Privacy Policy
How we collect, use, and protect your personal information
Last updated: 13 October 2025
1. Who We Are
Wee Horsebox Hire ("we", "us", "our") is a horsebox hire business. We are the data controller responsible for your personal data.
Contact Details
- Business Name: Wee Horsebox Hire
- Email: hire@wee-horseboxhire.co.uk
- Phone: 01368 492024
- Website: wee-horseboxhire.co.uk
If you have any questions about this privacy policy or how we handle your data, please contact us using the details above.
2. What Personal Data We Collect
We collect and process the following categories of personal data:
2.1 Identity Information
- Full name (first name and surname)
- Date of birth (from driving license)
- Driving license number
- Driving license category and entitlements
- License endorsements (penalty points, convictions)
- Photographs (from uploaded driving license)
2.2 Contact Information
- Email address
- Phone number (mobile and landline)
- Home address (from utility bill)
- Postal address
2.3 Financial Information
- Payment card details (last 4 digits only - we don't store full card numbers)
- Billing address
- Payment transaction records
- Stripe customer ID (for payment processing)
2.4 Booking Information
- Booking dates (collection and return)
- Vehicle selected
- Add-ons and extras selected
- Booking reference number
- Special requirements or notes
2.5 Document Images
- UK driving license (front and back photocard)
- Utility bill or bank statement (for proof of address)
- Digital signatures on rental agreements
2.6 Verification Data
- AI verification results and confidence scores
- DVLA API verification results
- Document authenticity checks
- Fraud detection flags
- Manual review notes (if applicable)
2.7 Technical Information
- IP address
- Browser type and version
- Device information
- Usage data (pages visited, time on site)
- Cookies (see Section 9)
3. How We Use Your Personal Data
We use your personal data for the following purposes, each with a legal basis under GDPR:
3.1 Processing Your Booking
- Legal Basis: Contract performance (necessary to fulfill your booking)
- To create and manage your booking
- To confirm availability and allocate vehicles
- To send booking confirmations and reminders
- To coordinate collection and return
3.2 Verifying Your Eligibility
- Legal Basis: Legal obligation (insurance requirements) and contract performance
- To verify you meet age requirements (23+ years old)
- To verify you hold the correct driving license category
- To check license validity and status
- To assess insurance eligibility
- To detect fraudulent or altered documents
3.3 Processing Payments
- Legal Basis: Contract performance
- To process rental payments
- To authorise security deposits
- To issue refunds where applicable
- To generate invoices and receipts
3.4 Communication
- Legal Basis: Contract performance and legitimate interests
- To send booking confirmations
- To send pre-collection reminders
- To send deposit authorisation requests
- To respond to inquiries and support requests
- To send important updates about your booking
3.5 Legal Compliance
- Legal Basis: Legal obligation
- To comply with insurance requirements
- To comply with road traffic laws
- To respond to legal requests or court orders
- To maintain records for tax and accounting purposes
3.6 Business Operations
- Legal Basis: Legitimate interests
- To improve our services and website
- To analyze booking patterns and trends
- To prevent fraud and misuse
- To maintain business records
3.7 Marketing (with consent only)
- Legal Basis: Consent
- To send promotional emails (only if you opt-in)
- To send special offers and discounts
- You can unsubscribe at any time
4. AI-Powered Document Verification
To verify your eligibility quickly and accurately, we use AI-powered verification systems. This section explains what happens when you upload your documents.
4.1 Anthropic Claude API
What it is: Claude is an advanced AI system developed by Anthropic that can analyze images and extract information.
What data we send to Claude:
- Images of your UK driving license (front and back)
- Images of your utility bill or bank statement
- Your name and address (for verification matching)
What Claude does:
- Extracts text from documents (OCR - Optical Character Recognition)
- Verifies document authenticity (checks for tampering or alterations)
- Confirms name, address, date of birth match across documents
- Checks license categories and entitlements
- Detects potential fraud or fake documents
- Assigns a confidence score (0-100%) to the verification
Data processing by Anthropic:
- Anthropic processes your data in accordance with their Privacy Policy
- Data is encrypted in transit (HTTPS)
- Anthropic does NOT use your data to train their AI models (as per their commercial terms)
- Data is processed temporarily and not retained by Anthropic after analysis
- Processing occurs on Anthropic's secure servers (AWS US/Europe)
4.2 DVLA Driver View API
What it is: The official UK Driver and Vehicle Licensing Agency (DVLA) API for verifying driving licenses.
What data we send to DVLA:
- Your driving license number
- Your date of birth
- Your DVLA "check code" (if provided - this is a code you generate on the DVLA website)
What DVLA provides:
- Official confirmation of license validity
- License status (full, provisional, revoked, suspended)
- License categories and entitlements (e.g., C1 for 7.5T vehicles)
- Endorsements (penalty points and convictions)
- License expiry date
Data processing by DVLA:
- DVLA processes your data in accordance with UK government data protection standards
- Data is used solely for license verification
- Check codes expire after 21 days for security
- DVLA maintains official records of all UK drivers
4.3 How AI Verification Decisions Are Made
Under GDPR Article 22, you have the right to know about automated decision-making.
Our AI verification system makes automated decisions based on confidence scores:
- ≥90% confidence: Auto-approved (documents accepted automatically)
- 70-89% confidence: Flagged for manual review by our team
- <70% confidence: Auto-rejected (you'll be asked to re-submit or contact us)
Your rights: If your documents are auto-rejected and you believe this is incorrect, you can request human review by contacting us at hire@wee-horseboxhire.co.uk. Our team will manually review your documents and override the AI decision if appropriate.
4.4 Data Security During AI Verification
- All document images are encrypted before transmission to AI services
- Data is sent over secure HTTPS connections
- AI providers do not retain your data after processing (per their terms)
- We store AI verification results (not original images) for 6 months
- Access to verification data is restricted to authorised staff only
4.5 Why We Use AI Verification
Legal Basis: Legitimate interests and legal obligation
- Insurance compliance: Our insurer requires verified licenses
- Fraud prevention: Detects fake or altered documents
- Speed: Faster verification (usually within minutes vs. days for manual checks)
- Accuracy: AI can detect subtle alterations humans might miss
- Consistency: Objective, consistent verification criteria
- Cost-effectiveness: Reduces operational costs, keeping prices competitive
4.6 Your Options
If you are not comfortable with AI verification, you can contact us to arrange alternative verification methods (manual review). However, this may delay your booking approval by 24-48 hours.
5. Who We Share Your Data With
We share your personal data with the following third parties:
5.1 Essential Service Providers
- What we share: Name, email, payment card details, billing address
- Why: To process payments and pre-authorisations
- Privacy Policy: stripe.com/privacy
- Data location: EU/UK (GDPR compliant)
- What we share: Document images, name, address, date of birth
- Why: To verify document authenticity and extract data
- Privacy Policy: anthropic.com/legal/privacy
- Data location: US/EU (AWS servers)
- Data retention: Not retained after processing
- What we share: License number, date of birth, check code
- Why: To verify license validity and entitlements
- Authority: UK Government official service
- Data location: UK
- What we share: All booking and account data
- Why: To store and manage your data securely
- Privacy Policy: supabase.com/privacy
- Data location: EU (Frankfurt, Germany)
- Security: Encrypted at rest and in transit
5.2 Legal Obligations
We may share your data with:
- Law enforcement agencies (if required by law)
- Courts or tribunals (if subject to legal proceedings)
- Regulatory authorities (e.g., ICO if requested)
- Tax authorities (HMRC for accounting purposes)
5.3 Insurance Providers
- We share minimal necessary data with our insurance provider
- This includes: name, date of birth, license details, booking dates
- Required for insurance coverage validation
5.4 No Marketing Third Parties
We do NOT sell, rent, or share your data with third-party marketers. You will only receive marketing from us (and only if you opt-in).
6. How We Protect Your Data
We take data security seriously and implement industry-standard measures:
6.1 Technical Measures
- Encryption: All data encrypted in transit (HTTPS/TLS) and at rest (AES-256)
- Secure storage: Documents stored in Supabase secure storage with access controls
- Database security: PostgreSQL with row-level security (RLS) policies
- Authentication: Secure authentication via Supabase Auth
- Regular backups: Automated daily backups with encryption
- Firewall protection: Web application firewall (WAF) to prevent attacks
6.2 Organizational Measures
- Access controls: Staff access limited to necessary data only
- Staff training: All staff trained on data protection
- Confidentiality agreements: Staff bound by confidentiality clauses
- Regular reviews: Security practices reviewed quarterly
- Incident response: Data breach procedures in place
6.3 Third-Party Security
- All third-party processors are GDPR-compliant
- Data Processing Agreements (DPAs) in place with all processors
- Regular security audits of third-party services
7. How Long We Keep Your Data
We retain your data for different periods depending on the type:
Retention Periods
| Data Type | Retention Period | Reason |
|---|---|---|
| Booking records | 7 years | Tax and accounting legal requirement |
| Financial transactions | 7 years | Tax and accounting legal requirement |
| Document images | 6 months | Document reuse for repeat bookings |
| AI verification results | 6 months | Audit trail and compliance |
| Account data | Until deletion requested | Ongoing service provision |
| Marketing consent | Until withdrawn | Ongoing marketing permission |
| Website analytics | 26 months | Standard analytics retention |
After Retention Period
Once the retention period expires:
- Data is securely deleted or anonymized
- Document images are permanently deleted from storage
- Backups containing old data are purged
- AI verification data is deleted
Exception: We may retain anonymized, aggregated data indefinitely for statistical analysis (e.g., "100 bookings in January"). This cannot identify you personally.
8. Your Data Protection Rights
Under UK GDPR, you have the following rights:
You can request a copy of all personal data we hold about you (Subject Access Request - SAR).
How: Email hire@wee-horseboxhire.co.uk with "SAR" in the subject line
Response time: Within 1 month (free of charge)
You can ask us to correct inaccurate or incomplete data.
How: Log in to your account and update your profile, or contact us
Response time: Immediately for account data, within 1 month for other data
You can request deletion of your data in certain circumstances.
Limitations: We may need to retain some data for legal obligations (e.g., 7-year tax records)
How: Email hire@wee-horseboxhire.co.uk with "Delete My Data" in the subject line
Response time: Within 1 month
You can ask us to restrict processing while we verify or investigate your concerns.
You can request your data in a machine-readable format (e.g., JSON, CSV) to transfer to another service.
How: Email hire@wee-horseboxhire.co.uk with "Data Export" in the subject line
You can object to processing based on legitimate interests, including marketing.
Marketing: Click "unsubscribe" in any email or email us
You have the right to object to automated decision-making (including AI verification).
How: Email us to request manual review of your documents instead of AI verification. Note: This may delay processing by 24-48 hours.
If you're unhappy with how we handle your data, you can complain to the UK Information Commissioner's Office (ICO).
- Website: ico.org.uk/make-a-complaint
- Phone: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
10. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or legal requirements.
How We Notify You
- We'll update the "Last updated" date at the top of this page
- For significant changes, we'll email you (if we have your email)
- We may show a notification banner on the website
We encourage you to review this policy periodically. Continued use of our services after changes constitutes acceptance of the updated policy.
11. Contact Us
If you have any questions, concerns, or requests regarding your personal data:
Email (Recommended)
Please include "DATA PRIVACY" in the subject line for a faster response
Post
Wee Horsebox Hire
Response Time: We aim to respond to all data protection requests within 1 month. If your request is complex, we may extend this by 2 months and will notify you.
