Privacy Policy
1. Who We Are
TestGrab ("we", "us", "our") is a UK-based service operated via testgrab.co.uk. We are the data controller for the personal information we collect through the TestGrab mobile app and website.
We are registered with the UK Information Commissioner's Office (ICO registration number: pending). We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This policy explains what data we collect, why we collect it, who we share it with, how long we keep it, and what your rights are. If anything here is unclear, contact us at support@testgrab.co.uk.
2. Data We Collect
We collect the following personal data when you use TestGrab:
- Email address — for account creation, login, and service communication.
- DVSA driving licence number — encrypted with AES-256 at rest before being stored. Used to authenticate you on the DVSA website.
- DVSA booking reference — encrypted with AES-256 at rest. Used to identify and modify your existing test booking.
- Search preferences — preferred dates, times, days of week, and test centres you want monitored.
- Postcode — for finding nearby test centres and complying with DVSA's 3-nearest-centre rule (effective 9 June 2026).
- Payment information — collected and stored by Stripe (our PCI-DSS Level 1 payment processor). We hold a Stripe payment method ID; we never see or store your card number or CVV.
- Push notification token — provided to OneSignal so we can alert you when a test slot is found.
- Service usage data — scanner activity logs, booking lifecycle events (created, cart-added, confirmed, charged, refunded), in-app game scores.
- Authentication metadata — Supabase Auth tracks IP, user-agent, and login timestamps to detect and prevent abuse.
3. Legal Basis for Processing
Under UK GDPR Article 6, we rely on the following legal grounds:
| Data | Lawful basis |
|---|---|
| Email, DVSA credentials, search preferences, payment data | Contract performance — necessary to deliver the service you signed up for |
| Scanner activity logs, error reports | Legitimate interest — service operation, debugging, fraud prevention |
| Push notifications | Consent — only sent if you grant the OS-level permission. Revoke any time in device settings. |
| Marketing emails (currently none) | Consent — opt-in only |
We do not carry out profiling or fully automated decision-making with legal or similarly significant effects.
4. How We Use Your Data
Your personal data is used solely to:
- Monitor the DVSA system for cancellations matching your saved preferences
- Surface matching slots via push notification, in-app browser, or (on the Auto plan) book them on your behalf
- Process payment for your selected plan when a successful booking is made
- Send transactional notifications (slot found, booking confirmed, payment processed, error)
- Provide customer support
- Detect and prevent abuse, fraud, and duplicate-account creation
We never sell, rent, share, or otherwise disclose your personal data to third parties for their own marketing purposes.
5. Third-Party Service Providers (Data Processors)
We use the following named third parties to operate TestGrab. Each is bound by a UK-GDPR-compliant data-processing agreement and receives only the minimum data necessary for its function.
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase | Database, authentication, edge functions | EU | UK-GDPR compliant; data resident in EU |
| Stripe | Payment processing (PCI-DSS Level 1) | US (with EU presence) | UK IDTA / Standard Contractual Clauses |
| OneSignal | Push notifications | US | Standard Contractual Clauses |
| Firebase Cloud Messaging | Push delivery (via OneSignal) | Google global infrastructure | Standard Contractual Clauses |
| NopeCHA | Captcha solving during DVSA flow | EU/US | Processes encrypted DVSA-page snippets only; no personal identifiers |
| SOAX | Residential proxy for DVSA access | UK/EU | Sees only DVSA traffic, not your personal data |
| Expo / EAS | App build infrastructure | US | Receives no user data; build-time only |
Full privacy policies of each processor are available on request, or directly via the processor's website.
6. Data Security
- DVSA credentials are encrypted with AES-256 before storage and only decrypted in-memory when needed for active scanning.
- All data is transmitted over TLS 1.2 or higher.
- Database access is gated by Supabase Row-Level Security policies — your data is invisible to other authenticated users.
- Payment data is held entirely by Stripe; our servers see only a Stripe payment method ID.
- Authentication uses time-limited JSON Web Tokens.
- We monitor edge-function logs for anomalous activity.
No system is 100% secure. We follow industry-standard practices but cannot guarantee absolute security.
7. Data Retention
| Data | Retention |
|---|---|
| Account data (email, preferences) | While your account is active; deleted within 30 days of account closure |
| DVSA credentials | Deleted immediately when you disconnect DVSA in the app, or within 30 days of account closure |
| Booking history | 6 years (UK financial-records requirement under HMRC rules) |
| Scanner activity logs | 90 days, then automatically pruned |
| Payment records | 6 years (held by Stripe) |
| Push notification tokens | While your account is active; deleted on closure |
You can request earlier erasure at any time — see section 8.
8. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access — request a copy of all data we hold about you
- Right to rectification — ask us to correct inaccurate data
- Right to erasure ("right to be forgotten") — request deletion of your data
- Right to restrict processing — ask us to pause processing while a query is resolved
- Right to data portability — receive your data in a machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — for any processing based on consent (e.g. push notifications)
Most rights can be exercised directly from the in-app Settings screen (delete account, change preferences). For formal requests, email support@testgrab.co.uk. We respond within 30 days as required by UK GDPR.
9. International Transfers
Most processing happens in the UK or EU. Where we use US-based processors (Stripe, OneSignal, Expo, parts of Firebase), data transfers are protected by the UK International Data Transfer Agreement (IDTA) and/or Standard Contractual Clauses (SCCs) approved by the European Commission.
We carry out a transfer impact assessment before adding any new US processor.
10. Children and Young People
TestGrab is designed for people aged 17 and over (the minimum driving age in Great Britain). We do not knowingly collect data from anyone under 17. If we discover we have collected data from a child under 17, we will delete it promptly.
11. Cookies and Tracking
- The TestGrab mobile app does not use cookies, advertising trackers, or behavioural-profiling tools.
- The testgrab.co.uk website may use essential, functional cookies (auth session). It does not use third-party advertising cookies.
12. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office:
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
We'd appreciate the chance to address your concerns first — please contact us at support@testgrab.co.uk before escalating.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Substantive changes will be notified via the app or by email at least 14 days before they take effect. The "Last updated" date above always reflects the latest revision.
14. Contact Us
- Email: support@testgrab.co.uk
- Website: testgrab.co.uk
- Data controller: TestGrab, a UK-based sole-trader service. Operator name + correspondence address available on request via support@testgrab.co.uk or via the public ICO register once registration is complete.