Privacy Policy
Last updated: 1 April 2026
This Privacy Policy explains how Garage Desk Ltd (“GarageDesk”, “we”, “us”, or “our”) collects, uses, and protects personal data in connection with the GarageDesk service available at garagedesk.co.uk. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who We Are
Garage Desk Ltd is a company registered in England and Wales. We operate the GarageDesk platform, a WhatsApp inbound management system for UK independent garages.
Contact us about privacy matters at: privacy@garagedesk.co.uk
We are registered with the Information Commissioner’s Office (ICO) as a data controller.
2. Our Role: Controller and Processor
GarageDesk operates in two distinct roles depending on whose data is being processed:
Data Controller — for garage subscribers
When you sign up and use GarageDesk as a garage owner or operator, we are the data controller of your personal information (name, email, payment details, etc.). We determine how and why that data is processed.
Data Processor — for end-customers of garages
When members of the public contact a garage via WhatsApp through our platform, we process their personal data on behalf of the garage (the data controller). The garage is responsible for the lawful basis for that processing and for informing their customers about it.
3. What Data We Collect
3.1 Garage Subscribers
When you sign up for GarageDesk, we collect:
- Full name and business name
- Email address
- Phone number
- Payment and billing details (processed securely via our payment provider)
- Garage address and business information
- Account usage data and login records
3.2 End-Customers of Garages
When a member of the public contacts a garage via GarageDesk, we process on behalf of the garage:
- Full name
- WhatsApp phone number
- Vehicle registration plate
- Vehicle details (make, model, year — retrieved from the DVLA)
- Description of the vehicle problem or service required
- Full WhatsApp conversation history with the AI and any garage staff
- AI-generated diagnosis notes
3.3 Technical and Analytics Data
- IP addresses and browser information
- Dashboard usage and activity logs
- Essential session cookies (see Section 10)
4. Lawful Basis for Processing
Garage subscriber data
Contract (Article 6(1)(b) UK GDPR) — processing is necessary to provide the GarageDesk subscription service and fulfil our contractual obligations to you.
End-customer WhatsApp data
Legitimate interests (Article 6(1)(f) UK GDPR) — the garage has a legitimate interest in following up with customers who have contacted them or called them. Garages are responsible for ensuring their customers are informed about this processing.
Legal obligations (e.g. tax records)
Legal obligation (Article 6(1)(c) UK GDPR) — we retain certain financial records as required by HMRC and UK law.
5. Sub-Processors
We use the following trusted third-party sub-processors to deliver the GarageDesk service. Each is subject to a data processing agreement:
Twilio Inc.
Purpose: WhatsApp message delivery and receipt
Location: United States
Transfer mechanism: Standard Contractual Clauses (SCCs)
Anthropic PBC (Claude AI)
Purpose: AI-powered conversation handling and diagnosis
Location: United States
Transfer mechanism: Standard Contractual Clauses (SCCs)
Supabase Inc.
Purpose: Database storage for enquiries and conversation data
Location: EU (database hosted in EU region)
Transfer mechanism: EU adequacy / within UK adequacy framework
DVLA (via VES API)
Purpose: Vehicle registration lookup
Location: United Kingdom
Transfer mechanism: No transfer — UK domestic
6. International Data Transfers
Some of our sub-processors (Twilio and Anthropic) are based in the United States. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place in accordance with UK GDPR Chapter V.
Transfers to Twilio and Anthropic are carried out under Standard Contractual Clauses (SCCs) as approved by the ICO (International Data Transfer Agreements — IDTAs), which provide an equivalent level of protection to that required under UK data protection law.
Supabase stores data in the EU under an EU-hosted configuration. This falls within the UK’s adequacy framework for EU data transfers.
7. Data Retention
Garage subscriber account data
6 years from end of subscription (HMRC tax records requirement)
End-customer enquiry and conversation data
12 months from the date of the enquiry, then permanently deleted
Analytics and usage data
12 months on a rolling basis
Payment and billing records
6 years (legal obligation)
8. Your Data Subject Rights
Under UK GDPR, you have the following rights in relation to personal data we hold about you:
Right of access
You can request a copy of the personal data we hold about you (a Subject Access Request).
Right to rectification
You can ask us to correct inaccurate or incomplete personal data.
Right to erasure
You can ask us to delete your personal data in certain circumstances (the "right to be forgotten").
Right to data portability
You can request a copy of your data in a structured, machine-readable format.
Right to object
You can object to processing based on legitimate interests.
Right to restrict processing
You can ask us to restrict processing of your data in certain circumstances.
To exercise any of these rights, please contact us at privacy@garagedesk.co.uk. We will respond within one month of receiving your request.
Note: If you are an end-customer of a garage (i.e. a member of the public who contacted a garage via WhatsApp), you should also contact the garage directly, as they are the data controller for your enquiry data.
9. ICO Registration and Right to Complain
Garage Desk Ltd is registered with the Information Commissioner’s Office (ICO) as a data controller. If you have concerns about how we handle your personal data, you have the right to lodge a complaint with the ICO:
Information Commissioner’s Office
Website: ico.org.uk
Helpline: 0303 123 1113
We would always appreciate the opportunity to address your concerns before you contact the ICO.
10. Cookies
GarageDesk currently uses essential cookies only. These cookies are strictly necessary for the operation of our service (for example, to maintain your login session) and do not require your consent under PECR.
We do not currently use analytics, advertising, or tracking cookies. If this changes, we will update this policy and provide appropriate consent mechanisms.
11. Data Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These include encrypted data transmission (TLS), secure database access controls, and access restricted to authorised personnel only.
In the event of a personal data breach that is likely to affect your rights and freedoms, we will notify you and the ICO without undue delay, and no later than 72 hours after becoming aware of the breach.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of this page. For significant changes, we will notify subscribers by email.
13. Contact Us
For any privacy-related questions or to exercise your data subject rights, contact: