Privacy Policy
Last updated: 11 May 2026
This policy explains how Bonafied Cars Ltd handles your data when you use our websites and the Open Score Check service. We've written it in plain English. If anything is unclear, email us at [email protected] or call 0330 133 9029.
What this policy covers
This policy applies to:
- bonafied.co.uk — our main site, landing page and mailing list signup
- osc.bonafied.co.uk — the Open Score Check service where you submit a plate and receive a score
- bonafied.uk — the permanent result page URLs that score cards link to
Who we are
Bonafied Cars Ltd is a private limited company registered in Scotland, company number SC883330. Our registered office is 12 Broomhill Crescent, Stonehaven, AB39 3UZ.
We're the data controller for any personal data we hold about you. We're registered with the Information Commissioner's Office (ICO) under reference ZC141856.
We are not required to appoint a Data Protection Officer under UK GDPR Article 37. Data protection queries should be directed to [email protected].
What we don't collect
You don't need to register, log in, or give us any personal information to run an Open Score Check. We never collect or process keeper details, and the DVLA does not share keeper information with us.
What we collect, and why
Vehicle registration numbers
When you submit a registration number we send it to the DVSA (for MOT history) and the DVLA (for vehicle data). Registration numbers identify a vehicle, not a person, and aren't personal data under UK GDPR.
Each completed score check is stored as a record indefinitely. This is because each score check generates a permanent result URL that must continue to resolve as long as the score card is referenced anywhere. The record contains vehicle data only, not personal data.
The vehicle “fingerprint” on score cards
Score cards displayed in seller listings show partial plate, make, model, colour, year, last MOT date and mileage. This combination intentionally identifies the vehicle, so a buyer can verify that the listing in front of them matches the score card. It does not identify the seller or keeper. The seller controls when and where to display the score card.
IP addresses
We log your IP address briefly to rate-limit free score checks (a small number per IP per 24 hours, to keep the service running for everyone). IP records are kept for a rolling 24-hour window and then deleted automatically.
Email addresses
If you sign up to our mailing list we store your email address in Mailchimp with double opt-in confirmation. You can unsubscribe at any time using the link in any email. We don't use mailing list emails for any other purpose.
Score check audit data
For each score check we record: the registration submitted, timestamp, score, tier, score breakdown by criterion, and the scoring engine version. We use this to monitor service quality, debug problems, and handle any complaints. We retain this data for 6 years.
Cookies
We use cookies in three categories:
- Essential cookies (always on). Set by our infrastructure provider, Cloudflare, to deliver the site reliably and protect against attacks. Without these, the site won't work.
- Analytics cookies (only with your consent). We use Google Analytics 4 to understand how the site is used. IP addresses are anonymised. We don't use these for cross-site tracking or advertising.
- Marketing cookies (only with your consent). We use the Meta Pixel to measure how our adverts perform when we run them on Facebook or Instagram, and to help Meta show our adverts to similar people. Declining means no Meta data is sent.
You can change your cookie preferences any time by clicking “Change cookie preferences” in the site footer.
How we use your data
We use the data we collect to:
- Provide the Open Score Check service: look up vehicle history, score it, and render the result page
- Maintain the permanent result URLs that score cards link to
- Prevent abuse via rate limiting
- Send mailing list emails (only if you've signed up)
- Improve the service, diagnose issues, and handle complaints
- Measure marketing effectiveness (only if you've consented to marketing cookies)
Our legal basis for processing
Under UK GDPR we need a lawful basis for each thing we do with your data:
- Delivering the Open Score Check — legitimate interest. You've actively requested the service.
- Rate limiting via IP address — legitimate interest. Without it, the service can be abused.
- Audit logs and service quality — legitimate interest. Necessary to operate the service reliably.
- Mailing list emails — consent. You opt in, you can opt out.
- Analytics cookies — consent. PECR requires this.
- Marketing cookies (Meta Pixel) — consent. PECR and UK GDPR require this.
- Affiliate click tracking — consent. Triggered when you click the link.
Where we rely on legitimate interest, we've assessed that our interest doesn't override your rights and freedoms. You can object to processing based on legitimate interest at any time (see “Your rights” below).
Who we share data with
We share data only as needed to operate the service:
- DVSA to retrieve MOT history (registration number only)
- DVLA to retrieve vehicle data (registration number only)
- Cloudflare for hosting, content delivery and security
- Mailchimp (Intuit Inc.) for mailing list management, if you've signed up
- Google for analytics, if you've consented to analytics cookies
- Meta Platforms Ireland Ltd for advertising measurement, if you've consented to marketing cookies
We don't sell your data, share it with data brokers, or use it for purposes beyond running and improving the service.
Affiliate links
When you click a link to a partner (for example a history check provider, mechanic booking service, or car insurance comparison site), the partner's affiliate network may set cookies and receive standard tracking parameters in the URL to attribute the referral. We don't pass your personal data to partners ourselves, but a click identifier is created so we can be paid a commission if you go on to buy. We work with several affiliate networks and some direct partner relationships. These cookies and tracking parameters are governed by the partner's own privacy policy.
You can decline affiliate cookies by declining the cookie banner, or simply by not clicking affiliate links.
International data transfers
Some of our service providers are based outside the UK. When personal data is transferred outside the UK we rely on the following safeguards:
- Cloudflare (US) — UK extension to the EU-US Data Privacy Framework
- Mailchimp / Intuit (US) — UK extension to the EU-US Data Privacy Framework
- Google (US) — UK extension to the EU-US Data Privacy Framework
- Meta Platforms (Ireland / US) — UK extension to the EU-US Data Privacy Framework
How long we keep data
- Score check records (vehicle data, score, breakdown) — indefinitely. Each record powers a permanent result URL. Not personal data.
- Raw DVSA/DVLA API responses — not retained beyond the scoring run.
- IP addresses for rate limiting — rolling 24-hour window, then deleted.
- Email addresses on the mailing list — until you unsubscribe.
- Audit logs — 6 years, aligned to statutory time limits for contract and consumer claims.
- Cookie consent records — 12 months, then we re-ask.
Your rights under UK GDPR
You have the right to:
- Access any personal data we hold about you
- Rectification: ask us to correct inaccurate data
- Erasure: ask us to delete your personal data (“right to be forgotten”)
- Restrict processing in certain circumstances
- Data portability: receive your data in a machine-readable format
- Object to processing based on legitimate interest
- Withdraw consent at any time, where processing is based on consent
A note on erasure. Because score check records don't contain personal data identifying you, the right to erasure doesn't apply to them. It does apply to your email address (if you've signed up to the mailing list), which we'll delete on request, and to anything else we hold about you personally.
To exercise any of these rights, email us at [email protected]. We'll respond within one month.
Source of vehicle data
MOT history data comes from the DVSA. Vehicle data comes from the DVLA. Both are published under the Open Government Licence v3.0, which permits commercial use with attribution. We attribute on every public-facing page.
Children
The service isn't directed at children under 16, and we don't knowingly collect data from under-16s. If you believe a child has provided data to us, contact us and we'll delete it.
Security
We use HTTPS site-wide, store API keys in secret managers (never in source code), rate-limit our public endpoints, and apply the OWASP Top 10 as a minimum standard. No system is perfect. If we discover a breach affecting your personal data, we'll notify you promptly and follow our obligations under UK GDPR.
Complaints
If you have concerns about how we handle your data, contact us first at [email protected] or call 0330 133 9029. If you remain unhappy you have the right to complain to the Information Commissioner's Office at ico.org.uk or by calling 0303 123 1113.
Changes to this policy
We may update this policy from time to time. The “Last updated” date at the top tells you when it was last changed. Material changes will be communicated via a site banner or by email (if you've signed up to the mailing list).
Contact
Questions? Email [email protected] or call 0330 133 9029.