Privacy Policy

Version 2.1 · Effective: 18 May 2026 · GDPR Compliant

  Plain English summary: We store your email address and a record of your searches to operate the Service. We use Google Analytics to understand how people use the site and Google Ads to measure advertising effectiveness. Payments are handled by Stripe. We do not sell your data, share it with advertisers, or use it for anything beyond operating this service. You can ask us to delete everything at any time.

1. Who we are

FactorySpecs is operated by FactorySpecs Ltd, a company registered in England and Wales (company number 17187569). Registered office: 27 Old Gloucester Street, London, WC1N 3AX.

For GDPR purposes, FactorySpecs Ltd is the data controller for personal data processed through this Service and is registered with the UK Information Commissioner's Office (ICO). Registration reference: ZC148836.

Contact: hello@factoryspecs.co.uk

2. What data we collect

Account data: When you register, we collect your email address and a hashed (one-way encrypted) version of your password. We never store your password in plain text.

Payment data: If you purchase a report or credit pack, payment is processed by Stripe. We receive confirmation of payment, your email address, and transaction amount. We do not receive, process, or store your card number, expiry date, or CVV. Stripe's privacy policy applies to payment processing.

Usage data: We log the vehicle registration plates you search, the date and time of each search, the report type, and the number of credits used. This is used to deliver the Service, operate the credit system, and monitor for abuse.

Technical data: Standard server logs may record your IP address and browser type. These are not linked to your account and are retained for a maximum of 30 days.

Analytics data: We use Google Analytics to collect anonymised data about how visitors use the site, including pages visited, time on site, and referral source. This data is aggregated and cannot identify you personally. We also use Google Ads conversion tracking to measure the effectiveness of our advertising.

What we do NOT collect: We do not collect precise location data, biometric data, or any special category personal data. We do not store payment card details.

3. How we use your data

To provide the Service: authenticating your account, delivering reports, and managing credits (Legal basis: Contract)
To process payments: via Stripe, to fulfil purchases (Legal basis: Contract)
To send service communications: order confirmations, important updates, and responses to your enquiries (Legal basis: Contract / Legitimate interests)
To improve the Service: understanding how the site is used via analytics (Legal basis: Consent, via cookie banner)
To measure advertising: tracking whether ad clicks result in signups or purchases (Legal basis: Consent, via cookie banner)
To prevent abuse: detecting automated use, fraudulent transactions, or misuse of the Service (Legal basis: Legitimate interests)

We do not use your data for automated profiling, behavioural advertising, or any purpose beyond operating this Service.

4. Data sharing

We do not sell, rent, or share your personal data with third parties for marketing purposes.

To operate the Service, your vehicle lookup requests are processed by our data providers. These requests contain vehicle registration numbers or VINs only, not your name or email address.

We use the following sub-processors:

Railway (railway.app): hosting and infrastructure
Stripe (stripe.com): payment processing. Stripe receives your email and payment details as necessary to process transactions. See Stripe's privacy policy.
Google (analytics.google.com): anonymised website analytics and advertising measurement
DVSA / DVLA: MOT history and vehicle enquiry data (no personal data transmitted, vehicle reg only)
Vehicle data providers: factory option, valuation, and vehicle history data (vehicle reg/VIN only, no personal data transmitted)

5. Data retention

We retain your account data and search history for as long as your account is active. If you delete your account or request erasure, your data will be permanently deleted within 30 days. Payment records may be retained for up to 7 years as required by UK tax law.

6. Your rights under GDPR

As a UK/EU data subject, you have the right to:

Access: request a copy of the personal data we hold about you
Rectification: ask us to correct inaccurate data
Erasure: ask us to delete your account and all associated data ("right to be forgotten")
Restriction: ask us to stop processing your data in certain circumstances
Portability: receive your data in a machine-readable format
Object: object to processing based on legitimate interests
Withdraw consent: for analytics cookies, at any time via your browser settings or our cookie preferences

To exercise any of these rights, email hello@factoryspecs.co.uk. We will respond within 30 days.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

7. Cookies and trackers

We do not set any analytics or marketing cookie until you have given consent through the cookie banner on your first visit. The banner offers "Accept all" and "Reject all" as equally prominent options, plus a "Manage" panel where you can toggle analytics and marketing separately.

Strictly necessary (always active, no consent required):

Session cookie (Flask-managed, name varies): keeps you logged in during your visit. Required for sign-in and the report flow.
Cookie-consent record (fs_consent): a small JSON-encoded record of the choices you made in the cookie banner. Required to honour your choices and to suppress the banner on subsequent pages. Expires after 6 months. Contains no personal identifier.

Analytics (require consent):

Google Analytics (_ga, _ga_*): anonymous usage statistics. Set by Google, expires after 2 years.
Microsoft Clarity (_clck, _clsk): anonymous session-quality and heatmap data. Set by Microsoft. Activated only when configured by us. Not active by default.

Marketing (require consent):

Google Ads conversion tracking (_gcl_*): measures whether ad clicks result in actions on our site. Does not track you across other websites. Set by Google, expires after 90 days.

You can change or withdraw consent at any time on our Cookie Policy page (the "Open cookie settings" button reopens the banner). Site access is not conditional on accepting non-essential cookies.

8. International transfers

Some of our sub-processors (Google, Stripe) may process data outside the UK/EEA. Where this occurs, appropriate safeguards are in place including Standard Contractual Clauses and/or adequacy decisions.

9. Security

Your password is stored as a one-way hash. We cannot recover it. All data is transmitted over HTTPS. Payment processing is handled entirely by Stripe, a PCI DSS Level 1 certified provider. However, no system is completely secure and we cannot guarantee absolute security.

10. Children

This Service is not directed at children under 16. We do not knowingly collect data from children. If you believe a child has registered, please contact us and we will delete the account immediately.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email. The "Effective" date at the top of this page will always reflect the most recent version.

Also see our Terms of Use and Cookie Policy