Privacy Policy
Last updated: 4 April 2026
1. Who we are
MotaTrack ("we", "our", "us") is a UK-based service that helps private car owners track vehicle expenses, fuel economy, and total cost of ownership. This policy explains how we collect, use, store, and protect your personal data in compliance with UK GDPR and the Data Protection Act 2018.
For privacy enquiries, contact us at: privacy@motatrack.com
2. Data we collect and why
We only collect data that is necessary to provide the MotaTrack service. All data is entered manually by you — we do not connect to any external vehicle, fuel, or insurance APIs.
Account & profile data
What: Email address, display name, phone number (optional), mailing address (optional), currency preference, mileage unit preference.
Why: To create and secure your account, personalise the display of financial figures and distances, and send you reminder emails if enabled.
Lawful basis: Contract (necessary to provide the service you signed up for).
Vehicle data
What: Vehicle make, model, year, registration plate, purchase/sale dates and prices, insurance provider name, odometer readings, service interval preferences.
Why: To calculate total cost of ownership, fuel economy, and generate service reminders.
Lawful basis: Contract.
Expense & fuel data
What: Expense amounts, dates, categories, notes, odometer readings, receipt image files. Fuel entries including litres purchased, price per litre, fuel type, station name.
Why: To produce expense reports, track fuel economy, and calculate running costs.
Lawful basis: Contract.
Reminder data
What: MOT, tax, insurance, service, tyre, and custom reminder due dates, odometer triggers, notes, and email notification timestamps.
Why: To send you timely reminders about upcoming vehicle obligations.
Lawful basis: Contract; legitimate interest in helping you avoid fines or lapses in cover.
AI assistant conversation history
What: Messages exchanged with the MotaTrack AI assistant.
Why: To provide context for follow-up questions within a session and improve response quality. Queries are processed by OpenAI (see Section 5). We never send your vehicle registration, name, or financial amounts to OpenAI without your query initiating it.
Lawful basis: Consent (you choose to use the AI assistant).
Session & authentication data
What: Encrypted session tokens stored in strictly necessary cookies and server-side session records managed by Supabase Auth.
Why: To keep you securely signed in without requiring a password on every page load.
Lawful basis: Legitimate interest in securing access to your account.
3. How long we keep your data
- Account and vehicle data: Retained for as long as your account is active. When you delete your account, all data is permanently deleted immediately.
- Dismissed reminders: Automatically hard-deleted within 30 days of dismissal.
- Completed reminders: Retained for the period you configure in Settings (default 90 days), then automatically deleted.
- AI conversation history: Retained until you delete your account. You may clear your conversation history at any time from the AI assistant panel.
- Auth logs: Managed by Supabase Auth in accordance with Supabase's privacy policy.
4. Who can see your data
Your data is never shared with other MotaTrack users. Row-level security (RLS) is enforced at the database level — it is technically impossible for one user to access another user's data, even in the event of an application bug.
Only the following parties may access your data, and only to the extent necessary to provide the service:
- MotaTrack staff — for support and debugging, via Supabase dashboard with two-factor authentication required.
- Supabase (database & auth) — infrastructure provider. Your data is hosted in the EU. See Section 5.
- Resend (email delivery) — receives your email address and reminder content to dispatch notification emails. See Section 5.
- OpenAI (AI assistant) — receives the text of your queries and relevant summarised expense data when you use the AI assistant. See Section 5.
5. Our data processors
We use the following third-party services to operate MotaTrack. Each acts as a data processor under UK GDPR and we have assessed their compliance status:
Supabase
Purpose: PostgreSQL database, authentication, and file storage.
Data location: EU West (Ireland).
Privacy: supabase.com/privacy
Resend
Purpose: Transactional email delivery for vehicle reminders. Used only if you have email reminders enabled in Settings.
Data transferred: Your email address and the reminder details included in the email.
Privacy: resend.com/privacy
OpenAI
Purpose: Powers the MotaTrack AI assistant (GPT-4o mini).
Data transferred: The text of your queries and summarised expense data relevant to your question. We use OpenAI's API with data retention disabled — your data is not used to train OpenAI models.
Privacy: openai.com/policies/privacy-policy
6. International data transfers
Resend and OpenAI are US-based companies. Where your data is transferred outside the UK or EEA, this is done under appropriate safeguards — specifically Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office. You can request details of these safeguards by emailing privacy@motatrack.app.
7. Cookies
MotaTrack uses strictly necessary cookies only. These are required for the service to function and do not require your consent under UK ICO guidance.
Cookie: sb-[project-id]-auth-token — Supabase Auth session token. Keeps you signed in securely. Expires when your session ends or after 7 days of inactivity. No tracking data is stored in this cookie.
We do not use advertising cookies, analytics cookies, or any third-party tracking.
8. Your rights
Under UK GDPR you have the following rights:
- Right of access — You can download a full copy of all your data from Settings → Your Data → Download My Data.
- Right to rectification — You can update your profile, vehicle details, and expense records at any time within the app.
- Right to erasure ("right to be forgotten") — You can permanently delete your account and all associated data from Settings → Account → Delete Account. Deletion is immediate and irreversible.
- Right to data portability — Your full data export (Settings → Your Data → Download My Data) is provided in machine-readable JSON format.
- Right to object — You can disable reminder emails at any time from Settings → Email Preferences. You can stop using the AI assistant at any time.
- Right to lodge a complaint — If you believe we have mishandled your data, you have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.
To exercise any right that isn't available self-service in the app, email privacy@motatrack.app. We will respond within 30 days.
9. Security
We implement technical and organisational measures appropriate to the risk, including:
- Row-level security (RLS) enforced at database level — your data cannot be read by other users
- All data in transit encrypted via TLS 1.2+
- All data at rest encrypted by Supabase (AES-256)
- Authentication handled by Supabase Auth with bcrypt password hashing
- Service role credentials are never exposed to the browser
10. Data breach notification
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected users without undue delay, in line with our obligations under UK GDPR Articles 33 and 34.
11. Changes to this policy
We may update this policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where required, notify you by email. Continued use of MotaTrack after changes are published constitutes acceptance of the updated policy.