Privacy Policy

TestSwap ("we", "us", "our") is the data controller for personal data collected through this platform. If you have any questions about this Privacy Policy or how we handle your data, contact us at [email protected].

Account data (all users):

• Full name and email address (required for registration)
• Password (stored as a one-way bcrypt hash — never readable)
• UK postcode (used for regional matching context)
• Phone number (optional; used for SMS alerts if purchased)

Test booking data:

• DVSA test centre, booking date, and time
• DVSA booking reference — stored encrypted using AES-256 encryption. Only decrypted at the moment of a confirmed swap and released to the matched party. Never stored in plaintext.
• Preferred swap date range and centre preferences

Instructor-specific data:

• ADI licence number — stored as a one-way SHA-256 hash only. The raw number is never stored.
• Business name (optional)

Payment data:

• We do not store payment card details. All payment processing is handled by Stripe, who are PCI-DSS compliant. We retain transaction records (amount, status, Stripe payment intent ID) for financial compliance.

Usage data:

• IP address and browser/device information (stored in audit logs for fraud prevention and security)
• Platform activity (swap requests submitted, matches agreed, notifications read)

We use your data for the following purposes, all of which are necessary to fulfil our contract with you or comply with legal obligations:

• Account management: Creating and maintaining your account, verifying your identity
• Matching: Running the swap matching engine against your preferences
• Swap completion: Decrypting and releasing your DVSA booking reference to your matched party after payment, and releasing their reference to you
• Notifications: Sending match alerts, payment prompts, and swap status updates by email and SMS (where purchased)
• Payments: Processing optional add-on purchases and instructor subscription payments via Stripe. Swapping itself is free.
• Fraud prevention: Detecting duplicate accounts, DVSA reference collisions, and suspicious activity
• Legal compliance: Retaining financial records as required by HMRC and applicable UK law

We will never use your data for advertising, profiling for third-party marketing, or AI model training.

Under UK GDPR, our lawful basis for processing is:

• Contract: Processing necessary to provide the swap matching service you have registered for
• Legitimate interests: Fraud prevention, security, and platform integrity
• Legal obligation: Retaining financial records for tax and regulatory purposes
• Consent: Marketing emails (separate opt-in at registration)

We share your data only where necessary:

• Your matched swap partner: After both parties pay, we release your first name, booking date, test centre, and DVSA booking reference to the other party. This is the core function of the platform and is necessary to complete the swap. The data is available for a maximum of 12 hours after release.
• Stripe: Payment processing. Stripe's privacy policy applies to data they hold.
• Email and SMS providers: Used to deliver transactional notifications. We use reputable providers under data processing agreements.
• Your linked instructor (if applicable): If you confirm a link to a driving instructor, they can see your swap request status and match status. They cannot see the other matched party's personal details.

We do not sell your data. We do not share your data with data brokers, advertisers, or any third party beyond those listed above.

We retain data for the following periods:

• Account data: Until you delete your account, plus 90 days for backup recovery purposes
• DVSA booking reference (encrypted): Deleted 90 days after a swap is completed. The decrypted version shown in swap instructions is wiped within 12 hours of release.
• Financial records (swap transactions, subscription records): 7 years, as required by HMRC
• Audit logs: 7 years, for fraud and compliance purposes
• Notification records: 12 months

Under UK GDPR you have the following rights. To exercise any of them, email us at [email protected]:

• Right of access: Request a copy of all personal data we hold about you
• Right to rectification: Ask us to correct inaccurate data
• Right to erasure: Ask us to delete your account and personal data. Note: financial records must be retained for 7 years and cannot be erased early.
• Right to data portability: Request your data in a machine-readable format
• Right to object: Object to processing based on legitimate interests
• Right to withdraw consent: Withdraw marketing email consent at any time via the unsubscribe link in any email

We will respond to all requests within 30 days. If you are unhappy with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

We take data security seriously:

• DVSA booking references are encrypted at rest using AES-256-CBC encryption
• All data is transmitted over HTTPS/TLS
• Passwords are hashed using bcrypt and never stored in plaintext
• ADI licence numbers are stored as one-way SHA-256 hashes only
• Access to sensitive data is role-restricted and every access is audit logged
• Swap instruction details are automatically wiped 1 hour after release

In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the ICO within 72 hours of becoming aware.

TestSwap uses only the following cookies:

• Session cookie: Strictly necessary. Keeps you logged in during a session. Expires when you close your browser.
• CSRF token: Strictly necessary. Protects against cross-site request forgery attacks.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. No cookie consent banner is required as all cookies are strictly necessary.

We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email at least 14 days before they take effect. The "Last updated" date at the top of this page will always reflect the most recent revision.

For any privacy-related questions or to exercise your rights:

[email protected]