Privacy Policy
Last updated: 31 May 2026
Workshop Boss is operated by AutoCircuit Solutions Ltd (trading as Essex Recons), company number 16403398, a company registered in England and Wales with its registered office at 181-183 Station Lane, Hornchurch, Essex, RM12 6LL. In this policy, “Workshop Boss”, “we”, “us” and “our” refer to AutoCircuit Solutions Ltd. We are the data controller for personal data collected through the Workshop Boss platform (“the Service”).
This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and your rights under the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018. We are registered with the Information Commissioner’s Office (ICO) under registration number 【ICO registration no. — to confirm】.
1. Data We Collect
1.1 Account and Business Information
When you register for Workshop Boss we collect:
- Name, email address and password of the account holder(s)
- Business name, address, phone number and VAT number
- Billing details (processed and stored by Stripe — we do not store full card numbers)
- Subscription plan and payment history
1.2 Customer and Vehicle Data
When you use the Service to manage your garage operations, you input data about your own customers and their vehicles. This may include:
- Customer names, addresses, phone numbers and email addresses
- Vehicle registration marks (VRM), make, model, year and VIN
- MOT history, service records and job cards
- Invoice and payment records
- Notes and communications history
You are the data controller for this information. AutoCircuit Solutions Ltd processes it as your data processor under a Data Processing Agreement.
1.3 Usage and Technical Data
We automatically collect:
- IP address, browser type and version, device type and operating system
- Pages visited, features used, and actions taken within the Service
- Log data and error reports (captured by our error-monitoring provider, Sentry)
- AI interaction logs (prompts and responses, without customer personal data where possible)
1.4 Cookies
We use only the following, and no analytics, advertising, or third-party tracking cookies:
- Strictly necessary: Session cookies required for authentication and security (Supabase auth tokens). These cannot be disabled.
- Functional: Preferences such as sidebar state and selected date, stored in your browser’s local storage. These never leave your device.
Because we set no analytics or advertising cookies, there is nothing to consent to beyond the strictly necessary cookies the Service cannot run without. Disabling those will prevent you from using the Service.
2. How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provide and operate the Service | Account info, Customer Data | Contract performance |
| Process subscription payments | Billing details, subscription plan | Contract performance |
| Send transactional emails and SMS | Email address, phone number | Contract performance |
| Generate AI-powered diagnostics and insights | Vehicle data, job history (anonymised where possible) | Contract performance / Legitimate interests |
| MOT and service reminders to your customers | Your customers' contact details and vehicle due dates | Contract performance (you as controller) |
| Customer support | Account info, communications | Contract performance / Legitimate interests |
| Platform security and fraud prevention | Usage logs, IP address | Legitimate interests |
| Marketing communications | Email address, name | Consent (opt-in only) |
| Legal and regulatory compliance | Financial records | Legal obligation |
3. Legal Bases for Processing
We rely on the following legal bases under UK GDPR Article 6:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service and manage your subscription.
- Legitimate interests (Art. 6(1)(f)): Improving the Service, preventing fraud, and ensuring platform security.
- Legal obligation (Art. 6(1)(c)): Retaining financial records for the period required by HMRC.
- Consent (Art. 6(1)(a)): Marketing communications, where you have opted in. You may withdraw consent at any time.
4. Third-Party Data Processors
We use the following sub-processors to deliver the Service. All processors are bound by data processing agreements and comply with UK GDPR:
| Processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database hosting, authentication, and file storage | EU / UK region (AWS eu-west-2) |
| Vercel Inc. | Application hosting and edge delivery | EU / USA (SCCs in place) |
| Stripe Inc. | Payment processing and subscription billing | EU / USA (SCCs in place) |
| Twilio Inc. | SMS reminders and two-way messaging | EU / USA (SCCs in place) |
| Resend Inc. | Transactional email delivery | EU / USA (SCCs in place) |
| Groq, Inc. | AI-powered diagnostic suggestions and insights (vehicle and job context) | USA (SCCs in place) |
| Functional Software, Inc. (Sentry) | Application error monitoring and performance diagnostics | EU / USA (SCCs in place) |
| DVLA / DVSA (UK Gov) | Vehicle registration and MOT history lookups | United Kingdom |
Where processors are located outside the UK or EEA, transfers are protected by Standard Contractual Clauses (SCCs) or an adequacy decision. A full list of sub-processors is available on request.
5. Data Sharing
We do not sell your personal data. We share data only:
- With the sub-processors listed above, to deliver the Service.
- Where required by law, regulation, or a court order (e.g., HMRC, law enforcement).
- In connection with a merger, acquisition, or sale of assets, where the successor entity agrees to honour this Privacy Policy.
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Account and billing records | 7 years after account closure (HMRC requirement) |
| Customer and vehicle records | 6 years after last activity, or upon your deletion request |
| Job cards and invoices | 7 years (statutory accounting obligation) |
| AI conversation logs | 90 days, then anonymised for model improvement analysis |
| Server and access logs | 90 days |
| Marketing preferences | Until consent is withdrawn |
On account termination, your Customer Data is retained for 30 days to allow you to request an export. After this period it is permanently deleted unless a legal obligation to retain it applies.
7. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Row-level security policies on all database tables
- Multi-factor authentication support for user accounts
- Regular security reviews and dependency updates
- Access controls limiting staff access to data on a need-to-know basis
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ICO within 72 hours of becoming aware, as required by UK GDPR Article 33.
8. Your Rights Under UK GDPR
You have the following rights in relation to your personal data. To exercise any of these rights, please contact us at tony@essexrecons.com. We will respond within one calendar month.
Right of Access (Article 15)
Request a copy of all personal data we hold about you.
Right to Rectification (Article 16)
Request correction of inaccurate or incomplete personal data.
Right to Erasure (Article 17)
Request deletion of your personal data ("right to be forgotten"), where no overriding legal basis to retain it exists.
Right to Restriction (Article 18)
Request that we restrict processing of your data in certain circumstances.
Right to Data Portability (Article 20)
Receive your personal data in a structured, machine-readable format (JSON or CSV) for transfer to another controller. You can export your data at any time from Settings → Data Export.
Right to Object (Article 21)
Object to processing based on legitimate interests, including direct marketing.
Right to Withdraw Consent
Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
Rights Related to Automated Decision-Making (Article 22)
We do not make solely automated decisions that produce legal or similarly significant effects on you.
9. Marketing Communications
We will only send you marketing communications (product updates, tips, special offers) if you have opted in. You can unsubscribe at any time by clicking the unsubscribe link in any marketing email or by updating your preferences in Settings → Notifications.
10. Children's Privacy
The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected such data, please contact us and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. We will notify you of material changes by email or in-app notice at least 14 days before the changes take effect. The “Last updated” date at the top of this page will always reflect the most recent version.
12. Right to Lodge a Complaint with the ICO
If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the UK supervisory authority, the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113
We would, however, appreciate the opportunity to address your concerns before you approach the ICO. Please contact us first at tony@essexrecons.com.
13. How to Contact Us
For any data protection queries or to exercise your rights, please contact us using the details below. We will direct your request to the team member responsible for data protection at AutoCircuit Solutions Ltd.
AutoCircuit Solutions Ltd (trading as Essex Recons)
Romford, Essex, England
Registered office: 181-183 Station Lane, Hornchurch, Essex, RM12 6LL
Email: tony@essexrecons.com