Legal

Platform Privacy Notice

This notice explains how Vitara Commerce Ltd handles personal data when you use the Bookar platform as a garage subscriber or an authorised user — and how we act as a data processor for your own customers’ data.

Version 1.0 — Effective July 2026

Just visiting our website? See our Website Privacy Notice instead, which covers bookar.uk visitors, cookies, and enquiries.

Booked a service with a garage? This notice isn’t for you — the garage is the controller of your data, so please see that garage’s own privacy notice (see Section 13 below).

01Overview

Vitara Commerce Ltd (“we”, “us”, “our”) provides the Bookar platform to garages and automotive service providers. This Platform Privacy Notice explains how we handle personal data in connection with your use of the platform as a subscribing business (“Customer”) or as an authorised user of a Customer.

We act in two distinct roles:

  • As a controller — for the personal data of our subscribers and their staff: account details, logins, usage, and billing. This notice (Sections 1–12) describes that processing.
  • As a processor — for the personal data of your own customers (the motorists who book with you). There, you are the controller and Bookar processes that data on your instructions. Section 13 explains this.

This notice is issued in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

02Who We Are

The data controller for the account, staff, and billing data described in this notice is:

Vitara Commerce Ltd

1 Balloon Street, Manchester, M4 4BE

Company number: 08613144

ICO registration number: By request

Email: privacy@bookar.uk

03Data We Collect

As a controller, we collect and process the following categories of personal data about subscribers and their authorised users:

CategoryExamplesPurpose
Identity dataName, job title, usernameAccount creation and platform access
Contact dataEmail address, phone number, business addressCommunication, support, notifications
Account & usage dataLogin history, feature usage, settings, preferencesPlatform operation and improvement
Billing dataSubscription details, invoice records, payment historyBilling and financial record-keeping
Technical dataIP address, browser type, device identifiers, cookiesSecurity, performance, diagnostics
Communications dataSupport tickets, emails, chat transcriptsCustomer support and dispute resolution

We do not collect any special categories of personal data (such as health, biometric, or criminal records data) about subscribers or their users. The personal data of your own customers is dealt with separately in Section 13.

04How We Collect It

We collect personal data through the following means:

  • Directly from you — when you subscribe, create or manage user accounts, contact support, or use the platform.
  • Automatically — through server logs and platform telemetry as you use the platform.
  • From your business — where a subscriber creates accounts on behalf of its staff.

05How We Use It

We use this personal data for the following purposes:

  • To create and manage your Bookar account and provide platform access.
  • To process subscription payments and manage billing.
  • To provide support and respond to your queries.
  • To operate, secure, monitor, and improve the platform.
  • To send service-related communications about your account, the platform, or these terms.
  • To send you marketing about Bookar where you have not opted out (B2B), which you can stop at any time.
  • To comply with our legal and regulatory obligations, and to detect and prevent fraud or misuse.

06Lawful Basis for Processing

We rely on the following lawful bases under UK GDPR to process this personal data:

  • Contract — processing necessary to provide the platform to you and to process your payments.
  • Legitimate interests — processing necessary to secure, operate, and improve the platform, to prevent fraud, and for B2B marketing, where not overridden by your rights.
  • Legal obligation — processing necessary to comply with our legal obligations, such as financial record-keeping.
  • Consent — where we rely on consent, you may withdraw it at any time without affecting prior processing.

07Sharing Your Data

We do not sell your personal data. We may share it with the following categories of third parties (our processors and sub-processors), strictly as necessary:

  • Hosting and infrastructure providers — cloud servers and databases used to run the platform.
  • Payment processors — to handle subscription billing securely (e.g. Stripe).
  • Vehicle data providers — third-party VRM lookup services used for vehicle identification.
  • Communications providers — SMS and email delivery services.
  • Analytics providers — to help us understand platform performance and usage.
  • Professional advisers — solicitors, accountants, and auditors under duties of confidentiality.
  • Law enforcement or regulators — where required by law or court order.

All sub-processors are bound by data processing agreements requiring UK GDPR-equivalent protection. A current list of sub-processors is available on request, and we notify subscribers of intended changes so they may object (see Section 13).

08Retention

We retain personal data only for as long as necessary for the purposes in this notice, or as required by law. Our general retention periods are:

  • Account and usage data — retained for the duration of the subscription and deleted within 90 days of account closure, unless a longer period is required by law.
  • Billing and transaction records — retained for 7 years in accordance with UK tax and accounting legislation.
  • Support communications — retained for 3 years from the date of last contact.
  • Technical logs — retained for up to 12 months for security and diagnostic purposes.
  • Your customers' booking data — retained and deleted in accordance with your instructions as controller (see Section 13).

09Your Rights

Under UK GDPR, you have the following rights in relation to the personal data we hold about you as a subscriber or user:

Right of access
Request a copy of the personal data we hold about you.
Right to rectification
Ask us to correct inaccurate or incomplete data.
Right to erasure
Ask us to delete your data where there is no compelling reason to continue processing it.
Right to restrict processing
Ask us to pause processing your data in certain circumstances.
Right to data portability
Receive your data in a structured, machine-readable format and transfer it elsewhere.
Right to object
Object to processing based on legitimate interests or for direct marketing purposes.
Rights related to automated decisions
Not be subject to a decision made solely by automated means where it produces a significant effect on you.
Right to withdraw consent
Withdraw consent at any time where processing is based on consent, without affecting prior processing.

To exercise any of these rights, contact us at privacy@bookar.uk. We will respond within one calendar month and may need to verify your identity first. If your request relates instead to data we process on behalf of a garage (your own customers’ data), see Section 13.

10Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction, or alteration. These include:

  • Encryption of data in transit using TLS.
  • Encryption of sensitive data at rest.
  • Access controls limiting data access to authorised personnel only.
  • Regular security reviews and vulnerability assessments.
  • Incident response procedures for data breaches.

In the event of a personal data breach likely to result in a risk to individuals’ rights and freedoms, we will notify the ICO within 72 hours where we are the controller, and — where we are acting as your processor — will promptly notify you as controller so you can meet your own obligations.

11International Transfers

Personal data is primarily processed and stored within the United Kingdom and the European Economic Area (EEA). Where we use service providers based outside the UK or EEA, we ensure appropriate safeguards are in place, such as:

  • UK adequacy regulations confirming the destination country provides equivalent protection.
  • The UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, as issued by the ICO.
  • Binding corporate rules where applicable.

12Cookies

The Bookar platform is a secure, logged-in application. The cookies it uses are essential to its operation — session management, authentication tokens, and security cookies — and cannot be disabled without preventing the platform from working. Cookies and analytics on our public website (bookar.uk) are described in our Website Privacy Notice.

13Bookar as Your Data Processor

A large part of the personal data that flows through the platform is the personal data of your own customers — the motorists who book services with you. For that data, you (the garage) are the data controller and Bookar (Vitara Commerce Ltd) is your data processor.

We process that data only on your documented instructions, to provide the Services. The terms that govern this — your data processing agreement under UK GDPR Article 28 — are set out in Section 10 (Data Protection) of the Bookar Terms & Conditions.

What we process on your behalf

Typical end-customer personal data we process for you includes:

  • Names and contact details (phone, email, address).
  • Vehicle registration and vehicle details.
  • Booking, appointment, and service history.
  • Related communications (confirmations, reminders, and messages sent on your behalf).

Sub-processors

We use vetted sub-processors (such as hosting, SMS, email, payments, and vehicle-lookup providers) under data protection terms no less protective than those we owe you. A current list is available on request, and we will notify you of any intended changes, giving you a reasonable opportunity to object.

Need a signed DPA?

The processor terms in our Terms & Conditions are binding on us. If you also need a separate signed Data Processing Agreement — for your records or a tender — contact privacy@bookar.uk.

If you are a member of the public

If you booked a service with a garage that uses Bookar, that garage — not Bookar — is the controller of your personal data. Please refer to that garage’s own privacy notice, and direct any request to access, correct, or delete your data to them. If you contact us directly, we will pass your request on to the relevant garage as controller.

14Changes to This Notice

We may update this notice from time to time to reflect changes in our practices, technology, or legal requirements. We will notify subscribers of any material changes by email or by displaying a prominent notice within the platform at least 30 days before the changes take effect. The “Effective” date at the top of this page will always reflect the most recent version.

15Contact & Complaints

If you have any questions about this notice or how we handle your personal data, please contact us:

Vitara Commerce Ltd — Data Enquiries

1 Balloon Street, Manchester, M4 4BE

Email: privacy@bookar.uk

Making a data protection complaint

If you have a concern about how we handle your personal data, you can make a complaint to us directly using the contact details above — please tell us you are making a data protection complaint so we can handle it appropriately. We will acknowledge your complaint within 30 days of receiving it, investigate it, and keep you informed of the outcome.

If you are not satisfied with our response, or believe we are processing your personal data unlawfully, you also have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Information Commissioner’s Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Helpline: 0303 123 1113

Website: ico.org.uk

Join Our Newsletter

Subscribe to receive the latest news, updates and software insights, directly to your inbox.