Privacy Policy
Effective date: 10 May 2026
1. Who is the controller
The data controller is The Car Key People Ltd, a company registered in England & Wales, trading as SERMI Track. Contact: hello@sermitrack.com.
When you use SERMI Track to log jobs about your end customers, you are the controller of that customer data and we act as your processor.
2. What we collect
- Account data: name, email, business name, role.
- Job data you enter: vehicle registration, customer name, ID document photos, signatures, evidence photos, notes. V5C logbook images are stored only in their auto-redacted form (see section 2a).
- Payment metadata: billing email, plan, invoice history. Card details are handled directly by Stripe and never stored by us.
- Usage & technical data: log entries, device/browser info, IP address.
- Cookies: essential cookies for authentication and session management only.
2a. Data we deliberately don't collect from V5C documents
When you upload a V5C logbook photo, our system automatically detects and permanently redacts (blacks out, in the saved image itself) the registered keeper's name, address, previous keeper details, date of birth, the full document reference number, and any signatures or barcodes — before the image is written to storage. The original, un-redacted V5C image is processed in memory only and is never written to disk.
We retain only what SERMI requires us to verify: vehicle registration, VIN, make, model, and the document layout. You confirm the redacted preview before it is saved.
3. Lawful bases
- Contract: to provide the service you have subscribed to.
- Legitimate interest: to secure, improve and support the service and prevent fraud.
- Legal obligation: to keep accounting and tax records.
- Consent: for any optional marketing emails (you can opt out at any time).
4. How we use your data
We use your data to deliver the SERMI Track service, process payments, send transactional emails (receipts, account notices), provide support, prevent abuse, and comply with legal obligations.
5. Sub-processors
- Stripe — payment processing.
- Lovable Cloud (Supabase) — database, authentication and file storage hosting (EU region).
- Resend — transactional email delivery.
- Cloudflare — content delivery and security.
Each sub-processor is contractually bound to appropriate data protection terms.
6. International transfers
Where data is transferred outside the UK or EEA, we rely on the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or equivalent safeguards.
7. Retention
Job records are retained while your subscription is active and for the period described in our Fair Use Policy. Account data is deleted within 30 days of account closure unless we are legally required to retain it (e.g. tax records: up to 6 years).
8. Your rights
Under UK GDPR you have the right to:
- Access a copy of your personal data.
- Have inaccurate data corrected.
- Request erasure (subject to legal exceptions).
- Restrict or object to processing.
- Receive your data in a portable format.
- Complain to the UK ICO at ico.org.uk.
To exercise any of these rights, email hello@sermitrack.com.
9. Security
Data is encrypted in transit (TLS) and at rest. We use row-level security, scoped access controls, and audit logging. Access to production data is limited to authorised staff on a need-to-know basis.
10. Cookies
We only use cookies essential for the service to function (authentication sessions and security). We do not use third-party advertising or tracking cookies.
11. Children
SERMI Track is a business tool and is not intended for anyone under 18. We do not knowingly collect data from children.
12. Changes & contact
We may update this policy from time to time. Material changes will be notified by email. Questions? Email hello@sermitrack.com.