Privacy Policy & GDPR
Last updated: April 2026. This policy explains how VehFinder collects, uses, and protects your personal data.
1. Data controller
VehFinder (vehfinder.com) is operated by BlueDevLabs, a UK-registered limited company. BlueDevLabs is the data controller for personal data collected through this platform. For all data protection enquiries contact: admin@vehfinder.com
This policy applies to all users of VehFinder regardless of location. It is written to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), the Privacy and Electronic Communications Regulations 2003 (PECR), and where applicable the EU General Data Protection Regulation (EU GDPR 2016/679).
2. What personal data we collect
Email address only. We use magic link authentication — no passwords are stored. Your email is used to authenticate you and to send service emails (magic links, alert notifications).
Legal basis: Contract (Art. 6(1)(b) UK GDPR) — necessary to provide the service you requested.
Vehicle details (registration plate, VIN, make, model, colour, year), location stolen, date stolen, and any optional details you provide. This information is displayed publicly on the platform by design — it is the core purpose of VehFinder.
Legal basis: Legitimate interests (Art. 6(1)(f)) — the legitimate interest of vehicle owners and the public in tracing stolen vehicles, balanced against minimal personal data in the public report (reporter identity is not displayed).
Photos of your vehicle you optionally upload. These are stored in Cloudflare R2 (EU region) and displayed publicly on your report page to help the community identify your vehicle. Do not upload photos that show personal information such as faces or home addresses.
Legal basis: Consent (Art. 6(1)(a)) — you choose to upload photos.
When you choose to verify ownership, you upload a vehicle ownership document (such as a UK V5C logbook, US title, or equivalent) and a photo ID. These are stored encrypted in a private storage location that is not publicly accessible. They are reviewed only by our admin team and are permanently deleted immediately upon approval or rejection of your claim. They are never shared publicly or with third parties other than in the form of an identity note visible to verified police officers.
Legal basis: Consent (Art. 6(1)(a)) and legitimate interests — verifying vehicle ownership to prevent fraudulent claims.
Special category data: Photo ID may constitute biometric data. We minimise processing — we view only the name field and confirm it matches the ownership document. Documents are deleted on completion.
Sightings, comments, and suspicious vehicle reports you submit. These include the location you entered and any notes. Your email address is never associated with public community contributions. Your IP address is logged with contributions for abuse prevention and is subject to the 90-day retention limit below.
Legal basis: Legitimate interests — abuse prevention and platform integrity.
IP addresses (used for rate limiting, abuse prevention, and IP ban enforcement), session cookies (for authentication), and standard server-side request logs. IP addresses in all user-generated content tables are automatically nulled out after 90 days via an automated nightly process.
Legal basis: Legitimate interests — platform security and abuse prevention.
For police officers: your police.uk email address, force name, collar number, and application details. This is used to verify and manage your police-tier access. Activity logs are maintained for all police access to personal report data.
Legal basis: Legitimate interests — facilitating law enforcement access to stolen vehicle intelligence in the public interest.
We use Google Analytics 4 to understand how the platform is used. GA4 collects anonymised usage data including pages visited, session duration, and approximate geographic location (country/region level). GA4 uses cookies. We load GA4 only after you have consented via our cookie banner. You can withdraw consent at any time by clearing cookies or using a GA opt-out extension.
Legal basis: Consent (PECR regulation 6 / Art. 6(1)(a) UK GDPR).
3. Data retention
| Data type | Retention period |
|---|---|
| Account email | Until account deletion request |
| Theft reports | Indefinitely (core platform data) unless removal is requested |
| Vehicle photos | Indefinitely unless report is removed or photo deleted |
| Verification documents (ownership document + ID) | Deleted immediately upon approval or rejection |
| Identity notes (police-visible) | Until report is removed or account deleted |
| Session cookies | 30 days from last activity |
| Magic link tokens | 15 minutes |
| IP addresses in content tables | 90 days — then automatically nulled |
| Admin audit logs | 12 months |
| Analytics (GA4) | 14 months (Google default, consent-gated) |
4. Who we share data with
We do not sell your data. We do not share data with advertisers. We share limited data only with:
- Verified police officers — on the police portal, approved officers can see reporter email addresses, full sighting coordinates, and identity verification notes for the purpose of investigating vehicle theft. Police access is logged in our audit system.
- Our admin team — staff managing VehFinder have access to all data for platform administration, moderation, and support purposes.
- Railway — hosting infrastructure. Your data is stored on Railway-managed PostgreSQL. Railway is bound by their DPA and compliant with GDPR.
- Cloudflare R2 — file storage for vehicle photos (public bucket) and verification documents (private bucket). Cloudflare is GDPR-compliant. EU region storage is used.
- Resend — transactional email delivery (magic links, notifications). Resend processes your email address to deliver messages.
- OpenCage — location text entered in reports and sightings is geocoded via the OpenCage API to obtain coordinates. No account data is sent.
- DVLA (Driver and Vehicle Licensing Agency) — when you use the vehicle lookup feature, we query the DVLA Vehicle Enquiry Service API with the registration number you enter. This returns publicly available vehicle information (make, model, colour, MOT/tax status). No account data is sent to the DVLA.
- Google Analytics — anonymised usage analytics, consent-gated. Google acts as a data processor under our GA4 configuration.
We may disclose data to law enforcement or regulatory authorities if required by law or court order.
5. International transfers
Some of our third-party processors may transfer data outside the UK and EU. Where this occurs, transfers are subject to UK GDPR-compliant safeguards including Standard Contractual Clauses (SCCs) or adequacy decisions. Google Analytics data may be processed in the United States; this is governed by Google's data processing terms and the EU-US Data Privacy Framework.
6. Your rights under UK GDPR
You have the following rights regarding your personal data. To exercise any of these rights, contact us at admin@vehfinder.com. We will respond within one calendar month.
You can request a copy of the personal data we hold about you.
You can ask us to correct inaccurate or incomplete personal data.
You can request deletion of your account and associated personal data. Note: public theft report data may be retained where we have a legitimate interest in keeping records of stolen vehicles on behalf of the community, or where retention is required by law. We will inform you what can and cannot be deleted and why.
You can ask us to limit how we use your data in certain circumstances.
You can request a copy of your data in a structured, machine-readable format. Email us to request a JSON export of your account data.
You can object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.
VehFinder does not make decisions about you based solely on automated processing that produces legal or similarly significant effects.
Where processing is based on consent (analytics cookies, optional uploads), you can withdraw consent at any time without affecting the lawfulness of prior processing.
7. Cookies
| Cookie | Type | Purpose | Expiry |
|---|---|---|---|
| vehfinder.sid | Essential | Authentication session — required to stay signed in | 30 days |
| vf_cookie_consent | Essential | Records your cookie consent preference | 12 months |
| _ga, _ga_* | Analytics (consent required) | Google Analytics — anonymised usage tracking | 2 years / 24 hours |
The session cookie is strictly necessary for the service to function and does not require consent. Analytics cookies are only set after you consent via our cookie banner. You can manage cookies through your browser settings or a GA opt-out browser extension.
8. Security
We implement appropriate technical and organisational security measures including:
- All connections encrypted over HTTPS with HSTS enforced
- Session cookies set as HttpOnly and Secure
- Rate limiting on all public endpoints to prevent abuse
- IP address banning for malicious actors
- Verification documents encrypted at rest and stored in a private location that is not publicly accessible
- AES-256 encryption for sensitive stored field values
- No passwords stored — magic link authentication only
- Admin audit logging of all sensitive data access
No system is completely secure. If you believe you have found a security vulnerability in VehFinder, please report it responsibly to admin@vehfinder.com before any public disclosure.
9. Children
VehFinder is not intended for users under 18 years old. We do not knowingly collect data from children. If you believe a child has submitted data to VehFinder, please contact us at admin@vehfinder.com and we will delete it promptly.
10. Right to complain
If you have concerns about how we handle your personal data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
We would, however, appreciate the opportunity to address your concerns before you contact the ICO. Please contact us first at admin@vehfinder.com.
11. Changes to this policy
We may update this policy from time to time. We will notify registered users of material changes by email or by a prominent notice on the platform at least 14 days before changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.
12. Contact
Data controller: BlueDevLabs (operator of VehFinder)
Email: admin@vehfinder.com
Website: vehfinder.com