Privacy Policy

1. Who We Are

APFleet is a fleet management service operated by Auto Princess Ltd, a company registered in England and Wales (Company Number: PLACEHOLDER — insert Companies House number), whose registered office is at PLACEHOLDER — insert registered address ("we", "us", "our").

Auto Princess Ltd is registered with the Information Commissioner's Office (ICO) as a data controller under registration number PLACEHOLDER — insert ICO registration number. Our Data Protection contact is reachable at [email protected].

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018):

• Auto Princess Ltd is the data controller for personal data relating to account holders, billing contacts, and platform usage.
• Auto Princess Ltd acts as a data processor on behalf of fleet operators (our customers) in respect of personal data relating to their drivers and employees held within the APFleet platform.

This distinction is important. Where we act as a processor, the fleet operator's own privacy obligations apply to their use of driver data, and our Data Processing Agreement (incorporated into our Terms of Service) governs that relationship.

2. Scope of This Policy

This Privacy Policy applies to:

• The APFleet web application accessible at apfleets.com and any associated subdomains;
• The APFleet mobile application for iOS and Android;
• All related services, APIs, and integrations provided by Auto Princess Ltd under the APFleet brand.

This Policy does not apply to the main Auto Princess website at www.autoprincess.com, which is governed by its own privacy notice, nor to any third-party services that we integrate with (such as GaragePlus or the DVLA API), which have their own privacy policies.

By creating an account or using APFleet, you confirm that you have read and understood this Policy. If you do not agree, you must not use the service.

3. The Data We Collect

We collect and process the following categories of personal data. Where data relates to third parties (such as drivers), you are responsible for ensuring they have been informed appropriately.

3.1 Account and Identity Data

• Full name, email address, and password (hashed — never stored in plain text)
• Business name and role (fleet owner, fleet manager)
• Phone number (optional, used for account recovery)
• Account preferences and notification settings
• Authentication method (email/password or Google OAuth)

3.2 Vehicle and Fleet Data

• Vehicle registration marks (number plates) submitted by you
• Vehicle details retrieved via the DVLA lookup API: make, model, year of manufacture, fuel type, MOT expiry, vehicle tax status, colour, engine capacity, and CO₂ emissions
• Service history and maintenance records entered manually by fleet managers
• OBD (on-board diagnostics) data where the OBD sync feature is enabled (Fleet Pro tier)
• Defect reports, including written descriptions and photographs uploaded by drivers
• Compliance alert history and dismissal records
• Garage booking records via the GaragePlus integration

3.3 Driver and Personnel Data

This data is entered by fleet owners or managers on behalf of their drivers. Auto Princess Ltd processes this data as a data processor on the fleet operator's instruction.

• Driver full name and contact details (email address, phone number)
• Driving licence number and licence validity status
• Vehicle assignment records
• Defect reports submitted by the driver, including GPS metadata embedded in photographs (where present)
• Invitation acceptance records

3.4 Usage and Technical Data

• IP address, browser type, and operating system
• Device identifiers (mobile devices)
• Login timestamps and session duration
• Pages and features accessed, click paths, and error logs
• Firebase Authentication and Firestore access logs (retained by Google Cloud per their terms)

3.5 Payment and Billing Data

• Billing contact name and email address
• Invoice history and subscription tier
• Payment card details — we do not store card numbers. Card data is handled exclusively by our payment processor (PLACEHOLDER — insert payment processor name, e.g. Stripe) and is subject to their PCI-DSS obligations.
• VAT number (where provided)

3.6 Communications Data

• Content of emails or support messages sent to us
• Records of any disputes or complaints raised

4. How We Collect Your Data

We collect data in the following ways:

• Directly from you — when you register, complete your profile, add vehicles, create driver records, or contact us.
• From the DVLA — when you submit a vehicle registration mark, we query the DVLA's vehicle enquiry API on your behalf. The data returned is then stored within your fleet account.
• From drivers — when a driver accepts an invitation, submits a defect report, or updates their profile via the mobile app.
• Automatically — through cookies, Firebase Analytics, and server logs when you interact with the web or mobile application.
• From Google — if you choose to sign in with Google OAuth, we receive your name and email address from Google's authentication service.
• From OBD devices — where the OBD sync feature is enabled, fault code data is transmitted from the vehicle to our platform via the connected device.

5. Legal Bases for Processing

Under Article 6 of the UK GDPR, we rely on the following legal bases:

Where we rely on legitimate interests, we have conducted a balancing test to confirm that our interests do not override your rights and freedoms. You may request a copy of that assessment by contacting us.

Where we rely on consent (e.g., marketing emails), you may withdraw that consent at any time by emailing [email protected] or clicking the unsubscribe link in any marketing communication. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

6. How We Use Your Data

We use the personal data we collect for the following purposes:

• Account provision: creating and authenticating your account; managing your subscription; providing customer support.
• Platform services: enabling DVLA lookups; generating compliance alerts; managing vehicle, driver, and defect records; facilitating GaragePlus garage bookings; providing AI diagnostic functionality via the Auto Princess AI engine.
• Billing: processing subscription payments; generating and storing invoices; handling cancellations and refunds.
• Communications: sending alert notifications, service updates, and security notices. With your consent, we may also send promotional communications about APFleet and Auto Princess products.
• Safety and security: detecting, investigating, and preventing fraudulent transactions, abuse, or unauthorised access to accounts.
• Legal compliance: retaining records as required by HMRC, Companies House, or other regulatory bodies; responding to lawful requests from authorities.
• Product improvement: analysing aggregated, anonymised usage patterns to improve platform performance and develop new features. We do not use individual driver data for profiling or automated decision-making that produces legal or similarly significant effects.

We will not use your personal data for any purpose that is incompatible with the purposes listed above without first notifying you and, where required, obtaining your consent.

7. Data Sharing and Disclosure

We do not sell, rent, or trade personal data. We share data only in the following circumstances:

7.1 Service Providers (Data Processors)

We engage trusted third-party processors who act only on our documented instructions and are bound by data processing agreements:

• Google Cloud Platform / Firebase — cloud infrastructure, database hosting (Firestore), authentication, and storage. Data is hosted in PLACEHOLDER — confirm Firebase project region, e.g. europe-west2 (London). Google LLC is certified under the EU–US Data Privacy Framework and operates under Standard Contractual Clauses for transfers outside the UK.
• PLACEHOLDER — Payment processor (e.g. Stripe Inc.) — payment processing and subscription management.
• GaragePlus — garage network platform. When you initiate a garage booking, the relevant vehicle registration, contact details, and fault description are shared with GaragePlus to facilitate the booking.
• Auto Princess AI — our proprietary AI diagnostic engine, operated by Auto Princess Ltd. No data is transmitted to third-party AI providers (e.g., OpenAI) without separate disclosure.
• PLACEHOLDER — Email/notification provider, e.g. SendGrid / Firebase Cloud Messaging — transactional email and push notification delivery.

7.2 The DVLA

Vehicle registration lookups are performed against the DVLA's Vehicle Enquiry Service API. Data is retrieved from, not shared with, the DVLA. However, use of that data is subject to the DVLA's API terms of use, which prohibit certain downstream uses (see Section 11 of our Terms of Service).

7.3 Fleet Operators

If you are a driver using APFleet at the invitation of a fleet operator, that fleet operator (your employer or contracting party) can access the data you submit through the platform, including defect reports, vehicle assignment records, and your driver profile. This is the intended purpose of the service. Refer to your employer's privacy notice for further information.

7.4 Legal and Regulatory Disclosure

We may disclose personal data to law enforcement agencies, courts, regulators, or other authorities where we are legally required or permitted to do so, including in connection with legal proceedings, court orders, or to protect the rights, property, or safety of Auto Princess Ltd, our users, or the public.

7.5 Business Transfers

In the event of a merger, acquisition, sale of assets, or restructuring of Auto Princess Ltd, personal data may be transferred to the successor entity. We will notify affected users by email and/or prominent in-platform notice before any transfer occurs, and we will ensure the successor is bound by terms no less protective than this Policy.

8. International Data Transfers

APFleet is operated from the United Kingdom. However, some of our service providers (notably Google Cloud/Firebase) operate infrastructure in the United States and other jurisdictions.

Where personal data is transferred outside the UK, we ensure that an appropriate safeguard is in place in accordance with Chapter V of the UK GDPR and the ICO's guidance on international transfers. These safeguards include:

• Adequacy regulations — transfers to countries granted adequacy status by the UK Government (including, as applicable, the EU under the UK–EU adequacy decisions).
• UK International Data Transfer Agreements (IDTAs) or the EU Standard Contractual Clauses as adapted for UK use, where no adequacy decision applies.
• UK Extension to the EU–US Data Privacy Framework — where applicable to US-based processors.

You may request a copy of the relevant transfer mechanism by contacting [email protected].

9. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, or as required by law. Our standard retention periods are:

At the end of the applicable retention period, data is securely deleted or anonymised. Anonymised aggregate data (with no re-identification risk) may be retained indefinitely for product analytics.

You may request early deletion of your personal data, subject to the exceptions described in Section 10 below.

10. Your Rights Under UK GDPR

As a data subject, you have the following rights under the UK GDPR and DPA 2018. These rights apply to data for which Auto Princess Ltd is the data controller. Where we act as a processor (e.g., for driver data held on behalf of a fleet operator), you should direct requests to the fleet operator in the first instance.

To exercise any of these rights, please submit a written request to [email protected]. We will respond within one calendar month of receipt. We may ask you to verify your identity before processing a request. There is no charge for exercising your rights in most circumstances; however, where requests are manifestly unfounded or excessive, we may charge a reasonable administrative fee.

10.1 Right to Complain

If you are not satisfied with how we handle your personal data or respond to a rights request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection supervisory authority:

• Website: ico.org.uk
• Helpline: 0303 123 1113
• Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would, however, welcome the opportunity to address your concerns directly before you contact the ICO. Please contact us at [email protected] in the first instance.

11. Cookies and Tracking Technologies

APFleet uses cookies and similar technologies to operate the platform and improve your experience. We use the following categories:

• Strictly necessary cookies: Required for authentication (Firebase session cookies), security (CSRF protection), and core platform functionality. These cannot be disabled without breaking the service.
• Analytics cookies: Firebase Analytics collects anonymised usage data (page views, feature usage, error rates) to help us improve the platform. These are enabled by default but can be disabled in your account settings.
• Preference cookies: Store your UI preferences (e.g., notification settings). Functional and can be cleared by deleting browser cookies.

We do not use third-party advertising or tracking cookies. We do not share cookie-derived data with advertising networks.

You can manage or delete cookies through your browser settings. Note that disabling strictly necessary cookies will prevent you from logging in to APFleet.

This Policy, together with your browser consent settings, constitutes our cookie notice in compliance with the Privacy and Electronic Communications Regulations 2003 (PECR) as amended.

12. Security

We implement technical and organisational measures appropriate to the risk presented by our processing activities, including:

• Encryption of data in transit using TLS 1.2 or higher for all connections to and from APFleet;
• Encryption of data at rest within Google Cloud Firestore and Cloud Storage;
• Role-based access controls enforced at the Firestore security rules layer, ensuring fleet data is accessible only to authorised users within that fleet;
• Passwords hashed using Firebase Authentication (bcrypt-based hashing); we never store or transmit passwords in plain text;
• Multi-factor authentication available to all account holders (recommended for fleet owners);
• Regular security reviews and penetration testing of the platform;
• Access to production data limited to authorised Auto Princess Ltd engineers on a need-to-know basis.

No transmission over the internet or method of electronic storage is 100% secure. While we take all reasonable steps to protect your data, we cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify affected individuals without undue delay.

If you discover or suspect a security vulnerability in APFleet, please report it responsibly to [email protected].

13. Children

APFleet is a business-to-business service intended for use by commercial fleet operators and their employees. It is not directed at, and we do not knowingly collect personal data from, anyone under the age of 18. If you believe a person under 18 has provided personal data to us without appropriate parental or guardian consent, please contact us immediately at [email protected] and we will take steps to delete that data.

14. Third-Party Links

The APFleet platform may contain links to third-party websites or services, including the GaragePlus booking platform, DVLA public services, and the Auto Princess main website. Clicking such links means you leave APFleet and are subject to the privacy policies of those third parties. We are not responsible for the content, privacy practices, or security of third-party sites and encourage you to review their policies before providing any personal data to them.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the services we provide. When we make material changes, we will:

• Update the "Last updated" date at the top of this page;
• Send an email notification to all registered account holders at least 30 days before the changes take effect; and
• Display a prominent in-platform notice on your next login.

Your continued use of APFleet after the effective date of the revised Policy constitutes acceptance of the changes. If you do not accept a material change, you may terminate your subscription in accordance with our Terms of Service before the change takes effect, and we will refund any prepaid fees for the unused portion of your subscription.

16. How to Contact Us

For all privacy-related enquiries, rights requests, or data protection concerns, please contact us through any of the following channels:

• Email: [email protected]
• Post: Data Protection, Auto Princess Ltd, PLACEHOLDER — insert registered address
• General enquiries: [email protected]

Please mark all correspondence clearly as a data protection matter. We will acknowledge receipt within 3 working days and provide a substantive response within one calendar month.