Security & Data Protection

For customer data captured through the booking service, the dealership is the data controller and DriveSlots is the data processor, processing data only on the dealership's instructions. A Data Processing Agreement (DPA) is available and forms part of every engagement.

Customer name, email and phone; enquiry details (vehicle of interest, budget, timing, intent); appointment date, time, status and notes; and technical data such as IP address for security and rate limiting. We process only what is needed to run the booking and reminder service.

• All traffic encrypted in transit (HTTPS/TLS).
• Passwords stored only as bcrypt hashes; minimum length enforced and common/guessable passwords rejected; optional two-factor authentication (2FA) for staff logins.
• Strict multi-tenant isolation — every record is scoped to a single dealership, and staff can only ever access their own dealership's data.
• Role-based access control (manager vs sales executive).
• Audit logging of sensitive actions.
• Rate limiting and input validation on public endpoints.

Customer enquiry and appointment data is automatically deleted after a configurable retention period (default 24 months) from last interaction. Individual records can be erased on request at any time, and all of a dealership's data can be deleted when the service ends.

• Vercel — application hosting
• Neon — database hosting
• Resend — transactional email (EU region)
• Firetext — SMS, where enabled

We support the dealership in fulfilling access, correction, erasure, restriction and portability requests from their customers, using the erasure and export tools built into the service.

In the event of a personal data breach affecting a dealership's data, DriveSlots will notify the dealership without undue delay so they can meet their 72-hour reporting obligation to the ICO, and will assist with investigation and remediation.

Data protection enquiries: privacy@driveslots.com. A copy of our DPA and sub-processor list is available on request.