Privacy Policy
Version 1.0 · Last updated: March 2026
iAutoMotive Ltd · Registered in England & Wales · privacy@iautomotive.co.uk
Important notice: This Privacy Policy applies to all personal data processed by iAutoMotive Ltd in connection with our vehicle consignment platform and services. Please read this policy carefully. If you have any questions, contact our Data Protection contact at privacy@iautomotive.co.uk.
1. Who We Are
iAutoMotive Ltd (“iAutoMotive”, “we”, “us”, “our”) is a vehicle consignment platform registered in England and Wales. We operate the iAutoMotive platform at iautomotive.co.uk, which connects private vehicle sellers with buyers by managing the end-to-end consignment of used vehicles.
iAutoMotive Ltd is the data controller for personal data processed through our platform. This means we are responsible for deciding how and why your personal data is used.
Our contact details
| Company | iAutoMotive Ltd |
| Registered address | [Registered office address — to be confirmed] |
| ICO registration number | [ICO registration number — to be obtained before launch] |
| Data Protection contact | privacy@iautomotive.co.uk |
| General enquiries | hello@iautomotive.co.uk |
| Telephone | [Phone number — to be confirmed] |
2. What Personal Data We Collect
We collect and process different categories of personal data depending on how you use our platform. The tables below set out what we collect, from whom, and why.
2.1 Data collected from sellers (vehicle consignors)
| Category of data | Specific data points | How collected |
|---|---|---|
| Identity | Full name, date of birth (if required for identity verification), gender (if provided) | Account registration; consignment agreement |
| Contact | Email address, telephone number(s), home address | Account registration; collection scheduling |
| Vehicle | Vehicle registration, VIN/chassis number, make, model, mileage, condition, service history, V5C details, HPI check results, outstanding finance information | Intake process; DVLA and HPI lookups |
| Financial | Bank account name and number (for payouts), sort code, net proceeds figures, outstanding finance amounts | Consignment onboarding; payout processing |
| Communications | Messages sent through our platform, call recordings (where consent is given), email and SMS communications | Platform messaging; telephone contact |
| Identity verification | Government-issued ID document details, selfie/liveness check data (where required) | Identity verification process for high-value transactions |
| Technical | IP address, device type, browser type, session data, page views, platform activity logs | Automatic collection via cookies and server logs |
2.2 Data collected from buyers
| Category of data | Specific data points | How collected |
|---|---|---|
| Identity | Full name, date of birth | Account registration; checkout process |
| Contact | Email address, telephone number, delivery address | Account registration; delivery scheduling |
| Financial | Payment card details (processed by Stripe — not stored by us), pre-qualification data (soft credit search), finance application data where applicable | Checkout; finance introduction process |
| Trade-in vehicle | Registration, VIN, condition, outstanding finance (if any) for trade-in vehicles | Trade-in tool |
| Identity verification | Government-issued ID (for fraud prevention on high-value purchases) | Identity verification at checkout |
| Transaction history | Vehicles reserved, purchased, returned; order history | Platform transaction records |
| Preferences | Saved searches, saved vehicles, notification preferences | Platform activity |
| Technical | IP address, device type, browser type, session data, platform activity | Automatic collection via cookies and server logs |
2.3 Data collected from third parties
In addition to data you provide directly, we receive personal data from the following third parties:
- DVLA: vehicle registration details and keeper history, used to verify seller authority and populate vehicle specifications.
- HPI Check / Experian: vehicle history data including outstanding finance, theft, write-off status, and mileage history.
- Identity verification providers (Stripe Identity): ID document authentication and liveness verification results.
- Credit reference agencies: soft-pull pre-qualification results for buyers seeking finance introductions (where FCA-authorised activity applies).
- Fraud prevention services (Point Predictive, Experian CrossCore): synthetic identity scores and fraud risk indicators.
- PEP and sanctions screening services: politically exposed person status and sanctions list matches, as required under the Money Laundering Regulations 2017.
3. How and Why We Use Your Data
We must have a lawful basis to process your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. The table below sets out each purpose for which we process personal data, our lawful basis, and the data categories involved.
| Purpose | Lawful basis | Applies to | Data categories |
|---|---|---|---|
| Providing our consignment service — managing vehicle intake, listing, sale, and payout | Performance of a contract (Article 6(1)(b) UK GDPR) | Sellers | Identity, contact, vehicle, financial |
| Facilitating vehicle purchases — checkout, payment processing, delivery, title transfer | Performance of a contract | Buyers | Identity, contact, financial, transaction |
| Identity verification and fraud prevention | Legitimate interests (protecting our business and customers from fraud); legal obligation (AML regulations) | Sellers and buyers | Identity, identity verification, financial |
| Anti-money laundering and sanctions screening | Legal obligation (MLR 2017; Proceeds of Crime Act 2002) | Sellers and buyers | Identity, financial, PEP/sanctions data |
| Communicating about your transaction — status updates, notifications, payout confirmations | Performance of a contract; legitimate interests | Sellers and buyers | Contact, communications, transaction |
| Processing payments and managing payouts (via Stripe) | Performance of a contract | Sellers and buyers | Financial, identity |
| Finance introductions — introducing buyers to FCA-authorised lenders | Performance of a contract; legitimate interests; consent where required by CONC | Buyers | Identity, financial |
| Handling complaints and disputes | Legal obligation (Consumer Rights Act 2015); legitimate interests | Sellers and buyers | Identity, contact, transaction, communications |
| Improving our platform — analytics, A/B testing, user behaviour analysis | Legitimate interests | All users | Technical, usage, preferences |
| Marketing communications — where you have opted in or where we rely on the soft opt-in | Consent; legitimate interests (soft opt-in for existing customers under PECR) | All users | Contact, preferences |
| Regulatory compliance — maintaining records required by law, responding to regulatory requests | Legal obligation | Sellers and buyers | All categories as required |
| Tax reporting — 1099-K equivalent reporting where required; TIN/UTR verification | Legal obligation (HMRC requirements) | Sellers | Identity, financial |
Legitimate interests
Where we rely on legitimate interests as our lawful basis, we have carried out a Legitimate Interests Assessment (LIA) to ensure that our interests are not overridden by your rights and interests. You have the right to object to processing based on legitimate interests at any time. Contact us at privacy@iautomotive.co.uk.
4. Sharing Your Personal Data
We share personal data with third parties only where necessary for our services, required by law, or with your consent. We do not sell your personal data to third parties for their own marketing purposes.
4.1 Our service providers (data processors)
We share personal data with the following categories of service provider, who process it on our behalf and under our instructions:
| Service provider category | Specific providers | Purpose |
|---|---|---|
| Payment processing | Stripe, Inc. | Buyer card payments; seller Faster Payments disbursements; escrow management |
| Electronic signatures | DocuSign, Inc. | E-signing of consignment agreements, purchase contracts, and all deal documents |
| Identity verification | Stripe Identity; Point Predictive | Government ID verification; synthetic identity and fraud risk scoring |
| Vehicle data | HPI Check / Experian; DVLA; Cazana; Glass’s Guide | HPI checks; vehicle history; market valuation |
| Communications | Twilio, Inc. (SMS); SendGrid / Twilio (email) | Transactional SMS and email notifications to sellers and buyers |
| Cloud hosting and infrastructure | Amazon Web Services (AWS); Vercel | Secure hosting of our platform and data |
| Analytics and monitoring | Datadog; Sentry | Platform performance monitoring; error tracking |
| Photography and imaging | Spyne or equivalent | AI-enhanced vehicle photography processing |
| Finance introductions | RouteOne or equivalent (where FCA-authorised) | Introduction to FCA-authorised lenders for vehicle finance |
4.2 Other parties we may share data with
- Regulated lenders: where a buyer applies for vehicle finance, we share their application data with lenders in the RouteOne network for the purpose of credit assessment. Each lender is an independent data controller for their own processing.
- DVLA: we notify the DVLA of vehicle keeper changes within 5 working days of a sale as required by law.
- HM Revenue & Customs: we may be required to report certain seller transaction data to HMRC in accordance with our tax reporting obligations.
- Law enforcement and regulatory authorities: we will disclose personal data to the police, FCA, HMRC, or other authorities where we are legally required to do so, or where we reasonably believe disclosure is necessary to prevent or detect crime.
- Fraud prevention agencies: we share information with fraud prevention agencies as part of our AML and fraud screening obligations. This information may be used by those agencies to prevent fraud and money laundering and to verify your identity.
- Professional advisers: our solicitors, accountants, and insurers may receive personal data where necessary for their professional services.
- Business transfers: in the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred to the acquiring entity. We will notify you before your data is transferred and becomes subject to a different privacy policy.
We do not sell your data. iAutoMotive does not sell, rent, or trade personal data with third parties for marketing purposes. We do not share your data with advertisers for the purpose of serving you targeted advertising on other platforms.
5. International Data Transfers
Some of our third-party service providers are based outside the United Kingdom (UK). When we transfer personal data to countries outside the UK, we ensure that appropriate safeguards are in place to protect your data, in accordance with the UK GDPR.
The safeguards we rely on include:
- UK adequacy regulations: transfers to countries that the UK government has determined provide an adequate level of data protection.
- UK International Data Transfer Agreements (IDTAs): standard contractual clauses approved by the ICO for transfers to countries without an adequacy decision.
- UK Addendum to EU Standard Contractual Clauses: where we use the EU SCCs as a transfer mechanism with a UK Addendum.
Key international transfers include:
| Recipient | Country | Transfer mechanism |
|---|---|---|
| Stripe, Inc. | United States | UK IDTA / SCCs with UK Addendum |
| DocuSign, Inc. | United States | UK IDTA / SCCs with UK Addendum |
| Amazon Web Services | United States / EU | SCCs with UK Addendum; AWS EU regions used where possible |
| Twilio, Inc. | United States | UK IDTA / SCCs with UK Addendum |
| Point Predictive | United States | UK IDTA / SCCs with UK Addendum |
6. How Long We Keep Your Data
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. The table below sets out our standard retention periods.
| Data category | Retention period | Reason for retention |
|---|---|---|
| Consignment agreement and deal documents | 7 years from the date of the transaction | Companies Act 2006; HMRC record-keeping requirements; potential contractual disputes |
| Financial transaction records (payouts, invoices) | 7 years from end of financial year | HMRC and tax reporting obligations |
| AML and sanctions screening records | 5 years from the end of the business relationship | Money Laundering Regulations 2017 |
| Identity verification records | 5 years from the end of the business relationship (or longer if required by law) | MLR 2017; fraud prevention |
| Complaints records | 6 years from resolution | Limitation Act 1980 (potential legal claims); FCA requirements |
| Consumer contract records | 6 years from the date of the transaction | Limitation Act 1980; Consumer Rights Act 2015 |
| Account data (active accounts) | For the duration of your account plus 2 years after account closure | Legitimate interests in handling post-closure queries |
| Platform analytics and technical logs | 13 months | ICO guidance on analytics data retention |
| Marketing preferences | Until you withdraw consent or object, plus 1 year | PECR; UK GDPR consent requirements |
| Call recordings (where applicable) | 12 months | Quality assurance and dispute resolution |
| CCTV footage at our lots | 31 days | ICO CCTV code of practice |
When personal data is no longer required, we securely delete or anonymise it. Where anonymisation is not possible, we restrict access to the data until deletion is possible.
7. Your Rights
Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to exemptions, but we will always consider your request carefully and respond within the required timeframe.
| Your right | What it means |
|---|---|
| Right of access | You have the right to request a copy of the personal data we hold about you (a Subject Access Request or SAR). We will respond within one month. There is no charge unless the request is manifestly unfounded, excessive, or repetitive. |
| Right to rectification | You have the right to ask us to correct inaccurate personal data or complete incomplete data. We will act within one month. |
| Right to erasure | You have the right to ask us to delete your personal data in certain circumstances — for example, where it is no longer necessary for the purpose it was collected, or where you withdraw consent. This right does not apply where we have a legal obligation to retain data. |
| Right to restrict processing | You have the right to ask us to pause processing of your data in certain circumstances — for example, while you contest its accuracy or while we consider your objection. |
| Right to data portability | Where we process your data by automated means on the basis of your consent or a contract, you have the right to receive your data in a structured, commonly used, machine-readable format, and to ask us to transfer it to another controller. |
| Right to object | You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to direct marketing, we will stop processing immediately. |
| Rights related to automated decision-making | You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal or similarly significant effects. Our fraud risk scoring involves automated processing but is always subject to human review before any adverse decision is made. |
| Right to withdraw consent | Where we rely on your consent to process personal data, you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal. |
7.1 How to exercise your rights
To exercise any of your rights, please contact us at:
- Email: privacy@iautomotive.co.uk
- Post: iAutoMotive Ltd, [Registered address], Attention: Data Protection
We will respond to your request within one calendar month. In complex cases or where we receive multiple requests from the same individual, we may extend this period by a further two months and will notify you accordingly. We may need to verify your identity before processing your request.
7.2 Right to complain
If you are not satisfied with how we have handled your personal data or responded to your rights request, you have the right to complain to the Information Commissioner’s Office (ICO):
- ICO website: www.ico.org.uk
- ICO helpline: 0303 123 1113
- ICO address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would always prefer to resolve concerns directly before you approach the ICO, so please contact us first at privacy@iautomotive.co.uk.
8. Cookies and Tracking Technologies
Our website uses cookies and similar technologies to make the platform work, to improve your experience, and — where you have consented — to show you relevant content and measure our marketing performance.
8.1 What are cookies?
Cookies are small text files placed on your device when you visit a website. They help the site remember information about your visit, such as your preferred settings or your login status. Some cookies are placed by us; others are placed by third parties whose services we use.
8.2 Categories of cookies we use
| Category | Purpose | Lawful basis | Examples |
|---|---|---|---|
| Strictly necessary | Essential for the website to function — login sessions, security, the checkout process. Cannot be disabled. | No consent required (legitimate interests / contract) | Session cookies; CSRF protection; authentication tokens |
| Functional | Remember your preferences — saved searches, notification settings, language. | Legitimate interests | Preference cookies; saved search data |
| Analytics | Measure how our platform is used — which pages are visited, how users navigate. Data is aggregated and anonymised where possible. | Consent | Google Analytics; Datadog RUM |
| Marketing | Track the effectiveness of our advertising on third-party platforms. Only set where you have consented. | Consent | Meta Pixel; Google Ads tags (if used) |
8.3 Managing your cookies
When you first visit our website, we will show you a cookie banner asking for your consent to non-essential cookies. You can change your cookie preferences at any time by visiting our Cookie Preferences page at iautomotive.co.uk/legal/cookies. You can also control cookies through your browser settings. Please note that disabling certain cookies may affect your ability to use some features of our platform.
9. Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against unauthorised access, accidental loss, destruction, or damage. Our security measures include:
- Encryption of all personal data in transit using TLS 1.3 and at rest using AES-256 encryption.
- Strict role-based access controls ensuring staff can only access data they need for their role.
- Multi-factor authentication required for all staff accessing personal data.
- Regular security assessments and vulnerability scanning as part of our CI/CD pipeline.
- Annual third-party penetration testing.
- Physical security at our vehicle lots including CCTV and access controls.
- Staff training on data protection, information security, and phishing awareness.
- Documented incident response procedures.
We are working towards achieving SOC 2 Type II certification within 18 months of launch.
9.1 Data breaches
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, as required by Article 33 of the UK GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, as required by Article 34.
10. Specific Processing Activities
10.1 Vehicle valuations and market data
When you request a valuation for your vehicle, we use your vehicle registration number and mileage to query third-party valuation services (including Cazana, Glass’s Guide, and AutoTrader pricing data). This processing is necessary to perform our contract with you. The results are used to generate your consignment offer and to price your vehicle on the platform.
10.2 Fraud detection and identity verification
We use automated fraud detection tools to assess the risk of fraudulent activity in connection with vehicle transactions. This includes assessing identity documents, cross-referencing against fraud databases, and generating a risk score. Where our automated systems flag a high risk, a human member of our team will review the case before any decision is made. You have the right to request human review of any automated decision.
Identity verification is conducted where required by our AML obligations, for high-value transactions, or where our fraud detection systems indicate a need for enhanced verification. This processing is based on legal obligation and legitimate interests.
10.3 Financial information and bank account data
We collect bank account details from sellers solely for the purpose of making consignment payouts. This data is stored securely and is not used for any other purpose. Bank account details are never displayed in full on our platform — only the last four digits are shown for confirmation purposes.
We do not store payment card details. All card payments are handled by Stripe, who is PCI DSS compliant. We receive only a tokenised reference from Stripe, not the card number itself.
10.4 Call recording
Where our cold-calling CRM team contacts sellers by telephone, calls may be recorded for quality assurance, training, and dispute resolution purposes. You will be informed at the start of any recorded call. If you prefer not to be recorded, you may decline and the call will proceed unrecorded. Recordings are retained for 12 months and then securely deleted.
10.5 CCTV at our vehicle lots
We operate CCTV at our vehicle storage lots for the purpose of security and theft prevention. CCTV is operated in accordance with the ICO’s CCTV code of practice. Footage is retained for 31 days and then automatically overwritten unless required for an investigation. Signage is displayed at all lot entrances informing visitors that CCTV is in operation.
10.6 Marketing communications
We may send you marketing communications about our services, new vehicles on our platform, or relevant automotive news. We will only send marketing communications where:
- You have given us your explicit consent; or
- You are an existing customer and we are marketing similar products or services to those you have previously used with us (the “soft opt-in” under PECR), and you have not objected to receiving marketing.
You can opt out of marketing communications at any time by clicking “unsubscribe” in any marketing email, by replying STOP to any marketing SMS, or by updating your preferences in your account settings. Opting out of marketing does not affect transactional communications related to your active consignment or purchase.
11. Children’s Privacy
Our platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@iautomotive.co.uk and we will delete it promptly.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our services, or applicable law. When we make material changes, we will:
- Update the “Last updated” date at the top of this policy.
- Notify registered users by email where the changes are significant.
- Display a prominent notice on our website for a period of 30 days following a material update.
We encourage you to review this policy periodically. Continued use of our platform after a policy update constitutes acceptance of the revised policy. Previous versions of this Privacy Policy are available on request by contacting privacy@iautomotive.co.uk.
13. Contact Us
If you have any questions, concerns, or requests relating to this Privacy Policy or our processing of your personal data, please contact us using the details below:
| Data Protection contact | privacy@iautomotive.co.uk |
| General enquiries | hello@iautomotive.co.uk |
| Post | iAutoMotive Ltd, [Registered address], marked: Data Protection |
| ICO (to complain) | www.ico.org.uk | 0303 123 1113 |
iAutoMotive Ltd · Privacy Policy v1.0 · March 2026