Privacy Policy
Last updated: May 2026 · Effective immediately
1. Who We Are
CarLook AI ("CarLook", "we", "us") is a UK-based automotive intelligence platform accessible at carlook.ai. We are the data controller for personal data collected through this platform. This Privacy Policy explains how we collect, use, store, and share your personal data, and your rights under the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.
2. What Personal Data We Collect
We collect personal data in the following ways:
| Data Category | Examples | How Collected |
|---|---|---|
| Account data | Name, email address, account role | Registration and OAuth sign-in |
| VRM lookup data | UK vehicle registration marks submitted for checks | User input on VRM Check and Car Valuation tools |
| Payment data | Transaction ID, purchase type, amount | Stripe payment processing (card details never touch our servers) |
| Search preferences | Make, model, price range, postcode, fuel type | User input on Cars for Sale and Top Deals pages |
| Usage analytics | Pages visited, features used, session duration | Anonymised analytics (no cross-site tracking) |
| Communications | Messages sent via contact form or support | Contact form submissions |
We do not collect sensitive personal data (as defined under UK GDPR Article 9), such as racial or ethnic origin, health data, or financial account details. Card payment details are processed exclusively by Stripe and are never transmitted to or stored on CarLook AI servers.
3. How We Use Your Data and Our Legal Basis
| Purpose | Legal Basis (UK GDPR) |
|---|---|
| Providing vehicle checks, valuations, and live listings | Performance of a contract (Art. 6(1)(b)) |
| Processing payments and maintaining transaction records | Performance of a contract; Legal obligation (Art. 6(1)(b), (c)) |
| Sending transactional emails (report delivery, receipts) | Performance of a contract (Art. 6(1)(b)) |
| Sending product updates and marketing emails | Consent (Art. 6(1)(a)) — you may unsubscribe at any time |
| Improving platform features and fixing bugs | Legitimate interests (Art. 6(1)(f)) |
| Fraud prevention and security | Legitimate interests; Legal obligation (Art. 6(1)(c), (f)) |
4. Third-Party Data Sources and Processors
CarLook AI retrieves vehicle data from the DVLA and DVSA under their respective API terms. VRMs you submit are passed to these government APIs solely to retrieve the vehicle information you have requested. We do not share your identity with DVLA or DVSA.
Live dealer listing data is sourced from MarketCheck (marketcheck.com), a US-based automotive data provider. Listing data includes dealer names, asking prices, vehicle details, and location information. When you view live listings, your search parameters (make, model, price range, postcode) are sent to MarketCheck's API. No personal account data is shared with MarketCheck.
Supplementary listing data may be sourced from eBay Motors via the eBay API. Search parameters are shared with eBay to retrieve relevant listings. eBay's privacy policy applies to any interaction you have directly on eBay's platform.
Payments are processed by Stripe, Inc. Stripe acts as an independent data controller for payment data. Please review Stripe's Privacy Policy for details of how they handle your payment information.
5. Data Retention
We retain personal data only for as long as necessary for the purposes set out in this policy:
- Account data: retained for the lifetime of your account, plus 12 months after deletion to allow for dispute resolution.
- VRM lookup records: retained for 12 months to support report re-delivery and fraud prevention, then deleted.
- Payment transaction records: retained for 7 years to comply with UK financial record-keeping obligations.
- Analytics data: anonymised and retained indefinitely in aggregate form; no individual-level data is retained beyond 26 months.
- Contact form messages: retained for 24 months, then deleted unless ongoing correspondence requires longer retention.
6. Cookies
CarLook AI uses the following categories of cookies:
| Category | Purpose | Consent Required |
|---|---|---|
| Essential | Authentication session, CSRF protection, cookie consent preference | No — strictly necessary |
| Analytics | Anonymised page view and feature usage tracking (self-hosted, no cross-site tracking) | Yes — opt-in via cookie banner |
We do not use advertising, retargeting, or third-party tracking cookies. You can manage your cookie preferences at any time via the cookie settings link in the footer.
7. Your Rights Under UK GDPR
You have the following rights in relation to your personal data:
- Right of access: request a copy of the personal data we hold about you.
- Right to rectification: request correction of inaccurate or incomplete data.
- Right to erasure: request deletion of your data where there is no compelling reason for continued processing.
- Right to restriction: request that we restrict processing of your data in certain circumstances.
- Right to data portability: receive your data in a structured, commonly used, machine-readable format.
- Right to object: object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us via our contact form. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data has been handled unlawfully.
8. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. These include encrypted data transmission (TLS), access controls, and regular security reviews. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ICO as required by UK GDPR.
9. International Transfers
Some of our third-party processors (including Stripe and MarketCheck) are based outside the UK and European Economic Area. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the ICO, or reliance on adequacy decisions.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes by email or in-platform notification. The current version is always available at carlook.ai/privacy. The "Last updated" date at the top of this page indicates when the most recent revision was made.
11. Contact
For privacy-related questions or to exercise your data rights, please use our contact form. For general questions about the service, see our Terms of Service.