Privacy Policy
Last updated: 18 July 2026
We only collect the personal data we need to give you a working car-check. We do not sell your data.
1. Who is the data controller
Ask Ralph is the data controller for personal data processed through this website. You can reach us via the contact form.
2. What we collect
| Category | Examples | Why |
|---|---|---|
| Account | Email address, sign-in identifiers | To create your account and send magic-link sign-in emails. |
| Check inputs | Registration, VIN, listing URL, postcode | To run MOT, provenance and price checks and to produce reports. |
| Payment | Stripe customer ID, purchase history | To sell credits. Card details go directly to Stripe — we never see or store them. |
| Usage | Pages viewed, checks run, IP address, device and browser info | To keep the service secure, debug faults, and improve UX. |
| Cookies & storage | Session cookies, consent preference | See our Cookie Policy for details. |
3. Lawful bases (UK GDPR)
- Contract— to deliver checks, accounts and purchases you have requested.
- Legitimate interest— to secure the platform, prevent fraud, and analyse usage.
- Consent— for non-essential cookies and any optional marketing emails. You can withdraw consent at any time.
- Legal obligation— to keep tax and accounting records.
4. Who we share data with
We share personal data only with the processors we need to run the service:
- Supabase— authentication and database hosting.
- Stripe— payments.
- Vercel— website hosting and CDN.
- Google Cloud Run— API hosting.
- DVSA MOT History API— MOT lookups by registration or VIN.
- One Auto API and its underlying providers— finance, stolen, condition and valuation checks (Deep Check only).
- Anthropic and OpenAI— LLM inference for the interpretation layer. We do not send them raw personal identifiers such as your name or email.
- Google Gemini— LLM inference and vehicle-photo review. We do not send raw personal identifiers such as your name or email.
- Resend— transactional and contact-form email delivery.
- Scrape.do— retrieving supported public auction listings when direct access is unavailable.
We do not sell your personal data. We only share it with law enforcement if legally compelled.
5. International transfers
Some processors host data outside the UK/EEA (for example, US-based cloud providers). Where they do, we rely on the UK IDTA, EU Standard Contractual Clauses, or equivalent safeguards.
6. How long we keep it
- Account data: while your account is open, plus 12 months.
- Reports and check history: 24 months, then archived or deleted.
- Payment records: 7 years, to meet tax law.
- Logs: up to 90 days.
7. Your rights
Under UK GDPR you have the right to access, correct, delete, port or restrict processing of your personal data, and to object to processing based on legitimate interest. Use the contact formand we’ll respond within one month. You may also complain to the ICO at ico.org.uk.
8. Security
We use encrypted connections, access controls, and audited third-party infrastructure. No system is perfectly secure — if we discover a breach affecting your data, we will tell you and the ICO promptly.
9. Changes to this policy
We may update this policy. Material changes will be flagged on this page and, where practical, by email.

