Privacy Policy
Last updated: 15 March 2026 | Version 1.01. Who We Are
CarVerdict is a UK-based car review platform operated as a sole trader/small business. Our website is www.carverdict.co.uk.
For the purposes of UK data protection law, CarVerdict is the data controller of the personal information you provide to us.
Contact: If you have any questions about this policy or wish to exercise your rights, please contact us via our Contact page or email us at privacy@carverdict.co.uk.
2. What Data We Collect and Why
We collect different types of information depending on how you interact with our site. Below is a full breakdown.
2.1 When You Submit a Car Review
To publish a review on CarVerdict, you provide:
- Your name — displayed publicly alongside your review so readers know who wrote it.
- Your email address — used only to contact you if we need to verify your review or follow up on a support issue. It is never displayed publicly.
- Your vehicle registration number (VRN) — used solely to verify that you owned or own the car you are reviewing (via the DVLA open data service). The full VRN is stored securely in our database and is never published or shared.
- Review content — your written review text, ratings, pros, cons, and any other fields you complete. This information is published on CarVerdict once approved by our moderation team.
Legal basis: Legitimate interests (providing an honest, verified review platform) and your consent given when you submit the form.
2.2 When You Contact Us
If you use our contact form, we collect:
- Your name
- Your email address
- Your message
This information is stored securely in our database (email addresses are encrypted) and used only to respond to your enquiry. We do not use contact messages for marketing.
Legal basis: Legitimate interests (responding to communications directed at us).
2.3 Automatically Collected Data (Visitor Analytics)
When you visit CarVerdict, our server automatically logs:
- A one-way hash of your IP address — we never store your raw IP address. We apply SHA-256 hashing with a rotating server-side salt so the hash cannot be reversed to identify you.
- The page you visited — e.g.
/cars/ford/focus. - Your referrer URL — the page or search engine that brought you to CarVerdict (if your browser sends this).
- Date and time of visit.
We use this data to understand which content is popular and to improve the site. We do not build individual user profiles.
Legal basis: Legitimate interests (operating and improving a website).
2.4 Cookies
We use cookies as described in our cookie consent banner. Briefly:
- Essential cookies — required for the site to function (e.g. your cookie consent preference). These are always active.
- Analytics cookies — help us understand site usage. Only set if you consent.
- Preference cookies — remember settings such as search filters. Only set if you consent.
You can change your cookie preferences at any time via the Cookie Settings link in our footer.
3. How We Use Your Data
| Purpose | Data used | Legal basis |
|---|---|---|
| Publish and display your car review | Name, review content, ratings, make/model | Consent / Legitimate interests |
| Verify vehicle ownership via DVLA | Vehicle registration number | Consent |
| AI sentiment analysis of reviews | Review text only (no personal info sent) | Legitimate interests |
| Respond to your contact message | Name, email, message content | Legitimate interests |
| Site analytics & performance monitoring | Hashed IP, page views, referrer | Legitimate interests |
| Fraud and abuse prevention | Hashed IP, submission timestamps | Legitimate interests |
| Compliance with legal obligations | Any data required by law | Legal obligation |
We do not use your data for:
- Sending marketing emails or newsletters
- Targeted advertising
- Selling or renting to third parties
- Profiling or automated decision-making that produces legal effects
4. Sentiment Analysis & Third-Party AI
We use the Google Cloud Natural Language API to automatically analyse the sentiment (positive, neutral, or negative) of review text. When a review is submitted, the written text only is sent to Google's servers for processing. No personal identifiers (name, email, VRN) are included in this request.
Google processes this data as a data processor on our behalf under Google Cloud's data processing terms. Google's privacy policy is available at policies.google.com/privacy.
5. Who We Share Your Data With
We only share your data with third parties where necessary to run the service:
- Web hosting provider — our servers store all site data. Your data remains within the UK/EEA unless stated otherwise by the host.
- Google Cloud (Natural Language API) — receives anonymised review text for sentiment analysis only (see Section 4).
- DVLA (Driver and Vehicle Licensing Agency) — we query the public DVLA vehicle enquiry service using your VRN to confirm the car exists and matches the details you provided. We do not share your personal details with the DVLA.
We do not use any third-party marketing, advertising, or analytics platforms (e.g. Google Analytics, Facebook Pixel). We do not sell, rent, or share your personal data with any other companies or individuals.
6. How Long We Keep Your Data
| Data type | Retention period | Reason |
|---|---|---|
| Published review (name, text, ratings) | Until you request deletion or the site closes | The review provides ongoing value to the community |
| Email address (reviews) | 3 years from submission | Support and verification purposes |
| Vehicle registration number | 3 years from submission | Fraud prevention and dispute resolution |
| Contact messages | 2 years from receipt | Record of communications |
| Visitor analytics (hashed IP, page views) | 13 months rolling | Year-on-year traffic analysis |
After the applicable retention period, data is permanently deleted from our systems.
7. How We Keep Your Data Secure
Security is important to us. The measures we take include:
- HTTPS encryption — all data transmitted between your browser and CarVerdict is encrypted using TLS (HTTPS).
- Encrypted email storage — email addresses stored in our database are encrypted at rest so that even in the event of a data breach, addresses cannot be read directly.
- VRN access controls — vehicle registration numbers are accessible only by authorised administrators and are never published, shared externally, or displayed to other users.
- IP address hashing — we never store raw IP addresses. All IPs are immediately hashed using SHA-256 with a server-side salt before storage.
- Admin access controls — our admin panel is protected by password authentication and is not publicly accessible.
- Input validation and parameterised queries — all user inputs are validated and our database queries use parameterised statements to prevent SQL injection attacks.
- Regular monitoring — we monitor server logs for unusual activity and keep software dependencies up to date.
No method of transmission over the internet is 100% secure. While we use industry-standard measures, we cannot guarantee absolute security. In the unlikely event of a data breach that affects your rights and freedoms, we will notify you and, where required, the ICO within 72 hours.
8. Your Rights Under UK GDPR
As a UK resident, you have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — request that we delete your personal data. We will comply unless we have a legal obligation or legitimate reason to retain it.
- Right to restrict processing — ask us to pause processing your data in certain circumstances.
- Right to data portability — receive a copy of data you provided to us in a commonly used, machine-readable format.
- Right to object — object to us processing your data on the basis of legitimate interests.
- Right to withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.
To exercise any of these rights, please contact us. We will respond within 30 days. There is no charge for making a request.
If you are not satisfied with our response, you have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113
9. Children's Privacy
CarVerdict is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.
10. Links to Other Websites
Our site may contain links to third-party websites (for example, links to car manufacturer websites). We are not responsible for the privacy practices of those sites and encourage you to read their privacy policies.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the law, our practices, or the services we offer. When we make significant changes, we will update the "Last updated" date at the top of this page. We encourage you to review this page periodically.
Continued use of CarVerdict after a policy update constitutes your acknowledgement of the revised policy.
12. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data rights, or want to report a concern, please reach out:
- Contact form: www.carverdict.co.uk/contact
- Email: privacy@carverdict.co.uk
We aim to respond to all data-related enquiries within 5 working days, and no later than 30 days for formal rights requests.