Privacy Policy

1. Who we are

FlatSix Intelligence is a sole-trader business based in the United Kingdom, operating the website flatsixintelligence.com and providing automated pre-purchase analysis reports for Porsche 911 vehicles listed on third-party websites including Auto Trader.

We are the data controller for the information described in this policy. We are registered with the UK Information Commissioner's Office (ICO) under registration number 00013811807.

Contact: hello@flatsixintelligence.com

2. What data we collect

We deliberately collect the minimum data needed to deliver a report to you. Specifically:

• Your email address — so we can deliver your report and respond to support queries.
• The listing URL you submit — the subject of the report.
• The vehicle registration mark (VRN) — when you order the FlatSix Report (full version), we ask you to provide the VRN of the vehicle in the listing. The VRN is used to query official UK government registers about that specific vehicle (see §5).
• Order metadata generated automatically: a public order reference (e.g. FS-2026-XXXXX), a timestamp, and the status of your order (queued, processing, delivered).

We do not collect your name, postal address, phone number, date of birth, payment card details, or any other personal identifier. Payments are handled entirely by Stripe (see §5) — we never see or store your card data.

A note on the VRN

3. Why we collect it and legal basis

Under the UK GDPR we must have a lawful basis for processing your personal data. The bases we rely on are:

• Performance of a contract (UK GDPR Art. 6(1)(b)): Processing your email, the submitted URL, and the VRN you provide is necessary to generate and deliver the report you have paid for.
• Legitimate interests (Art. 6(1)(f)): Retaining order records for a limited period to handle refund requests, support queries, and fraud prevention.
• Consent (Art. 6(1)(a)): If and when we enable optional analytics (see §6), we will rely on your explicit consent.

4. How long we keep it

We retain your email address, submitted VRN, and order records for 12 months from your last order or interaction, after which the email address and VRN are automatically scrubbed from our database. The report PDF itself may be retained longer in our document storage for your own future reference, but no longer linked to an identifiable customer record once the 12-month window has passed.

If you explicitly request deletion of your data sooner, we will do so within 30 days (see §8).

5. Third parties we share data with

We share the minimum necessary data with the following service providers and external sources. We distinguish between data processors (companies that act on our instructions) and independent data sources (government registers we query about your vehicle).

5a. Data processors

Each processor below acts on our behalf under a written agreement (or equivalent terms in their service contract) that complies with Article 28 of the UK GDPR.

Stripe (payments)

Stripe Payments UK Ltd processes your payment. When you pay, you provide your card details directly to Stripe — we never see them. Stripe also collects your email address at checkout, which is shared back to us so we can deliver your report. Data is processed in the UK and the United States. Stripe's privacy policy.

Resend (email delivery)

Resend (resend.com, operated by Resend, Inc.) is the email delivery service we use to send your report and any support messages to you. Resend processes your email address and the email body (which includes your order reference and a link to your report). Data is processed in the United States. Resend's privacy policy.

Google (Drive — file storage)

Generated PDF reports are stored on Google Drive (Google Ireland Ltd). Google does not receive your email address. Data is processed in the European Economic Area, with onward processing in the United States under Google's standard contractual safeguards. Google's privacy policy.

PDFShift (PDF rendering)

PDFShift converts the HTML version of your report into a PDF document. The HTML content (which contains the listing URL, VRN, and analysis text) is sent to PDFShift, which renders the PDF and returns it. Your email address is not shared with PDFShift. Data is processed in France. PDFShift's privacy policy.

Anthropic (AI analysis)

Report content is generated using Anthropic's Claude AI model. The submitted listing content and VRN are processed by Anthropic to produce the analysis. Your email address is not shared with Anthropic. Data is processed in the United States; Anthropic operates under standard contractual clauses for international transfers from the UK. Anthropic does not retain customer API inputs for model training. Anthropic's privacy policy.

Railway (hosting)

Our application and database are hosted on Railway (Railway Corp.), which stores the operational data described in §2 on secure infrastructure. Data is processed in the United States. Railway's privacy policy.

5b. UK government registers we query about your vehicle

When you submit a VRN, we query two UK government APIs to retrieve official information about that specific vehicle. These are independent data controllers, not our processors. We send only the VRN; we do not send your email address or any other personal information about you.

DVLA — Vehicle Enquiry Service (VES)

The Driver and Vehicle Licensing Agency (DVLA) operates the Vehicle Enquiry Service, which returns information held on the DVLA register about a vehicle: make, model, year of manufacture, fuel type, colour, MOT and tax status, CO₂ emissions, type approval, and export markers. We use this to verify the listing's claims and detect discrepancies. About the DVLA Vehicle Enquiry Service.

DVSA — MOT History API

The Driver and Vehicle Standards Agency (DVSA) operates the MOT History API, which returns the MOT test history for a vehicle: test dates, results, mileage at each test, advisories, and failure reasons. We use this to detect mileage discrepancies, recurring mechanical issues, and gaps in test history. About the DVSA MOT History service.

Both DVLA and DVSA process VRN queries in line with their own published privacy notices. We do not control how these government bodies process the data we send them or how long they retain query logs.

5c. International transfers

Some of the processors above are based in, or transfer data to, countries outside the UK. The countries involved are:

• United States (Stripe, Resend, Anthropic, Railway, and Google's onward processing): the UK Government has issued an adequacy decision for the EU-US Data Privacy Framework (the UK Extension), and where a processor is certified under that framework, transfers rely on it. Where not, transfers are made under the UK Addendum to the EU Standard Contractual Clauses.
• European Economic Area (Google primary processing in Ireland; PDFShift in France): the UK considers the EEA adequate; no additional safeguards are required.

6. Cookies and analytics

Strictly necessary cookies

When you pay through Stripe Checkout, Stripe sets cookies necessary for the payment flow (e.g. fraud prevention). These cookies are set by Stripe on the Stripe domain and are not under our control. They are strictly necessary for the payment function and do not require separate consent.

We do not set any first-party cookies on flatsixintelligence.com.

Analytics (not currently active)

We may in future enable Google Analytics (GA4) or a similar privacy-respecting analytics tool to understand how visitors use the site. At the time this policy is published, no analytics service is active on this website, and no analytics cookies are set.

If and when we enable analytics:

• A cookie consent banner will appear on your first visit, asking you to accept or decline analytics cookies.
• Analytics will not load unless you explicitly opt in.
• Only aggregated, pseudonymised usage data will be collected — for example, which pages are visited and the approximate region a visit came from. We will not attempt to identify individual visitors.
• You will be able to change your preference at any time.

We will update this policy to reflect the specific analytics provider and data collected before enabling it.

7. Automated decision-making

The FlatSix Report is generated by automated software and AI without manual human review of each individual report. The report includes a risk classification (Low, Moderate, Elevated, or High) which is produced algorithmically by combining:

• The content of the listing you submit;
• Information returned by the DVLA Vehicle Enquiry Service for the VRN you provide;
• Information returned by the DVSA MOT History API for the VRN you provide;
• Generation-specific rules about Porsche 911 features, options, and known issues;
• Comparable market data from current Auto Trader UK listings.

Article 22 of the UK GDPR gives you the right not to be subject to a decision based solely on automated processing where that decision produces legal effects or similarly significant effects for you. Our processing falls outside the strict scope of Article 22 because:

• The risk classification is presented as part of an informational report, not a binding decision about you;
• The decision the report informs (whether to view, negotiate on, or buy a vehicle) is made by you, not by us.

We mention this here in the interest of transparency, so you understand both what the automated processing does and what it does not do:

If you would like an explanation of how a specific element of your report was determined, contact us at hello@flatsixintelligence.com quoting your order reference.

8. Your rights

Regardless of where you live, you can contact us at any time to exercise the following rights over the data we hold about you:

• Right of access — request a copy of the data we hold about you.
• Right to rectification — ask us to correct data that is inaccurate.
• Right to erasure — ask us to delete your data. We will do so within 30 days unless we have a legal obligation to retain it (e.g. HMRC tax records).
• Right to object / restrict processing — ask us to pause or stop certain uses of your data.
• Right to data portability — receive your data in a structured, machine-readable format.
• Rights regarding automated decisions — see §7.

To exercise any of these rights, email hello@flatsixintelligence.com. We will respond within 30 days (one calendar month).

9. Jurisdiction-specific rights

UK United Kingdom

This policy is governed by UK data protection law, including the UK GDPR and the Data Protection Act 2018. If you believe we have mishandled your personal data, you have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint. We would, however, appreciate the chance to address your concern first — please contact us before escalating.

10. Security

We take reasonable technical and organisational measures to protect your data:

• All data is transmitted over HTTPS (TLS).
• Our database is not publicly accessible and is hosted on managed infrastructure with restricted access.
• Access to administrative systems is restricted to the sole trader (the only person with access) and protected by two-factor authentication.
• API credentials for DVLA, DVSA, Stripe, Resend, Anthropic, PDFShift, and Google are stored as environment variables in the hosting environment and are never exposed to the browser.
• Payment card data is never stored by us — it is handled entirely by Stripe.

No system is perfectly secure. If we become aware of a data breach that affects your personal data and is likely to result in a risk to your rights, we will notify you and the ICO within 72 hours, in line with UK GDPR requirements.

11. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top reflects the most recent revision. Substantive changes (for example, enabling analytics, adding a new processor, or adding a new category of data) will be notified to existing customers by email where reasonably possible. Continued use of the service after a change constitutes acceptance of the updated policy.

12. Contact