Data Controller
For the purposes of the UK GDPR (UK Data Protection Act 2018) and EU GDPR (Regulation 2016/679), the data controller responsible for your personal data is:
CarSpanner
Email: contact@carspanner.com
We do not have a data protection officer because we do not engage in large-scale or systematic processing of personal data. All data protection enquiries should be directed to the email address above.
Personal Data We Process
CarSpanner is designed to minimise data collection. We collect only what is necessary to provide the service. No registration, account, name, or email address is required.
| Data Type | What We Collect | Why | Retention |
|---|---|---|---|
| Conversation content | Text messages and uploaded photos sent to the CarSpanner chat | To provide AI-powered parts identification and sourcing responses | 90 days, then automatically deleted |
| Aggregate analytics | Page views, referrer, country (no PII — processed by Plausible) | To understand usage patterns and improve the service | Rolling 12 months, aggregated only |
| Affiliate click events | Referral click recorded by affiliate networks on link click-through | Affiliate commission attribution | Per affiliate network policies (see Cookie Policy) |
| IP address | Logged by hosting infrastructure (Render) and anonymised by Plausible | Security, abuse prevention, infrastructure monitoring | 30 days (infrastructure logs) |
Legal Basis for Processing
We process personal data under the following legal bases under Article 6 of UK GDPR / EU GDPR:
| Processing Activity | Legal Basis | Justification |
|---|---|---|
| Answering parts queries | Art. 6(1)(f) — Legitimate interests | Necessary to provide the AI service you actively chose to use; no override of your interests |
| Storing conversation history | Art. 6(1)(f) — Legitimate interests | Enables session continuity and access to your chat history during a visit |
| Processing uploaded photos | Art. 6(1)(f) — Legitimate interests | Required for AI vision-based part identification; photos submitted at your explicit action |
| Anonymous analytics (Plausible) | Art. 6(1)(f) — Legitimate interests | No personal data is processed; aggregate counts only; no consent required |
| Affiliate referral attribution | Art. 6(1)(f) — Legitimate interests | Attribution of commission-qualifying referrals; disclosed openly in Affiliate Disclosure |
| Security and abuse prevention logging | Art. 6(1)(f) — Legitimate interests | Protecting the integrity and availability of the service |
Your Rights
Under UK GDPR and EU GDPR, you have the following rights in relation to your personal data. To exercise any of these rights, email contact@carspanner.com. We will respond within one month.
Right of Access
Article 15 UK GDPR / EU GDPRYou have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data along with information about how it is used.
How to exercise: Email contact@carspanner.com with "Subject Access Request" in the subject line.
Right to Rectification
Article 16 UK GDPR / EU GDPRYou have the right to have inaccurate personal data corrected, or incomplete data completed.
How to exercise: Email contact@carspanner.com specifying what data you believe is inaccurate.
Right to Erasure ("Right to Be Forgotten")
Article 17 UK GDPR / EU GDPRYou have the right to request deletion of your personal data where there is no compelling reason for its continued processing. Note that conversation data is automatically deleted after 90 days.
How to exercise: Email contact@carspanner.com with your conversation session ID if available.
Right to Restriction of Processing
Article 18 UK GDPR / EU GDPRYou have the right to request that we restrict processing of your personal data while a dispute about accuracy, lawfulness, or our legitimate grounds is being resolved.
How to exercise: Email contact@carspanner.com explaining the restriction you require.
Right to Data Portability
Article 20 UK GDPR / EU GDPRWhere processing is based on consent or contract, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit it to another controller.
How to exercise: Email contact@carspanner.com. We can provide conversation data in JSON format.
Right to Object
Article 21 UK GDPR / EU GDPRYou have the right to object to processing of your personal data where processing is based on legitimate interests. We must stop processing unless we can demonstrate compelling legitimate grounds which override your interests.
How to exercise: Email contact@carspanner.com stating the nature of your objection.
Rights re Automated Decision-Making
Article 22 UK GDPR / EU GDPRCarSpanner's AI responses are automated. However, they do not constitute legally significant or similarly significant automated decisions about you. If you have concerns, you may request human review of any AI response.
How to exercise: Email contact@carspanner.com.
Data Minimisation
CarSpanner does not require registration. We do not collect names, email addresses, telephone numbers, physical addresses, payment details, or account credentials. The only personal data processed is what you actively type or upload into the chat interface, plus pseudonymous infrastructure logs.
This design reflects Article 5(1)(c) of UK GDPR / EU GDPR: data must be adequate, relevant, and limited to what is necessary.
Automated Processing and Profiling
CarSpanner uses Claude (Anthropic) to process your parts queries. This constitutes automated processing of the content you submit. The AI does not produce legal effects or decisions that significantly affect you — it provides informational responses about classic car parts.
The AI does not build profiles of individual users across sessions. Each conversation is processed independently. We do not use your data to make inferences about your characteristics, preferences, or behaviour beyond answering your immediate question.
International Transfers
Your data may be transferred outside the UK/EEA in the following circumstances:
| Processor | Location | Transfer Mechanism | Purpose |
|---|---|---|---|
| Anthropic (Claude AI) | United States | Standard Contractual Clauses (SCCs) | AI processing of your queries and photos |
| Render | United States | Standard Contractual Clauses (SCCs) | Application hosting and database |
| Plausible Analytics | European Union (Germany) | No transfer — EU-hosted | Anonymous aggregate analytics |
Data Retention
We retain personal data only for as long as necessary for the purpose it was collected:
- Conversation data (messages and photos): 90 days from creation, then automatically and permanently deleted.
- Aggregate analytics data (Plausible): Rolling 12-month window; no personal data is retained.
- Infrastructure logs (including IP addresses): 30 days, then automatically purged by Render.
Children's Data
CarSpanner is not directed at children under 13 years (under the UK DPA 2018) or under 16 years (under EU GDPR, where applicable). We do not knowingly process personal data from children. If you believe a child has submitted data, please contact us at contact@carspanner.com and we will delete it promptly.
Supervisory Authorities
You have the right to lodge a complaint with your relevant supervisory authority. You should first contact us to resolve any concerns, but you are not required to do so before lodging a complaint.
Contact & Response Times
For any data protection queries, rights requests, or concerns, please contact us:
Email: contact@carspanner.com
Subject line: "GDPR Request" or "Data Protection Query"
We will acknowledge your request within 5 business days and provide a full response within one calendar month as required by Article 12 UK GDPR / EU GDPR. In complex cases, this may be extended by a further two months, with notice provided.