Autolytix

Privacy Policy

Last updated: April 2026

1. Who We Are

Autolytix is a dealership management platform operated by Autolytix Ltd (“we”, “us”, “our”). We are registered in England and Wales.

For the purposes of UK data protection law, Autolytix acts as a data controller for the personal data of platform users (dealership staff, owners, investors) and as a data processor on behalf of dealerships (“dealers”) for customer booking data.

You can contact our data protection contact at: privacy@autolytix.co.uk

2. The Law That Applies

This policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are registered with the Information Commissioner's Office (ICO) as a data controller.

3. Data We Collect and Why

A. Dealership Accounts (Platform Users)

When you register as a dealership or are added as a user, we collect:

  • Name, email address and phone number
  • Business name, address and contact details
  • Your role within the dealership
  • A securely hashed password
  • Login timestamps and activity logs

Legal basis: Contract performance (Art. 6(1)(b) UK GDPR) — these details are necessary to provide the platform service. Legitimate interests (Art. 6(1)(f)) for security logs.

B. Vehicle and Business Data

Dealers enter vehicle records (registration numbers, purchase and sale prices, mileage, documents), financial records, expenses and advertising data. We also query the DVLA and DVSA APIs using vehicle registration numbers to enrich records with make, model, colour, fuel type and MOT status.

Legal basis: Contract performance; DVLA/DVSA queries are made under our legitimate interests to provide accurate vehicle data and under the dealer's legitimate interests as a motor trade business.

C. Investor Data

Dealers may add investor names, contact details and profit-share arrangements. This data is entered by the dealer and stored on their behalf.

Legal basis: Legitimate interests of the dealer to manage investor relationships.

D. Customer Booking Data

When a member of the public submits a booking request through a dealer's public booking page, we collect their name, email address, phone number (optional) and any notes they provide.

Legal basis: Legitimate interests (to facilitate a vehicle viewing appointment requested by the individual). The dealer is the data controller for their customers' data; Autolytix processes this data only on the dealer's behalf.

E. Google Calendar Integration

If a dealer connects their Google Calendar, we store an OAuth access token and refresh token for that dealer's Google account. This is used solely to create calendar events when bookings are confirmed. We do not read, access or store any other Google Calendar data.

Legal basis: Consent of the dealer (who grants authorisation via Google's OAuth flow).

F. Documents and OCR

Dealers may upload vehicle documents (e.g. V5C, invoices). These may be processed by an AI optical character recognition (OCR) service (Google Gemini) to extract text. Documents may contain personal data such as names and addresses.

Legal basis: Contract performance; legitimate interests to provide document management features.

G. Technical and Usage Data

We collect server-side logs, error reports and general usage patterns to operate and improve the platform. We do not use third-party analytics cookies.

Legal basis: Legitimate interests to maintain platform security and reliability.

4. Authentication Tokens

When you log in, we store a secure authentication token in your browser's local storage. This token is strictly necessary to maintain your logged-in session and is not used for tracking or advertising. Under PECR, strictly necessary session tokens do not require cookie consent.

5. Who We Share Data With

We use the following third-party services to operate the platform. Each acts as a data processor under our instructions:

Processor        | Purpose                                 | Location
Neon (Neon Inc.) | Hosted PostgreSQL database              | United States
Google LLC       | Calendar API, Gemini OCR, OAuth         | United States
DVLA / DVSA      | Vehicle registration enrichment         | United Kingdom
Replit Inc.      | Application hosting and infrastructure  | United States

Transfers to the United States are made under the UK Extension to the EU–US Data Privacy Framework or appropriate Standard Contractual Clauses (SCCs) where applicable.

We do not sell personal data. We do not share personal data with any third party for marketing purposes.

6. How Long We Keep Data

  • Dealer account data: Retained for the duration of the subscription plus 6 years (in line with UK financial record-keeping obligations under the Companies Act 2006).
  • Customer booking data: Retained for 2 years from the date of the booking request, unless the dealer requests earlier deletion.
  • Google Calendar tokens: Deleted immediately when the dealer disconnects their Google Calendar, or when their account is closed.
  • Uploaded documents: Retained until the dealer deletes them or closes their account.
  • Server logs: Retained for 90 days.

7. Your Rights Under UK GDPR

If you are an individual whose data we hold, you have the following rights:

  • Right of access — to request a copy of your data (Subject Access Request)
  • Right to rectification — to correct inaccurate data
  • Right to erasure — to request deletion (“right to be forgotten”)
  • Right to restriction — to restrict how we use your data
  • Right to data portability — to receive your data in a machine-readable format
  • Right to object — to object to processing based on legitimate interests
  • Rights related to automated decision-making — we do not carry out solely automated decision-making that produces legal effects

To exercise any of these rights, contact us at privacy@autolytix.co.uk. We will respond within one calendar month as required by UK GDPR.

If you are a customer of a dealership using our platform, your primary point of contact is that dealership (the data controller). We will cooperate with any erasure or access requests routed through the dealer.

8. Right to Complain

You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection matters:

  • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Post: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

9. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss or destruction. These include:

  • Passwords stored using bcrypt hashing
  • All data transmitted over HTTPS/TLS
  • Role-based access control (RBAC) limiting data access within dealerships
  • OAuth tokens encrypted at rest

In the event of a personal data breach that poses a risk to individuals, we will notify the ICO within 72 hours as required by UK GDPR and will inform affected individuals without undue delay.

10. Children

Our platform is not directed at or intended for use by anyone under the age of 18. We do not knowingly collect personal data from children.

11. Chrome Extension Data Usage

🧩 Chrome Extension — Required Disclosure

The Autolytix Chrome Extension accesses specific data to provide workflow automation for automotive dealerships. The extension collects and processes personally identifiable information (such as buyer names on lead forms), authentication tokens (to securely link to your Autolytix account), personal communications (to draft AI responses to incoming marketplace leads), and website content (to scrape vehicle details for form autofill). This data is strictly used to provide the core functionality of the extension. We do not sell this data to third parties, nor do we use it for unrelated marketing purposes.

Data Accessed by the Extension

  • Authentication tokens — used to securely identify your Autolytix account and authorise API calls. Never stored externally or shared.
  • Personally identifiable information (PII) — buyer names and contact details entered on GOV.UK DVLA and marketplace lead forms, used solely to auto-fill transfer forms.
  • Personal communications — incoming marketplace enquiries (Facebook Marketplace, Gumtree, AutoTrader) used to draft AI-assisted responses within the extension. Messages are not stored on our servers.
  • Website content — vehicle listing and form field data scraped from GOV.UK, AutoTrader and auction sites to pre-fill Autolytix records. No data is retained beyond the current browser session.

How Data Is Used

All data accessed by the extension is used exclusively to provide the stated functionality — form auto-fill, lead response drafting, and vehicle data enrichment. Data is passed directly between the extension and your Autolytix account. We do not log, sell, or share extension-accessed data with any third party.

Permissions Used

  • storage — to temporarily hold vehicle transfer data between the Autolytix app and the GOV.UK form pages.
  • scripting / activeTab — to read and fill form fields on GOV.UK, AutoTrader and marketplace pages.
  • tabs — to detect when the user navigates to a supported page and activate the relevant helper.

12. Changes to This Policy

We may update this privacy policy from time to time. When we make material changes we will update the “Last updated” date at the top and, where appropriate, notify registered users by email.

Contact
Autolytix Ltd
Email: privacy@autolytix.co.uk
Website: www.autolytix.co.uk