Privacy Policy
Last updated: 2 April 2026
This privacy policy explains how Cant Park There ("we", "us", "our") collects, uses, stores, and protects your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Data Controller
Cant Park There is the data controller for personal data collected through this website. If you have questions about how your data is handled, please contact us using the details in Section 13.
2. What Data We Collect
a) Account Information
- Full name
- Email address
- Password (stored as a secure one-way hash)
b) Report Submissions
- Vehicle registration number
- Type of parking offence
- Description / notes
- Location data (GPS coordinates and address label) — from browser geolocation, manual entry, or photo EXIF data
- Reporter name (may be anonymous) and email address
- Photographs uploaded as evidence
c) Photo Metadata
When you upload images, we extract and store EXIF metadata including:
- GPS coordinates (latitude, longitude)
- Date and time the photo was taken
- Camera make and model
- Technical settings (ISO, aperture, focal length)
This data helps verify the location and timing of reports. If you do not wish to share EXIF data, strip it from your images before uploading.
d) Technical Data
- IP Address: We collect and store your IP address when you:
- Register an account (stored as Registration IP)
- Log in to your account (stored as a history of login events)
- Submit a parking report (linked to that specific report)
- Interact with automated emails (logged for security and audit purposes)
- Usage Data: We may collect data from Cloudflare, our Content Delivery Network (CDN), including your IP address and browser headers to protect against DDoS attacks and ensure service availability.
- Session data: (see our Cookie Policy)
e) Payment Data
Payments for report removal are processed by Stripe. We do not collect or store your card details. Stripe handles payment data under their own privacy policy. We receive only confirmation of payment along with the vehicle registration and report ID from session metadata.
3. Lawful Basis for Processing
| Purpose | Lawful Basis |
|---|---|
| Operating the reporting service | Legitimate interest |
| Creating and managing your account | Contract performance |
| Processing removal payments | Contract performance |
| Sending service emails (verification, notifications) | Legitimate interest / consent |
| Preventing spam and abuse (reCAPTCHA, IP tracking) | Legitimate interest / Legal obligation |
| Audit and security (Login & Email logs) | Legitimate interest / Legal obligation |
| DVLA vehicle lookups | Legitimate interest |
4. Third-Party Services
We share data with the following third parties only as necessary to operate the service:
a) DVLA Vehicle Enquiry Service
Vehicle registration numbers are sent to the DVLA API to retrieve publicly available vehicle details (make, colour, MOT and tax status). This data is cached for up to 30 days.
b) Stripe
Payment processing for report removals. Stripe receives your payment details directly. We receive payment confirmation and session metadata only.
c) Google reCAPTCHA
We use Google reCAPTCHA v2 to protect forms from automated abuse. When you interact with reCAPTCHA, Google may collect your IP address, browser information, and cookies. See Google's Privacy Policy.
5. Email Communications
We send transactional emails for:
- Account verification
- Password resets
- Report approval notifications
- Admin alerts
Our emails may include a small tracking pixel to monitor delivery and open rates for service reliability. You can prevent this by disabling image loading in your email client.
You can unsubscribe from non-essential emails at any time using the link provided in each email.
6. Data Retention
| Data Type | Retention Period |
|---|---|
| User accounts | Until account deletion is requested |
| Reports and images | Indefinitely, or until removed/hidden |
| DVLA cached data | 30 days (automatically refreshed) |
| Email verification tokens | 48 hours |
| IP addresses & Login history | Stored while account is active |
| Email Audit logs | 12 months |
7. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access — request a copy of the data we hold about you. You can do this directly via our Manage Data Rights page.
- Right to rectification — request correction of inaccurate data.
- Right to erasure — request deletion of your data (subject to legal obligations).
- Right to restrict processing — request that we limit how we use your data.
- Right to data portability — receive your data in a structured, machine-readable format via our Export Tool.
- Right to object — object to processing based on legitimate interest.
To exercise any of these rights, contact us using the details in Section 13. We will respond within one month.
8. Account Deletion
You may delete your account at any time via your Dashboard or the unsubscribe link in our emails. This will permanently remove your user account and all associated reports from our systems. This action cannot be undone.
9. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Password hashing (bcrypt)
- IP address hashing (SHA-256)
- CSRF token protection on all forms
- HTTPS encryption in transit
- HTTP-only, SameSite session cookies
10. International Transfers
Your data is primarily stored and processed within the United Kingdom. Where third-party services (Stripe, Google reCAPTCHA) process data outside the UK, they do so under appropriate safeguards as required by UK GDPR.
11. Children's Privacy
This service is not intended for individuals under the age of 18. We do not knowingly collect personal data from children.
12. Changes to This Policy
We may update this policy from time to time. Changes will be reflected by the "last updated" date above. Continued use of the service constitutes acceptance of the updated policy.
13. Contact & Complaints
For privacy enquiries or to exercise your rights, contact us at the email address provided on the site.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113