Last updated: 19 May 2026
This Privacy Policy explains how Sorted Cars Ltd ("we", "us", "our") collects, uses, stores, and protects your personal data when you use sortedcars.co.uk ("Website") and our services. We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
The data controller responsible for your personal data is:
| Data Category | Examples | When Collected |
|---|---|---|
| Account information | Name, email address | When you sign in via Google OAuth or magic link |
| Vehicle registration numbers | Registration plate entered for checks | When you use SortedCheck or SortedInspect |
| Payment data | Processed by Stripe — we do not store card details | When you purchase a paid service |
| Identity verification data | Government ID (driving licence or passport), selfie, and V5C logbook photo — captured directly by Persona; SortedCars receives only the inquiry result and extracted fields (name, date of birth, address, document number) | When you verify your identity to list a vehicle |
| Vehicle photos | Up to 8 photos per listing or inspection | When you list a vehicle or use SortedInspect AI |
| Usage data | Pages visited, features used, IP address, browser type | Automatically when you browse the Website |
| Communication data | Emails sent to/from support | When you contact us |
| Purpose | Lawful Basis (UK GDPR) |
|---|---|
| Provide vehicle check reports | Performance of a contract (Art. 6(1)(b)) |
| Process payments via Stripe | Performance of a contract (Art. 6(1)(b)) |
| Verify seller identity (Government ID, selfie, V5C) via Persona | Legitimate interest — trust and safety (Art. 6(1)(f)) |
| Send reports and transactional emails | Performance of a contract (Art. 6(1)(b)) |
| Send marketing emails (free tier lead capture) | Consent (Art. 6(1)(a)) |
| Improve our services and fix bugs | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) |
| AI photo analysis (SortedInspect) | Performance of a contract (Art. 6(1)(b)) |
| AI MOT-history analysis (SortedCheck) | Performance of a contract (Art. 6(1)(b)) |
AI-generated editorial buyer's guides at /inspect/…-buyers-guide | Legitimate interest (Art. 6(1)(f)) — no personal data is processed in generating these pages |
Note on AI-generated editorial content. Some pages on sortedcars.co.uk — in particular the year-by-year buyer's guides under /inspect/ — are produced with the assistance of large language models grounded against publicly available UK sources (owner forums, buyer guides, gov.uk recall data). No personal data is used to generate this content. Where AI is used to analyse your data (for example MOT analysis on a checked registration, or photo analysis you have uploaded), the lawful basis is performance of a contract per the rows above. This is not "automated decision-making with legal or similarly significant effects" within UK GDPR Article 22 — the AI output is editorial guidance and does not on its own determine any contractual outcome affecting you.
We share your data with the following third-party processors who act on our behalf:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication | EU (Frankfurt) |
| Cloudflare | Website hosting, CDN, Workers (API gateway) | Global edge network |
| Cloudflare R2 | Photo and document storage | EU jurisdiction |
| Stripe | Payment processing | UK/EU |
| Resend | Transactional email delivery | Ireland (EU) |
| OAuth authentication | EU/US (UK adequacy) | |
| DVLA | Vehicle data (VES API) | UK |
| DVSA | MOT history data | UK |
| OneAutoAPI / Experian | Vehicle provenance data (finance, stolen, write-off) | UK |
| Persona Identities, Inc. | Seller identity verification (Government ID, selfie, V5C document capture and OCR) | US (Standard Contractual Clauses) |
| Anthropic (Claude) | AI photo inspection analysis | US (UK adequacy) |
Where data is transferred outside the UK, we ensure appropriate safeguards are in place. Transfers to the EU are covered by the UK adequacy decision. Transfers to the US (Google, Anthropic, Persona) rely on UK adequacy decisions or the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, as applicable. In particular, transfers of Government ID images, selfie images, and V5C images to Persona Identities, Inc. (US) are made under Standard Contractual Clauses.
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account |
| Vehicle check reports | 30 days (for re-download), then deleted |
| Raw identity images (Government ID, selfie, V5C photo) | Captured directly by Persona; SortedCars never stores the raw images. Retained by Persona under its own retention schedule and processor agreement |
| Persona inquiry record (inquiry ID, decision, extracted name/DOB/address, timestamps) | 120 days after listing ends |
| Verification audit trail (DVLA / MOT / Experian results, keeper name match outcome) | 120 days after listing ends |
| Vehicle photos (marketplace listings) | 30 days after listing removed |
| Vehicle photos (SortedInspect) | Deleted after report generation |
| Payment records | 7 years (UK tax/accounting requirements) |
| Marketing email consent | Until you unsubscribe |
Under the UK GDPR, you have the following rights:
To exercise any of these rights, email support@sortedcars.co.uk. We will respond within one month.
Our SortedInspect AI service uses automated analysis to assess vehicle condition from photographs. This analysis is advisory only and does not produce legally binding decisions. No automated decisions with legal or similarly significant effects are made based solely on automated processing.
We use essential cookies required for the Website to function (authentication tokens, session management). We do not currently use advertising or tracking cookies. If this changes, we will update this policy and implement a cookie consent mechanism.
We take appropriate technical and organisational measures to protect your personal data, including:
Our services are not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will delete it promptly.
We may update this Privacy Policy from time to time. The updated version will be posted on this page with a new "Last updated" date.
If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
For any privacy-related questions or to exercise your data rights: