Privacy Policy

This Privacy Policy explains how cardata.wiki collects, uses, and protects your personal data. We are committed to handling your information transparently and in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Please read this policy carefully. By using cardata.wiki, you acknowledge that you have read and understood how we handle your personal data.

1. Who We Are

cardata.wiki is operated by dijitul, based in England. dijitul operates at dijitul.uk.

For the purposes of UK GDPR, dijitul is the data controller for personal data collected through cardata.wiki.

Contact: hello@dijitul.uk

2. Data We Collect

We collect personal data in the following circumstances:

Account Registration

When you create an account, we collect your name and email address. If you register using Google OAuth, we receive your name, email address, and profile picture URL as provided by Google at the time of authentication.

API Subscriptions

When you subscribe to the paid API, billing and payment processing is handled by Stripe. We do not store your card details. We retain a record of your subscription status, subscription start date, and the email address associated with your Stripe customer record.

Data Contributions

If you submit vehicle specification data via CSV upload or through the web interface, we retain those submissions, associated with your account, for review and publication purposes. Uploaded files may be stored for up to 12 months or until the submission has been reviewed, whichever is sooner.

Usage Data and Server Logs

Our servers automatically log standard request data, including IP addresses, browser user agent strings, pages visited, and timestamps. These logs are used solely for security, debugging, and operational purposes and are retained for up to 30 days.

Analytics

We use Google Analytics (property ID: G-C5LM030895) to understand how visitors use the Site. This is described further in Section 4.

3. Legal Basis for Processing

We rely on the following legal bases under UK GDPR to process your personal data:

• Contract performance: processing your name and email to create and manage your account, and to fulfil your API subscription.
• Legitimate interests: server logging and security monitoring to protect the Site and its users; analysing usage patterns to improve the Service. We have assessed that these interests are not overridden by your rights and freedoms.
• Consent: where we send you optional marketing or service update emails, we will ask for your consent and honour any withdrawal of that consent promptly.
• Legal obligation: where we are required to retain or disclose data to comply with a legal obligation.

4. Google Analytics

We use Google Analytics to collect anonymised data about how visitors interact with the Site. This includes which pages are visited, how long sessions last, what country visitors are located in (derived from IP address), and which browsers and devices are used. IP addresses are anonymised by Google before storage.

Google Analytics uses cookies to distinguish between sessions. These cookies do not identify you personally. Data collected by Google Analytics is processed by Google LLC and may be transferred to servers outside the UK. Google’s privacy practices are described in their Privacy Policy.

You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on, or by adjusting your browser’s cookie settings. Most browsers also support Do Not Track signals, which we respect where technically feasible.

5. Cookies

We use the following categories of cookies:

• Session cookie (strictly necessary): used to keep you logged in while you use the Site. This cookie is deleted when you log out or close your browser session. It does not track you across other sites.
• Analytics cookies (Google Analytics): used to collect anonymised usage statistics as described in Section 4. These persist for up to 2 years but can be cleared at any time via your browser settings.

We do not use advertising cookies, social media tracking cookies, or fingerprinting technologies.

6. Data Retention

We retain personal data only for as long as necessary for the purposes described in this policy. Our specific retention periods are:

• Account data: retained for the duration of your account, and for 90 days following account deletion to allow for recovery and to fulfil any outstanding obligations. After this period, account data is permanently deleted.
• Server logs: retained for 30 days, then automatically deleted.
• Uploaded CSV submissions: retained for up to 12 months from the date of upload, or until the submission has been reviewed and processed, whichever comes first.
• API subscription records: retained for 7 years for accounting and tax compliance purposes.

7. Third-Party Services

We use a small number of trusted third-party services to operate cardata.wiki. Each acts as a data processor on our behalf and is subject to appropriate data processing agreements:

• Stripe: payment processing for API subscriptions. Stripe handles all payment card data directly; we do not receive or store card numbers. See Stripe’s Privacy Policy.
• Google (Analytics and OAuth): usage analytics and optional sign-in via Google account. See Google’s Privacy Policy.
• Resend: transactional email delivery (account verification, password reset, subscription notifications). Resend processes recipient email addresses to deliver these messages. See Resend’s Privacy Policy.

We do not sell, rent, or share your personal data with any third party for their own marketing purposes. We will never sell your data.

8. Your Rights Under UK GDPR

Under UK data protection law, you have the following rights in relation to your personal data:

• Right of access: you can request a copy of the personal data we hold about you.
• Right to rectification: you can ask us to correct inaccurate or incomplete personal data.
• Right to erasure: you can request deletion of your personal data where we no longer have a lawful basis to retain it.
• Right to data portability: you can request a copy of your data in a structured, machine-readable format.
• Right to object: you can object to processing based on legitimate interests; we will cease processing unless we can demonstrate compelling legitimate grounds.
• Right to restrict processing: you can ask us to limit how we use your data in certain circumstances.
• Right to withdraw consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email us at hello@dijitul.uk. We will respond within one month. We may need to verify your identity before processing your request.

If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk.

9. Security

We take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, or disclosure. Passwords are hashed using bcrypt before storage and are never stored in plain text. All data is transmitted over HTTPS. Access to production systems and databases is restricted to authorised personnel only.

No method of transmission over the internet or electronic storage is completely secure. While we use commercially reasonable measures to protect your data, we cannot guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ICO as required by law.

10. Children

cardata.wiki is not intended for use by children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a child under 16, please contact us at hello@dijitul.uk and we will delete it promptly.

11. International Transfers

Some of our third-party service providers (including Google and Stripe) may process data outside the UK. Where data is transferred internationally, we rely on appropriate safeguards, including the UK International Data Transfer Agreement (IDTA) or equivalent mechanisms, to ensure your data is protected to UK GDPR standards.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make changes, we will update the “Last updated” date at the top of this page. For significant changes, we may also notify registered users by email. We encourage you to review this page periodically.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the way we handle your personal data, please contact us:

• Email: hello@dijitul.uk
• Website: dijitul.uk