This Privacy Policy explains how 73 Auto Ltd ("we", "us", "our") collects, uses, stores and shares personal data when you use the 73auto.com Total Cost of Ownership service (the "Service"). It is written to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (PECR), and follows guidance issued by the Information Commissioner's Office (ICO).
Who we are
The data controller for personal data processed through 73auto.com is 73 Auto Ltd, a company incorporated in England and Wales under company number 16883211, with its registered office at 71-75 Shelton Street, London, England, WC2H 9JQ.
You can reach our Data Protection contact at privacy@73auto.com for any privacy question, complaint or rights request. We aim to acknowledge requests within 5 working days and to respond substantively within one calendar month, as required by Article 12(3) UK GDPR.
Data we collect
We collect only the data we need to provide and improve the Service. Specifically:
- Account data — your email address, an encrypted password (or an OAuth identifier if you sign in with Google), the date your account was created, and your email-verification status.
- Billing data — the plan or pack you purchased, payment amount, currency, Stripe customer and subscription identifiers, invoice metadata and a record of remaining check quota. We never see or store your full card number — that data is held by Stripe under their PCI-DSS Level 1 certification.
- Usage data — the Vehicle Registration Marks (VRMs) you submit, the resulting TCO calculations, the timestamps and IP address of your requests, and aggregate counters used for rate-limiting and quota enforcement.
- Vehicle data we retrieve on your behalf — when you submit a VRM, we query the DVLA Vehicle Enquiry API. The response (make, model, tax band, fuel type, MOT and tax status) is associated with your account so you can review it later in History.
- Technical data — browser type, language, viewport, anonymised analytics events if you opt in (currently none are deployed), and the cookies described in our Cookies Policy.
Lawful basis (UK GDPR Article 6)
We rely on the following lawful bases:
- Contract (Art. 6(1)(b)) for everything required to deliver the Service you signed up for: maintaining your account, running TCO checks, processing payments and providing customer support.
- Legitimate interests (Art. 6(1)(f)) for fraud prevention, abuse detection, rate-limiting, debugging, securing our systems and improving the Service. We have completed a Legitimate Interests Assessment for each of these uses and balance them against your rights and freedoms.
- Legal obligation (Art. 6(1)(c)) for retaining accounting records (HMRC requires six years) and for responding to lawful requests from regulators or law enforcement.
- Consent (Art. 6(1)(a)) for any optional analytics or marketing cookies you choose to accept via the cookie banner. You can withdraw consent at any time by clearing the cookie banner state or by emailing privacy@73auto.com.
How we use it
We use the data above to: authenticate you and protect your account; run TCO calculations and store their results so History works; bill you accurately and reconcile Stripe payouts; send transactional emails (verification, password reset, receipts, account notifications); enforce per-plan check quotas; investigate fraud and abuse; respond to support requests; and meet our legal and accounting obligations. We do not sell or rent your personal data, and we do not use it to profile you for advertising.
Sub-processors
We share personal data only with the sub-processors listed in the Data Processing Addendum, each of which is bound by a written contract that requires them to process data only on our instructions and to apply appropriate technical and organisational safeguards. The current sub-processors include Stripe (payments), Vultr in London (hosting), our self-hosted MongoDB on that host (database), DVLA (vehicle lookup), Brevo (transactional email) and, optionally, Google (only if you sign in with Google).
International transfers
Application data is stored exclusively on infrastructure located in the United Kingdom. Stripe transfers a subset of billing data to the United States; this transfer is protected by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses. If you sign in with Google, the OAuth exchange also involves a transfer to the United States under the same safeguards.
Retention
Account, billing and usage data are retained while your account is active. If you close your account, we delete or fully anonymise your personal data within 90 days, except for records we are legally required to keep (invoices and tax records — six years from the end of the relevant tax year). Server access logs are retained for 30 days for security purposes and then deleted.
Your rights (DSAR)
Under UK GDPR you have the right to: access the personal data we hold about you; have inaccurate data corrected; have your data erased (subject to legal retention obligations); restrict or object to certain processing; receive a portable copy of your data; and lodge a complaint with the Information Commissioner's Office (ico.org.uk, 0303 123 1113).
To exercise any of these rights, email privacy@73auto.com from the address associated with your account, or write to us at the registered office above. We will not charge a fee for the first request in any twelve-month period.
Cookies
We use a small number of strictly necessary cookies (session, theme preference, cookie-consent state). All other cookie categories are off by default and depend on your explicit consent. See the Cookies Policy for the full list and how to change your choice.
Children
The Service is intended for adults using or buying motor vehicles in the United Kingdom and is not directed at anyone under the age of 18. We do not knowingly collect data from children.
Contact
For any privacy-related question, complaint or to exercise your rights, contact us at privacy@73auto.com or write to 73 Auto Ltd, 71-75 Shelton Street, London, England, WC2H 9JQ.
Changes to this policy
We will post any material changes here and update the "last updated" date at the top of the page. For significant changes affecting how we use your data, we will email registered users at least 14 days before the change takes effect.