AI service providers (currently Google Gemini). AI outputs are for informational purposes only and are not used to make automated decisions about you.

We do not carry out any solely automated decision-making that produces legal effects or similarly significant effects concerning you (as described in Article 22 of the UK GDPR). All AI-generated outputs are advisory information about vehicles, not decisions about individuals.

6. Payments and Subscriptions

Payments and subscription management are handled by Stripe. We receive confirmation of payment, subscription status, and related transaction identifiers, but we do not store full payment card details.

7. Sharing Your Data

We may share data with trusted service providers who help us operate the service:

• Stripe (payment processing and subscription management).
• Experian / One Auto API (Full Premium Vehicle Check vehicle data).
• Google Gemini (AI processing for analysis results).
• Google Analytics (only with your consent).
• Microsoft Clarity (only with your consent; behavioral analytics and usage metrics).
• Hosting, infrastructure, and support providers.
• Professional advisers and regulators where required by law.

We require all third-party service providers to respect the security of your personal data and to treat it in accordance with the law. We do not allow them to use your data for their own purposes and only permit them to process your data for specified purposes in accordance with our instructions.

8. International Transfers

Some of our providers may process data outside the UK. Where data is transferred internationally, we ensure a similar degree of protection is afforded to it by implementing at least one of the following safeguards:

• Transferring to countries that have been deemed to provide an adequate level of protection by the UK Government (adequacy regulations).
• Using the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs) approved by the ICO.

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected. Specific retention periods are as follows:

• Account Data: Retained for the lifetime of your account and deleted within 30 days of account deletion, unless required by law.
• Payment & Billing Records: Retained for 7 years after the transaction date to comply with UK tax and accounting obligations (HMRC requirements).
• Vehicle Search Logs: Retained for up to 90 days for security, analytics, and service improvement purposes.
• Analytics Data: Google Analytics and Microsoft Clarity data is retained according to their standard retention settings (up to 14 months).

You can request deletion of your account data at any time, subject to legal retention requirements, by contacting us (support [at] isitagoodcar.com).

10. Cookies

We use essential cookies for security and session management, and optional analytics cookies (Google Analytics and Microsoft Clarity) only with your consent. For detailed information on the cookies we use and how to manage your preferences, please see our dedicated Cookie Policy.

11. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

• Right of access — request a copy of the personal data we hold about you.
• Right to rectification — request correction of inaccurate or incomplete data.
• Right to erasure — request deletion of your personal data where there is no compelling reason for us to continue processing it.
• Right to restrict processing — request that we suspend processing of your data in certain circumstances.
• Right to data portability — request a machine-readable copy of your data to transfer to another provider.
• Right to object — object to processing based on legitimate interests or for direct marketing.
• Right to withdraw consent — withdraw consent for analytics cookies at any time via the consent management controls on our website.

To exercise any of these rights, contact us (support [at] isitagoodcar.com). We will respond to your request within one calendar month of receiving it, as required by UK GDPR Article 12(3). In complex cases, we may extend this by up to two additional months, and we will notify you if this is necessary.

You will not have to pay a fee to exercise your rights, except in limited circumstances where a request is clearly unfounded, repetitive, or excessive.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk.

12. Data Security

We have put in place appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, accessed, altered, or disclosed in an unauthorised way. These include encryption in transit (TLS/SSL), access controls, and regular security reviews.

We limit access to your personal data to those employees, agents, contractors, and third parties who have a business need to know. They will only process your data on our instructions and are subject to a duty of confidentiality.

13. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33.

Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay, as required by UK GDPR Article 34, providing details of the breach and the steps you can take to protect yourself.

14. Third-Party Links

This website may include links to third-party websites, plug-ins, and applications. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

15. Changes to This Privacy Policy

We may update this privacy policy from time to time. We will notify you of any material changes by posting the updated policy on this page with a revised "Last updated" date. Where changes are significant, we may also notify registered users by email.

16. Contact Us

If you have any questions about this privacy policy, our privacy practices, or wish to exercise your data protection rights, please contact us (support [at] isitagoodcar.com).