Privacy Policy
1. Who We Are
TestGrab ("we", "us", "our") is a UK-based service operated via testgrab.co.uk. We are the data controller for the personal information we collect through the TestGrab mobile app and website.
We are registered with the UK Information Commissioner's Office (ICO registration number: pending). We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This policy explains what data we collect, why we collect it, who we share it with, how long we keep it, and what your rights are. If anything here is unclear, contact us at support@testgrab.co.uk.
2. Data We Collect
We collect the following personal data when you use TestGrab:
- Email address - for account creation, login, and service communication.
- DVSA driving licence number - encrypted with AES-256 at rest before being stored. Used to access and manage your existing DVSA test booking.
- DVSA booking reference - encrypted with AES-256 at rest. Used to identify and modify your existing test booking.
- Search preferences - preferred dates, times, days of week, and test centres you want monitored.
- Postcode - for finding nearby test centres and complying with DVSA's 3-nearest-centre rule (effective 9 June 2026).
- Payment information - collected and stored by our PCI-DSS Level 1 payment processor. We hold only a payment-method reference; we never see or store your card number or CVV.
- Push notification token - used by our push-notification provider so we can alert you when a test slot is found.
- Service usage data - scanner activity logs, booking lifecycle events (created, cart-added, confirmed, charged, refunded), in-app game scores.
- Authentication metadata - our authentication system records IP address, device/browser information, and login timestamps to detect and prevent fraud and abuse.
3. Legal Basis for Processing
Under UK GDPR Article 6, we rely on the following legal grounds:
| Data | Lawful basis |
|---|---|
| Email, DVSA credentials, search preferences, payment data | Contract performance - necessary to deliver the service you signed up for |
| Scanner activity logs, error reports | Legitimate interest - service operation, debugging, fraud prevention |
| Push notifications | Consent - only sent if you grant the OS-level permission. Revoke any time in device settings. |
| Marketing emails (currently none) | Consent - opt-in only |
We do not carry out profiling or fully automated decision-making with legal or similarly significant effects.
4. How We Use Your Data
Your personal data is used solely to:
- Monitor the DVSA system for cancellations matching your saved preferences
- Surface matching slots via push notification and our in-app guided booking flow, so you can move your existing booking
- Process payment for your selected plan when a successful booking is made
- Send transactional notifications (slot found, booking confirmed, payment processed, error)
- Provide customer support
- Detect and prevent abuse, fraud, and duplicate-account creation
We never sell, rent, share, or otherwise disclose your personal data to third parties for their own marketing purposes.
5. Third-Party Service Providers (Data Processors)
We share the minimum necessary personal data with a small number of service providers who process it on our behalf, each under a UK-GDPR-compliant data-processing agreement. We disclose these by category of provider:
| Category of processor | Purpose | Safeguards |
|---|---|---|
| Cloud hosting & database provider | Stores your account data and runs the service backend | EU-hosted; UK-GDPR-compliant DPA |
| Payment processor (PCI-DSS Level 1) | Processes your payment | UK IDTA / Standard Contractual Clauses for any non-UK transfer |
| Push-notification provider | Delivers app notifications to your device | Standard Contractual Clauses for any non-UK transfer |
| Error & performance monitoring | Diagnoses crashes and faults; may receive your email and technical diagnostic data | Standard Contractual Clauses for any non-UK transfer |
The technical infrastructure we use to monitor the DVSA website does not receive your personal identity. We never sell, rent, or share your personal data for any third party's own marketing purposes.
6. Data Security
- Your DVSA credentials are encrypted with AES-256 and are only decrypted briefly, when needed to act on your behalf.
- All data is encrypted in transit using industry-standard protocols.
- Access to your data is restricted by strict access controls; your information is not visible to other users.
- Payment data is held entirely by our PCI-DSS Level 1 payment processor; our servers never hold your card details.
- We apply appropriate technical and organisational security measures and monitor our systems for unusual activity.
No system is 100% secure. We follow industry-standard practices but cannot guarantee absolute security.
7. Data Retention
| Data | Retention |
|---|---|
| Account data (email, preferences) | While your account is active; deleted within 30 days of account closure |
| DVSA credentials | Deleted immediately when you disconnect DVSA in the app, or within 30 days of account closure |
| Booking history | 6 years (UK financial-records requirement under HMRC rules) |
| Scanner activity logs | 90 days, then automatically pruned |
| Payment records | 6 years (held by our payment processor) |
| Push notification tokens | While your account is active; deleted on closure |
You can request earlier erasure at any time - see section 8.
8. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access - request a copy of all data we hold about you
- Right to rectification - ask us to correct inaccurate data
- Right to erasure ("right to be forgotten") - request deletion of your data
- Right to restrict processing - ask us to pause processing while a query is resolved
- Right to data portability - receive your data in a machine-readable format
- Right to object - object to processing based on legitimate interests
- Right to withdraw consent - for any processing based on consent (e.g. push notifications)
Most rights can be exercised directly from the in-app Settings screen (delete account, change preferences). For formal requests, email support@testgrab.co.uk. We respond within 30 days as required by UK GDPR.
9. International Transfers
Most processing happens in the UK or EU. Where we use US-based processors, data transfers are protected by the UK International Data Transfer Agreement (IDTA) and/or Standard Contractual Clauses (SCCs) approved by the European Commission.
We carry out a transfer impact assessment before adding any new US processor.
10. Children and Young People
TestGrab is designed for people aged 17 and over (the minimum driving age in Great Britain). We do not knowingly collect data from anyone under 17. If we discover we have collected data from a child under 17, we will delete it promptly.
11. Cookies and Tracking
- The TestGrab mobile app does not use cookies, advertising trackers, or behavioural-profiling tools.
- The testgrab.co.uk website may use essential, functional cookies (auth session). It does not use third-party advertising cookies.
12. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office:
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
We'd appreciate the chance to address your concerns first - please contact us at support@testgrab.co.uk before escalating.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Substantive changes will be notified via the app or by email at least 14 days before they take effect. The "Last updated" date above always reflects the latest revision.
14. Contact Us
- Email: support@testgrab.co.uk
- Website: testgrab.co.uk
- Data controller: TestGrab Ltd, a company registered in England and Wales (company number 17243655). Contact support@testgrab.co.uk. ICO registration: pending.