This is a summary. Full legal detail follows in the numbered sections below.
Rider Vault is a motorcycle management app. We collect and use your data solely to provide you with the service — nothing more.
Arroket Intelligence Ltd ('we', 'us', 'our') is the data controller for personal data processed through Rider Vault (the mobile application and any associated service). Registered in England and Wales.
| Registered address | 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ |
| Company No. | 17137573 |
| Privacy contact | admin@arroketintelligence.com |
| ICO registered | C1907107 |
We collect only what is necessary to deliver the service. Each category below states what we collect, why, and the lawful basis under UK GDPR.
| Data | Purpose | Lawful Basis |
|---|---|---|
| Email address | Authentication and service communications (MOT/VED reminders, critical alerts). | Art. 6(1)(b) — Performance of contract |
| Password | Stored as bcrypt hash (cost factor 12) only. Never transmitted or stored in plain text. | Art. 6(1)(b) — Performance of contract |
| Data | Purpose | Lawful Basis |
|---|---|---|
| Registration (plate) | Used to query DVLA VES and DVSA MOT History APIs for tax status, MOT history, and recall information on behalf of the user. | Art. 6(1)(b) |
| Make, model, year, variant | Entered by the user; used to build the bike profile and calculate the health score. | Art. 6(1)(b) |
| Purchase date, current mileage | Used for service interval calculations and health score. | Art. 6(1)(b) |
| VIN / V5C reference number | AES-256 encrypted on-device before transmission. Server holds ciphertext only. Encryption key stored in iOS SecureStore — we cannot decrypt without the device. | Art. 6(1)(b) |
Service logs entered manually by the user: service type, date, mileage, workshop, and notes. These are not parsed for advertising or profiling. Used solely to generate health scores and reminders.
Optional. If added, photos are stored on your device only using expo-file-system. Photo files never reach our servers. Only a filename reference and bike profile link are stored in our database. EXIF metadata (which may include GPS location) is stripped before the photo is written to device storage.
Not collected in the current version. When GPS mileage tracking is introduced (future update), explicit consent will be required, only derived mileage figures will be stored (not raw GPS coordinates), and consent can be withdrawn from Settings at any time.
Crash logs collected via Sentry for app reliability. Configured for crash reporting only — not behavioural analytics. Device identifiers are not linked to user accounts. Retained for 90 days. Does not constitute tracking under Apple ATT rules. Lawful basis: Art. 6(1)(f) — Legitimate interests.
| Delivering the service | Calculating the health score, checking MOT/VED/recall status via government APIs, generating reminders. |
| Account management | Authentication, billing, customer support. |
| App reliability | Crash reporting via Sentry. No behavioural analytics. |
| Legal compliance | Retaining records as required by UK law. |
We do not use your data for advertising, profiling, behavioural targeting, or any purpose beyond operating the service. We do not sell your data.
| Data residency | All personal data stored in the United Kingdom. Supabase database: London region (AWS eu-west-2). No cross-border transfer outside UK or EEA. |
| Photo storage | On-device only (expo-file-system). Photo files never reach our servers. |
| VIN / V5C encryption | AES-256 client-side encryption before any transmission. Server holds ciphertext. Decryption key in iOS SecureStore. |
| Database isolation | Supabase Row Level Security (RLS) enabled on all 12 tables. Each user can access only their own rows. Enforced at database level independent of application controls. |
| Password storage | bcrypt hash, cost factor 12. Plain-text password never stored or transmitted. |
| Session tokens | JWT tokens stored in iOS SecureStore (not AsyncStorage). 15-minute access token expiry; 7-day refresh token with rotation. |
| Breach notification | Users notified within 72 hours per UK GDPR Art. 33/34 in the event of a relevant breach. |
| No ad tracking | Rider Vault does not use ad networks, cross-app tracking, or behavioural profiling. Apple ATT not triggered. |
All processors have been selected with UK data residency and security in mind.
| Processor | Purpose | Data and Residency |
|---|---|---|
| Supabase | Database and authentication hosting | UK (AWS eu-west-2). Processes: email, registration numbers, service records. Photos are not transferred. |
| Railway | API server hosting (Fastify backend) | Processes registration numbers in transit only; no persistent personal data storage. |
| Sentry | Crash reporting | May receive device identifiers. Crash-reporting only; not linked to user accounts. |
| Apple (App Store) | App distribution / TestFlight | Apple's terms apply to users directly. |
| DVLA (VES API) | Vehicle data query — government API | Receives registration number only. Returns vehicle data. No other account data transmitted to DVLA. |
| DVSA (MOT History API) | MOT history query — government API | Receives registration number only. Returns MOT history. No other account data transmitted to DVSA. |
| Account data | Retained for the life of the account. Deleted within 30 days of account deletion. |
| Service records | Retained for the life of the account. Deleted on account deletion. |
| Crash logs (Sentry) | 90 days. |
| DVLA / DVSA API cache | Retained per the terms of the respective government API. |
| Photos | On-device only. Removed when the user deletes photos or uninstalls the app. |
You have the following rights under UK GDPR. To exercise any right, contact admin@arroketintelligence.com or use the in-app controls where indicated. We will respond within 30 days.
| Access (SAR) | Request a copy of all personal data we hold about you. Email admin@arroketintelligence.com. |
| Rectification | Correct inaccurate data. Most data is self-serviceable directly within the app. |
| Erasure | Delete your account and all personal data via Settings > Delete Account (two-step confirmation). Also available by email. Data removed within 30 days. Irreversible. |
| Restriction | Request that processing be restricted while a dispute is resolved. Contact us by email. |
| Data portability | Receive your data in structured JSON or CSV format. Email admin@arroketintelligence.com. In-app export planned post-launch. |
| Object | Object to processing based on legitimate interests (e.g. crash analytics). Contact us by email. |
| Withdraw consent | Location data consent (Phase 9, not yet active): withdrawable from app Settings at any time without affecting prior lawful processing. |
| Complain to ICO | ico.org.uk · 0303 123 1113 · Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. |
Vehicle and MOT data displayed within the app is sourced from official UK government APIs and is reproduced with permission:
Contains public sector information licensed under the Open Government Licence v3.0.
DVLA Vehicle Enquiry Service · DVSA MOT History API
We will notify registered users of material changes via the email address on their account. The current version is always available at ridervaultapp.co.uk/privacy. Continued use of the app after notification constitutes acceptance of the revised policy.
| admin@arroketintelligence.com | |
| Privacy-specific queries | admin@arroketintelligence.com |
| Registered address | 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ |
| Company No. | 17137573 |