Data Protection Policy

Last updated: 18 December 2025

Your privacy matters

DrivingTests collects only the data we need to operate the website platform ("the Platform"). We do not sell your data to third parties. We do not use your data for advertising or any other purpose other than for the purposes of operating the Platform, as set out below. This policy explains what we collect, why, and your rights under UK GDPR and the Data Protection Act 2018.

1. Who We Are

DrivingTests ("we", "us", "our") is operated from the UK by Skyline Europe Limited, a UK company (company number 14853892). Driving Tests is the data controller for personal data collected through the Platform. If you have any questions about this Privacy Policy or how we handle your data, contact us at compliance@drivingtests.co.uk.

2. What Data We Collect

Account data (all users):

  • Full name and email address (required for registration)
  • Password (stored as a one-way bcrypt hash — never readable)
  • UK postcode (used for regional matching context)
  • Phone number (optional; used for SMS alerts if purchased)

Test booking data:

  • DVSA test centre, booking date, and time
  • DVSA booking reference — stored encrypted using AES-256 encryption. Never stored in plaintext. This data is collected to verify the legitimacy of your test booking but is not shared with your swap partner.
  • Preferred swap date range and centre preferences

Instructor-specific data:

  • ADI licence number — stored as a one-way SHA-256 hash only. The raw number is never stored.
  • Business name (optional)

Payment data:

We do not store payment card details. All payment processing is handled by Stripe, who are PCI-DSS compliant. We retain transaction records (amount, status, Stripe payment intent ID) for financial legal compliance.

Usage data:

  • IP address and browser/device information (stored in audit logs for fraud prevention and security)
  • Platform activity (swap requests submitted, matches agreed, notifications read)

3. How We Use Your Data

We use your data for the following purposes, all of which are necessary to fulfil our contract with you or comply with legal obligations:

  • Account management: Creating and maintaining your account, verifying your identity
  • Matching: Running the swap matching system against your preferences
  • Swap completion: Sharing your first name, email address, and mobile number with your matched party after payment so that you can coordinate calling the DVSA together
  • Notifications: Sending match alerts, payment prompts, and swap status updates by email and SMS (where purchased)
  • Payments: Processing swap fees and instructor subscription payments via Stripe
  • Fraud prevention: Detecting duplicate accounts, DVSA reference collisions, and suspicious activity
  • Legal compliance: Retaining financial records as required by HMRC and applicable UK law

We will never use your data for advertising, profiling for third-party marketing, or AI model training.

4. Lawful Basis

Under UK GDPR, our lawful basis for processing is:

  • Contract: Processing necessary to provide the swap matching service you have registered for
  • Legitimate interests: Fraud prevention, security, and platform integrity
  • Legal obligation: Retaining financial records for tax and regulatory purposes
  • Consent: In accordance with your specific consent given to us. Also for marketing emails (separate opt-in at registration)

5. Who We Share Your Data With

We share your data only where necessary:

  • Your matched swap partner: After both parties pay, we share your first name, email address, and mobile number with the other party. This is the core function of the platform and is necessary to enable you to coordinate calling the DVSA together to complete the swap.
  • Stripe: Payment processing. Stripe's privacy policy applies to data they hold.
  • Email and SMS providers: Used to deliver transactional notifications. We use reputable providers contracted by us under data processing agreements.
  • Your linked instructor (if applicable): If you confirm a link to a driving instructor, they can see your swap request status and match status. They cannot see the other matched party's personal details.

We do not sell your data. We do not share your data with data brokers, advertisers, or any third party beyond those listed above.

6. Data Retention

We retain data for the following periods:

  • Account data: Until you delete your account, plus a maximum of 90 days for backup recovery purposes.
  • DVSA booking reference (encrypted): Deleted maximum 90 days after a swap is completed or your account is closed.
  • Financial records (swap transactions, subscription records): 7 years, as legally required by HMRC.
  • Audit logs: 7 years, for fraud and compliance purposes, as required by law.
  • Notification records: 12 months.

7. Your Rights

Under UK GDPR you have the following rights. To exercise any of them, please email us at compliance@drivingtests.co.uk:

  • Right of access: Request a copy of all personal data we hold on you.
  • Right to rectification: Ask us to correct inaccurate data.
  • Right to erasure: Ask us to delete your account and personal data. Note: financial records must be retained for 7 years and cannot be erased early.
  • Right to data portability: Request your data in a machine-readable format.
  • Right to object: Object to processing based on legitimate interests.
  • Right to withdraw consent: Withdraw marketing email consent at any time via the unsubscribe link in any email.

We will respond to all requests within 30 days. If you are unhappy with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Security

We take data security seriously:

  • DVSA booking references are encrypted at rest using AES-256-CBC encryption.
  • All data is transmitted over HTTPS/TLS.
  • Passwords are hashed using bcrypt and never stored in plaintext.
  • ADI licence numbers are stored as one-way SHA-256 hashes only.
  • Access to sensitive data is role-restricted and every access is audit logged.
  • Contact details shared during a swap are limited to the minimum necessary (first name, email, mobile number).

In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the ICO within 72 hours of us becoming aware.

9. Cookies

DrivingTests uses only the following cookies:

  • Session cookie: Strictly necessary. Keeps you logged in during a session. Expires when you close your browser.
  • CSRF token: Strictly necessary. Protects against cross-site request forgery attacks.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. No cookie consent banner is required as all cookies are strictly necessary.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email at least 14 days before they take effect. The "Last updated" date at the top of this page will always reflect the most recent revision.

11. Contact

For any privacy-related questions or to exercise your rights:

compliance@drivingtests.co.uk