Privacy Policy
This is a summary. The full legal detail follows in the sections below.
Rider Vault is a motorcycle management app. We collect and use your data solely to provide you with the service — nothing more.
- We collect your email address, vehicle registration numbers, photo metadata (not the photos themselves — these stay on your device), service history you enter, and (in a future update) GPS mileage data.
- We use your vehicle registration to look up MOT, VED, and recall data from official government sources.
- VINs and V5C reference numbers are encrypted on your device before they reach our servers. We hold the ciphertext only.
- We do not sell your data. We do not share it with advertisers. We do not use it for profiling.
- You can delete your account and all your data from within the app at any time.
- We store your data in the United Kingdom.
1. Who We Are
Rider Vault ('we', 'us', 'our') is the data controller for personal data processed through the Rider Vault mobile application and any associated services. We are registered in England and Wales.
If you have any questions about this policy or how we handle your data, contact us at: [email protected]
2. What Data We Collect and Why
We collect only what is necessary to provide the service. Each category below explains what we collect, why we collect it, and the legal basis under UK GDPR.
2.1 Account Data
- Email address — used for account authentication and service communications (MOT/VED reminders, critical alerts).
- Password — stored as a salted bcrypt hash. We never store or transmit your password in plain text.
Lawful basis: Performance of a contract (UK GDPR Article 6(1)(b)). You cannot use Rider Vault without an account.
2.2 Vehicle Data
- Vehicle registration number (number plate) — used to query the DVLA Vehicle Enquiry Service (VES) and DVSA MOT History API to retrieve tax status, MOT history, mileage, and recall information.
- Make, model, year, and variant — entered by you to build your bike profile.
- Purchase date and current mileage — entered by you for service interval and scoring calculations.
- VIN (Vehicle Identification Number) and V5C reference number — if entered, these are encrypted on your device using AES-256 encryption before transmission. Our servers hold only the encrypted ciphertext. The encryption key is stored in your device's secure enclave (iOS SecureStore). We cannot read your VIN or V5C.
Lawful basis: Performance of a contract (Article 6(1)(b)). Vehicle data is the core input for the service.
2.3 Service History and Maintenance Records
- Service entries you log manually: date, mileage, type of work, cost, and any notes.
- These records are stored against your bike profile and are used to calculate health scores and service interval alerts.
Lawful basis: Performance of a contract (Article 6(1)(b)).
2.4 Photographs
- Photos you choose to add of your bike are stored locally on your device only, using your device's local storage. They are not transmitted to or stored on our servers.
- You may optionally save photos to your camera roll, in which case they are held within your own iCloud or Google Photos account under your own cloud storage agreement. We do not hold, access, or process your bike photos.
- Photo metadata only (filename, upload timestamp, and which photo is set as primary) is stored against your bike profile on our servers to manage display ordering. No image data is transmitted to us.
Lawful basis: Performance of a contract (Article 6(1)(b)). Photo metadata is necessary to provide the gallery feature within the service.
2.5 Location Data (Future Feature — Phase 9)
A future update will introduce automatic mileage tracking using your device's GPS. This feature is not active in the current version of Rider Vault.
- When introduced, location data will be used only to calculate journey mileage. Raw GPS coordinates will not be stored. Only derived mileage figures are retained.
- This feature will require your explicit permission. You will be presented with a clear explanation of how location data is used before any access is requested.
Lawful basis: Explicit consent (Article 6(1)(a)). You will be able to withdraw consent at any time from within the app.
2.6 Usage and Technical Data
- Crash reports and error logs collected via Sentry (crash reporting service). These include device type, operating system version, app version, and the nature of the error. They do not include personal data from your account.
- Anonymous usage analytics may be collected to understand how features are used. This data is aggregated and cannot be linked to individual accounts.
Lawful basis: Legitimate interests (Article 6(1)(f)). We have a legitimate interest in maintaining the reliability and improving the performance of the service.
2.7 Government API Data (DVLA and DVSA)
- When you add a vehicle, we query the DVLA Vehicle Enquiry Service (VES) API to retrieve: tax status, MOT status, colour, fuel type, engine size, CO2 emissions, and date of first registration.
- We also query the DVSA MOT History API to retrieve a vehicle's full MOT test history including test dates, results, mileage at test, and advisory notices.
- This data is sourced from the DVLA Vehicle Enquiry Service and DVSA systems. We display it as received and cache it briefly to avoid unnecessary repeat calls.
- DVLA and DVSA data is not stored beyond what is necessary to display it to you and update your bike's health score. Cache periods are aligned with DVLA API terms of use.
Lawful basis: Performance of a contract (Article 6(1)(b)). Retrieving official vehicle data is the core function of the service.
3. How We Store Your Data
3.1 Storage Location
All personal data is stored in the United Kingdom. We use the following infrastructure providers:
- Supabase (database and metadata storage) — UK region (London, AWS eu-west-2).
- Railway (application server and processing) — EU region.
We do not transfer your personal data outside the UK or EEA.
3.2 Security Measures
- All data in transit is encrypted using TLS 1.2 or higher.
- Passwords are hashed using bcrypt with a cost factor of 12.
- VIN and V5C data is encrypted client-side using AES-256 before transmission. Encryption keys are held in your device's secure enclave. We cannot decrypt this data.
- Access to production systems is restricted to authorised personnel only.
3.3 Data Retention
We retain your data for as long as your account is active. Specific retention periods by data type:
- Account data (email, hashed password): retained for the lifetime of your account and deleted within 30 days of account deletion.
- Vehicle profiles and service history: retained for the lifetime of your account and deleted within 30 days of account deletion.
- Photographs: stored on your device only and remain under your control at all times. Photo metadata records (filename, timestamp, primary flag) held on our servers are deleted within 30 days of account deletion.
- DVLA/DVSA cached data: retained only for the period permitted under DVLA and DVSA API terms of use. Not retained beyond the caching window.
- Crash and error logs (Sentry): retained for 90 days.
- Anonymised analytics: may be retained indefinitely as aggregated data not linked to any individual.
4. Who We Share Your Data With
We do not sell your data. We do not share your data with advertisers or marketing platforms. We share data only with the third-party service providers listed below, who act as data processors on our behalf.
4.1 Infrastructure and Technical Processors
- Supabase Inc. — database hosting and metadata storage. Data held in UK region. Supabase processes data under their Data Processing Agreement.
- Railway Corp. — application hosting and background job processing.
- Sentry (Functional Software Inc.) — crash reporting and error monitoring. Crash data does not include personal account data.
4.2 Payment Processors
- Stripe Inc. — payment processing for Rider Vault subscriptions on Android and web. Stripe does not receive any vehicle or profile data from your Rider Vault account.
- Apple Inc. — in-app purchase processing for iOS subscriptions via StoreKit. Apple processes payments under their own terms.
4.3 Government APIs
- DVLA Vehicle Enquiry Service — we send your vehicle registration number to the DVLA VES API to retrieve vehicle data. This is a one-way query; DVLA does not receive any other account data.
- DVSA MOT History API — we send your vehicle registration number to the DVSA MOT History API to retrieve MOT records.
4.4 Legal Disclosure
We may disclose personal data if required to do so by law, or in response to valid legal process from a UK authority with appropriate jurisdiction.
5. Your Rights Under UK GDPR
As a data subject under UK GDPR, you have the following rights.
5.1 Right of Access
You have the right to request a copy of the personal data we hold about you. Submit a Subject Access Request to [email protected]. We will respond within 30 days.
5.2 Right to Rectification
If any personal data we hold is inaccurate, you have the right to request correction. Most data can be corrected directly within the app. Contact us for anything that cannot be self-corrected.
5.3 Right to Erasure (Right to Be Forgotten)
You have the right to request deletion of your personal data. You can exercise this right directly from within the app:
- Go to Settings within the Rider Vault app.
- Select 'Delete Account'.
- Confirm deletion. A two-step confirmation is required.
Account deletion permanently removes your profile, all vehicle data, service history, and photographs from our systems within 30 days. This action is irreversible.
Alternatively, submit a deletion request to [email protected].
5.4 Right to Restriction of Processing
You have the right to request that we restrict processing of your data in certain circumstances, for example where you contest its accuracy.
5.5 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format. Contact [email protected] to request a data export.
5.6 Right to Object
You have the right to object to processing based on legitimate interests. Where we process data on the basis of legitimate interests, you may object and we will cease processing unless we can demonstrate compelling legitimate grounds.
5.7 Rights Relating to Automated Decision-Making
Rider Vault uses an automated scoring engine to calculate a health score for each vehicle. This score is generated from data you have provided and data from official government sources. It is presented for informational purposes only and does not constitute a binding assessment. No decisions with legal or similarly significant effects are taken solely on the basis of this automated processing.
5.8 Right to Withdraw Consent
Where processing is based on your consent (for example, location data when that feature is introduced), you may withdraw consent at any time from within the app's Settings screen. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.
5.9 Right to Lodge a Complaint
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would, however, appreciate the opportunity to address your concerns before you contact the ICO. Please contact us first at [email protected].
6. Cookies and Tracking
Rider Vault is a native mobile application and does not use browser cookies.
We do not use cross-app tracking. We do not use advertising networks or analytics SDKs that perform tracking across apps or websites. Apple's App Tracking Transparency framework is not triggered because we do not engage in the tracking activities that require it.
The app uses session tokens stored in your device's secure storage (iOS SecureStore) for authentication purposes only. These tokens are not shared with any third party.
7. Children
Rider Vault is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us at [email protected] and we will delete the data promptly.
8. Changes to This Policy
We may update this privacy policy from time to time. When we make material changes, we will notify you via the app and update the effective date at the top of this page. Continued use of Rider Vault after changes have been notified constitutes acceptance of the updated policy.
Previous versions of this policy are available on request.