Privacy Policy
Last updated: 23 May 2026
Controller information
Trading name: Autoza (autoza.co.uk)
Data controller: Autoza Ireland Ltd
Registered address: Autoza Ireland Ltd, 2A Forest View, Swords, County Dublin, Ireland
Irish CRO number: 801808
UK ICO registration: REGISTRATION_IN_PROGRESS
UK GDPR Article 27 Representative: UK Representative appointment in progress (Rivacy)
Email: info@autoza.co.uk
WhatsApp: +353 87 459 9273
1. Who we are
autoza.co.uk ("Autoza", "we", "us") is an AI-first vehicle marketplace operated by Autoza Ireland Ltd, an Irish-incorporated company (Companies Registration Office number 801808) with its registered office at Autoza Ireland Ltd, 2A Forest View, Swords, County Dublin, Ireland. We are the data controller for personal data processed through autoza.co.uk.
Because we are established in Ireland but offer goods and services to individuals in the United Kingdom, both the UK GDPR and the Data Protection Act 2018 apply to our processing of UK personal data, and the EU GDPR applies in parallel. The Privacy and Electronic Communications Regulations 2003 (PECR) govern our use of cookies and electronic marketing in the UK.
Our UK ICO registration is currently: REGISTRATION_IN_PROGRESS. The appointment of our UK GDPR Article 27 Representative is being processed via Rivacy and full contact details will be published on this page once finalised.
2. What personal data we collect
2.1 Buyers
- Account data: name, email, password (hashed), phone number, profile photo.
- Listing preferences: saved searches, favourites, recently viewed vehicles, finance enquiry inputs.
- Mark chat history: the messages you exchange with Mark, our buyer-side AI assistant, including any vehicle criteria you share.
- Enquiries: messages you send to dealers via the Autoza platform.
2.2 Dealers
- Account data: business contact name, work email, password (hashed), phone, role.
- Business details: trading name, company number, VAT/registered address, opening hours, services offered, social handles, logo and showroom imagery.
- Listings: vehicle data and images you upload or import.
- Billing: billing address and Stripe customer reference when a paid subscription is active (card data is processed directly by Stripe and never touches our servers).
2.3 Everyone (website visitors)
- Analytics: pages viewed, approximate location, device/browser type, referring site. Where possible this is anonymised (truncated IP, no advertising identifiers).
- Cookies and similar technologies: see Section 9 and our Cookies Policy.
- Support correspondence: emails, WhatsApp messages and form submissions you send us.
3. How we use your data and the lawful basis
Under Article 6 UK GDPR we rely on the following lawful bases. For each category we set out the purpose, the basis we rely on, and how long we keep the data.
| Purpose | Lawful basis | Retention |
|---|---|---|
| Operating your buyer or dealer account and providing the platform | Performance of a contract (Art. 6(1)(b)) | Account active + 6 years post-closure (UK tax/accounting) |
| Processing dealer subscription payments via Stripe | Performance of a contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) for tax records | 6 years (HMRC requirement) |
| Powering Mark (buyer AI) and Aidan (dealer AI) conversations | Performance of a contract (Art. 6(1)(b)) | 90 days for chat content, then deleted or fully anonymised |
| Fraud prevention, platform abuse detection, security monitoring | Legitimate interests (Art. 6(1)(f)) — keeping the marketplace safe | 12 months for security logs |
| Website analytics and product improvement | Consent (Art. 6(1)(a)) for non-essential cookies; legitimate interests for first-party server logs | Anonymised after 14 months |
| Marketing emails about Autoza features and dealer offers | Consent (Art. 6(1)(a)) — withdrawable at any time | Until you unsubscribe + 6 months suppression list |
| Complying with legal obligations (e.g. responding to ICO/DPC requests) | Legal obligation (Art. 6(1)(c)) | As required by applicable law |
4. Who we share your data with
4.1 Service providers (processors)
We use the following carefully-selected processors. Each is bound by a written data-processing agreement that mirrors Article 28 UK GDPR.
- Vercel Inc. — website hosting and serverless functions.
- Neon — PostgreSQL database hosting.
- Amazon Web Services (AWS S3) — image and file storage.
- Resend — transactional email delivery.
- Stripe — payment processing for dealer subscriptions (when active).
- Anthropic and OpenAI — large-language-model inference for Mark and Aidan. Conversations are sent for inference and not used to train their public models under our enterprise terms.
- Twilio — SMS verification.
- Cloudflare — DNS and edge security.
4.2 Marketing partners
We do not currently share personal data with third-party advertising or marketing partners. If that changes we will update this policy and, where required, obtain your consent first.
4.3 Buyers and dealers on the platform
The platform exists to connect buyers and dealers. When you message a dealer, the dealer can see your name, the message content and any contact details you choose to share. When a dealer publishes a listing, the dealer's public business profile is visible to all visitors. Buyers can leave reviews of dealers, which become public.
4.4 Legal disclosures and business transfers
We may disclose personal data where required by law (e.g. a court order or a request from the police or HMRC) or in connection with a merger, acquisition or sale of the Autoza business — in which case we will notify affected users.
5. International data transfers
As an Irish-incorporated controller, our primary processing takes place inside the European Economic Area (EEA). Some of our subprocessors are based in the United States (notably Anthropic, OpenAI and certain AWS regions) and personal data may be transferred there.
For transfers out of the UK we rely on the UK's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, together with the European Commission's Standard Contractual Clauses for transfers out of the EEA. Where the UK Government has recognised an adequacy decision or "Data Bridge" for the destination country, we rely on that. We carry out transfer risk assessments before onboarding any new non-UK/EEA processor.
6. Your rights under UK GDPR
You have the following rights in relation to your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — ask us to delete your data (the "right to be forgotten"), subject to legal retention obligations.
- Restriction — ask us to suspend processing while a query is investigated.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests, or to direct marketing at any time.
- Automated decision-making — Autoza does not make solely-automated decisions that produce legal or similarly significant effects on you. Mark and Aidan provide AI-generated recommendations and information but a human-led contracting process remains in place.
- Withdraw consent — where we rely on consent, you can withdraw it at any time.
To exercise any of these rights, email info@autoza.co.uk. We will respond within one month, as required by UK GDPR Article 12(3).
7. Supervisory authorities — ICO and Irish DPC
You can complain to whichever supervisory authority is more convenient for you. Both supervise the processing of personal data on autoza.co.uk.
Information Commissioner's Office (UK)
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113
Web: ico.org.uk
Data Protection Commission (Ireland)
21 Fitzwilliam Square South
Dublin 2, D02 RD28, Ireland
Web: dataprotection.ie
The UK GDPR is published at legislation.gov.uk. The Data Protection Act 2018 is at legislation.gov.uk/ukpga/2018/12.
8. UK Representative (UK GDPR Article 27)
Because Autoza Ireland Ltd is established outside the UK but offers services to UK residents, we are appointing a UK representative through Rivacy as required by Article 27 UK GDPR. Current status: UK Representative appointment in progress (Rivacy).
Once the appointment is finalised, full contact details (name, postal address and contact email of the UK representative) will be published in this section. In the meantime, UK individuals can contact us directly at info@autoza.co.uk and we will respond to requests with the same UK GDPR timelines.
9. Cookies and similar technologies
We use a small number of strictly-necessary cookies for authentication and security, plus optional analytics and preference cookies that only fire if you accept them via our consent banner. PECR requires us to obtain your consent before setting any non-essential cookie. For a full list and how to change your settings, see our Cookies Policy.
10. Data retention
Concrete retention periods:
- Active accounts: retained while your account is open.
- Closed accounts: retained for 6 years after closure to satisfy UK tax and accounting obligations (HMRC); then deleted or fully anonymised.
- Mark chat history: 90 days, then deleted or anonymised.
- Website analytics: anonymised after 14 months.
- Security and access logs: 12 months.
- Marketing suppression list (unsubscribes): kept indefinitely so we don't email you again after you opt out.
11. Security
We take security seriously and apply technical and organisational measures appropriate to the risk, including:
- Encryption in transit via TLS 1.2+ for every page and API.
- Encryption at rest for the production database and image storage.
- Role-based access control with least-privilege defaults.
- Hashed passwords (we never store passwords in plain text).
- Monitoring, anomaly detection and regular vulnerability review.
- Breach notification: in the unlikely event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware and notify affected individuals without undue delay where the risk is high, as required by Articles 33 and 34 UK GDPR.
No system is ever 100% secure, but we work hard to keep your data safe and to learn from incidents that occur anywhere in the industry.
12. Children
Autoza is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please email info@autoza.co.uk and we will delete it promptly.
13. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements or other factors. When we do, we will update the "Last updated" date at the top of this page. Material changes will be notified to registered users by email or by a prominent notice on the site.
14. Contact us
For any privacy-related question or to exercise your rights:
- Data controller: Autoza Ireland Ltd
- Postal address: Autoza Ireland Ltd, 2A Forest View, Swords, County Dublin, Ireland
- Email: info@autoza.co.uk
- WhatsApp: +353 87 459 9273
- UK Representative: UK Representative appointment in progress (Rivacy)
Your privacy matters to us. If anything in this policy is unclear, or you'd like to know more about a specific processing activity, get in touch — we'll happily talk you through it.