This policy explains how Car Dealer SaaS ("we", "us") handles personal data on the
Car Dealer SaaS platform and the marketing site at cardealersaas.app.
We have written it to be readable rather than exhaustive - if anything is unclear,
email hello@cardealersaas.app and we will answer plainly.
1. Who we are, and our role under UK GDPR
Car Dealer SaaS is a multi-tenant platform that lets car dealerships run their own
branded site, inventory, bookings, customer records and sales workflow.
- For data about visitors to cardealersaas.app and people signing up to start
a dealership, we are the data controller.
- For data that a dealership stores on the platform about their own customers,
vehicles, bookings and sales, the dealership is the data controller and we
are the data processor. The dealership decides what is collected,
how it is used, and how long it is kept. If you are a customer of one of our
dealerships and want to exercise your data rights, contact the dealership directly;
we will support them in responding.
2. What we collect
From people interacting with us directly we collect:
- Account details - name, email address, and a password hash (or a
Google account identifier if you sign in with Google), via Firebase Authentication.
- Dealership details - the tenant identifier, business name, address
and any branding or settings you configure during onboarding.
- Billing details - handled by Stripe. We do not see or store full
card numbers.
- Support correspondence - anything you send us by email or WhatsApp.
- Technical data - IP address, browser type, pages visited, and
error logs, used to keep the service running and secure.
On a dealership's tenant, the dealership may collect things like customer names,
contact details, vehicle enquiries, test-drive bookings, deposits, part-exchange
details and finance applications. We process that data on the dealership's behalf.
3. Why we use it (legal bases)
- To provide the service you signed up for - creating your tenant,
authenticating you, hosting your site, sending transactional emails. Legal basis:
performance of a contract.
- To bill you and prevent fraud - via Stripe. Legal basis:
performance of a contract and our legitimate interest in being paid.
- To keep the platform secure and reliable - logging, abuse
detection, capacity planning. Legal basis: legitimate interests.
- To answer support requests - when you contact us. Legal basis:
legitimate interests, or consent if your message is unsolicited.
- To meet legal and tax obligations - for example retaining invoices.
Legal basis: legal obligation.
We do not use your data, or your dealership's customer data, to train machine-learning
models, and we do not sell it.
4. Sub-processors and integrations
The platform is built on Google Cloud (Firebase) and uses a small number of trusted
services to deliver functionality. Each only receives the data needed for its
specific job.
- Google Cloud / Firebase - hosting, authentication, database
(Firestore), file storage, and serverless functions. Data is hosted in the
europe-west2 region (London) where possible.
- Stripe - subscription billing for dealerships, and Stripe Connect
for dealerships taking deposits from their own customers. Each dealership has its
own Stripe account; we do not see their payment flows.
- SendGrid (Twilio) - outbound transactional email (account
verification, booking confirmations, reminders, invoices).
- Google Calendar - optional two-way calendar sync for dealership
staff who connect it.
- DVLA, UKVD and Auto Trader - vehicle data lookups. We only send
the registration mark a dealer types in; we do not send any customer data to these
providers.
Where a sub-processor is outside the UK or EEA, transfers are protected by Standard
Contractual Clauses or an equivalent safeguard.
5. Google user data
This section explains, in line with the
Google API Services User Data Policy (including the Limited Use requirements),
how Car Dealer SaaS handles data obtained through Google APIs - that is, data you give
us by signing in with Google or by connecting your Google Calendar.
What Google user data we access
- Sign in with Google - basic profile information (name, email
address, Google account identifier and profile picture) so we can create or look up
your Car Dealer SaaS account via Firebase Authentication.
- Google Calendar (optional, only if a dealership user connects it) -
read and write access to that user's calendar, scoped to the events the platform
creates and to free/busy data needed to keep test-drive bookings in sync. We use the
https://www.googleapis.com/auth/calendar scope only to create, read,
update and delete calendar events for that user, and to read free/busy times so we
can prevent double-bookings.
How we use Google user data
Google user data is used solely to provide and improve the user-facing features the
user signed up for - account sign-in, and two-way calendar sync between the
dealership's bookings and the staff member's Google Calendar. We do not use Google
user data for advertising, we do not sell or rent it, and we do not use it to train
machine-learning or generative-AI models. Human access is limited to support staff
acting with the user's explicit permission, to what is required for security
investigations or to comply with applicable law, or to cases where the data has been
aggregated and anonymised for internal operational use.
Who we share, transfer or disclose Google user data with
We share, transfer or disclose Google user data only with the following recipients,
and only to the extent needed to provide the service you signed up for:
- Google LLC - the data originates from Google and our calls to the
Google Calendar API and Google Identity Services necessarily transit Google's own
systems.
- Google Cloud / Firebase (a Google service) - our hosting,
authentication and database infrastructure. Tokens and the calendar events we create
on your behalf are stored in Firestore (region europe-west2, London) and Google
Secret Manager. OAuth refresh tokens are encrypted at rest by Google Cloud.
- The dealership you belong to - if you are a member of a dealership
tenant, that dealership's administrators can see the Google Calendar events the
platform created on your behalf inside their own tenant (for example, a test-drive
event linked to a booking). They cannot see other events on your personal calendar.
- Law enforcement or regulators - only where we are legally compelled
to disclose, and only the minimum necessary.
We do not share, transfer or disclose Google user data to any other
third party, to advertisers, to data brokers, or to AI/ML training providers. Where
data is transferred outside the UK or EEA (for example to Google data centres in the
United States), the transfer is protected by Standard Contractual Clauses or an
equivalent safeguard.
Retention and revocation
We retain Google user data only for as long as your Google account is connected to
Car Dealer SaaS and the connected feature is in use. You can revoke our access at any
time by disconnecting Google Calendar from the admin settings page in the platform, or
from your Google account at
myaccount.google.com/permissions. When access is revoked we delete the stored
OAuth tokens; calendar events the platform previously created are left in place so you
can manage them yourself.
6. Cookies and similar technologies
We use a small number of strictly necessary cookies and local storage entries to keep
you signed in (Firebase Authentication) and remember preferences such as your tenant
subdomain. We do not use third-party advertising cookies. We do not currently run
analytics on the marketing site; if that changes we will update this page and ask for
consent where required.
7. How long we keep data
- Account data - for as long as your account is active. If you
delete your dealership we remove the tenant data shortly afterwards. We keep a
minimal record of the deletion and any related invoices for accounting and audit.
- Invoices and billing records - at least six years, to meet UK
accounting and tax requirements.
- Backups - encrypted backups may persist for a short rolling window
after deletion, then are overwritten.
- Tenant customer data - retained according to the dealership's own
retention rules. The dealership can export or delete its customer records at any
time from the admin panel.
8. Your rights
Under UK GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected;
- have your data deleted, where we are not legally required to keep it;
- restrict or object to certain uses;
- receive a copy of your data in a portable format;
- withdraw consent, where we relied on it; and
- complain to the Information Commissioner's Office at ico.org.uk.
Dealerships can use the built-in export and delete tooling in the admin panel to
satisfy most subject-access and erasure requests for their own customers without
contacting us.
9. Security
Each dealership's data lives in its own logical namespace (tenant) inside Firestore
and Storage, with isolation enforced at the database-rules level so one dealership
cannot read another's data. Authentication is handled by Firebase. Connections use
TLS. Access to production by our team is limited to the people who need it and is
logged.
10. Children
The platform is intended for businesses. It is not directed at children under 13, and
we do not knowingly collect their personal data.
11. Changes to this policy
We will update this page when we change how we handle personal data. The "last
updated" date at the top will always reflect the current version. Material changes
will be flagged inside the admin panel or by email.
12. Contact
Questions, requests, or complaints - email
hello@cardealersaas.app, or message us on WhatsApp at
+44 7821 364228.