Privacy Policy

1. Who we are

Performance Car Intelligence is a trading name of PERFORMANCE CAR INTELLIGENCE LIMITED, a company registered in England and Wales (company number 17227133). Our registered office is at 66 Paul Street, London, EC2A 4NA. We operate the website performancecarintelligence.com and provide buyer-commissioned pre-purchase analysis reports — the Performance Car Intelligence Report — for used Porsche vehicles registered in the United Kingdom, covering the 911, 718 Cayman, 718 Boxster, Cayenne, Macan, Panamera, and Taycan.

We are the data controller for the information described in this policy. We are registered with the UK Information Commissioner's Office (ICO) under registration number 00013811807.

Contact: hello@performancecarintelligence.com

2. What data we collect

We deliberately collect the minimum data needed to deliver a Performance Car Intelligence Report to you. Specifically:

• Your email address — so we can deliver your report and respond to support queries.
• The vehicle registration mark (VRN) — required for every report. The VRN is used to query our licensed vehicle-data provider and UK government registers about the specific vehicle you are considering (see §5).
• A listing URL — optional. If you provide a URL from a UK vehicle marketplace (for example Auto Trader UK), our system will read the publicly visible content of that listing and include a specification audit comparing the seller's claims against the factory data returned by the VRN query.
• Order metadata generated automatically: a public order reference (e.g. PCAR-2026-XXXXX; older orders carry an FS- prefix), a timestamp, and the status of your order (queued, processing, delivered).

We do not collect your name, postal address, phone number, date of birth, payment card details, or any other personal identifier. Payments are handled entirely by Stripe (see §5) — we never see or store your card data.

A note on the VRN

3. Why we collect it and legal basis

Under the UK GDPR we must have a lawful basis for processing personal data. The bases we rely on are:

• Performance of a contract (UK GDPR Art. 6(1)(b)): Processing your email address, your submitted VRN, and any listing URL you provide is necessary to generate and deliver the Performance Car Intelligence Report you have paid for.
• Legitimate interests (Art. 6(1)(f)): Retaining order records for a limited period to handle refund requests, support queries, and fraud prevention. Also: querying our licensed vehicle-data provider and government registers about the VRN you submit, so that the report can include accurate factory specification, provenance, finance, write-off, mileage, MOT and recall data. The legitimate interest is yours, as a prospective buyer conducting due diligence on a vehicle that is being or is intended to be marketed or offered for sale. We have considered the interests of the registered keeper of the queried vehicle and concluded that this processing does not override those interests, in light of the safeguards described in §10 and §11.
• Legal obligation (Art. 6(1)(c)): Retaining payment and transaction records for the period required by UK tax law (currently 7 years for VAT and corporation tax purposes).
• Consent (Art. 6(1)(a)): If and when we enable optional analytics (see §6), we will rely on your explicit consent.

4. How long we keep it

We retain your email address, submitted VRN, and order records for 12 months from your last order or interaction, after which the email address and VRN are automatically scrubbed from our database.

Your Performance Car Intelligence Report is delivered as a web page hosted on our servers (see §5a, Railway). It is accessible only via a unique link, containing an access token, that we include in your delivery email — the link is not publicly indexable or searchable. The report remains available at that link for 12 months from generation, after which it is automatically deleted. When you open the link, your browser exchanges standard web traffic information with our servers (such as IP address and browser type) over HTTPS, in the ordinary course of loading any web page. An internal PDF copy of the report may also be retained on our document storage (see §5a, Google) for operational purposes, but is no longer linked to an identifiable customer record once the 12-month window has passed.

Payment and transaction records (held by Stripe and reflected in our accounting records) are retained for 7 years after the end of the accounting period in which the transaction occurred, in line with HMRC requirements under the Companies Act 2006 and applicable VAT regulations.

We do not retain the underlying vehicle data returned to us by our licensed provider beyond the runtime of each report. See §10 for the data-architecture safeguards that implement this.

If you explicitly request deletion of your data sooner, we will do so within 30 days, except for records we are legally required to retain. Email hello@performancecarintelligence.com with your order reference to request deletion at any time (see §8).

5. Third parties we share data with

We share the minimum necessary data with the following service providers and external sources. We distinguish between data processors (companies that act on our instructions), licensed data providers (commercial sources that supply vehicle data to us under licence), and independent data sources (government registers we query about your vehicle).

5a. Data processors

Each processor below acts on our behalf under a written agreement (or equivalent terms in their service contract) that complies with Article 28 of the UK GDPR.

Stripe (payments)

Stripe Payments UK Ltd processes your payment. When you pay, you provide your card details directly to Stripe — we never see them. Stripe also collects your email address at checkout, which is shared back to us so we can deliver your report. Data is processed in the UK and the United States. Stripe's privacy policy.

Resend (email delivery)

Resend (resend.com, operated by Resend, Inc.) is the email delivery service we use to send your report and any support messages to you. Resend processes your email address and the email body (which includes your order reference and a link to your report). Data is processed in the United States. Resend's privacy policy.

Google (Drive — file storage)

Generated PDF reports are stored on Google Drive (Google Ireland Ltd). Google does not receive your email address. Data is processed in the European Economic Area, with onward processing in the United States under Google's standard contractual safeguards. Google's privacy policy.

PDFShift (PDF rendering)

PDFShift converts the HTML version of your report into a PDF document. The HTML content (which contains the VRN, any listing URL you provided, and the analysis text) is sent to PDFShift, which renders the PDF and returns it. Your email address is not shared with PDFShift. Data is processed in France. PDFShift's privacy policy.

Anthropic (AI analysis)

Report content is generated using Anthropic's Claude AI model. The vehicle data returned by our data providers (described in §5b below) and, where you have provided one, the content of the listing URL, are processed by Anthropic to produce the analysis text. Your email address is not shared with Anthropic. Data is processed in the United States; Anthropic operates under standard contractual clauses for international transfers from the UK. Anthropic does not retain customer API inputs for model training. Anthropic's privacy policy.

Railway (hosting)

Our application, database, and the hosted HTML version of your report are hosted on Railway (Railway Corp.). Railway stores the operational data described in §2 and the rendered HTML of each report (accessed via the unique link in your delivery email; see §4) on secure infrastructure. Data is processed in the United States. Railway's privacy policy.

5b. Licensed vehicle-data provider

To produce a Performance Car Intelligence Report, we query a licensed commercial provider of UK vehicle data. We send only the VRN you submitted; we do not send your email address or any other personal information about you. The provider acts as a separate data controller in respect of its own vehicle-data database.

Vehicle Data Global Limited (VDGL)

VDGL (Princess House, Princess Way, Swansea, SA1 3LW; company number 16053104) is a UK-based licensed reseller of UK vehicle data, operating under DVLA's bulk data licensing framework. We query VDGL with your VRN to retrieve:

• Factory specification, model derivative, and indicative valuation;
• MOT history (test dates, results, mileage at each test, advisories, and failure reasons);
• Provenance and risk data: outstanding finance records, insurance write-off categorisation (MIAFTR), stolen markers (PNC), structured mileage anomalies, keeper-change history, plate-change history, V5C reissue history, and cherished-transfer markers;
• Outstanding safety recall data.

The data VDGL supplies is sourced under licence from DVLA, Experian Limited, and other industry providers. We have no direct contractual relationship with DVLA, Experian Limited, or any other upstream provider — our relationship is with VDGL under their published licence terms, which include DVLA Schedule 4 flow-down obligations relating to the use and disclosure of DVLA-sourced data.

Data is processed in the United Kingdom. VDGL's privacy notice.

From time to time we may switch to an equivalent licensed provider where this improves the accuracy or coverage of our reports. Any such change will be reflected in an updated version of this policy.

5c. UK government register we query directly

In addition to the licensed provider above, we query the following UK government API directly as a redundancy layer:

DVLA — Vehicle Enquiry Service (VES)

The Driver and Vehicle Licensing Agency (DVLA) operates the Vehicle Enquiry Service. We use this as a redundancy layer for basic vehicle identity (make, model, year of manufacture, fuel type, colour, MOT and tax status, CO₂ emissions, type approval, and export markers) in the event that a VDGL query fails. About the DVLA Vehicle Enquiry Service.

DVLA processes VRN queries in line with its own published privacy notice. We do not control how DVLA processes the data we send it or how long it retains query logs.

5d. Listing platforms (optional)

If you provide an optional listing URL with your order, our system reads the publicly accessible content of that listing page so the report can include a specification audit comparing the seller's claims against the factory data returned by the VRN query. Where the listing is on Auto Trader UK (autotrader.co.uk) we read the publicly visible HTML of the page; we have no contractual relationship with Auto Trader and do not transmit your email address, VRN, or any other personal information about you to the listing platform. Other major UK listing platforms may be supported from time to time and will be reflected in an updated version of this policy when they are.

5e. International transfers

Some of the processors above are based in, or transfer data to, countries outside the UK. The countries involved are:

• United States (Stripe, Resend, Anthropic, Railway, and Google's onward processing): the UK Government has issued an adequacy decision for the EU-US Data Privacy Framework (the UK Extension), and where a processor is certified under that framework, transfers rely on it. Where not, transfers are made under the UK Addendum to the EU Standard Contractual Clauses.
• European Economic Area (Google primary processing in Ireland; PDFShift in France): the UK considers the EEA adequate; no additional safeguards are required.
• United Kingdom (Stripe UK, VDGL, DVLA): no international transfer.

6. Cookies and analytics

Strictly necessary cookies

When you pay through Stripe Checkout, Stripe sets cookies necessary for the payment flow (e.g. fraud prevention). These cookies are set by Stripe on the Stripe domain and are not under our control. They are strictly necessary for the payment function and do not require separate consent.

We do not set any first-party cookies on performancecarintelligence.com.

Analytics (not currently active)

We may in future enable Google Analytics (GA4) or a similar privacy-respecting analytics tool to understand how visitors use the site. At the time this policy is published, no analytics service is active on this website, and no analytics cookies are set.

If and when we enable analytics:

• A cookie consent banner will appear on your first visit, asking you to accept or decline analytics cookies.
• Analytics will not load unless you explicitly opt in.
• Only aggregated, pseudonymised usage data will be collected — for example, which pages are visited and the approximate region a visit came from. We will not attempt to identify individual visitors.
• You will be able to change your preference at any time.

We will update this policy to reflect the specific analytics provider and data collected before enabling it.

7. Automated decision-making

The Performance Car Intelligence Report is generated by automated software and AI without manual human review of each individual report. The report includes a risk classification (Low, Moderate, Elevated, or High) which is produced algorithmically by combining:

• The vehicle data returned by VDGL for the VRN you provided (factory specification, derivative, valuation);
• The provenance data returned by VDGL (outstanding finance, write-off status, stolen markers, mileage anomalies, keeper- and plate-change history, recalls);
• The MOT test history returned by VDGL;
• Vehicle identity data returned by DVLA VES where used as a redundancy layer;
• The content of the listing, if you provided a URL;
• Model and generation-specific rules about Porsche features, options, and known issues.

Article 22 of the UK GDPR gives you the right not to be subject to a decision based solely on automated processing where that decision produces legal effects or similarly significant effects for you. Our processing falls outside the strict scope of Article 22 because:

• The risk classification is presented as part of an informational report, not a binding decision about you;
• The decision the report informs (whether to view, negotiate on, or buy a vehicle) is made by you, not by us;
• The analysis concerns a vehicle, not the data subject; the data subject is the buyer commissioning the report, and the report contains analysis they have commissioned for their own use.

We mention this here in the interest of transparency, so you understand both what the automated processing does and what it does not do:

If you would like an explanation of how a specific element of your report was determined, contact us at hello@performancecarintelligence.com quoting your order reference.

8. Your rights

Regardless of where you live, you can contact us at any time to exercise the following rights over the data we hold about you:

• Right of access — request a copy of the data we hold about you.
• Right to rectification — ask us to correct data that is inaccurate.
• Right to erasure — ask us to delete your data. We will do so within 30 days unless we have a legal obligation to retain it (for example HMRC tax records — see §4).
• Right to object / restrict processing — ask us to pause or stop certain uses of your data.
• Right to data portability — receive your data in a structured, machine-readable format.
• Rights regarding automated decisions — see §7.

To exercise any of these rights, email hello@performancecarintelligence.com. We will respond within 30 days (one calendar month).

9. Jurisdiction-specific rights

UK United Kingdom

This policy is governed by UK data protection law, including the UK GDPR and the Data Protection Act 2018. If you believe we have mishandled your personal data, you have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint. We would, however, appreciate the chance to address your concern first — please contact us before escalating.

10. Security and data-architecture safeguards

We take reasonable technical and organisational measures to protect your data:

• All data is transmitted over HTTPS (TLS).
• Our database is not publicly accessible and is hosted on managed infrastructure with restricted access.
• Access to administrative systems is restricted to the company's sole director (the only person with access) and protected by two-factor authentication.
• API credentials for VDGL, DVLA, Stripe, Resend, Anthropic, PDFShift, and Google are stored as environment variables in the hosting environment and are never exposed to the browser.
• Payment card data is never stored by us — it is handled entirely by Stripe.

10.1 Data-architecture safeguards

In addition to the general security measures above, we operate four specific data-architecture safeguards in connection with the licensed vehicle data we obtain from VDGL. These safeguards exist to honour our obligations under VDGL's licence terms (which incorporate DVLA Schedule 4 and Schedule 5 flow-down requirements and VDGL's Provenance Data Reseller Terms) and to protect the registered keepers of vehicles our customers query:

1. Strict per-report data fetching. Every Performance Car Intelligence Report triggers a fresh, live query to VDGL for the VRN in question. We do not maintain a persistent cache of VDGL responses for serving future customer lookups. Vehicle data exists only as runtime state during the generation of an individual report.
2. No secondary vehicle database. We do not use the data we receive from VDGL to construct, populate, or maintain any internal database, directory, index, or lookup of vehicles. Historical lookups exist only as report artefacts (the customer's PDF) and operational logs sufficient to handle support queries; they are not queryable as a dataset, and they are deleted in line with the retention periods in §4.
3. No VIN exposure to customers. Where VDGL returns a Vehicle Identification Number (VIN) to our pipeline, the VIN is used only as an internal key for matching against manufacturer factory data. No VIN — full, partial, or otherwise — is shown in the Performance Car Intelligence Report delivered to the customer, in any visible field, hidden field, metadata, or source code. This safeguard reflects DVLA Schedule 5 §3.1(a), under which the full VIN must not be disclosed to consumers; and Schedule 5 §4.2–§4.3, under which even a partial VIN can uniquely identify a vehicle where fewer than 500 of a given type are first-registered in a year — a threshold which applies to several low-volume Porsche variants we cover.
4. Analytical commentary only. The data we receive is transformed into narrative analysis for delivery to the customer. The Performance Car Intelligence Report does not expose raw structured DVLA records, raw engine numbers, raw industry record identifiers, or any data field in a form that could be machine-extracted and used to harvest data, impersonate the vehicle, or otherwise misuse the licensed data.

These safeguards are encoded in our product architecture and are enforceable against our own staff and systems. They reflect compliance commitments made to our licensed data provider and, ultimately, to the UK Government's framework for the licensing of DVLA-sourced data.

10.2 Incident notification

No system is perfectly secure. If we become aware of a data breach that affects your personal data and is likely to result in a risk to your rights, we will notify you and the ICO within 72 hours, in line with UK GDPR requirements.

11. Vehicle data and the registered keeper

When you submit a VRN, we obtain data about a specific vehicle. UK data protection law treats some of this data as personal data of the vehicle's registered keeper, because the keeper can be identified by combining the VRN with other information (held, for example, by DVLA). The licensed provider we use (VDGL) returns technical information about the vehicle (specification, finance status, write-off status, mileage history, MOT history, keeper-change history, plate-change history) without disclosing the keeper's name, address, or contact details to us.

Because we cannot link the technical vehicle data we hold to a specific identifiable keeper, the transparency obligations in Article 14 of the UK GDPR are limited in scope (per Article 11(2)). Nonetheless, we are committed to publishing the information in this policy so that any registered keeper who becomes aware that a report has been commissioned on their vehicle can understand what data was processed, why, and on what legal basis (see §3 and §5).

11.1 The customer as the end recipient of analytical output

The Performance Car Intelligence Report is structured so that the customer — the buyer who has commissioned the report — receives a finalised analytical PDF as the data's terminus. The customer:

• Does not have any query access, API access, or programmatic interface to our underlying vehicle data;
• Does not receive raw structured DVLA records, raw engine numbers, raw VINs (see §10.1, safeguard 3), or any other data field in a form that enables onward distribution as data;
• Receives a single, fixed PDF (and matching hosted HTML page) containing synthesised analytical narrative, applicable to the specific vehicle referenced in the report.

This product structure is deliberate. It means the customer is the end recipient of analytical output, not an intermediary in the supply chain of DVLA-sourced data, and not subject to the onward-distribution obligations that would apply to a commercial reseller of vehicle data. The customer's own use of the report is governed by our Terms of Service, in particular the purpose-limitation and no-redistribution clauses (Terms §9.1 and §9.2).

If you are the registered keeper of a vehicle and you believe a report has been commissioned about it, you can contact us at hello@performancecarintelligence.com to discuss your rights. Note that we may be unable to confirm whether a specific VRN has been queried without sufficient information to verify your identity as the keeper, and we may be unable to disclose customer identities without a legal basis to do so.

12. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent revision. Substantive changes (for example, enabling analytics, adding a new processor, or adding a new category of data) will be notified to existing customers by email where reasonably possible. Continued use of the service after a change constitutes acceptance of the updated policy.

13. Contact