Privacy Policy

Last updated: 26 November 2025

1. Who we are

This privacy policy explains how we collect and use personal data when you use the iValet UK Dealership web application and related services (the Service).

For the purposes of UK data protection law, the data controller for personal data processed via the Service is:

iValet UK Valeting Limited
167-169 Great Portland Street, 5th Floor,
London, United Kingdom, W1W 5PF
Company number: 07750662

The Service is developed and operated for iValet UK Valeting Limited by Rezero Consulting Limited (t/a Rezero Software), which acts as a data processor on iValet UK’s behalf:

Rezero Consulting Limited t/a Rezero Software
Ground Floor, Dearing House, 1 Young Street,
Sheffield, S1 4UP, United Kingdom
Company number: 11240887

If you have any questions about this policy or how your data is used, please contact: support@rezero.net. Rezero manages this inbox on behalf of iValet UK Valeting Limited.

2. Scope of this policy

This policy applies to personal data we process when:

you access or use the iValet UK Dealership web application; or
you contact us for support or general enquiries about the Service.

Our public website may use cookies and similar technologies, which are described in our separate Cookies Policy.

If you use the Service as an employee or contractor of a dealership or other organisation, that organisation is also a data controller of your personal data. Their own privacy notices will explain how they use your information.

3. Personal data we collect

3.1 Account and user information

When your organisation signs up to use the Service, we create user accounts for authorised users. For each user we typically process:

Full name
Email address (usually a work email)
Account credentials (such as username and password – passwords are stored in hashed form and are not visible to us)
Associated site / location within the organisation

3.2 Organisation and site information

For each customer organisation and its locations we store only basic information, such as the name of the dealership or site, and identifiers required to operate the Service.

3.3 Content you submit

Users may add free‑text notes or upload attachments as part of their normal use of the Service. These files and notes are stored securely in a private Amazon Web Services (AWS) S3 bucket. We do not routinely review this content, but it may incidentally contain personal data, including potentially sensitive information, depending on what users choose to upload.

We ask all customers and users to avoid uploading unnecessary personal data and, in particular, to avoid including special categories of data (such as health information) unless strictly required.

3.4 Support and correspondence

If you contact us (for example by email to our support address), we process the information you provide, including your name, contact details and the contents of your message.

3.5 Technical and log data

When you access the Service, we may automatically collect limited technical information, such as:

IP address
Browser type and version
Device and operating system details
Dates and times of access
Error and diagnostic information generated by the Service

This information is primarily used for security, troubleshooting and to ensure the Service functions correctly.

4. How we use personal data and legal bases

We use personal data only as necessary to operate and support the Service. Under UK data protection law, we rely on the following legal bases:

4.1 To provide and administer the Service

Creating and managing user accounts and access permissions.
Operating the core functionality of the iValet UK Dealership system.
Providing support and responding to enquiries from users and customer organisations.

Legal basis: performance of a contract with your organisation, and our legitimate interests in operating a B2B software service.

4.2 Security, fraud prevention and service integrity

Monitoring access and usage to detect and prevent unauthorised access or misuse.
Maintaining logs for security, auditing and troubleshooting.
Applying technical and organisational measures to keep data secure.

Legal basis: our legitimate interests in securing our systems and services; compliance with legal obligations.

4.3 Service improvement

Aggregated and anonymised analysis to improve the performance and usability of the Service.
Identifying and fixing bugs and errors.

Legal basis: our legitimate interests in developing and improving the Service.

4.4 No marketing use

We do not use personal data collected through the Service to send marketing communications, and we do not sell or rent personal data to third parties.

5. How we share personal data

We do not share your personal data with third parties for their own marketing or other independent purposes. We share personal data only with:

Service providers (processors) who help us deliver the Service, including:
- Cloud hosting and database services (Amazon Web Services – AWS).
- Email delivery services (Amazon Simple Email Service – SES).
- Error and performance monitoring services (e.g. Sentry).
These providers are contractually required to keep data secure and to use it only in accordance with our instructions.
Customer organisations: if you are using the Service as an employee or contractor of a dealership or other organisation, authorised administrators at that organisation may see your account details and activity within the Service as part of normal business use.
Professional advisers and authorities where necessary to protect our legal rights, comply with a legal obligation, or respond to lawful requests from public authorities.

6. International transfers

Personal data processed in connection with the Service is hosted within the United Kingdom and/or the European Economic Area (EEA). Our primary hosting region is AWS London.

We do not intentionally transfer personal data outside the UK or EEA. If this ever becomes necessary, we will ensure that appropriate safeguards are in place, such as the UK International Data Transfer Agreement or EU Standard Contractual Clauses, and we will update this policy accordingly.

7. Data retention

We keep personal data only for as long as necessary for the purposes described in this policy or as required by law. In particular:

User accounts: we retain account information for as long as the user account is active. When an account is deactivated, we normally retain associated personal data in our live systems for up to 12 months, in case it needs to be reactivated or for audit and record‑keeping. After this period, we either delete the data or irreversibly anonymise it, unless we need to keep it longer for legal or regulatory reasons.
Support communications: emails and other correspondence are generally kept for up to 3 years after the issue is closed, to help us handle any follow‑up queries and maintain a record of support provided.
Technical logs: security and application logs are typically retained for up to 12 months, unless a longer period is required for investigating specific incidents.
Backups: system backups that may contain personal data are retained for limited, rolling periods (typically up to 35 days) and are automatically overwritten. Access to backups is strictly controlled.

Customer organisations may download or export information from the Service. Their own retention policies will apply to copies they hold independently of us.

8. Security

We implement appropriate technical and organisational measures to protect personal data, including:

Use of encrypted connections (HTTPS/TLS) for data in transit.
Encryption of data at rest within our databases and storage services where supported by AWS.
Role‑based access controls, so that users only see data relevant to their role and site.
Private, access‑controlled storage for uploaded files (AWS S3 private buckets).
Regular backups and disaster‑recovery processes.
Access logging and monitoring, including error monitoring via services such as Sentry.
Restriction of access to personal data to authorised personnel on a “need to know” basis.

Two‑factor authentication (2FA) is available and can be enabled on an account‑by‑account basis for additional security.

While we take reasonable steps to protect your information, no system can be completely secure. You are responsible for keeping your login credentials confidential and for choosing a strong password.

9. Your rights

Under UK data protection law, you have certain rights in relation to your personal data. Subject to applicable exemptions, these include rights to:

Access a copy of the personal data we hold about you.
Request correction of inaccurate or incomplete personal data.
Request deletion of your personal data in certain circumstances.
Restrict or object to the processing of your personal data in certain circumstances.
Request that we provide your data in a portable format to you or another organisation, where technically feasible.
Withdraw consent where we rely on consent (we currently do not rely on consent for core processing activities).

In most cases, if you use the Service through your employer or another organisation, you should first contact your organisation’s administrator, who can manage your account and data within the Service. You can also contact us directly using the details below.

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) if you are unhappy with how we handle your personal data: www.ico.org.uk.

10. Contacting us about privacy

To exercise your rights or ask any questions about this policy or our data practices, please contact:

Email: support@rezero.net
(Handled by Rezero Consulting Limited on behalf of iValet UK Valeting Limited.)

11. Changes to this policy

We may update this privacy policy from time to time to reflect changes in the Service, our practices, or applicable law. When we do, we will update the “Last updated” date at the top of the policy. In the event of material changes, we may also notify customer organisations directly through the Service or by email.