Privacy Policy

Last Updated: 30 December 2025

1. Introduction

TestSwap ("we", "us", "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and share your information when you use our driving test appointment swap service.

We are the data controller responsible for your personal data. This policy is written in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

By using TestSwap, you agree to the collection and use of information in accordance with this Privacy Policy.

2. Information We Collect

We collect and process the following categories of personal data:

2.1 Account Information

  • Full name
  • Email address
  • Phone number (for Plus and Pro tier subscribers)
  • Password (stored in hashed format)
  • Date of birth
  • Postcode

2.2 Driving Test Information

  • Current test centre location
  • Current test date and time
  • Desired test centre locations (1-5 depending on subscription tier)
  • Desired test date ranges and time preferences
  • DVSA booking reference number
  • Driver licence number
  • Test type (Car, Motorcycle, etc.)
  • Transmission preference (Manual/Automatic)
  • Test attempt number

2.3 Subscription and Payment Information

  • Subscription tier (Starter, Plus, Pro)
  • Payment method details (processed by Stripe/GoCardless; we do not store full card numbers)
  • Billing address
  • Transaction history
  • Refund requests and outcomes

2.4 Match and Communication Data

  • Match history and compatibility scores
  • Match acceptance status and timestamps
  • Digital signatures (for match agreements)
  • Communication preferences (email, SMS)
  • Messages exchanged through our platform

2.5 Technical and Usage Data

  • IP address
  • Browser type and version
  • Device information
  • Pages visited and time spent on pages
  • Referral source
  • Cookies and similar tracking technologies

2.6 Reactivation and Test Outcome Data

  • Test pass/fail status (if provided)
  • Reactivation status and preferences
  • Number of test attempts
  • Previous listing history

3. How We Use Your Information

We process your personal data for the following purposes and on the following legal bases:

3.1 Service Provision (Contractual Necessity)

  • Creating and managing your account
  • Running our matching algorithm to find compatible swap partners
  • Facilitating communication between matched users
  • Processing subscription payments and managing billing
  • Providing customer support

3.2 Communications (Contractual Necessity / Legitimate Interest)

  • Sending match notifications via email and SMS (Plus/Pro tiers)
  • Sending test follow-up emails to determine pass/fail status
  • Sending reactivation reminders for pending rebookings
  • Providing DVSA swap instructions after match acceptance
  • Sending service updates and important announcements

3.3 Service Improvement (Legitimate Interest)

  • Analyzing usage patterns to improve matching accuracy
  • Monitoring system performance and reliability
  • Developing new features based on user behavior
  • Conducting internal research and analytics

3.4 Legal and Security (Legal Obligation / Legitimate Interest)

  • Preventing fraud and abuse of the service
  • Complying with legal obligations and court orders
  • Enforcing our Terms and Conditions
  • Protecting the rights and safety of our users
  • Resolving disputes between users

3.5 Marketing (Consent / Legitimate Interest)

  • Sending promotional emails about service updates (you can opt out)
  • Requesting testimonials and reviews from satisfied customers
  • Running referral programs and community growth initiatives

4. How We Share Your Information

We share your personal data in the following circumstances:

4.1 With Your Match Partner

When both parties accept a match, we share limited contact information (name, email, phone number if provided) to enable you to coordinate the DVSA swap. This is essential to the service you have contracted for.

4.2 With Payment Processors

We use Stripe and GoCardless to process payments. These third parties have access to your payment information solely to process transactions on our behalf. They are bound by strict data protection obligations and cannot use your data for other purposes.

4.3 With Communication Service Providers

  • Email: SMTP service (primary) and Resend (fallback) for sending transactional and marketing emails
  • SMS: Voodoo SMS (UK provider) for sending match notifications to Plus and Pro tier subscribers

4.4 With Infrastructure and Hosting Providers

  • Railway: Cloud hosting platform (UK-EU region)
  • Backblaze B2: File storage
  • Cloudflare: CDN and security services

4.5 With Error Monitoring Services

We use Sentry for error tracking and monitoring. They may receive technical data and error logs that could contain personal information.

4.6 Legal and Safety Purposes

We may disclose your information if required by law, court order, or to protect the rights, property, or safety of TestSwap, our users, or the public.

4.7 Business Transfers

If TestSwap is involved in a merger, acquisition, or sale of assets, your personal data may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.

Important: We do NOT share your data with the DVSA or any government agencies except as required by law. TestSwap is not affiliated with or endorsed by the DVSA.

5. International Data Transfers

Our primary infrastructure is hosted in the UK and EU (Railway UK-EU region). However, some of our service providers may process data outside the UK:

  • Stripe: May transfer data to the US under Standard Contractual Clauses (SCCs)
  • Sentry: May store error logs in the US under SCCs

Where we transfer data outside the UK, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO)
  • Data processing agreements with third parties
  • Adequacy decisions (where applicable)

6. Data Retention

We retain your personal data for the following periods:

6.1 Active Accounts

While your account is active, we retain all account and listing data to provide the service.

6.2 Inactive Accounts

If you cancel your subscription or do not use the service for 12 months, we may anonymize or delete non-essential data. Account credentials and basic profile information are retained for 2 years after last activity.

6.3 Match History

Completed match records are retained for 7 years for legal and dispute resolution purposes. After this period, they are anonymized.

6.4 Financial Records

Transaction records and invoices are retained for 7 years to comply with UK tax and accounting regulations.

6.5 Deleted Accounts

When you request account deletion, we delete or anonymize your personal data within 30 days, except where we are legally required to retain it (e.g., financial records).

6.6 Marketing Data

If you opt out of marketing communications, we retain a suppression record of your email address to ensure we don't contact you again.

7. Your Rights Under UK GDPR

Under UK GDPR, you have the following rights regarding your personal data:

7.1 Right of Access

You can request a copy of all personal data we hold about you. We will provide this within one month of your request.

7.2 Right to Rectification

You can update inaccurate or incomplete data through your account settings or by contacting us.

7.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data, subject to certain exceptions (e.g., legal obligations to retain financial records).

7.4 Right to Restrict Processing

You can request that we limit how we use your data in certain circumstances (e.g., while we verify accuracy of disputed data).

7.5 Right to Data Portability

You can request a copy of your data in a structured, machine-readable format (e.g., JSON, CSV) to transfer to another service.

7.6 Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. We will stop processing unless we have compelling legitimate grounds.

7.7 Rights Related to Automated Decision-Making

Our matching algorithm uses automated processing. You have the right to request human intervention, express your point of view, and contest decisions made solely by automated means.

7.8 Right to Withdraw Consent

Where processing is based on consent (e.g., marketing emails), you can withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

How to Exercise Your Rights:

  • Contact us through our internal messaging system (create an account and access via "Contact Us" in the dashboard)
  • Use the "Delete Account" option in your account settings
  • Update your communication preferences in account settings

We will respond to all requests within one month. If your request is complex, we may extend this by two months and will notify you.

8. Data Security

We implement industry-standard security measures to protect your personal data:

  • Encryption: All data in transit is encrypted using TLS/SSL. Passwords are hashed using bcrypt.
  • Access Controls: Role-based access controls (RBAC) limit employee access to personal data on a need-to-know basis.
  • Database Security: PostgreSQL databases are secured with authentication and network isolation.
  • Monitoring: We use Sentry to monitor for security incidents and system errors.
  • Regular Backups: Daily automated backups with 30-day retention.
  • Secure Development: Code reviews, security testing, and vulnerability scanning.

Despite our safeguards, no method of electronic storage or internet transmission is 100% secure. We cannot guarantee absolute security, but we will notify you and the ICO of any data breaches as required by law.

9. Cookies and Tracking Technologies

We use cookies and similar technologies for the following purposes:

9.1 Essential Cookies

Required for authentication, security, and basic service functionality. These cannot be disabled.

  • next-auth.session-token - Session authentication (NextAuth)
  • next-auth.csrf-token - CSRF protection

9.2 Analytics Cookies (Optional)

Help us understand how users interact with the service. You can opt out in your browser settings.

9.3 Third-Party Cookies

  • Stripe: Payment processing and fraud prevention
  • Cloudflare: Security and CDN services

You can control cookies through your browser settings. Note that disabling essential cookies may prevent you from using certain features of the service.

10. Children's Privacy

TestSwap is intended for users aged 17 and above (the minimum age to hold a provisional driving licence in the UK). We do not knowingly collect personal data from anyone under 17.

If we become aware that we have collected data from a person under 17, we will delete it immediately. If you believe we have data from a minor, please contact us through our internal messaging system.

11. Third-Party Links

Our service may contain links to third-party websites, including:

  • DVSA official website (gov.uk/book-driving-test)
  • Social media platforms for sharing successes
  • Payment processor portals

We are not responsible for the privacy practices of these third-party sites. We encourage you to review their privacy policies before providing any personal information.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features.

When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Notify you via email if you have an active account
  • Display a prominent notice on the website for 30 days

Your continued use of the service after changes take effect constitutes acceptance of the updated policy. If you do not agree with changes, you should stop using the service and request account deletion.

13. Complaints and Regulatory Authority

If you have concerns about how we handle your personal data, please contact us first through our internal messaging system (accessible via your dashboard). We will investigate and respond within 30 days.

You also have the right to lodge a complaint with the UK's data protection authority:

Information Commissioner's Office (ICO)

Website: ico.org.uk

Telephone: 0303 123 1113

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

14. Contact Information

If you have any questions about this Privacy Policy or how we process your personal data, please contact us:

Data Protection Contact

To contact us regarding data protection matters, please create an account and use our internal messaging system.

Access messaging via: Dashboard → Contact Us

We will respond to all privacy-related inquiries within 30 days.

Acknowledgment and Consent

By using TestSwap, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your personal data as described herein.

If you do not agree with this Privacy Policy, you must not use our service.
