Privacy Policy
Last updated: 05/06/2026
This Privacy Policy explains how Autodue Ltd ("we", "us", or "our") collects, uses, and protects your personal information when you use our website and services. We are committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Autodue Ltd is registered with the UK Information Commissioner's Office (ICO) as a data controller under registration number ZC136310.
1. Information We Collect
- Account Information: Name, email address, password.
- Phone Number (Optional): Mobile phone number for SMS alerts and occasional short calls about your experience using Autodue.
- Vehicle Information: Registration number, make, model, year, colour, tax/MOT status, insurance details, service schedules, and related deadlines.
- Mileage Records: Odometer readings recorded manually by you, or automatically captured from MOT history, service logs, walkaround checks, or expense entries. Each reading includes the mileage figure, date, and source.
- Service History: Records of vehicle servicing including service date, type (full, interim, major, minor), garage name, cost, mileage at service, parts replaced, and any notes. Attached receipts or invoices (photos/PDFs) are stored alongside the record.
- Service Schedules: Your configured service intervals (by time and/or mileage), target mileage, and next service date for each vehicle.
- Expense Records: Vehicle-related expenses including category (fuel, service, repair, insurance, tax, MOT, parking, tolls, cleaning, tyres, parts, breakdown cover, finance, or other), amount, date, vendor name, description, and mileage at the time of expense. Attached receipts (photos/PDFs) are stored alongside the record.
- Insurance Information: Motor insurance details including provider name, policy number, start and expiry dates, cover type, and premium amount. This data is entered by you or extracted from uploaded insurance documents.
- Vehicle Inspection Records: Walkaround check results including pass/fail status for each inspection item, timestamps, notes, and photos of any issues identified.
- Location Data: GPS coordinates captured during vehicle walkaround checks to verify where inspections are performed, and the location of a road traffic accident when you report one.
- Defect Reports: Details of vehicle defects including descriptions, severity, photos, resolution notes, comments, resolution costs, and assignment information.
- Accident Reports: When you report a road traffic accident, we collect the date and time of the accident, its GPS location and address, a description of what happened, road and weather conditions, your vehicle's mileage and damage, whether it remained safe to drive, whether recovery was needed, whether emergency services attended and any police incident reference number, photos of the scene and vehicles, and any insurance claim reference.
- Third-Party Details in Accident Reports: Where you choose to record them, the name, phone number, address, vehicle make/model and registration, and insurer and policy number of any other party involved in an accident. You provide this information; it relates to other people, and we hold it so you can manage the accident and any insurance claim.
- Injury Information in Accident Reports (special category data): If anyone is injured in an accident, you may record the injured person's name, their role (driver, passenger, pedestrian or cyclist), the nature of the injury, and any treatment or hospital. Information about a person's health is "special category" data under UK GDPR; we collect it only to document the accident and support an insurance claim, and only where you choose to enter it.
- Witness Details in Accident Reports: Where you choose to record them, the name, phone number, email address, and any statement of a person who witnessed an accident. You provide this information; it relates to other people, and we hold it so you can manage the accident and any insurance claim.
- Activity Logs: Audit trail of actions taken on defects, including who made changes, what was changed, and when.
- Uploaded Files: Photos, PDFs, and other documents uploaded during inspections, defect reporting, service logging, or expense tracking. We store the original file along with metadata (filename, file size, and file type).
- Uploaded Documents (AI Scanning): Photos and PDFs of vehicle-related documents (such as service invoices, fuel receipts, insurance certificates, and warranty documents) that you choose to scan using our document extraction feature.
- Usage Data: Log data, IP address, browser type, device information, and cookies.
- Device Information: Device tokens for push notifications, device model, OS version.
- Payment & Billing Information: Subscription status, billing history, and invoice records. We do not store your full credit card numbers or payment credentials - these are handled securely by our payment processors (see Section 4).
- Communications: Any messages or support requests you send us.
- Internal Notes: Notes recorded by Autodue staff about your account, support history, or feedback you share with us. These are visible only to Autodue staff and are not shared with third parties, except as set out in Section 4 (e.g. where required by law).
- Making Tax Digital (HMRC) Information: If you connect Autodue to HM Revenue & Customs (HMRC) to use our Making Tax Digital for Income Tax features, we process your National Insurance number, the self-employment business details HMRC holds for you, the income and expense figures you submit, your filing obligations and deadlines, tax calculations, employment income, Self Assessment account balances and payments, and your final declarations. We connect to HMRC using OAuth 2.0 and store the resulting access and refresh tokens; we do not store your HMRC sign-in details (your Government Gateway user ID or password).
2. How We Use Your Information
- To provide and maintain our services, including tracking vehicle deadlines and compliance.
- To contact the DVLA and other official sources to retrieve vehicle information on your behalf.
- To send you email reminders about upcoming deadlines (MOT, tax, service, insurance, and other scheduled reminders).
- Mileage Tracking: To record and display odometer readings over time, whether entered manually by you or captured automatically from MOT test history, service records, walkaround checks, or expense entries.
- Service History & Scheduling: To maintain a history of vehicle servicing, calculate when the next service is due based on your configured intervals (time and/or mileage), and send reminders when a service is approaching.
- Expense Tracking: To record and categorise vehicle-related costs, provide spending summaries, and attach receipts to expense records for your reference.
- Insurance Tracking: To store your motor insurance details, track policy expiry dates, and send reminders before your insurance is due for renewal.
- Vehicle Inspections: To record and track walkaround check results for compliance and safety purposes.
- Location Verification: To verify where vehicle inspections are performed, supporting compliance and audit requirements.
- Defect Management: To track and manage vehicle defects from reporting through to resolution.
- Accident Management: To record road traffic accidents, capture the details and evidence needed to support an insurance claim, and, where your vehicle is left unsafe to drive, raise a linked defect so the vehicle is flagged until it is checked.
- Audit & Compliance: To maintain activity logs for accountability and compliance purposes.
- Document Scanning (AI-Powered): When you use our document scan feature, your uploaded document is sent securely to our AI provider (Anthropic) which extracts structured data such as dates, costs, and service details. The extracted data is presented to you for review and editing before anything is saved. We do not use your documents to train AI models.
- Fraud Prevention: To detect potentially invalid inspections (e.g., checks completed unusually quickly).
- SMS Alerts (Optional): If you provide your phone number, we send SMS alerts for imminent or overdue deadlines. This is optional and you can remove your phone number at any time.
- Service Feedback Calls (Optional): We may occasionally call you for a short conversation about how Autodue is working for you and how we could improve. These are not sales calls, and we will not share your number with third parties for marketing. You can ask us not to call at any time and we will record the request and stop.
- Push Notifications: To send you push notifications on your mobile device about deadlines and important updates.
- To communicate with you about your account, deadlines, and updates.
- To improve our services, website, and user experience through analytics.
- To monitor and improve app stability and performance.
- Customer Support & Internal Notes: To record notes about your account, support history, and feedback so we can give you better support and improve the service.
- Making Tax Digital (Income Tax): To retrieve your tax obligations and business details from HMRC, prepare and submit the quarterly updates and final declaration you confirm, retrieve tax calculations, and help you pay any tax due. We only do this for the businesses you choose to manage through Autodue.
- To comply with legal obligations.
3. Legal Basis for Processing
- Contract: Processing is necessary to provide our services to you.
- Consent: Where you have given explicit consent (e.g., for marketing communications).
- Legal Obligation: To comply with applicable laws and regulations.
- Legitimate Interests: For analytics, service improvement, and fraud prevention.
- Special Category Data (health): Where you record injury information in an accident report, that health data is processed under Article 9(2)(f) UK GDPR (the establishment, exercise or defence of legal claims, such as an insurance claim), in addition to the contract basis above.
4. How We Share Your Information
- DVLA: We share your vehicle registration number with the UK DVLA to retrieve MOT status, tax status, and MOT test history (including mileage readings recorded at each MOT test).
- HM Revenue & Customs (HMRC): If you use our Making Tax Digital features, we send your tax information (such as the income and expense figures you submit and your National Insurance number) to HMRC on your behalf, together with the fraud-prevention header data HMRC requires by law. See Section 4a for detail.
- Google Analytics (Web): We use Google Analytics via Google Tag Manager on our website to understand how visitors use our site. Analytics cookies are only set after you give consent. We use Consent Mode v2 to ensure no tracking data is collected before consent is given. Google Privacy Policy
- Google Firebase (Mobile App): We use Firebase for analytics, crash reporting, and push notifications in our mobile app. Firebase may collect device information, usage data, and crash logs. Analytics is disabled by default and only enabled after you give consent. Firebase Privacy Policy
- Facebook (Meta) - Joint Controller: We use Facebook Pixel on our website and the Facebook SDK / Facebook App Events in our mobile app to measure the effectiveness of our advertising. For the data collected through these tools, Autodue and Meta Platforms Ireland Ltd act as joint controllers under Article 26 UK/EU GDPR (as established by the Court of Justice of the European Union in Wirtschaftsakademie Schleswig-Holstein (C-210/16) and Fashion ID (C-40/17)). The allocation of data-protection responsibilities between us is governed by Meta's Controller Addendum. These tools are only active after you give consent via our cookie banner (web) or the in-app analytics toggle (mobile). Meta Privacy Policy
- Hosting Provider: Our hosting provider stores your data securely.
- Email Service: We use an email service provider to send reminders and notifications.
- SMS Provider (if applicable): If you opt in to SMS alerts, your phone number is shared with our SMS gateway provider.
- Payment Processors: Subscription payments are processed by:
  - Apple (App Store): For iOS in-app purchases. Apple Privacy Policy
  - Stripe: For Android and web payments. Stripe is PCI DSS Level 1 certified. Stripe Privacy Policy
- Anthropic (AI Processing): When you use our document scan feature, your uploaded document image or PDF is sent to Anthropic's API for data extraction. Anthropic processes the document in real time and does not retain your data after processing or use it for model training. Anthropic Privacy Policy
- BookMyGarage (via Awin): When you use the "Book MOT" feature in our app, your vehicle registration number and postcode are passed to BookMyGarage to display local garage prices and availability. This redirect goes through Awin, an affiliate network, which means Autodue may earn a commission if you complete a booking. This does not affect the prices you see. BookMyGarage Privacy Policy · Awin Privacy Policy
- Quotezone (via Seopa): When you tap "See insurance offers" on an insurance deadline, we open a Quotezone advertisement in a new tab. No personal data, vehicle data, or registration information is shared with Quotezone from your Autodue account. The link is a passive advertisement; you enter all details directly on Quotezone if you choose to compare quotes. Autodue may earn a commission if you purchase a policy via that link, at no additional cost to you. Quotezone Privacy Policy
- With law enforcement or regulators if required by law.
- We do not sell your personal data to third parties for marketing purposes.
4a. Third-Party Services in Detail
Google Analytics (Website)
- Google Tag Manager + Google Analytics: Tracks page views, navigation patterns, and feature usage on our website.
- Consent Mode v2: All tracking is denied by default. Cookies are only set after you give explicit consent via our cookie banner.
- What is collected: Page views, click events, browser type, device information. No personally identifiable information.
- Legal Basis: Consent (analytics cookies require your opt-in).
- Data Retention: Configured according to our Google Analytics settings (default 14 months).
Google Firebase (Mobile App)
- Firebase Analytics: Tracks app usage and user behaviour to help us improve the app. Disabled by default and only enabled after you give consent.
- Firebase Crashlytics: Monitors app crashes and errors to ensure stability.
- Firebase Cloud Messaging (FCM): Sends push notifications to your device.
- Legal Basis: Consent for analytics; legitimate interest for crash reporting and push notifications.
- Data Retention: Firebase retains data according to their privacy policy (typically 60-90 days for crash logs).
Facebook (Meta) - Joint Controller
- Facebook Pixel (Website): Measures the effectiveness of our advertising campaigns by tracking conversions from Facebook ads.
- Facebook SDK / App Events (Mobile App): The Facebook SDK in our iOS and Android apps records in-app events (e.g. registration, subscription) for advertising measurement. Disabled by default and only enabled after you give consent via the in-app analytics toggle.
- Joint controllership: For the personal data collected through the Facebook Pixel and the in-app Facebook SDK, Autodue and Meta Platforms Ireland Ltd are joint controllers within the meaning of Article 26 UK/EU GDPR. This follows the rulings of the Court of Justice of the European Union in Wirtschaftsakademie Schleswig-Holstein (Case C-210/16) and Fashion ID (Case C-40/17), which established that an operator that integrates Meta's tracking technologies determines, jointly with Meta, the means and purposes of the data collection and transmission. The respective responsibilities of Autodue and Meta are set out in Meta's Controller Addendum, which forms part of the Meta Business Tools Terms.
- What is collected: Hashed identifiers (such as email and phone number), event names and parameters, IP address, device and browser information, and Meta-specific identifiers (e.g. _fbp, _fbc on web; mobile advertising IDs where authorised on mobile). No passwords or sensitive personal data.
- Legal basis: Your explicit consent under Article 6(1)(a) UK/EU GDPR. Consent is obtained via our cookie banner on the website and the in-app analytics toggle in the mobile app, and you can withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
- Apple App Tracking Transparency (ATT) is not GDPR consent. The ATT prompt shown on iOS is an Apple operating-system permission that controls Meta's access to the device-level advertising identifier (IDFA). It is not a lawful basis for processing under UK/EU GDPR. We therefore ask separately for your in-app analytics consent, which controls whether the Facebook SDK is initialised and whether any events are sent to Meta. Declining ATT, declining our in-app consent, or both are all valid choices and we honour each independently.
- International transfers: Meta is established in Ireland but transfers personal data to Meta Platforms, Inc. in the United States. See Section 5 below for the safeguards that apply to those transfers.
- Withdrawing consent: You can withdraw consent on the web by re-opening the cookie banner and selecting "Reject", and in the mobile app via Settings → Privacy → Usage Analytics. Withdrawing consent stops further data being sent to Meta; data already transmitted is governed by Meta's Controller Addendum and Meta's Privacy Policy.
Anthropic (AI Document Processing)
- Anthropic Claude API: Processes uploaded documents to extract structured data (dates, costs, descriptions, etc.).
- What is sent: Only the document image or PDF you choose to scan. No other personal data is included in the request.
- Data retention by Anthropic: Anthropic does not retain your inputs or outputs after processing when using their API. Your documents are not used to train their models.
- Legal Basis: Contract performance (providing the document scan feature you have chosen to use).
BookMyGarage (MOT Booking via Awin)
- Purpose: When you tap "Book MOT", we redirect you to BookMyGarage to compare local garage prices for your MOT test.
- What is shared: Your vehicle registration number and the postcode you enter. No other personal data is sent.
- Affiliate relationship: The link passes through Awin, an affiliate tracking network. Autodue may receive a commission if you complete a booking. This does not affect the price you pay.
- Local storage: Your last-used postcode is saved on your device only (not sent to our servers) so it can be pre-filled next time for convenience.
- Legal Basis: Contract performance (providing the MOT booking feature you have chosen to use).
Quotezone (Insurance Comparison via Seopa)
- Purpose: When you tap "See insurance offers" on an insurance deadline, we open a Quotezone advertisement so you can compare UK insurance quotes if you choose to.
- What is shared: Nothing. No personal data, vehicle data, or registration information leaves Autodue. The link is a passive advertisement; you enter all information directly on Quotezone.
- Affiliate relationship: Autodue may receive a commission if you purchase a policy via the link, at no additional cost to you. We are not authorised by the Financial Conduct Authority and we do not introduce customers to insurance providers; the link is advertising only.
- Legal Basis: Legitimate interest (showing an advertisement that you can choose to engage with).
HM Revenue & Customs (Making Tax Digital for Income Tax)
- Purpose: If you connect Autodue to HMRC, we act as your record-keeping software for Making Tax Digital for Income Tax, retrieving your obligations and business details and submitting the quarterly updates and final declaration you confirm, on your behalf.
- Authentication: We use HMRC's OAuth 2.0 flow. You sign in directly with HMRC, so we never see or store your Government Gateway user ID or password. We store the access and refresh tokens HMRC issues, encrypted at rest, and use them only to make the calls you ask us to.
- What is sent to HMRC: Your National Insurance number, business and accounting details, the income and expense figures you submit, and your final declaration confirmations, as required by the Making Tax Digital APIs you use.
- Fraud prevention data: HMRC legally requires every Making Tax Digital API call to carry "fraud prevention headers". These describe the device and connection used to make the request: a per-installation device identifier, your device's local and public IP addresses and timezone, screen and user-agent details, and our server's own identifiers. We collect this only for HMRC-bound requests, and send it only to HMRC, in line with HMRC's fraud prevention specification. It is a legal requirement, not optional.
- How we protect it: Your National Insurance number and HMRC tokens are encrypted at rest and are never written to our logs, background-job payloads, or caches in readable form (we use an irreversible keyed fingerprint for any internal references). All traffic between Autodue and HMRC uses encrypted HTTPS.
- Legal Basis: Contract performance (providing the Making Tax Digital service you have chosen to use) and compliance with our legal obligations.
5. International Data Transfers
If we transfer your data outside the UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.
For transfers of personal data to Meta Platforms, Inc. in the United States in connection with the Facebook Pixel and the Facebook SDK / App Events, we rely on the UK Extension to the EU-US Data Privacy Framework (in force in the UK from 12 October 2023 under SI 2023/1028) where Meta is self-certified, and on the UK International Data Transfer Addendum to the European Commission's Standard Contractual Clauses as a fallback. Meta's current DPF self-certification status can be verified at facebook.com/privacy/policies/data_privacy_framework.
6. Data Retention
We retain your data for the following periods:
- Account Information: Until you delete your account, plus 90 days (soft delete period).
- Vehicle Data: Until you remove the vehicle or delete your account.
- Mileage Records: Retained for the lifetime of the vehicle record. Deleted when the vehicle is removed or account is deleted.
- Service History & Schedules: Service logs and configured service schedules are retained for the lifetime of the vehicle record. Deleted when the vehicle is removed or account is deleted.
- Expense Records: Retained for the lifetime of the vehicle record. Deleted when the vehicle is removed or account is deleted.
- Insurance Information: Retained for the lifetime of the vehicle record. Deleted when the vehicle is removed or account is deleted.
- Vehicle Inspections & Defects: Retained for the lifetime of the vehicle record for compliance and audit purposes. Deleted when the vehicle is removed or account is deleted.
- Accident Reports: Retained for the lifetime of the vehicle record, including the third-party, witness, and any injury details recorded against them. Where an accident relates to an insurance claim, the report may be kept for longer to support that claim. Deleted when the vehicle is removed or the account is deleted, subject to any claim-related retention.
- Uploaded Photos & Documents: Retained alongside the record they are attached to (inspection, service log, expense, etc.). Deleted when the associated vehicle or account is deleted.
- Location Data: Stored as part of inspection records and retained for the same period.
- Activity Logs: Retained alongside defect records for compliance and audit purposes.
- Email Notifications: Logs retained for 90 days.
- SMS Logs: Retained for 90 days.
- Billing & Invoice Records: Retained for 7 years after the transaction date, as required by UK tax and accounting regulations (HMRC).
- Making Tax Digital (HMRC) Data: Your HMRC connection tokens are kept (encrypted) until you disconnect HMRC or delete your account. Tax figures, obligations, calculations, and submission records are retained for as long as UK tax law requires you to keep records (generally until at least 5 years after the 31 January submission deadline for the relevant tax year), and are deleted when no longer required or when you delete your account, subject to those legal retention periods.
- Scanned Documents: The original uploaded document is retained as an attachment to the created record (service log, expense, etc.) for the lifetime of that record. Extracted data from AI processing is retained only until you confirm or discard the extraction (typically minutes). Anthropic does not retain your documents after processing.
- Analytics & Crash Data: Automatically deleted after 60-90 days (controlled by Firebase).
- Backups: Deleted after 30 days.
- After Account Deletion: Your data is soft-deleted immediately and permanently purged after 90 days. You may request account recovery within the first 30 days by contacting support.
If you need your data deleted sooner, please contact us at [email protected].
7. Your Rights
- Access your data
- Rectify inaccurate data
- Erase your data ("right to be forgotten")
- Restrict or object to processing
- Data portability
- Withdraw consent at any time (where applicable)
To exercise your rights, contact us at [email protected].
8. Cookies
We use cookies and similar technologies for the following purposes:
- Essential Cookies: Session management, authentication, CSRF protection (cannot be disabled).
- Analytics Cookies: Usage statistics via Google Analytics (requires your consent via cookie banner).
- Advertising Cookies: Facebook Pixel for advertising measurement (requires your consent via cookie banner). Autodue and Meta act as joint controllers for this processing - see Section 4a.
- Preference Cookies: Appearance mode and similar settings (stored locally in your browser).
You can manage your cookie preferences using the cookie consent banner on our website. For more details, see our Cookie Policy.
9. Security
We implement appropriate technical and organisational measures to protect your data. However, no system is completely secure, and we cannot guarantee absolute security.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through our website.
11. Contact Us
If you have any questions or concerns about this Privacy Policy or your data, please contact us at [email protected].
12. Complaints
If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO): https://ico.org.uk/make-a-complaint/