1. Purpose of This Agreement
This Data Processing Agreement ("DPA") forms part of the contract between AutoGanticHub Ltd ("Data Processor") and you ("Data Controller") for the provision of our SaaS services, including the Garage Booking SaaS, Inventory Management tools, and Customer Portal.
This DPA sets out the obligations of both parties regarding the processing of Personal Data in connection with our services, in compliance with the UK General Data Protection Regulation (UK GDPR).
2. Definitions
In this DPA, the following terms have the meanings set out below:
- "Personal Data" means any information relating to an identified or identifiable natural person (data subject), as defined in UK GDPR
- "Processing" means any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction
- "Data Controller" means the entity that determines the purposes and means of processing Personal Data
- "Data Processor" means the entity that processes Personal Data on behalf of the Data Controller
- "Sub-processor" means any third party engaged by the Data Processor to process Personal Data
- "Data Subject" means the individual whose Personal Data is processed
3. Roles of the Parties
3.1 Data Controller
You, as the client using our services, act as the Data Controller. This means you:
- Determine the purposes and means of processing Personal Data processed through your use of our services
- Are responsible for establishing the lawful basis for processing
- Must ensure you have the necessary rights and consents to share Personal Data with us for processing
- Are responsible for responding to Data Subject requests
3.2 Data Processor
AutoGanticHub Ltd acts as the Data Processor. This means we:
- Process Personal Data only on documented instructions from you
- Do not use Personal Data for any purpose other than providing the contracted services
- Implement appropriate technical and organisational measures to protect Personal Data
- Assist you in meeting your GDPR obligations where possible
4. Scope of Processing
4.1 Subject Matter
The processing of Personal Data through our SaaS services relates to:
- Customer and client information for bookings and transactions
- Vehicle registration numbers (VRNs) for DVLA lookups and service records
- Contact details for communication and marketing (where consent is given)
- Business contact information for account management
4.2 Nature and Purpose
We process Personal Data for the following purposes:
- Providing and maintaining the booking SaaS functionality
- SMS reminder delivery
- DVLA vehicle lookup services
- Job card and service record management
- Invoice and payment processing
- Customer communication related to bookings
4.3 Categories of Data Subject
- Customers of your automotive business
- Vehicle owners providing VRNs for service bookings
- Your employees or contractors using the SaaS
- Your business contacts
4.4 Types of Personal Data
- Name and contact details (email, phone, address)
- Vehicle registration numbers (VRNs)
- Vehicle information (make, model, year, mileage)
- Booking and service history
- SMS communication records
- Payment information (processed by third-party payment providers)
5. Obligations of AutoGanticHub (Data Processor)
We commit to:
5.1 Processing Instructions
Process Personal Data only on the documented instructions of the Data Controller, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by applicable law.
5.2 Confidentiality
Ensure that personnel authorised to process Personal Data have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality.
5.3 Security Measures
Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
- Encrypted data transmission and storage
- Access controls and authentication
- Regular security assessments
- Incident response procedures
- Staff training on data protection
5.4 Sub-processors
We may engage sub-processors to process Personal Data, subject to:
- Prior written consent (general or specific) from the Data Controller
- The same data protection obligations as set out in this DPA
- Written contracts with sub-processors imposing equivalent obligations
Current sub-processors include hosting providers, SMS delivery services, and DVLA lookup services. A list of current sub-processors is available on request.
5.5 Data Subject Rights Assistance
Taking into account the nature of processing, assist the Data Controller by implementing appropriate technical and organisational measures to fulfil the Data Controller's obligation to respond to requests to exercise Data Subject rights.
5.6 Deletion and Return
At the choice of the Data Controller, either delete or return all Personal Data after the provision of services, and delete existing copies unless applicable law requires storage.
5.7 Audit Rights
Make available to the Data Controller all information necessary to demonstrate compliance with the obligations set out in this DPA and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
6. Obligations of the Data Controller
You commit to:
- Ensure you have the lawful basis (consent, contract, legitimate interest, or legal obligation) to process all Personal Data you provide to us
- Ensure Data Subjects are informed about how their data will be processed, including through your own privacy notices
- Maintain records of processing activities as required by UK GDPR
- Notify us promptly (and within 24 hours) if you become aware of a Personal Data breach
- Ensure that VRN data for DVLA lookups is provided lawfully and in accordance with DVLA guidelines
7. Vehicle Registration Numbers (VRNs)
Specific provisions for VRN processing:
- VRNs are processed solely for vehicle identification purposes in connection with booked services
- VRN data is processed in accordance with DVLA's conditions for MOT and vehicle data access
- VRNs are not used for any purpose other than that specifically authorised by the Data Controller and consented to by the Data Subject
- VRN data is retained only for as long as necessary for the service being provided, or as required by law
8. Personal Data Breaches
In the event of a Personal Data breach, AutoGanticHub will:
- Notify the Data Controller without undue delay upon becoming aware of the breach
- Provide information about the nature, categories, and approximate number of Data Subjects affected
- Describe the likely consequences and measures taken or proposed to address the breach
The Data Controller remains responsible for notifying the ICO and affected Data Subjects if required.
9. Liability
Each party's liability in connection with this DPA is subject to the limitations of liability set out in the main service agreement between the parties.
AutoGanticHub's liability for breach of this DPA is limited to direct damages up to the total fees paid by the Data Controller in the 12 months preceding the breach.
10. Governing Law
This DPA is governed by and construed in accordance with the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.
11. Contact
For questions about this DPA or to request our sub-processor list:
Data Protection Officer:
Email: enquiries@autogantichub.com
Post: AutoGanticHub Ltd, 123 Digital Quarter, Birmingham, West Midlands, B1 1AA, United Kingdom