Privacy Policy
Last updated: 28 May 2026
SpareCarPart Ltd ("SpareCarPart", "we", "us") takes your privacy seriously. This policy explains what personal data we collect, why we collect it, how we use it, and the rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are
SpareCarPart Ltd ("SpareCarPart", "we", "us") is a UK-based marketplace that connects vehicle owners with independent breaker yards and parts suppliers. We are the data controller for personal data you provide to us through the website, mobile experience and customer support channels.
Company details
SpareCarPart Ltd
T1 Dudley Court North, The Waterfront, Brierley Hill, DY5 1XP, United Kingdom
Email: info@sparecarpart.com
If you have any questions about this policy or how we handle your data, contact us at privacy@sparecarpart.com.
2. What we collect, and why
We collect only what we need to introduce you to suppliers, fulfil orders and run a safe marketplace. In plain English:
| Category | Examples | Why we collect it |
|---|---|---|
| Account | Name, email, hashed password, phone, postcode | Create your account, send quote responses, recover access |
| Vehicle | Registration, make, model, year, parts requested | Match the right part to your vehicle and route requests to suppliers who stock it |
| Transactional | Quotes, order status, delivery and warranty events | Fulfil the contract, support warranty claims, meet UK tax and consumer-protection law |
| Communications | Messages with suppliers and support, complaints | Resolve disputes, improve service, hold suppliers to our standards |
| Payments | Stripe charge/refund metadata (no full card numbers stored by us) | Take payment securely via Stripe and reconcile refunds |
| Technical | IP address, browser/device, cookies | Run the site, prevent fraud and — only with consent — analytics & marketing (see Cookie Policy) |
3. Lawful bases for processing
We process your personal data under the following lawful bases as set out in Article 6 of the UK GDPR:
- Contract — to provide the marketplace, send quote requests and process orders.
- Legitimate interests — to operate, secure and improve the service and prevent fraud.
- Legal obligation — to meet tax, accounting and consumer-protection duties.
- Consent — for marketing emails and non-essential cookies. You can withdraw consent at any time.
4. How we share data
We share the minimum data needed to fulfil your request:
- With suppliers, so they can quote and dispatch the part you asked for.
- With service providers (hosting, payments, email, analytics) acting as data processors on our instructions.
- With authorities where required by law or to protect our rights or our users.
We never sell your personal data.
5. How long we keep it
We keep account data while your account is active and for up to 6 years after closure to meet UK tax and consumer-protection requirements. Marketing preferences are kept until you withdraw consent. Technical logs are typically deleted within 12 months.
6. Your rights
Under UK GDPR you have the right to access, correct, delete and port your personal data, to restrict or object to its processing, and to withdraw consent. To exercise any of these rights, email privacy@sparecarpart.com. We will respond within one month.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
7. Security
We use industry-standard safeguards including TLS encryption in transit, encryption at rest for personal data (database storage and backups), role-based access control, audit logging, and regular security reviews.
Multi-factor authentication. Supplier accounts can enrol time-based one-time-password (TOTP) MFA from Supplier security settings — recommended for everyone handling customer orders, and required for staff accounts.
No system is 100% secure — if we ever suspect a breach affecting you, we will notify you and the ICO as required by law.
8. Your choices and controls
You're in control of what we send you and what we measure:
- Marketing emails — opt in or out at any time from Your account → Communication preferences. We default to opted-out; we only email you when you tick the box.
- Cookies & tracking — toggle analytics and marketing cookies on Cookie preferences. Strictly-necessary cookies stay on because the site needs them to run.
- Transactional emails — quote replies, order updates and security alerts are always sent because they're part of the service you asked for.
9. Processors and sub-processors
We use the following third parties to run the Service. Each acts as a data processor on our written instructions under a Data Processing Agreement. A more detailed register is available on request.
| Processor | Purpose | Location |
|---|---|---|
| Lovable Cloud (Supabase) | Database, auth, file storage | EU / UK |
| Cloudflare | Edge hosting, security | Global edge (UK PoP) |
| Stripe | Card payments | EU / US (IDTA) |
| Lovable AI Gateway | AI Chat, Part Finder, Health Check (prompt + image inference) | EU / US (IDTA) |
| DVLA, DVSA | Vehicle & MOT lookups | UK |
| Parts catalogue partners | Reference part listings | EU / US |
| Google Fonts | Web fonts (IP visible during font fetch) | Global CDN |
We do not currently use any analytics, advertising, retargeting, A/B-testing or session-replay vendors. If we add one, we will update this list, refresh the cookie banner, and ask for fresh consent before it loads in your browser.
10. International transfers
Some of our processors operate outside the UK. Where they do, we rely on UK adequacy regulations or the ICO's International Data Transfer Agreement to ensure your data remains protected to UK standards.
11. Changes to this policy
We may update this policy from time to time. Material changes will be flagged on the site or by email at least 14 days before they take effect.