Privacy Policy

Last updated: 11 June 2026

1. Who we are

EquityGo ("we", "us", "our") is a web application that helps users track their Personal Contract Purchase (PCP) finance agreements. We are the data controller for personal data collected through this service.

For data protection enquiries, contact us at: privacy@equitygo.co.uk

2. What data we collect

We collect the following categories of personal data:

  • Account data: email address and password (stored as a secure hash)
  • Finance contract data: car details, finance company name, contract start date, term, monthly payment, deposit, balloon/GMFV payment, and mileage allowance — entered by you
  • Mileage log data: odometer readings and the dates you record them
  • Market value entries: car market values and dates you log them, used to calculate your equity position
  • Usage data: standard server logs including IP address, browser type, and pages visited, retained for up to 30 days

We do not collect payment card details, government ID, or sensitive personal data as defined by UK GDPR.

3. Legal basis for processing

  • Contract performance (Article 6(1)(b)): processing your account and contract data is necessary to provide the service you signed up for
  • Legitimate interests (Article 6(1)(f)): server logs for security monitoring and abuse prevention

4. How we use your data

We use your data solely to:

  • Provide and maintain your EquityGo account
  • Calculate and display your contract metrics, mileage status, and equity estimates
  • Send transactional emails (account confirmation, password reset)
  • Monitor for security incidents

We do not sell your data. We do not use your data for advertising. We do not share your data with third parties except as described in section 5.

5. Third parties and sub-processors

We use the following sub-processors to operate the service. Each is bound by a data processing agreement and operates in compliance with UK GDPR:

  • Supabase Inc. (USA) — database and authentication provider. Your account and contract data is stored on Supabase-managed infrastructure. Data is encrypted at rest and in transit. Privacy policy at supabase.com/privacy.
  • Vercel Inc. (USA) — web application hosting and content delivery. Processes request metadata including IP addresses and page paths. Privacy policy at vercel.com/legal/privacy-policy.
  • Resend Inc. (USA) — transactional email delivery. Processes your email address solely to send account confirmation, password reset, and other service emails. Privacy policy at resend.com/legal/privacy-policy.
  • Stripe Inc. (USA) — payment processing, used if and when paid subscriptions are introduced. Stripe processes payment details directly and we never see or store your card information. Privacy policy at stripe.com/gb/privacy.

Data transfers to the USA are made under Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms as required by UK GDPR.

6. Data retention

We retain your account and contract data for as long as your account is active. If you delete your account, all associated data (contracts, mileage entries, and profile information) is permanently deleted immediately. Billing records may be retained for up to 7 years where required by UK financial regulations. Server logs are retained for up to 30 days.

7. Your rights under UK GDPR

You have the right to:

  • Access: request a copy of the personal data we hold about you
  • Rectification: correct inaccurate data
  • Erasure: request deletion of your data — use the delete account option in settings, or contact us
  • Portability: receive your data in a machine-readable format
  • Restriction: ask us to stop processing your data in certain circumstances
  • Object: object to processing based on legitimate interests

To exercise any of these rights, email privacy@equitygo.co.uk. We will respond within 30 days.

8. Cookies and performance monitoring

We use only technically necessary cookies required for authentication (session tokens). We do not use advertising cookies. No cookie consent banner is required for strictly necessary cookies under UK PECR.

We use Vercel Analytics and Vercel Speed Insights to collect anonymised traffic and performance metrics (page views, page load times, Core Web Vitals). Both services are cookieless and privacy-preserving — data is not linked to individual users and contains no personally identifiable information.

9. Security

Passwords are stored as bcrypt hashes and never in plaintext. Data is encrypted at rest and in transit (TLS). We follow responsible disclosure practices for security vulnerabilities.

10. Complaints

If you believe we have handled your data unlawfully, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

11. Changes to this policy

We may update this policy from time to time. Material changes will be notified by email. Continued use of the service after changes are posted constitutes acceptance.