Privacy Policy

Last updated: 12 May 2026

This policy explains how PartsCloud, operated by One77 LTD ("we", "us", "our"), collects, stores, and uses personal data when you use our parts management platform. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are the data controller for personal data processed through our website at partscloud.co.uk and our application at app.partscloud.co.uk.

1. Data We Collect

When you create an account and use PartsCloud, we collect and store:

• Account information: Username, email address, password (hashed).
• Business data: Organisation name, vehicle records, parts inventory, invoices, customer details.
• Uploaded files: Photos of parts and vehicles.
• Usage data: Login timestamps, IP addresses (stored in our audit log for security).
• Sign-up requests: Business name, contact name, email, phone number, selected plan.
• Contact messages: Message content submitted via our contact form.

We do not collect special-category personal data (health, biometric, racial or ethnic origin, religious belief, sexual orientation, political opinion, trade-union membership, or genetic data).

2. How We Protect Your Data

• Contact name, email address, and phone number are encrypted at rest using AES-128 symmetric encryption (Fernet). The encryption key is stored separately from the database.
• Passwords are hashed using bcrypt and are never stored in plaintext.
• All connections to PartsCloud are encrypted via HTTPS/TLS.
• Our database is hosted on a private virtual server (Hetzner, Germany, EU) accessible only to authorised administrators.
• Security headers (CSP, HSTS, X-Frame-Options) are enforced on all pages.
• Rate limiting is applied to authentication endpoints to prevent brute force attacks.
• Daily encrypted backups are taken to three separate destinations (Cloudflare R2, Dropbox, GitHub) for disaster recovery.

3. Why We Collect It (Legal Basis under UK GDPR)

We process personal data on the following legal bases:

• Performance of a contract — to provide the platform features you signed up for: account creation, inventory management, invoicing, eBay listings, payment processing.
• Legal obligation — to retain financial records (invoices, transaction logs) for the period required by UK tax and company law (6 years).
• Legitimate interests — to maintain platform security, prevent fraud and abuse, respond to support enquiries, monitor service performance, and improve the product. We balance these interests against your rights.
• Consent — for any optional processing not covered by the above (for example, marketing communications). You may withdraw consent at any time.

4. Who Can See Your Data

Your data is only accessible to you and your organisation's administrators. We do not sell, rent, or share your personal data for marketing or advertising purposes — to anyone, ever. Any marketing communications you receive from PartsCloud come from us directly and you can opt out at any time. We may share your data with the following processors strictly to operate the service or comply with law:

• Hetzner (hosting provider, EU/Germany) — stores your encrypted data on our behalf as a data processor.
• Stripe (payment processor) — processes subscription payments securely. We never see or store your card details.
• Postmark (email provider, USA) — sends transactional emails (password resets, invoices, notifications) on our behalf.
• Anthropic (AI provider, USA) — powers AI features such as the support chat. Message content is processed but not stored long-term by Anthropic and is not used to train their models.
• Vehicle Data Global / DVLA / DVSA — receives vehicle registration numbers you submit for lookup. We do not share account-holder personal data with these services.
• Cloudflare R2 (UK/EU regions) — encrypted backup storage.
• Legal authorities — where we are required to disclose data by law, court order, or to protect the rights of PartsCloud or others.

International transfers. Some of the providers above (Stripe, Postmark, Anthropic) are located outside the UK and EEA. Where data is transferred internationally, the transfer is protected by an adequacy decision (where one applies) or by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, ensuring an essentially equivalent level of protection.

Internal alerts. Automated internal alerts (via Telegram) may include your name and business name. Email addresses and phone numbers are not included in alerts.

Technical support access. Authorised PartsCloud staff may access your account in view-only or administrative mode to provide technical support, investigate billing or security issues, diagnose errors you have reported, or comply with a lawful request. All such access is logged internally (time, staff member, account accessed, reason) and reviewable on request. We will not access your account for any other purpose, and we will not modify, export, or share your data beyond what is necessary to resolve a specific support or security issue.

5. Data Retention

• Account data is retained for as long as your account is active.
• Sign-up request data is retained for up to 12 months.
• Contact messages are retained for 12 months.
• Audit log entries (IP addresses and actions) are retained for up to 12 months for security.
• If you request account deletion, all personal data is permanently removed, except records we are legally required to retain.
• Financial records (invoices, transaction history, VAT records) are retained for 6 years after the end of the relevant tax year, as required by HMRC under UK tax law. This applies even if you request account deletion.
• Accounts inactive for more than 24 months may be flagged for deletion. We will notify you by email before any action is taken.

6. Cookies & Local Storage

• Session cookie: A single cookie is used to keep you logged in.
• Theme preference: Your light/dark mode choice is saved in localStorage. This data never leaves your device.

No tracking, analytics, advertising, or third-party cookies are used.

7. Your Rights (UK GDPR)

You have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — correct inaccurate or incomplete data.
• Erasure — request deletion of your data ("right to be forgotten"), subject to legal retention requirements.
• Restriction of processing — ask us to limit how we use your data while a query about it is being resolved.
• Portability — receive your data in a structured, machine-readable format and have it transmitted to another controller where technically feasible.
• Object — to any processing based on legitimate interests.
• Withdraw consent — where processing is based on consent, you may withdraw it at any time. This does not affect the lawfulness of processing carried out before withdrawal.
• Not be subject to automated decision-making — we do not make decisions that produce legal or significant effects on you based solely on automated processing. Where AI features are used (e.g. support chat), the output is informational only and human staff remain responsible for any account action.

To exercise any right, contact [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

8. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach.
• Notify affected users directly via email without undue delay.
• Document all breaches internally regardless of severity.

9. Changes to This Policy

We may update this policy from time to time. The date at the top of this page will reflect the most recent revision. Material changes will be communicated via email or in-app banner.

10. Reporting Security Issues

Found a security issue or vulnerability? Please report it to [email protected]. We commit to acknowledging every report within 2 working days, investigating in good faith, and crediting reporters in our release notes where appropriate. Please do not publicly disclose a vulnerability until we have had a reasonable opportunity to address it.

11. Contact & Data Controller

Data Controller: One77 LTD
Company No: 12025018
VAT No: GB478345061
Trading as: PartsCloud
Email: [email protected]
Website: partscloud.co.uk