Privacy Policy
Last updated: 27 February 2026
1. Who We Are
Torqueflow provides a cloud-based garage management platform (“the Service”) for automotive workshops, MOT stations, and vehicle service businesses across the United Kingdom.
Data Controller: Torqueflow, Pilgrims, The Convent, Newton Abbot, TQ13 0DR, United Kingdom
Data Protection Contact: privacy@torqueflow.app
This privacy policy explains how we collect, use, store, and protect personal data when you:
- Visit our website at https://torqueflow.app (“the Website”)
- Use the Torqueflow application (“the App”)
- Use the Torqueflow customer portal (“the Portal”)
- Communicate with us by any means
We are committed to protecting your privacy and handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Important Definitions
Throughout this policy:
- “Workshop” or “Subscriber” means the garage, workshop, or automotive business that subscribes to the Service.
- “Staff User” means any individual granted access to the Service by a Workshop (e.g., owners, managers, service advisors, technicians).
- “End Customer” means a customer of the Workshop whose personal data is entered into or processed by the Service.
- “Portal User” means an End Customer who accesses the customer-facing portal.
3. Our Role: Controller vs Processor
Torqueflow operates in two capacities:
| Situation | Our Role | What This Means |
|---|---|---|
| Data about Subscribers and Staff Users (account registration, billing, platform usage) | Data Controller | We determine the purposes and means of processing |
| End Customer data, vehicle data, work order data, and communications entered by the Workshop | Data Processor | We process this data on behalf of the Workshop (the Data Controller) under their instructions |
If you are an End Customer and have questions about how a Workshop uses your data, please contact that Workshop directly. If you have questions about how we handle data as a processor, please contact us at privacy@torqueflow.app.
4. Personal Data We Collect
4.1 Account & Staff User Data
When a Workshop subscribes to the Service, we collect:
- Full name and display name
- Email address
- Role and permissions within the organisation
- Time tracking records (clock in/out, breaks, absences)
- Activity timestamps
4.2 End Customer Data
Workshops may enter the following data about their customers into the Service:
- Title, first name, last name, preferred salutation
- Email address, phone number(s)
- Postal address(es)
- Company name, contact role, VAT number (for business customers)
- Preferred contact method
- Referral source
- Communication consent preferences
- Staff notes
4.3 Vehicle Data
- Vehicle registration number
- VIN (Vehicle Identification Number)
- Make, model, year, colour
- Fuel type, engine capacity, body style
- MOT expiry date, tax status
- Service history and mileage records
- Data retrieved from the DVLA Vehicle Enquiry Service and DVSA MOT History API
4.4 Work Order & Job Data
- Job descriptions, status, and internal notes
- Inspection findings and severity ratings
- Quotes and customer approval decisions
- Time sessions (technician time per task)
- Photographs and videos of vehicle condition
4.5 Financial Data
- Sales invoices, line items, VAT calculations
- Payment records and payment methods
- Purchase invoices from suppliers
- Organisation bank details and VAT registration (settings only, not stored per transaction)
4.6 Communication Data
- Messages exchanged between Workshop staff and End Customers via the Portal, WhatsApp, and other channels
- WhatsApp Business Account configuration (phone numbers, display name)
- Communication consent records and audit trail
- Email delivery status and suppression records
4.7 AI Diagnostic Data
- Diagnostic conversation history between Staff Users and the AI assistant
- Vehicle context provided for diagnostic queries
- Feedback on AI suggestions
- Usage metrics (query counts only; conversation content is not used for analytics)
4.8 Technical & Usage Data
When you use the Website or App, we automatically collect:
- IP address
- Browser type and version
- Operating system
- Pages visited and features used
- Date and time of access
- Referring website
- Error reports (with personal data filtered — see Section 10)
4.9 Portal Data
When an End Customer uses the customer portal:
- Session information (encrypted, httpOnly cookies)
- Pages visited within the portal
- Actions taken (quote approvals, message replies, consent changes)
- WhatsApp phone verification status
5. How We Collect Personal Data
We collect personal data through the following means:
- Directly from you — when you register for an account, fill in forms, or contact us
- From Workshop staff — when they enter End Customer and vehicle data into the Service
- From data imports — when Workshops migrate data from previous systems (e.g., TechMan, Autowork, CSV files)
- Automatically — through cookies, server logs, and error monitoring when you use the Website, App, or Portal
- From third-party APIs — vehicle data from the DVLA and DVSA (initiated by Workshop staff only)
6. Why We Process Personal Data and Our Legal Bases
Under UK GDPR, we must have a lawful basis for processing personal data. The table below sets out our purposes and corresponding legal bases.
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Providing the Service — account creation, workshop management, job tracking, invoicing | Account data, customer data, vehicle data, work order data, financial data | Contract performance (Article 6(1)(b)) — necessary to provide the Service you subscribed to |
| Customer communications — sending work order updates, appointment reminders, and quote notifications to End Customers on behalf of the Workshop | Contact details, communication preferences, message content | Legitimate interest (Article 6(1)(f)) — the Workshop’s interest in communicating with their customers about active jobs |
| Marketing communications — sending promotional messages to End Customers on behalf of the Workshop | Contact details, marketing consent | Consent (Article 6(1)(a)) — End Customers must opt in via the Workshop’s consent settings |
| WhatsApp messaging — enabling Workshops to communicate with End Customers via WhatsApp | Phone numbers, WhatsApp verification status, message content | Consent (Article 6(1)(a)) — End Customers must have WhatsApp consent enabled |
| AI diagnostic assistance — providing AI-powered vehicle diagnostic suggestions to Staff Users | Vehicle context (make, model, year, fuel type), diagnostic queries, conversation history | Legitimate interest (Article 6(1)(f)) — improving service quality and diagnostic accuracy |
| Service improvement & analytics — understanding how the Service is used, fixing bugs, improving features | Usage data, error reports, aggregated analytics | Legitimate interest (Article 6(1)(f)) — improving our Service for all users |
| Security & fraud prevention — protecting accounts, detecting abuse, rate limiting | IP addresses, session data, authentication logs | Legitimate interest (Article 6(1)(f)) — keeping the Service secure |
| Legal & regulatory compliance — tax records, audit trails, responding to lawful requests | Financial records, audit logs, consent records | Legal obligation (Article 6(1)(c)) — compliance with UK tax, accounting, and data protection law |
| Customer portal access — enabling End Customers to view job progress, approve quotes, manage preferences | Portal session data, consent preferences, communication history | Legitimate interest (Article 6(1)(f)) — providing transparency to End Customers about their vehicle service |
Where we rely on legitimate interest, we have conducted balancing tests to ensure our interests do not override the rights and freedoms of data subjects. You may request details of these assessments by contacting us.
7. Data Sharing and Third-Party Processors
We do not sell your personal data. We do not share personal data with third parties for their own marketing purposes.
We share personal data only in the following circumstances:
7.1 Sub-Processors
We use trusted third-party service providers to operate the Service. Each sub-processor is bound by a Data Processing Agreement (DPA) and processes data only on our instructions.
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Database hosting, authentication, file storage | All Service data | EU (Frankfurt) |
| Vercel | Application hosting and delivery | Technical/usage data | Global CDN (primary: EU) |
| Twilio | WhatsApp Business API, SMS delivery | Phone numbers, message content | US (with EU processing) |
| Resend | Transactional email delivery | Email addresses, email content | US |
| Inngest | Background job processing | Job metadata (minimal PII) | US |
| Sentry | Error monitoring and performance | Error context (PII filtered — see Section 10) | US |
| Anthropic | AI diagnostic assistance | Vehicle context, diagnostic queries (no customer PII) | US |
| Upstash | Rate limiting | IP addresses (hashed) | EU |
7.2 Government & Regulatory
We may disclose personal data where required by law, regulation, legal process, or enforceable governmental request.
7.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity. We will notify affected users before any such transfer.
7.4 Workshop Access
Workshops (as Data Controllers) have access to all data they and their staff enter into the Service. Torqueflow does not access End Customer data except as necessary to provide, maintain, or troubleshoot the Service.
8. International Data Transfers
Our primary database is hosted in the EU (Frankfurt, Germany) by Supabase. Some of our sub-processors are based in the United States (see Section 7.1).
Where personal data is transferred outside the United Kingdom, we ensure appropriate safeguards are in place, including:
- UK International Data Transfer Agreements (IDTAs) with relevant sub-processors
- EU-US Data Privacy Framework certifications where applicable
- Standard Contractual Clauses (SCCs) as approved by the UK Information Commissioner’s Office
You may request a copy of the relevant transfer safeguards by contacting privacy@torqueflow.app.
9. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected. The following retention periods apply:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account & Staff User data | Duration of subscription + 90 days | Service provision; 90-day grace period for reactivation |
| End Customer & Vehicle data | Duration of Workshop’s subscription + 90 days | Processed on behalf of the Workshop |
| Financial records (invoices, payments) | 7 years from date of transaction | UK tax and accounting requirements (HMRC) |
| Communication records (messages, WhatsApp) | Duration of subscription + 90 days | Service provision |
| Consent audit logs | 7 years from date of record | Regulatory compliance and dispute resolution |
| General audit logs | 3 years from date of entry | Security and accountability |
| AI diagnostic conversations | 2 years from creation (configurable) | Service improvement |
| Error monitoring data (Sentry) | 90 days | Bug fixing and performance monitoring |
| Usage analytics | 24 months (aggregated) | Service improvement |
| Backup data | 30 days after deletion from live systems | Disaster recovery |
When a Workshop cancels their subscription, we will:
- Retain data for a 90-day grace period in case of reactivation
- After 90 days, permanently delete or anonymise all Workshop data and associated End Customer data
- Financial records subject to the 7-year HMRC retention period will be retained in a restricted, archived state
- Backup systems will purge deleted data within 30 days of live deletion
End Customers may request deletion of their personal data by contacting the Workshop directly or by emailing us at privacy@torqueflow.app.
10. Data Security
We take the security of your personal data seriously and implement appropriate technical and organisational measures, including:
- Encryption in transit — all data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
- Encryption at rest — sensitive data fields (e.g., API tokens, WhatsApp access tokens) are encrypted using AES-256
- Database security — row-level security (RLS) policies ensure multi-tenant data isolation; each Workshop can only access their own data
- Authentication — secure authentication via Supabase Auth with session management and httpOnly cookies
- Access controls — capability-based permission system restricting staff access to authorised features only
- Error monitoring — Sentry is configured to automatically filter and redact passwords, tokens, PINs, cookies, and authorisation headers from error reports
- Backups — regular encrypted backups with point-in-time recovery
- Soft deletes — customer and staff records are deactivated rather than permanently deleted, preventing accidental data loss
- Portal security — token-based access (no passwords), httpOnly encrypted session cookies, automatic expiry
While we implement commercially reasonable security measures, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but will notify affected parties and the ICO within 72 hours in the event of a personal data breach, as required by UK GDPR.
11. Cookies and Tracking Technologies
11.1 Website (torqueflow.app)
Our Website uses cookies and similar technologies. We categorise these as follows:
| Category | Purpose | Consent Required? |
|---|---|---|
| Strictly Necessary | Essential for the Website/App to function (authentication, session management, security) | No |
| Analytics & Performance | Help us understand how visitors use the Website (e.g., page views, feature usage) | Yes |
| Marketing | Used to deliver relevant advertisements and measure campaign effectiveness | Yes |
11.2 Application & Portal
The Torqueflow App and customer portal use only strictly necessary cookies for authentication and session management. We do not use tracking or advertising cookies within the App or Portal.
11.3 Your Choices
When you first visit our Website, you will be presented with a cookie consent banner allowing you to accept or reject non-essential cookies. You can change your preferences at any time through the cookie settings link in the Website footer.
You can also control cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of the Website.
For full details of the cookies we use, please see our Cookie Policy.
12. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
| Right | Description |
|---|---|
| Right of Access | You can request a copy of the personal data we hold about you (a Subject Access Request or “SAR”) |
| Right to Rectification | You can request correction of inaccurate or incomplete personal data |
| Right to Erasure | You can request deletion of your personal data where there is no compelling reason for continued processing |
| Right to Restrict Processing | You can request that we limit how we use your data in certain circumstances |
| Right to Data Portability | You can request your personal data in a structured, commonly used, machine-readable format |
| Right to Object | You can object to processing based on legitimate interest or for direct marketing purposes |
| Right to Withdraw Consent | Where processing is based on consent, you can withdraw consent at any time without affecting the lawfulness of prior processing |
| Rights Related to Automated Decision-Making | You have the right not to be subject to decisions based solely on automated processing. We do not currently make any solely automated decisions that produce legal or similarly significant effects |
How to Exercise Your Rights
To exercise any of these rights, please contact us at:
- Email: privacy@torqueflow.app
- Post: Torqueflow, Pilgrims, The Convent, Newton Abbot, TQ13 0DR
We will respond to your request within one month. In exceptional circumstances (e.g., complex or numerous requests), we may extend this by a further two months, but we will inform you within the initial one-month period.
There is usually no fee for exercising your rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. We may also need to verify your identity before processing your request.
Right to Complain
If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Tel: 0303 123 1113. Website: https://ico.org.uk
We would appreciate the opportunity to address your concerns before you contact the ICO, so please reach out to us first.
13. Customer Portal & End Customer Communications
13.1 Consent Framework
Torqueflow provides Workshops with a built-in consent management system for End Customer communications. Consent is managed across four categories:
- Transactional — work order updates, appointment confirmations, vehicle collection notifications
- Service Reminders — MOT and service due reminders
- Marketing — promotional offers and workshop news
- WhatsApp — enabling the WhatsApp communication channel
Each consent category is independently controlled. End Customers can manage their preferences through the customer portal or by contacting their Workshop. All consent changes are recorded in an immutable audit log.
13.2 Portal Access
The customer portal uses token-based access (no passwords required). Portal links are sent by the Workshop and expire after 90 days following work order completion plus a 30-day buffer. Portal sessions are managed via encrypted, httpOnly cookies.
14. Children’s Privacy
The Service is designed for business use by automotive workshops and their adult customers. It is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18 years of age. If we become aware that we have collected personal data from a child, we will take steps to delete that data promptly.
15. Third-Party Links
Our Website and the Service may contain links to third-party websites or services that are not operated by us. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party websites or services. We encourage you to review the privacy policy of every site you visit.
16. Changes to This Privacy Policy
We may update this privacy policy from time to time to reflect changes in our practices, the Service, or applicable law. We will notify you of any material changes by:
- Posting the updated policy on our Website with a revised “Last updated” date
- Sending an email notification to Subscribers for significant changes
We encourage you to review this policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy.
17. Contact Us
If you have any questions about this privacy policy or our data practices, please contact us:
Email: privacy@torqueflow.app
Post: Torqueflow, Pilgrims, The Convent, Newton Abbot, TQ13 0DR, United Kingdom
This privacy policy was last reviewed on 27 February 2026.
