Privacy Policy

Last updated: February 2026

1. Data Controller

Roundbear Ltd (trading as Pothole Payback), registered in England & Wales under company number 12858345, Farthing Corner, West Tytherley, Salisbury SP5 1NR, GB. Contact: ed@potholepayback.com.

2. What Data We Collect

  • Account data: email address (used for authentication via magic link)
  • Vehicle data: registration number (used to look up MOT and vehicle details via the DVSA API)
  • Incident data: photos of damage and the pothole, location (postcode or map pin), date of incident, description of damage, estimated repair cost
  • Payment data: processed directly by Stripe — we do not store card numbers
  • Witness details: if you choose to provide them, the name and contact details of any witness to the incident. You must have the witness's permission before sharing their details with us; their data is used only to include them in your claim letter.

3. How We Use Your Data

Purpose | Legal Basis
Generate your claim letter | Contract performance
Analyse photos with AI | Contract performance
Search for prior pothole reports | Contract performance
Process payments | Contract performance
Send service emails | Contract performance
Improve our service | Legitimate interest
Cookie-based analytics | Consent

4. Third Parties

We share data with the following processors:

  • Supabase (database & authentication) — EU hosted, SOC 2 compliant
  • Stripe (payments) — PCI DSS Level 1 compliant
  • Google Gemini (AI photo analysis) — data is processed for analysis and letter generation only and is not used to train Google's models
  • FixMyStreet API — we query publicly available pothole report data; no personal data is shared
  • DVSA MOT History API — we look up publicly available vehicle data using your registration number
  • Brevo (email delivery) — used to send transactional emails
  • PostHog (analytics) — EU-hosted. Without your consent we collect only cookieless, in-memory usage events (no cookies or device storage are used; this is processed under our legitimate interest in understanding how the service is used, and you can object at any time by emailing us). If you accept analytics cookies via the cookie banner, we additionally use cookies and local storage so we can recognise repeat visits
  • Vercel (hosting) — our application is hosted on Vercel's edge network; standard web server logs (IP address, browser type) are processed
  • Vercel Web Analytics & Speed Insights — cookieless, privacy-friendly site analytics and performance measurement. No cookies are set and no cross-site identifiers are used; processed under our legitimate interest in operating and improving the site
  • Nominatim / OpenStreetMap (geocoding) — used to look up location data from map coordinates you provide
  • Postcodes.io (postcode lookup) — used to validate and geocode UK postcodes you enter

5. Data Retention

  • Claim data: retained for 7 years (in line with the UK limitation period for civil claims)
  • Account data: retained until you request deletion
  • Payment records: retained for 7 years (legal requirement)

6. International Transfers

Some of our processors are based, or process data, outside the UK. In particular, Google (Gemini AI), Stripe and Vercel may process your data in the United States. Where your personal data is transferred outside the UK we rely on UK adequacy regulations (including the UK Extension to the EU–US Data Privacy Framework for certified recipients) or on the UK International Data Transfer Agreement / UK Addendum to the EU Standard Contractual Clauses. Contact ed@potholepayback.com for details of the safeguard applying to any particular transfer.

7. Your Rights

Under UK GDPR, you have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — request deletion of your data
  • Portability — receive your data in a structured format
  • Object — object to processing based on legitimate interest
  • Restriction — ask us to limit how we use your data in certain circumstances
  • Withdraw consent — where we rely on consent (such as analytics cookies), withdraw it at any time without affecting earlier processing

To exercise any of these rights, email ed@potholepayback.com.

8. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.