Privacy Policy
This policy explains what data the Drive&Check mobile app and website collect about you, why we collect it, who we share it with, how long we keep it, and what rights you have over it. It is written for UK users under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).
1. Who we are
Drive&Check is a trading name of Cherya Holdings Limited, a company registered in England and Wales (company number 17203315). We are the data controller for the personal data described in this policy.
Registered office:
Cherya Holdings Limited
167–169 Great Portland Street, 5th Floor
London W1W 5PF
United Kingdom
Contact us about privacy: contact@kybrium.com.
We are a small company and do not have a statutory Data Protection Officer. Privacy questions are handled directly by a named member of the leadership team via the email above.
2. The data we collect
2.1 Information you give us
- Account details — email address, password (hashed with Argon2id; we never see the plain value), and an optional display name.
- Vehicle details — the registration plate(s) you add to your account. We pass the plate to the DVLA Vehicle Enquiry Service and the DVSA MOT History API to fetch the public records associated with it (make, model, fuel type, tax status, MOT due date, MOT history, advisories) and we cache those results so the app stays fast.
- Fuel-up and charging records — when you log a fill-up or charging session: the station/charger, fuel type, volume, total cost, mileage, optional notes, and (on Premium) an optional receipt photo.
- Service records — service date, mileage, garage, cost, category, and (on Premium) an optional photo.
- Saved places, alerts, and routes — names and coordinates of places you save (home, work, custom pins), price-alert thresholds, and saved trip waypoints.
- Fleet membership data — for Fleet customers, the fleet you belong to, your role inside it (admin or driver), and any vehicles assigned to you.
- Reviews — any star ratings or text reviews you submit for fuel stations or EV charging points. Reviews are public to other Drive&Check users. You can choose to post anonymously, in which case your account is not displayed alongside the review.
2.2 Information we collect automatically when you use the app
- Location data — your approximate or precise device location when you ask us to find nearby stations, chargers, or parking, or when you log a fill-up at a forecourt (we verify you are within 300 metres of the station so a forecourt operator cannot mass-log false visits to their venue). Foreground only — we never request background location, and we never run a continuous tracker. Location data is used to answer your query and is not retained as a movement history.
- Device information — operating system version, device model, app version, locale, time zone. Used to keep error reports useful and to serve the right map tiles.
- Crash and error data — when something goes wrong, our error tracker (Sentry) captures the stack trace and a redacted snapshot of the app state. Precise location coordinates, registration plates, email addresses, and authentication tokens are scrubbed from these reports before they leave the device.
- Advertising identifier and IP address — on free-tier accounts only, our advertising partner Appodeal and its bidding network partners read your device's resettable advertising identifier (Apple IDFA on iOS, Android Advertising ID on Android) and IP address to select and serve ads. In the UK and EEA you are asked to consent to this on first launch through Appodeal's Stack Consent Manager (a Google-accredited IAB TCF v2.2 consent platform). If you decline, you will see non-personalised ads instead. Premium and Fleet users see no ads at all, and Appodeal is not initialised for those accounts.
2.3 Information from third parties
- DVLA Vehicle Enquiry Service — public vehicle records (make, model, fuel type, colour, tax status, MOT due date) keyed by the registration plate you provided. No keeper personal data is returned.
- DVSA MOT History API — public MOT test history (results, advisories, recorded mileage) for the registration plate you provided. No keeper personal data is returned.
- UK Fuel Finder open data scheme — live fuel prices and station metadata for the ~8,300 UK retail forecourts.
- OpenChargeMap — community-maintained EV charging point data.
- OpenStreetMap — parking, garage, and amenity data.
- Apple App Store / Google Play — when you subscribe to Premium or Fleet, your store provides us with a receipt of purchase so we can unlock the right entitlement on your account. We do not see your card details, your full billing address, or any payment information.
- Google Sign-In — if you choose to sign in with Google, Google sends us your verified email address and (with your consent) your display name. We do not request any other Google profile field.
3. Why we use your data (lawful bases under UK GDPR)
| What we do | Lawful basis |
|---|---|
| Provide the app's core functions (account, vehicle lookup, fuel search, route planning, logbook) | Performance of a contract — you opened an account to use these features (UK GDPR Art 6(1)(b)) |
| Send service emails (account verification, password reset, subscription receipts, renewal failures, account deletion confirmation) | Performance of a contract (UK GDPR Art 6(1)(b)) |
| Keep the service secure (rate limiting, fraud detection, abuse handling, login monitoring) | Legitimate interests — running a safe service that protects you and other users (UK GDPR Art 6(1)(f)) |
| Diagnose and fix bugs from crash reports | Legitimate interests — keeping the app working for you (UK GDPR Art 6(1)(f)) |
| Send marketing emails or marketing push notifications | Consent — opt-in, you can withdraw any time (UK GDPR Art 6(1)(a) and PECR reg. 22) |
| Show personalised ads on the free tier | Consent — given in the in-app consent prompt on first launch (PECR reg. 6 and UK GDPR Art 6(1)(a)). Non-personalised ads are shown if you decline. |
| Optionally retain your business-flagged fuel and service records after account deletion (opt-in business archive) | Consent — only if you have explicitly turned the feature on in Settings (UK GDPR Art 6(1)(a)) |
| Defend or pursue legal claims, comply with valid law-enforcement requests, respond to lawful court orders | Legal obligation / legitimate interests (UK GDPR Art 6(1)(c) and (f)) |
Where we rely on legitimate interests, we have considered your rights and freedoms and concluded the processing does not override them. You have the right to object to this processing — see §7 below.
4. Who we share your data with
We do not sell your data. We use a small number of processors who handle data on our behalf, under written data-processing terms:
| Processor | What they do | Location |
|---|---|---|
| EU/UK cloud hosting provider | Hosts our application server and database | EU or UK region |
| S3-compatible object storage provider | Stores receipt photos and other user-uploaded images. The bucket is private; reads are mediated by short-lived presigned URLs. | EU or UK region |
| Mapbox | Map tiles, postcode and place geocoding, route directions | United States (under appropriate transfer safeguards) |
| Appodeal (free tier only) and its mediated bidding partners | Selects and serves ads on free-tier accounts via real-time bidding across ~70 demand networks. See Appodeal's privacy policy for the partner list and their individual policies. | Various (predominantly United States and European Union, under appropriate transfer safeguards) |
| Sentry | Crash and error reporting (PII-scrubbed) | European Union |
| Apple, Google | Process App Store / Google Play subscriptions and deliver push notifications | United States and Republic of Ireland (under appropriate transfer safeguards) |
| Google (for Google Sign-In, optional) | Verifies your Google identity if you choose Sign in with Google | United States (under appropriate transfer safeguards) |
As we grow we may add further processors (for example a transactional email provider, a subscription receipt validator, a self-hosted analytics tool). When we do, we will update this page and, if the change is material, tell you in-app at least 14 days before it takes effect.
We never share your data with other Drive&Check users except in these specific cases:
- Reviews you submit on stations or chargers are public — though you can opt to display them as "Anonymous".
- If you are a Fleet driver, your fleet admin can see fill-ups and charging sessions you log against fleet vehicles assigned to you. They cannot see your private location history or any vehicles outside the fleet.
5. How long we keep your data
- Account data, vehicles, alerts, saved places, routes — for as long as your account exists, plus up to 30 days after deletion to allow recovery from accidental removal.
- Fill-up, charging session, and service records — for as long as your account exists. On account deletion they are removed within 30 days unless you have explicitly turned on the optional business archive in Settings, in which case the records you flagged as "business" are retained for 6 years to support your own HMRC self-assessment. You can switch the archive off at any time, which immediately deletes the archived records.
- Receipt and service photos — retained for the lifetime of the parent record (deleted when the fill-up or service record is deleted).
- Refresh tokens — 30 days from issue, or until you sign out, whichever is first.
- Crash and error reports (Sentry) — 90 days.
- Server logs — 30 days.
- Backup snapshots — kept for up to 35 days then permanently destroyed; deletions are propagated to backups during the normal backup-rotation cycle.
HMRC requires you, the taxpayer, to keep records relevant to your tax return for five years after the 31 January submission deadline. HMRC does not require us to keep them for you. The business-archive feature is provided as a convenience; if you would rather hold the records yourself, you can export your logbook to CSV from inside the app at any time.
6. Cookies and similar technologies
This website (the pages you are reading now) does not use cookies. It serves the same static HTML to every visitor, embeds no analytics or marketing scripts, and sets no cookies or local-storage entries. No PECR-style consent banner is therefore required.
Inside the mobile app:
- Secure storage — we store your refresh token and signed-in session in the device's secure storage (iOS Keychain, Android Keystore). This is necessary to keep you signed in between launches.
- App preferences — your theme, units (litres / gallons), home postcode, and similar preferences are stored locally on the device. They never leave it unless you ask us to sync.
- Advertising identifier — see §2.2 above.
7. Your rights
Under UK GDPR you have the right to:
- Be informed about how we process your data — this policy.
- Access the data we hold about you (data subject access request).
- Rectification — ask us to correct anything inaccurate.
- Erasure — delete your account and associated data via the Delete account page.
- Restrict processing — ask us to pause certain processing while we look at a rectification request or objection.
- Data portability — receive your data in a machine-readable format. The app's built-in CSV export covers fill-ups, charging sessions, and service records; broader exports are available on request.
- Object to processing we base on legitimate interests (including bug diagnosis), and to direct marketing (you can simply opt out — we have to stop).
- Withdraw consent — for anything we did based on consent (marketing, personalised ads, business archive). Withdrawing consent does not affect processing that already happened lawfully.
- Not be subject to a solely automated decision with legal or similarly significant effect (UK GDPR Art 22). We do not make any such decisions about you — see §9.
To exercise any of these rights, email contact@kybrium.com from the account email address on file (we use this to verify the request). We will respond within one calendar month, in line with UK GDPR Art 12(3). There is no fee for a first request.
8. Marketing communications
We will not send you marketing email or marketing push notifications unless you have opted in. You can opt in from Settings in the app, and you can opt out again at any time from the same place — or by using the "unsubscribe" link in any marketing email. Service emails (account verification, receipts, security alerts) are not marketing and will continue regardless of your marketing preferences.
9. Automated decision-making and profiling
We do not make any decisions about you that produce legal or similarly significant effects using solely automated means. We do not use your data to train machine-learning models. We do not profile you for credit, employment, or insurance purposes. Appodeal and its mediated bidding partners, on the free tier, may use the advertising identifier and IP address to choose which ads to show you — that is the only profiling-style processing in the product, it is consent-based, and you can decline it.
10. Security
- All data is encrypted in transit (HTTPS, TLS 1.2 or higher) between your device and our servers, and between our servers and our processors.
- Passwords are hashed with Argon2id (the modern, memory-hard hashing standard) and never stored in plain text.
- Refresh tokens on your device live in the device's secure storage (iOS Keychain, Android Keystore).
- Sensitive actions (account deletion, subscription changes, data exports) require recent authentication.
- Personal data is not logged. Location coordinates, registration plates, and email addresses are scrubbed from error reports before they leave the device.
- We restrict access to production data to named engineers, log every access, and require MFA on all administrative accounts.
11. International transfers
Some of our processors (Mapbox, Appodeal, Sentry, Apple, Google) may transfer or process data outside the United Kingdom, typically in the European Union or the United States. Where data leaves the UK, we rely on appropriate transfer safeguards under UK GDPR Art 46 — for example the UK Extension to the EU–US Data Privacy Framework (where the processor has self-certified to it), the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses. You can ask us for a copy of the safeguards we rely on for any specific processor.
12. Children
Drive&Check is designed for licensed drivers in the UK and is not directed at children. The minimum age to hold a UK provisional driving licence is 15 years and 9 months, with full driving beginning at 17. We do not knowingly create accounts for, or process data about, children under 13 (the minimum age for digital consent under the Data Protection Act 2018).
We have considered the ICO's Age Appropriate Design Code (the Children's Code) in the design of the service: we do not run targeted advertising at known minors, we do not nudge users into weaker privacy settings, and the default ad tier (when consent is declined) is non-personalised. If you believe a child has created an account, please email contact@kybrium.com and we will remove it.
13. Complaints and the ICO
If you think we have processed your data in a way that breaks the law, we would like to hear about it first so we can put it right — email contact@kybrium.com.
You also have the right to lodge a complaint at any time with the UK Information Commissioner's Office (ICO):
- Online: ico.org.uk/make-a-complaint
- Helpline: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
14. Changes to this policy
We update this page when our practices change. The "Last updated" date at the top of the page reflects the most recent change. Material changes (new processors, new categories of data, change of lawful basis) will be announced in-app and, where appropriate, by email at least 14 days before they take effect.
15. Contact
For anything related to your data — questions, corrections, removal requests, transfer-safeguard copies, or anything else — email us at contact@kybrium.com and we will handle it.