Privacy Policy
We are FrameLogic Limited. This policy explains what personal data we collect when you use Autera, why we collect it, who we share it with, and your rights under UK GDPR. We do not sell your data.
1. Who we are
This Privacy Policy is issued by FrameLogic Limited (“we”, “us”, “our”), a company registered in England and Wales (Companies House number 17193146) with registered office at 58 Rochester Avenue, Feltham, TW13 4EJ, United Kingdom. We are the data controller for personal data we collect about Autera users (workshop owners, technicians, and team members). For personal data your workshop holds about its own customers, your workshop is the controller and we act as a processor (see section 8).
We are registered with the UK Information Commissioner’s Office (ICO), registration number ZC180026.
For privacy queries, contact: privacy@getautera.com.
2. Data we collect
About workshop owners and team members
- Name, email address, phone number
- Workshop name, business address, VAT number, company number
- Authentication data (password hashes managed by Firebase, session tokens)
- Profile preferences and settings
About workshops’ customers, technicians, and vehicles
You enter this data into Autera when running your workshop. We process it on your behalf as a processor (see section 8). Typical fields include customer name, contact details, vehicle registration and make/model, job and invoice records, and uploaded documents.
Vehicle data we obtain from third parties
When you look up a vehicle by its registration, Autera retrieves vehicle data from official UK sources: the DVLA Vehicle Enquiry Service (VES) and the DVSA MOT history service. The categories obtained include make, model, colour, fuel type, year of manufacture, tax and MOT status, and MOT test history. We did not collect this data directly from you or from the vehicle keeper; we obtain it from these public-sector sources by registration lookup. We use it to populate and verify vehicle records in your workshop and to power MOT-due reminders. This data is provided by DVLA and DVSA, and we are not responsible for its accuracy.
Automatic data
- IP address, browser type, device type, approximate location (city level)
- Pages viewed, features used, in-app actions (for product analytics and audit)
- Server logs and error reports (for debugging and security monitoring)
Payment data
Card details are collected and stored by Stripe, our payment processor. We never see or store your card number; we only see the last 4 digits, expiry date, and a Stripe customer ID.
Photos and camera access (mobile app)
The Autera Android and iOS apps request camera and photo-library access so you can attach photos to a job (e.g. before/after shots, damage records, parts received). Photos you capture or pick are uploaded to Autera and stored against the job they were attached to. We do not access the camera or your photo library at any other time, and we never upload photos in the background. You can revoke camera or photo-library access at any time in your device settings; the app will still work, but you won't be able to capture or pick photos until you re-enable it.
Notifications (mobile app)
The Autera mobile apps request permission to send push and local notifications. When granted, we may notify you about workshop events you've opted into, e.g. a job assigned to you, a new booking request, an invoice paid, or an MOT-due reminder for one of your customers' vehicles. Notification content is generated from your own workshop data; we never include third-party advertising. You can revoke notification permission at any time in your device settings.
3. Purposes we use data for
- Providing and operating Autera (running your workshop, displaying your data, sending notifications)
- Processing payments via Stripe
- Sending transactional emails (account verification, billing, password reset, data export delivery) via Resend
- Customer support and troubleshooting
- Security monitoring, fraud prevention, and abuse investigation
- Improving the product (using anonymised, aggregated data only)
- Complying with legal obligations (HMRC, Companies House, court orders)
4. Legal bases (UK GDPR)
- Contract: Processing necessary to provide Autera under the Terms of Service.
- Legitimate interest: Security monitoring, abuse prevention, product improvement using aggregated data, and limited support access. We balance these against your interests.
- Legal obligation: Tax records, money-laundering checks, and responding to lawful requests from authorities.
- Consent: Optional marketing emails (you can opt in and out at any time).
5. Who we share data with
We never sell your data. We share it only with the processors we use to run Autera and, separately, where we are legally required to do so.
We use these third-party processors:
- Stripe (payments): stripe.com/privacy
- Resend (transactional email): resend.com/legal/privacy-policy
- Cloudflare R2 (file storage and backups): cloudflare.com/privacypolicy
- Firebase (Google) (user authentication, and push notification delivery to Android devices via Firebase Cloud Messaging; push payloads can include a customer name, vehicle registration, and job or invoice details): firebase.google.com/support/privacy
- Apple (APNs) (push notification delivery to iOS devices via the Apple Push Notification service; payloads can include a customer name, vehicle registration, and job or invoice details): apple.com/legal/privacy
- Browser push providers (Google, Mozilla, Apple) (delivery of web (PWA) push notifications via the browser’s push endpoint; payloads can include a customer name, vehicle registration, and job or invoice details)
- IONOS SE (UK-based VPS hosting; primary database and application hosting): ionos.co.uk/terms-gtc/privacy-policy
- Xero (Xero Limited) (accounting sync, only when your workshop connects Xero; we push customer name, email, phone, address and invoice line items): xero.com/uk/legal/privacy
- Intuit QuickBooks Online (Intuit Inc.) (accounting sync alternative, only when your workshop connects QuickBooks; we push customer name, email, phone, address and invoice line items): intuit.com/privacy/statement
- Anthropic (Claude API) (the optional “tidy up job notes” AI feature; we send the advisor’s note text plus the vehicle registration, make and model): anthropic.com/legal/privacy
- PostHog (PostHog Inc., EU region) (product analytics and session replay on the marketing site, loaded only after you accept the cookie banner): posthog.com/privacy
- Sentry (Functional Software Inc.) (error and exception tracking, including workshop and user identifiers and IP address): sentry.io/privacy
- Trustpilot (Trustpilot A/S) (review-invite emails sent via Trustpilot’s feedback service; we share recent customers’ email and name): trustpilot.com privacy terms
- Calendly (Calendly LLC) (the demo-booking widget on our demo page; prospect contact details entered into the widget): calendly.com/privacy
- Cloudflare Turnstile (bot challenge on the signup form; IP address and browser signals): cloudflare.com/privacypolicy
- Telegram (internal operational tooling; we receive internal alerts that can include workshop identifiers): telegram.org/privacy
We may also share data with law enforcement, regulators, or in response to a court order when legally required to do so. We will challenge requests we believe to be improper and notify you where we are legally permitted to.
We do not sell your personal data, and we do not share it with advertisers.
6. International transfers
Some of our processors (including Stripe, Resend, Firebase, Apple, Intuit QuickBooks, Anthropic, Sentry, Trustpilot and Calendly) operate in the United States. Where personal data is transferred outside the UK, we rely on the UK’s adequacy decision (where one applies), the UK International Data Transfer Agreement, or Standard Contractual Clauses with appropriate safeguards. Our primary database and file storage remain in the UK and EU (IONOS and Cloudflare), and our product analytics use PostHog’s EU region.
7. Data retention
We keep personal data only as long as needed for the purposes set out in section 3, in line with the retention timelines in section 8 of our Terms of Service:
- Active workshop data: retained for the life of the subscription
- Trash: 30 days, then cold storage 30 days, then permanent deletion
- Cancelled accounts: 60 days read-only grace, then 30 days cold storage, then deletion
- Backups: daily 30 days, weekly 12 months, monthly 12 months
- Audit logs: 3 years (for legal and security purposes)
- Financial records: 6 years (HMRC requirement)
8. Customer data your workshop holds
For personal data your workshop enters about its own customers (motorists), technicians, and suppliers, your workshop is the data controller and Autera acts as a data processor. Our obligations as a processor are set out in our Data Processing Agreement, which forms part of these Terms.
Your workshop is responsible for: providing privacy notices to its own customers; having a lawful basis for the data it processes; and handling data subject rights requests received from those customers. We will assist you where reasonably required.
9. Your rights
You can ask to see your data, correct it, delete it, take it elsewhere, or complain to the ICO if you think we have got it wrong.
Under UK GDPR you have the right to:
- Access the personal data we hold about you
- Rectification of inaccurate or incomplete data
- Erasure (“right to be forgotten”) where applicable
- Portability: receive your data in a machine-readable format. Use the “Download my data” button in your settings, or contact us
- Restriction of processing in some circumstances
- Object to processing based on legitimate interest
- Withdraw consent at any time, where processing is based on consent
- Lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk
To exercise these rights, email privacy@getautera.com. We will respond within one calendar month.
10. Security
- Data is encrypted in transit using TLS 1.2 or higher.
- Database backups are encrypted at rest using AES-256.
- File downloads use signed URLs that expire after a short time.
- Authentication is handled by Firebase with secure session cookies.
- We log all internal staff access to workshop data and audit it (see section 11).
- We follow industry-standard secure development practices.
- No security control is perfect, so we cannot guarantee absolute security, but we work continuously to maintain it.
Data breaches
Where we are the controller (for example, for the account data of workshop owners and team members), if a personal data breach occurs we will notify the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it, where the breach is likely to result in a risk to people’s rights and freedoms. Where a breach is likely to result in a high risk to affected individuals, we will also notify those individuals without undue delay. Where your workshop is the controller of the data affected (data about its own customers), our breach obligations to you as a processor are set out in our Data Processing Agreement.
11. Internal access by Autera staff
Authorised Autera staff may access workshop data solely to provide customer support, troubleshoot issues, or comply with legal obligations. All such access is logged and auditable. Staff cannot modify customer data without your explicit request.
12. Cookies
For information about cookies and tracking technologies we use, see our Cookie Policy.
13. Children
Autera is a business product not intended for children. We do not knowingly collect personal data from anyone under 18.
14. Contact
Privacy queries: privacy@getautera.com
General contact: hello@getautera.com
Postal: FrameLogic Limited, 58 Rochester Avenue, Feltham, TW13 4EJ, United Kingdom
15. Changes to this policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email and post a banner in the app. The “Last updated” date at the top of this page reflects the latest version.
16. Data Protection Officer
At our current scale we are not required to appoint a statutory Data Protection Officer. Privacy matters are handled by Narcis Bujor, Director, who can be reached at privacy@getautera.com.