Data Processing Information

Last updated: 12 May 2026

    This page explains how PartsCloud processes personal data on behalf of its customers, in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
  

1. Roles Under UK GDPR

When you use PartsCloud, two distinct roles apply:

Data Controller: Your business is the data controller for any personal data you input into PartsCloud (e.g. customer details, staff data).
Data Processor: PartsCloud (One77 LTD) acts as data processor, processing personal data on your instructions to provide the service.

For data relating to your PartsCloud account itself (e.g. your name, email, billing details), PartsCloud acts as the data controller. See our Privacy Policy for details.

2. What Personal Data We Process on Your Behalf

As a vehicle dismantling business using PartsCloud, you may input the following categories of personal data:

Staff / user names and login credentials
Any personal data contained in vehicle records (e.g. previous owner information from V5C documents)
Any personal data included in notes or free-text fields

PartsCloud does not require or encourage you to enter personal data beyond what is necessary for business operations.

3. Purpose and Legal Basis

We process data on your behalf solely for the purpose of providing the PartsCloud service. The legal basis for this processing is contract performance (UK GDPR Article 6(1)(b)), it is necessary to fulfil our obligations under our Terms of Service.

4. Sub-Processors

We use the following sub-processors to deliver our service:

Hetzner Online GmbH: cloud infrastructure and hosting (EU-based servers). Hetzner is GDPR-compliant and operates under a Data Processing Agreement. Hetzner Privacy Policy →

We will notify you of any material changes to our sub-processor list with reasonable advance notice.

5. International Transfers

Your data is hosted on servers located within the European Union (Hetzner, Germany/Finland). No transfers of personal data are made to countries outside the UK or EU/EEA, except where eBay API integration is used, in which case listing data is transmitted to eBay's servers in accordance with eBay's own privacy policies.

6. Data Retention

We retain data for the duration of your subscription, plus 12 months following termination to allow for any disputes or recovery requests. After this period, all data is permanently and securely deleted.

You may request earlier deletion of your organisation's data by contacting us at [email protected].

7. Security Measures

We implement the following technical and organisational security measures:

All data in transit encrypted via TLS 1.2+
Passwords hashed using bcrypt with appropriate cost factors
Server access restricted to authorised personnel only
Automated intrusion detection (fail2ban) on all servers
Regular security patching of server infrastructure
Database access restricted to application processes only (no public exposure)

8. Your Obligations as Data Controller

As the data controller for personal data you input into PartsCloud, you are responsible for:

Ensuring you have a lawful basis to process any personal data you enter into the platform
Complying with UK GDPR obligations towards individuals whose data you process
Responding to data subject access requests or deletion requests relating to data you control
Notifying us promptly if you become aware of any data breach involving data stored in PartsCloud

9. Data Breach Notification

In the event of a personal data breach affecting data we process on your behalf, we will notify you without undue delay and within 72 hours of becoming aware of the breach, providing sufficient information to enable you to meet your own reporting obligations to the ICO where applicable.

10. Data Processing Agreement

Our Terms of Service incorporate the obligations of a Data Processing Agreement (DPA) as required by UK GDPR Article 28. If your organisation requires a standalone DPA document for compliance purposes, please contact us at [email protected] and we will provide one.

11. Contact

For any data protection queries, contact us at:

Email: [email protected]
Company No: 12025018
VAT No: GB478345061
Registered: England and Wales

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.