Privacy Policy
This is a template policy. Mario Auto Keys should have it reviewed by a solicitor before relying on it for live business.
Effective date: April 2026. Last updated: April 2026.
1. Who we are
This website, https://www.marioautokeys.co.uk, is operated by Mario Auto Keys ("we", "us", "our"), a mobile auto locksmith business trading as a sole trader and serving West Sussex and surrounding South Coast towns in England. For the purposes of the UK GDPR and the Data Protection Act 2018, Mario Auto Keys is the data controller of personal data collected through this website and through our services.
You can contact us about this policy or any privacy matter at:
- Email: marioautokeys@gmail.com
- Phone / WhatsApp: 07949 107 260
- Website: https://www.marioautokeys.co.uk
2. Data Protection Officer
We are not required to appoint a Data Protection Officer under Article 37 of the UK GDPR. A DPO is mandatory only where a controller is a public authority, where core activities involve regular and systematic large-scale monitoring, or where core activities involve large-scale processing of special category or criminal offence data. None of these apply to us. Enquiries should be sent to the contacts above.
3. The personal data we collect
When you contact us or book a job, we typically collect and use:
- Identity and contact data — your name, phone number, email address, and the address or postcode where work is required.
- Vehicle data — make, model, year, registration number, and (for key replacement or programming) VIN or key code details provided by you or by authorised sources.
- Proof of ownership / identity documents — such as photo ID and V5C logbook or insurance document, which we may view (and occasionally record the reference of) as an anti-theft safeguard before carrying out work.
- Job notes — a short record of the work performed, parts used, and any relevant observations.
- Photographs — occasionally of the vehicle, lock or key for diagnostic or record purposes.
- Payment records — the amount, date, and method of payment (cash, card or bank transfer). If you pay by card, card details are handled directly by our payment provider; we do not store full card numbers.
- Communications — messages exchanged by phone call, WhatsApp, SMS or email.
We do not knowingly collect special category data (as defined in Article 9 of the UK GDPR) and ask you not to send us any.
4. Why we use your data and our lawful basis
- To provide a quote and perform the service you have booked — lawful basis: performance of a contract (Article 6(1)(b)), or steps taken at your request prior to entering a contract.
- To verify vehicle ownership or authorisation before cutting or programming keys — lawful basis: legitimate interests (Article 6(1)(f)) in preventing vehicle theft and complying with industry good practice; and in some cases legal obligation (Article 6(1)(c)) where required to assist law enforcement.
- To take payment and keep accounting records — lawful basis: legal obligation under HMRC requirements, and performance of a contract.
- To respond to enquiries and handle complaints or warranty claims — lawful basis: contract and legitimate interests in running our business and defending legal claims.
- To keep our website functional and secure — lawful basis: legitimate interests.
Where we rely on legitimate interests, we have balanced those interests against your rights and do not consider our processing to cause unwarranted impact.
5. Who we share data with
We keep your data confidential and only share it where necessary:
- Payment provider — if you pay by card, the transaction is processed by our card provider (for example Stripe, SumUp or Zettle) acting as a data processor or independent controller for payment purposes.
- Accountant and HMRC — to meet our tax and accounting obligations.
- Google — our website embeds Google Maps and uses Google Fonts. When the map is loaded or interacted with, Google may receive your IP address and limited technical data in order to deliver the map and fonts.
- Insurers, legal or professional advisers, or law enforcement — only where lawfully required, for example to investigate suspected vehicle crime.
6. International transfers
Some of our service providers (notably Google and card processors) are based in, or transfer data to, the United States or other countries outside the UK. Where this happens, transfers are protected by an appropriate safeguard recognised under the UK GDPR, such as the UK Extension to the EU-US Data Privacy Framework (adequacy), the UK International Data Transfer Agreement, or Standard Contractual Clauses with supplementary measures where needed.
7. How long we keep data
- Financial and tax records — 6 years from the end of the relevant accounting period, in line with HMRC rules.
- Job records and warranty notes — up to 6 years, to support warranty and limitation-of-claims periods under English law.
- General enquiries that do not result in a job — up to 12 months.
- Photographs taken for diagnostic purposes — deleted once the job is completed and invoiced, unless needed for a dispute or warranty claim.
8. Your rights
Under UK data protection law you have the right to: be informed; access your data; have inaccurate data corrected; have data erased; restrict processing; object to processing (including processing based on legitimate interests); request data portability; and withdraw consent where we rely on consent. To exercise any right, contact us at marioautokeys@gmail.com. We will respond within one month.
You also have the right to complain to the Information Commissioner's Office (ICO):
- Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
- Helpline: 0303 123 1113
- Website: ico.org.uk
We would, however, appreciate the chance to address your concerns first.
9. Automated decision-making
We do not carry out automated decision-making or profiling that produces legal or similarly significant effects.
10. Children
Our services are aimed at adult vehicle owners. We do not knowingly market to, or collect data from, children under 18. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Security
We use reasonable technical and organisational measures to protect personal data, including device passcodes, up-to-date software, limited access, and encrypted communications where available. No system is perfectly secure, and we continue to review our measures.
12. Cookies and similar technologies
Our own website does not set any non-essential cookies and does not use analytics, advertising or tracking tools. We therefore do not display a cookie banner.
The embedded Google Maps iframe may set cookies in your browser when you interact with it (for example panning or zooming), and Google Fonts may be requested from Google's servers. These are controlled by Google, not by us. You can manage or block cookies through your browser settings. If we add analytics or other non-essential tracking in future, we will introduce a compliant cookie-consent mechanism as required by the Privacy and Electronic Communications Regulations 2003 (PECR).
13. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top will always show when it last changed. Significant changes will be brought to your attention by a notice on the site or, where appropriate, by direct contact.