Privacy Policy
Last updated: February 2026
1. Data Controller
Roundbear Ltd (trading as Pothole Payback), Farthing Corner, West Tytherley, Salisbury SP5 1NR, GB. Contact: ed@potholepayback.com.
2. What Data We Collect
- Account data: email address (used for authentication via magic link)
- Vehicle data: registration number (used to look up MOT and vehicle details via the DVSA API)
- Incident data: photos of damage and the pothole, location (postcode or map pin), date of incident, description of damage, estimated repair cost
- Payment data: processed directly by Stripe — we do not store card numbers
3. How We Use Your Data
| Purpose | Legal Basis |
|---|---|
| Generate your claim letter | Contract performance |
| Analyse photos with AI | Contract performance |
| Search for prior pothole reports | Contract performance |
| Process payments | Contract performance |
| Send service emails | Contract performance |
| Improve our service | Legitimate interest |
4. Third Parties
We share data with the following processors:
- Supabase (database & authentication) — EU hosted, SOC 2 compliant
- Stripe (payments) — PCI DSS Level 1 compliant
- Google Gemini (AI photo analysis) — data is processed for analysis and letter generation only and is not used to train Google's models
- FixMyStreet API — we query publicly available pothole report data; no personal data is shared
- DVSA MOT History API — we look up publicly available vehicle data using your registration number
- Brevo (email delivery) — used to send transactional emails
- PostHog (analytics) — EU-hosted, used to understand how people use the service. Only active with your consent via our cookie banner
- Vercel (hosting) — our application is hosted on Vercel's edge network; standard web server logs (IP address, browser type) are processed
- Nominatim / OpenStreetMap (geocoding) — used to look up location data from map coordinates you provide
- Postcodes.io (postcode lookup) — used to validate and geocode UK postcodes you enter
5. Data Retention
- Claim data: retained for 7 years (in line with the UK limitation period for civil claims)
- Account data: retained until you request deletion
- Payment records: retained for 7 years (legal requirement)
6. Your Rights
Under UK GDPR, you have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data
- Portability — receive your data in a structured format
- Object — object to processing based on legitimate interest
To exercise any of these rights, email ed@potholepayback.com.
7. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.