Privacy Policy

ashdub ("we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our cloud-based garage management platform (the "Service").

This policy is provided in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Please read it carefully to understand our practices regarding your personal data.

For the purposes of UK GDPR, the data controller for personal data collected through the Service is:

We may collect and process the following categories of personal data:

3.1 Account Information

• Full name and job title
• Email address
• Telephone number
• Business name and address
• Password (stored in hashed form)

3.2 Garage Customer Data

When you use the Service to manage your garage operations, you may input personal data relating to your own customers, including:

• Customer names, addresses, and contact details
• Vehicle registration numbers, make, model, and VIN
• Service history and job records
• Invoice and payment information
• MOT and vehicle health check data

3.3 Usage Data

• IP address and browser type
• Device information and operating system
• Pages visited, features used, and time spent
• Referral source and navigation paths

3.4 Payment Data

• Billing name and address. Payment card details are processed directly by our payment provider and are not stored on our servers.

We use your personal data to:

• Provide, maintain, and improve the Service
• Create and manage your Account
• Process payments and send billing notifications
• Provide customer support and respond to enquiries
• Send service-related communications (e.g., updates, security alerts)
• Send marketing communications where you have opted in (you can unsubscribe at any time)
• Analyse usage patterns to improve functionality and user experience
• Detect, prevent, and address technical issues and security threats
• Comply with legal obligations

Under UK GDPR, we rely on the following legal bases for processing your personal data:

• Contract: Processing is necessary for the performance of our contract with you (i.e., providing the Service).
• Legitimate Interests: Processing is necessary for our legitimate interests, such as improving the Service, preventing fraud, and ensuring network security, provided these interests are not overridden by your rights and freedoms.
• Consent: Where you have given clear consent for us to process your personal data for a specific purpose, such as marketing communications.
• Legal Obligation: Processing is necessary to comply with a legal obligation to which we are subject.

We do not sell your personal data. We may share your data with the following categories of third parties:

• Supabase (Database Provider): We use Supabase as our database and authentication provider. Supabase acts as a data processor on our behalf and processes data in accordance with their privacy policy and our data processing agreement.
• Vercel (Hosting Provider): Our Service is hosted on Vercel. Vercel acts as a data processor and processes data in accordance with their data processing addendum.
• Payment Processors: We use third-party payment processors to handle subscription payments. They process payment data under their own privacy policies.
• Professional Advisers: Lawyers, accountants, and insurers where reasonably necessary.
• Law Enforcement: Where required by law, or to protect our rights, safety, or property.

When you use the Service to store and manage personal data about your own garage customers (e.g., customer names, vehicle details, service records), you are the data controller for that data, and ashdub acts as a data processor on your behalf.

As data processor, we will only process your customers' personal data in accordance with your instructions and applicable data protection legislation. We will implement appropriate technical and organisational measures to protect the data and will notify you without undue delay upon becoming aware of a personal data breach.

You are responsible for ensuring that you have a lawful basis for collecting and processing the personal data of your garage customers, and for providing them with appropriate privacy notices.

We retain your personal data only for as long as is necessary for the purposes set out in this policy:

• Account Data: Retained for the duration of your Subscription, plus 30 days after termination to allow for data export.
• Customer Data: Retained for the duration of your Subscription, plus 30 days after termination. You may request earlier deletion.
• Billing Records: Retained for 7 years in accordance with HMRC requirements.
• Usage Data: Retained in anonymised or aggregated form for up to 24 months.

Under UK GDPR, you have the following rights in relation to your personal data:

• Right of Access: You can request a copy of the personal data we hold about you.
• Right to Rectification: You can request that we correct any inaccurate or incomplete personal data.
• Right to Erasure: You can request that we delete your personal data, subject to certain exceptions (e.g., legal obligations).
• Right to Data Portability: You can request a copy of your data in a structured, commonly used, machine-readable format. The Service also provides data export tools for this purpose.
• Right to Restrict Processing: You can request that we restrict the processing of your personal data in certain circumstances.
• Right to Object: You can object to the processing of your personal data where we are relying on legitimate interests as the legal basis.
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time.

To exercise any of these rights, please contact us at privacy@ashdub.com. We will respond to your request within one month.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

We use cookies and similar technologies to enhance your experience, analyse usage, and remember your preferences. For full details on the cookies we use, please see our Cookie Policy.

Some of our data processors (including Supabase and Vercel) may process data outside the United Kingdom. Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place, such as:

• Transfers to countries that have been deemed to provide an adequate level of protection by the UK Secretary of State.
• Standard contractual clauses (International Data Transfer Agreement or Addendum) approved by the ICO.
• Other appropriate safeguards as permitted under UK GDPR.

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it, including:

• Encryption of data in transit (TLS/SSL) and at rest
• Regular security assessments and vulnerability testing
• Access controls and role-based permissions
• Regular data backups
• Staff training on data protection

However, no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will take steps to delete such data.

We may update this Privacy Policy from time to time. We will notify you of any material changes by email or by posting a notice within the Service. The updated policy will be effective from the date stated at the top of this page.

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us at: