GDPR Compliance

Our commitment to data protection under UK GDPR.

Our Commitment

GarageSync Ltd is committed to full compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take the privacy and security of personal data seriously, both for our direct users and the customers whose data is managed through our platform.

Data Processing Roles

GarageSync as Data Controller

We act as the data controller for data collected directly from our users: account registration details, billing information, usage analytics, and support communications.

GarageSync as Data Processor

When garage operators (tenants) store their customers' personal data in GarageSync, the tenant is the data controller and GarageSync acts as the data processor. We process this data solely on the tenant's instructions and in accordance with our Data Processing Agreement.

Lawful Basis for Processing

  • Contract — processing necessary to provide the GarageSync service to subscribers
  • Legitimate Interest — platform improvement, security monitoring, fraud prevention
  • Legal Obligation — financial record-keeping, tax compliance
  • Consent — marketing communications (opt-in only)

Data Subject Rights

We support all rights under UK GDPR:

  • Right of Access (Article 15) — obtain a copy of your personal data
  • Right to Rectification (Article 16) — correct inaccurate data
  • Right to Erasure (Article 17) — request deletion of your data
  • Right to Restrict Processing (Article 18) — limit processing in certain circumstances
  • Right to Data Portability (Article 20) — receive data in a portable format
  • Right to Object (Article 21) — object to processing based on legitimate interests

If you are a customer of a garage that uses GarageSync, please contact that garage directly: it holds your data and is the data controller for your information. If needed, the garage can use GarageSync tools to fulfil your request.

Data Security Measures

  • All data transmitted over TLS-encrypted connections
  • Tenant data isolated in separate databases (multi-tenant architecture)
  • Passwords hashed using industry-standard algorithms
  • Prepared statements for all database queries (SQL injection prevention)
  • Role-based access controls within each tenant
  • Regular automated backups with encryption
  • Audit trails for sensitive operations

Data Breach Response

In the event of a personal data breach, we will:

  • Notify the ICO within 72 hours where the breach is likely to result in a risk to individuals' rights
  • Notify affected data subjects without undue delay where there is a high risk
  • Notify affected tenants promptly so they can fulfil their own controller obligations
  • Document all breaches, their effects, and remedial actions taken

International Data Transfers

Our servers and primary data storage are located in the UK. Where third-party services process data outside the UK (e.g., Stripe, PayPal), such transfers are protected by appropriate safeguards including Standard Contractual Clauses and adequacy decisions.

Data Processing Agreement

We offer a Data Processing Agreement (DPA) to all tenants, detailing our obligations as a data processor. To request a DPA, contact privacy@garagesync.co.uk.

Contact Our DPO

For any GDPR-related enquiries or to exercise your data rights:

Email: privacy@garagesync.co.uk
GarageSync Ltd, United Kingdom

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.