Privacy Policy
Last updated: 24 April 2026
CarMind Ltd is registered as a data controller with the ICO.
1. Who we are
CarMind Ltd ("CarMind", "we", "us") operates carmind.uk. We are the data controller for personal data you provide to us.
Contact: [email protected]
2. Data we collect
Account data: Email address, password (hashed), phone number (optional), billing details processed by Stripe.
Search preferences: Your search profiles — makes, models, regions, price ranges, and other criteria you configure.
Usage data: Lead views, status changes (interested/passed), login timestamps, alert delivery records.
Technical data: IP address, browser type, device identifiers, session data (via Supabase Auth).
Communications: Emails and messages you send to our support address.
3. How we use your data
We use your data to:
- Deliver lead alerts that match your search profiles
- Process payments and manage your subscription
- Send service notifications (billing, system updates)
- Improve our scoring algorithms and matching accuracy
- Comply with legal obligations
Legal bases: contract performance (subscription delivery), legitimate interests (service improvement, fraud prevention), legal obligation (tax, ICO requirements).
We do not use your data for advertising profiling or sell your data to third parties.
4. Listing data and seller information
Lead alerts may include contact details (phone numbers, names) scraped from public listing platforms. This information is sourced from platforms where sellers have voluntarily made it public. You must use this information only for the purpose of enquiring about the vehicle described in the alert, in accordance with applicable data protection law.
5. Data sharing
We share data only with service providers necessary to operate CarMind:
- Supabase — database and authentication (EU-hosted)
- Stripe — payment processing
- Twilio — WhatsApp and SMS delivery
- Resend — transactional email delivery
- Anthropic — AI call script generation (no personal data sent to Anthropic; only anonymised listing content)
All providers are bound by data processing agreements and comply with UK GDPR.
6. Data retention
We retain your account data for as long as your subscription is active and for 90 days after cancellation. Lead delivery records and anonymised usage stats are retained for up to 24 months for service improvement purposes.
After the retention period, all personal data is securely deleted or anonymised.
7. Your rights
Under UK GDPR, you have the right to:
- Access — request a copy of the data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — request deletion of your personal data
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interests
- Restriction — ask us to restrict processing while a complaint is resolved
To exercise any right, email [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the ICO.
You can also submit a data erasure request directly: Request erasure
8. Cookies
We use only essential cookies required for authentication (session token stored by Supabase Auth). We do not use advertising or tracking cookies. No cookie consent banner is required.
9. Security
Passwords are hashed and never stored in plaintext. All data is encrypted in transit (TLS) and at rest. Access to production data is restricted to named personnel and audited.
10. Changes
We may update this policy from time to time. Material changes will be communicated by email. The date at the top of this page shows when it was last updated.
11. Contact
Data protection enquiries: [email protected]
General enquiries: [email protected]