Data we collect
We collect only the information needed to run the app and your account.
Account information
- Email address and password when you sign up. The password is hashed by Supabase Auth and never visible to us in plain text.
- Optional dealership profile (business name, location, VAT number, tagline) that you enter during onboarding. This appears on PDF reports and exports you generate.
Vehicle and cost data
- Cars you add: registration, VIN, make, model, year, colour, mileage, purchase/sale prices, dates, MOT/service due dates, status, notes.
- Costs and receipts you record against each car: category, amount, supplier, VAT, photos or PDFs of receipts, optional OCR-extracted text.
- Service and MOT history records.
- Photos you attach (car photos, receipt photos).
Push notifications
- Your device's APNs (Apple Push Notification service) device token, used only to deliver MOT and service reminder notifications when a due date is approaching. Tokens are removed when invalidated by Apple or when you delete your account.
Subscription information
- Apple In-App Purchase transactions for the StockBook Pro subscription. Apple processes payment; we never see card details. We receive transaction metadata (product id, transaction id, expiry) needed to confirm your entitlement.
What we do not collect
- Location, contacts, calendar, microphone, health data, or any data unrelated to the app's features.
- Tracking, advertising, or analytics identifiers.
- We do not use Google Analytics, Firebase, Facebook SDKs, or any third-party advertising / tracking SDKs.
Where data is stored
- Supabase (https://supabase.com) — our backend provider — hosts your account, database tables, and uploaded files (receipts, car photos). Data resides in EU regions (eu-central-1 / eu-west-3). Supabase processes data on our behalf as a sub-processor; their privacy practices are at https://supabase.com/privacy.
- Apple— App Store, Apple Push Notification service, and In-App Purchase services. Apple's privacy policy applies: https://www.apple.com/legal/privacy/.
- Your device — the app keeps a local cache so it works offline. Local data is removed when you sign out, delete the app, or delete your account.
We do not sell, rent, or share personal data with advertisers.
Third-party services we call on your behalf
DVLA Vehicle Enquiry Service
When you tap Lookup on a registration, the app sends the registration to a server we operate, which forwards it to the UK Driver and Vehicle Licensing Agency (DVLA) Vehicle Enquiry API to retrieve make, year, colour, fuel type, MOT/tax status. Only the registration is sent — no personal data. DVLA's terms apply: https://developer-portal.driver-vehicle-licensing.api.gov.uk/.
Apple Push Notification service
When you enable notifications, your device registers an APNs token, which we store so our scheduled reminder service can deliver MOT/service-due pushes to your device.
On-device processing
Receipt OCR (extracting amount, date, and supplier from a receipt photo) runs entirely on your iPhone using Apple's Vision framework. The original image and the extracted text are saved with your records; no third-party OCR or AI service is used.
Why we collect each piece of data (legal basis under UK GDPR)
| Data | Purpose | Legal basis |
|---|---|---|
| Email + password | Authenticate you, sync data to your account | Contract performance |
| Cars, costs, receipts, photos, dealership profile | Provide the inventory and cost-tracking features you signed up for | Contract performance |
| APNs device token | Deliver MOT and service reminders | Consent (revocable in iOS Settings) |
| Subscription transactions | Verify your StockBook Pro entitlement | Contract performance |
| DVLA lookup requests | Provide the vehicle lookup feature you triggered | Legitimate interests + your action |
How long we keep data
We keep your data for as long as your account is active. When you delete your account (Settings → Delete account), we permanently remove your auth user and cascade-delete all associated cars, costs, receipts, photos, service records, MOT records, notifications, and device tokens. Backups in our infrastructure may persist for a short rolling window before being purged.
Your rights
You have the right to:
- Access — view all your data inside the app, or export a full backup ZIP from Settings → Backup (CSV, JSON, original photos and PDFs).
- Correct — edit cars, costs, dealership profile, and other records directly in the app.
- Delete — permanently remove your account and all cloud data via Settings → Delete account, or by emailing the address above. Apple requires (and we provide) in-app deletion.
- Object / restrict / portability — contact us at the email above and we will respond within 30 days.
You can disable push notifications at any time in iOS Settings → Notifications → StockBook.
UK users may complain to the Information Commissioner's Office (https://ico.org.uk) if you believe we've handled your data unlawfully.
Children
StockBook is intended for business use by dealership owners and staff. It is not directed at children under 13 and we do not knowingly collect data from children.
Security
- Connections between the app, our servers, and Supabase use HTTPS / TLS.
- Passwords are hashed by Supabase Auth (we never see plain-text passwords).
- Row-Level Security policies in our database ensure only you can read or write your own records.
- The DVLA API key is held server-side and is never embedded in the iOS binary.
No system is perfectly secure, but we follow standard practices to keep your data protected.
Changes to this policy
If we change this policy in any material way, we will update the “Last updated” date and, where appropriate, notify you in-app or by email before the change takes effect.
Contact
Questions, requests, or complaints — email [email protected] or reach out via the contact form.