This Data Processing Agreement ("DPA") forms part of, and is incorporated into, the Terms & Conditions between you ("Customer", "you") and Gears and Motor Ltd (company number 16220676), registered office 1 Beauchamp Court, 10 Victors Way, Barnet, Hertfordshire, EN5 5TZ, United Kingdom ("PitCRM", "we", "us"). It sets out the terms on which we process personal data on your behalf when you use the PitCRM service (the "Service"). Where there is any conflict between this DPA and the Terms & Conditions in respect of data protection, this DPA prevails.
"Data Protection Laws" means all laws applicable to the processing of personal data under this DPA, including the UK GDPR, the Data Protection Act 2018, and, where applicable, the EU GDPR and any equivalent local data protection laws. "Controller", "Processor", "Data Subject", "Personal Data", "Processing" and "Personal Data Breach" have the meanings given in the Data Protection Laws. "Customer Personal Data" means personal data that PitCRM processes on your behalf under the Terms, as described in Schedule 1. "Sub-processor" means any third party engaged by PitCRM to process Customer Personal Data.
For Customer Personal Data — the personal data you enter into the Service about your own customers (for example, their names, contact details, vehicles, service records, and messages) — you are the Controller and PitCRM is the Processor. Where you are yourself a processor acting on behalf of another controller, PitCRM is a sub-processor and you warrant that you have the authority to engage us on those terms. For your account and billing data, PitCRM is the Controller and processes that data in accordance with its Privacy Policy.
PitCRM will process Customer Personal Data only on your documented instructions, including with regard to international transfers, unless required to do otherwise by law (in which case we will, where legally permitted, inform you first). Your instructions are constituted by the Terms, this DPA, your configuration and use of the Service, and any further written instructions you give. We will inform you if, in our opinion, an instruction infringes the Data Protection Laws. We will not sell Customer Personal Data, and we will not use it to train any artificial intelligence or machine learning models.
PitCRM will ensure that any person authorised to process Customer Personal Data (including our personnel and the authorised staff referred to in our Privacy Policy) is subject to an appropriate duty of confidentiality and processes that data only as necessary to provide and support the Service.
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, PitCRM implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Schedule 3. We regularly review these measures and may update them provided the level of protection is not materially reduced.
You provide general authorisation for PitCRM to engage the Sub-processors listed in Schedule 2 to process Customer Personal Data in order to provide the Service. We impose data protection terms on each Sub-processor that are no less protective than those in this DPA, and we remain responsible for each Sub-processor's performance of its obligations. We will give you reasonable notice (for example, by updating Schedule 2 or by email or in-app notice) before adding or replacing a Sub-processor, and you may object on reasonable data protection grounds; if we cannot resolve a reasonable objection, you may terminate the affected part of the Service.
Taking into account the nature of the processing, PitCRM will assist you by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights under the Data Protection Laws. The Service provides functionality enabling you to access, correct, export, and delete Customer Personal Data directly. Where a Data Subject contacts PitCRM directly about data you control, we will, where appropriate, direct them to you and assist you in responding.
PitCRM will notify you without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide you with information reasonably available to us to help you meet your own obligations to report to a supervisory authority or affected Data Subjects. We will take reasonable steps to mitigate and, where possible, remedy the breach.
Taking into account the nature of the processing and the information available to us, PitCRM will provide reasonable assistance to you with any data protection impact assessments and any prior consultations with a supervisory authority that you are required to carry out under the Data Protection Laws in respect of the Service.
Customer Personal Data is stored in the United Kingdom. Where PitCRM or a Sub-processor transfers Customer Personal Data outside the UK (or, where the EU GDPR applies, outside the EEA), such transfers are made subject to appropriate safeguards under the Data Protection Laws — such as the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses, or a transfer to a jurisdiction covered by applicable adequacy regulations.
On termination or expiry of the Terms, and at your choice, PitCRM will delete or return Customer Personal Data, and delete existing copies, unless we are required by law to retain it. Account deletion within the Service removes Customer Personal Data from our active systems within 30 days, as described in our Data Deletion page; residual copies in encrypted backups are overwritten in the ordinary backup cycle. We may retain a limited set of records where required by law (for example, invoices for accounting and tax purposes) for the period the law requires.
PitCRM will make available to you information reasonably necessary to demonstrate compliance with this DPA and the obligations in Article 28 of the UK GDPR, and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate. To minimise disruption, such audits will be on reasonable prior notice, no more than once per year (save where required by a supervisory authority or following a Personal Data Breach), during business hours, and subject to confidentiality; we may satisfy audit requests by providing relevant documentation or third-party certifications where available.
Each party's liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms & Conditions.
This DPA takes effect when you accept the Terms and continues for as long as PitCRM processes Customer Personal Data on your behalf. This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction, save where the Data Protection Laws require otherwise.
| Schedule 1: Details of processing | |
|---|---|
| Subject matter | Provision of the PitCRM vehicle workshop management Service. |
| Duration | For the term of the Terms and until Customer Personal Data is deleted or returned in accordance with clause 11. |
| Nature and purpose | Hosting, storage, organisation, structuring, retrieval, use, and transmission of Customer Personal Data in order to provide vehicle workshop management functions — including customer and vehicle records, jobs, quotes, invoices, bookings, inspections, deposits and payments, scheduling, and customer messaging by SMS, email and WhatsApp. |
| Types of Personal Data | Names; contact details (phone, email, address); vehicle details (registration, make, model, year, and related lookup data); service, job, quote, invoice, booking and inspection records; deposit and payment records; the content of communications (SMS, email, WhatsApp) and associated media (photos, voice notes, documents); and delivery/read metadata. |
| Categories of Data Subjects | The Customer's own end-customers and other individuals whose personal data the Customer enters into the Service (for example, vehicle owners and named contacts). |
| Sub-processor | Purpose |
|---|---|
| Supabase | Database and authentication hosting (United Kingdom — AWS London, eu-west-2) |
| Cloudflare | API infrastructure and file/media storage (R2) |
| Vercel | Web application and landing-page hosting |
| Stripe | Subscription billing and, via Stripe Connect, customer card payments and deposits |
| Twilio | SMS message delivery |
| Resend | Transactional email delivery |
| Meta Platforms (WhatsApp Business Platform) | WhatsApp message delivery |
| DVLA / vehicle-data lookup provider | Vehicle registration lookups |
| QuickBooks; Xero | Accounting integrations, only where the Customer chooses to connect them |