Legal

Privacy Policy

Last updated: 18 July 2026

Operator details requiring confirmation before production publication: confirm the company's registered/contact address, company registration number, privacy contact and whether a data protection officer or EU/UK representative is required. These details have not been invented here.

1. Who this policy is for

This policy describes personal data handled through oembrain, a workshop management service operated by OEM DRIVE LTD. For account, billing and service-administration data, the operator will generally determine why and how that data is used. A subscribing workshop will generally determine why and how it uses customer, vehicle, job and invoice data entered into its workspace; the operator handles that data to provide the service on the workshop's instructions.

Privacy contact: [email protected]. [Company contact/registered address to be confirmed.] [DPO or privacy lead details to be confirmed, if applicable.]

2. Data handled

  • Account data, including name, email, password hash, verification state, language and consent records.
  • Workshop details, subscription state and billing-provider references.
  • Workshop records entered by users, such as customer contact details, vehicles, jobs, notes, invoices and payments.
  • Security and operational data, including session identifiers, IP addresses in limited audit/rate-limit records, timestamps and technical error logs.
  • Integration data when enabled, including DVLA/DVSA lookup results, Xero organisation details and encrypted OAuth credentials, and Stripe billing events.
  • Optional marketing consent. Marketing is not a condition of using the service.

3. Why data is used

Data is used to create and secure accounts, provide workshop features, generate documents and exports, operate requested integrations, administer subscriptions, respond to support requests, prevent abuse, maintain audit trails and meet applicable legal obligations. The appropriate legal basis depends on the relationship and activity and may include performance of a contract, legitimate interests in operating and securing the service, compliance with law, or consent where consent is specifically requested. Workshops are responsible for identifying and communicating their own lawful basis for customer data they place in oembrain.

4. Sharing and service providers

Data is not described as sold. It may be disclosed to service providers only as needed to run requested features—for example hosting/database providers, email delivery, Stripe for billing, Xero when connected, and UK vehicle-data services for lookups. Public pages currently load Bootstrap assets from jsDelivr. Data may also be disclosed where required by law or during a properly managed business transaction.

[Confirm the production hosting, email and other processor list, their locations, and applicable data-processing/international-transfer safeguards before publication.]

5. Retention

Data is kept while needed to provide and secure the service and for applicable legal, accounting, dispute and fraud-prevention needs. A fixed retention schedule is not stated because the production schedule has not yet been confirmed. Deletion requests are reviewed before action so that active billing, backups, integration records and records subject to retention obligations can be handled safely. [Confirm and publish the production retention and backup-erasure schedule.]

6. Security

The application uses controls including tenant-scoped database access, password hashing, CSRF protection, restricted cookies, role checks and audit records. No internet service can guarantee absolute security. Workshop owners should control user access and protect downloaded exports.

7. Your choices and rights

Depending on applicable law and the circumstances, individuals may have rights to access, correct, erase or restrict data, object to some processing, obtain portable data, withdraw consent, and complain to a supervisory authority. These rights can have exceptions. Workshop customers should normally contact the workshop first because the workshop controls their service records. Account owners can export workshop data and submit a guarded deletion request from Privacy & workshop data settings. Other requests can be sent to [email protected]; identity and authority may need to be verified.

[Confirm the lead supervisory authority and include its current contact details before publication.]

8. International access and changes

Service providers may process data outside the user's country. Any production transfers must use safeguards required by applicable law; the exact arrangements must be confirmed with the final provider inventory. Material policy changes will be dated here and, where appropriate, communicated in the service.

Read the Cookie Policy