Skip to content
FineShyn

Legal

Privacy Notice

1. Who we are

FineShyn Ltd ("FineShyn", "we", "our", "us") is the data controller for your personal data when you use the FineShyn customer app (Shyn), the FineShyn Shyner operator app, or this website (fineshyn.co.uk).

  • Company No. 16822407, registered in England & Wales.
  • Registered office: 124-128 City Road, London EC1V 2NX.
  • ICO registration: ZC146807.
  • Contact: support@fineshyn.co.uk.

2. What data we collect

We collect personal data you give us directly and data generated automatically when you use the apps:

  • Identity & contact: name, email, phone (verified via SMS at signup), date of birth where required for vetting.
  • Customer-specific: vehicle make/model/year/colour/registration, addresses, payment method tokens (Stripe — we never see your card number).
  • Operator-specific (Shyners): business registration, insurance certificate, DBS check outcome, identity documents, portfolio, Stripe Connect KYC data, tax info.
  • Bookings & transactions: what you booked, when, with whom, photos (pre/post-job), messages exchanged in-app, ratings, payments, refunds.
  • Device & usage: device type, OS version, app version, crash reports (via Sentry — PII-scrubbed), aggregated event analytics.
  • Location (operators): GPS during active jobs only, for proximity verification.
  • Communications: support emails, in-app messages (routed via Twilio masked numbers — content visible to our ops team for dispute resolution under our retention schedule).

3. Why we use it (lawful basis)

  • To deliver the service (Art 6(1)(b) — contract): matching bookings, processing payments, sending booking notifications, supporting disputes.
  • To meet legal duties (Art 6(1)(c)): tax records, HMRC reporting, GDPR rights handling, AML where applicable.
  • Legitimate interests (Art 6(1)(f)): fraud prevention, platform safety, service improvement, aggregate analytics.
  • Consent (Art 6(1)(a)): marketing communications, photo use in marketing (separate opt-ins).

4. Who we share it with

We share personal data only with processors who help us deliver the service, and only the minimum needed:

  • Stripe (payment processing, Stripe Connect payouts to operators).
  • Twilio (SMS verification, masked phone numbers between customer and operator).
  • Supabase + Cloudflare (hosting, EU/UK region).
  • Postmark + SendGrid (transactional and marketing email).
  • Sentry (error reporting with PII scrubbing).
  • DBS, identity-verification, insurance, and accountancy partners (operator vetting and platform compliance).

We never sell your data. We don't share it with advertisers. We don't use third-party tracking pixels.

5. International transfers

All personal data is stored in the UK or EU. A small number of processors (e.g. Stripe, Sentry) may transfer data to the US under standard contractual clauses or adequacy decisions. Where this happens, the safeguards required by UK GDPR Chapter V are in place.

6. How long we keep it

  • Active accounts: while your account is active.
  • Account deletion: 30-day soft delete (recoverable), Day 31 hard delete and anonymisation.
  • Booking and transaction records: 6 years (HMRC).
  • Photos: 24 months from upload.
  • Marketing contact data: 24 months after last interaction.
  • Operator vetting records: 2 years post-off-boarding.
  • Anonymous aggregate data: indefinite.

7. Your rights

Under UK GDPR you have the right to:

  • Access your data (right to access — Art 15).
  • Correct inaccurate data (rectification — Art 16).
  • Delete your data (erasure — Art 17). You can self-serve this in-app under Settings → Delete account.
  • Restrict or object to processing (Art 18/21).
  • Export your data in a portable format (portability — Art 20). Self-serve in-app under Settings → Export my data.
  • Withdraw consent at any time where consent is the lawful basis (e.g. marketing emails — one-click unsubscribe).
  • Complain to the ICO at ico.org.uk or 0303 123 1113.

We respond to subject-access and erasure requests within 30 days.

8. Photos in the apps

Three layers of photo handling:

  • Pre/post-job photos: mandatory for damage-dispute resolution. Camera-only capture, EXIF data stripped before upload, encrypted at rest.
  • Customer receives photos automatically at job completion.
  • Marketing use: strictly opt-in. You can withdraw consent for marketing use at any time without affecting the service.

9. Tracking and analytics

We use Cloudflare Web Analytics, which is cookieless and does not track individual users. We do not use third-party tracking pixels (no Meta pixel, no Google Analytics, no LinkedIn Insight Tag). The apps do not show the iOS App Tracking Transparency (ATT) prompt because we do not engage in cross-app or cross-site tracking.

10. Cookies

See our Cookies notice. We only set strictly necessary cookies (session for waitlist forms). No consent banner is required under PECR Regulation 6.

11. Children

FineShyn is not directed at children under 18. We do not knowingly collect data from users under 18. If you believe a child has provided us with personal data, contact us at support@fineshyn.co.uk and we will delete it promptly.

12. Security

We use Cloudflare and Supabase security primitives: TLS everywhere, encryption at rest, row-level security on every user-owned table, password hashing via Supabase Auth, optional TOTP MFA, audit logging on sensitive operations, and incident-response playbooks for breach scenarios.

13. Changes to this notice

When we change this notice we'll update the version number and the "Effective from" date. Material changes will be notified in-app and/or by email. The current version is always available at fineshyn.co.uk/legal/privacy.

14. Contact us

Email: support@fineshyn.co.uk
Post: Data Protection, FineShyn Ltd, 124-128 City Road, London EC1V 2NX.
ICO complaint: ico.org.uk/make-a-complaint.