Privacy Policy

Last updated: 29 April 2026

AutoLock — Privacy Policy

This policy explains how AutoLock ("we", "us", "our") collects and uses your personal data when you use the AutoLock mobile app and the companion web application at https://app.autolock.online ("the Service"). AutoLock is a job, customer and stock management tool for self-employed locksmiths and small locksmith businesses.

We are the data controller for the personal information described in this policy. You can contact us at support@autolock.online.


1. Who this policy applies to

This policy applies to two groups of people:

  1. Locksmiths and their staff — the users who sign in to the AutoLock app to manage their business. Throughout this policy we call you the "User".
  2. The User's customers — people whose details a User adds to the app (name, address, phone number, job notes, photos of work performed). We process this data on behalf of the User. The User is the controller of their customers' data; we are the processor.

2. What information we collect

2.1 Account information (from the User)

When you sign up we collect:

  • Full name
  • Email address
  • Mobile phone number (optional, for two-factor security)
  • Business name and trading address
  • A password (stored hashed, never in plain text)
  • A biometric template reference (only the OS-level reference — the biometric data itself never leaves your device)

2.2 Job, customer and stock data (entered by the User)

You enter information about your customers and jobs into the app. This includes:

  • Customer name, address, phone number, email
  • Job notes, status, scheduled time, photos
  • Stock items, quantities, prices, suppliers
  • Deposits, payments, invoices

2.3 Device and usage data

Automatically collected when you use the app:

  • Device model, operating system version, app version
  • Crash reports (if a screen errors out we record what page you were on)
  • Login timestamps and IP address (security audit trail)
  • Push notification token (so we can send job alerts)

2.4 Location data

If you grant location permission, the app uses your device's location to:

  • Pre-populate the "From" location when you tap a job address for directions
  • Time-stamp arrival at a job site (only if you tap "Arrived")

We do not track your location continuously and we do not store your location history on our servers. Each location read is one-shot and used immediately.

2.5 Photos

If you take photos of a job (before/after pictures, signed receipts) they are uploaded to our secure storage. We never look at them; only you and the people you grant access to your AutoLock account can see them.

2.6 Payment information

If a User pays for an AutoLock subscription, the payment itself is handled by Stripe. We never see or store your card details — only Stripe does. Stripe's policy: https://stripe.com/gb/privacy

We may store the last four digits of your card and the card expiry date, returned to us by Stripe, so you can identify the card in your account settings.

2.7 Sensors and other permissions we don't use

We do not access:

  • Contacts
  • Calendar (the in-app calendar only stores AutoLock data)
  • Microphone
  • Camera (other than when you explicitly take a job photo)
  • SMS or call logs
  • Files outside the app's own sandbox

3. Why we process your data — and the legal basis

Purpose | Data used | Lawful basis (UK GDPR)
Provide the Service to you | Account info, job data, device data | Contract (Art 6(1)(b))
Send job reminder push notifications | Push token, job data | Contract (Art 6(1)(b))
Send security alerts (new login etc.) | Email, IP, device | Legitimate interest (Art 6(1)(f)) — keeping your account secure
Detect fraud and abuse | Device data, IP | Legitimate interest
Comply with HMRC and Companies House obligations | Invoice + tax data | Legal obligation (Art 6(1)(c))
Send product updates and tips by email | Email address | Consent (Art 6(1)(a)) — opt-in only, unsubscribe any time
Anonymous usage statistics | Crash reports, anonymised page views | Legitimate interest

4. Where your data is stored

All AutoLock data is stored on infrastructure located in the United Kingdom (AWS London region, eu-west-2). Database hosting is provided by Supabase, who process data under our written instructions.

We do not transfer your data outside the UK or the EEA.


5. Who we share your data with

We share data only with the following processors, all of whom are contractually bound by UK GDPR:

Processor | What they do | Where they're based
Supabase | Database + photo storage | UK (eu-west-2)
Stripe | Subscription payment processing | UK / Ireland
Firebase Cloud Messaging | Push notification delivery | EU
Postmark | Transactional email (sign-up, password reset) | EU

We never sell your data. We never share it with advertisers or data brokers. We never use it to train AI models.

We may disclose data when legally required — for example, if served a valid court order or if HMRC requests it. We will tell you about such requests unless we are forbidden from doing so by law.


6. How long we keep your data

Data type | Retention
Active account data | While your account exists
Closed account — job + invoice history | 7 years (HMRC requirement)
Crash reports | 90 days
Login audit logs | 12 months
Marketing email list | Until you unsubscribe

If you close your account, your customers' personally identifying information (names, addresses, phone numbers) is deleted within 30 days. Anonymised job statistics may be retained indefinitely.


7. Your rights under UK GDPR

You have the right to:

  1. Access — get a copy of the data we hold on you
  2. Rectification — correct anything that's wrong
  3. Erasure — ask us to delete your data ("right to be forgotten")
  4. Restriction — limit how we use it
  5. Portability — get your data in a machine-readable format
  6. Object — to processing based on legitimate interest
  7. Withdraw consent — for anything we process on consent
  8. Complain — to the Information Commissioner's Office (ICO) at https://ico.org.uk if you think we've handled your data badly

To exercise any of these rights, email support@autolock.online. We respond within 30 days. There is no charge for reasonable requests.


8. Children

AutoLock is a business tool. We do not knowingly collect data from anyone under 18. If you believe a child has given us their data, contact us and we will delete it immediately.


9. Cookies and tracking technologies

The AutoLock web app uses:

  • Essential cookies — to keep you logged in. We don't ask consent for these because the law allows them without consent.
  • No analytics cookies — we do not use Google Analytics or any third-party tracker.
  • No advertising cookies — none, ever.

The mobile app uses local storage (IndexedDB) to keep your data available offline. This is not a tracker — it never leaves your device unless you explicitly sync.


10. Security

We protect your data with:

  • TLS 1.3 encryption for all data in transit
  • AES-256 at rest in Supabase
  • Hashed passwords (bcrypt)
  • Two-factor authentication (optional, recommended)
  • Regular security reviews
  • Access controls — only authorised AutoLock staff can access production systems, and only when troubleshooting your reported issue

If a data breach happens that affects you, we will notify you within 72 hours of becoming aware, as required by UK GDPR.


11. Changes to this policy

We may update this policy. If we make material changes (anything that affects your rights or the data we process) we will email you and show a notice in the app. Continued use after the change date means you accept the new policy.


12. Contact

AutoLock
support@autolock.online
https://autolock.online

If you have a complaint we cannot resolve, you can contact the ICO:

  • Information Commissioner's Office
  • Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
  • 0303 123 1113
  • https://ico.org.uk