Legal
Privacy Policy
How we collect, use, store, and protect your personal data.
Last updated: 24 March 2026
1. Who we are
PassReady is operated by StagHill Software Ltd, a company registered in England, based in Sudbury, Suffolk. We are the data controller for personal data processed through the PassReady platform at passready.co.uk.
ICO registration number: [To be added — registration pending]
If you have any questions about this policy or your data, contact us at hello@staghillsoftware.co.uk.
2. What data we collect
We collect the following personal data depending on how you use PassReady:
Instructor accounts
- Full name and email address
- Phone number
- Business information (ADI badge number, areas covered, pricing)
- Vehicle data (make, model, year, MOT/tax/insurance expiry dates)
- Payment information processed via Stripe (we never see your full card or bank details)
- Expense and income records
Student accounts
- Full name and email address
- Phone number
- Pickup postcode and address
- Provisional licence details
- Lesson booking history and progress data
- Payment information processed via Stripe
- Test date and test centre
Waitlist signups
- Name, email address, and teaching area
3. Why we collect your data
We use your data for the following purposes:
- Service delivery — to operate the booking platform, connect instructors with students, and process lessons
- Booking management — to schedule lessons, manage cancellations, and track progress
- Payment processing — to process payments through Stripe and manage refunds
- Email notifications — to send booking confirmations, lesson reminders, cancellation notices, and account-related emails via Brevo
- Dispute resolution — to investigate and resolve payment disputes and chargebacks
- Fraud prevention — to identify and prevent fraudulent activity, including maintaining records of banned accounts
- Legal obligations — to retain financial records as required by HMRC
- Platform improvement — to understand how the platform is used and improve it
4. Legal basis for processing
Under UK GDPR, we process your data on the following legal bases:
| Purpose |
Legal basis |
| Operating the platform for instructors and students |
Contract performance (Article 6(1)(b)) |
| Processing payments via Stripe |
Contract performance (Article 6(1)(b)) |
| Sending transactional emails (reminders, confirmations) |
Contract performance (Article 6(1)(b)) |
| Retaining financial records for HMRC |
Legal obligation (Article 6(1)(c)) |
| Retaining dispute and chargeback records |
Legal obligation (Article 6(1)(c)) |
| Fraud prevention (banned account records) |
Legitimate interest (Article 6(1)(f)) |
| Platform analytics and improvement |
Legitimate interest (Article 6(1)(f)) |
| Marketing communications |
Consent (Article 6(1)(a)) |
5. How we use Stripe
All payments on PassReady are processed by Stripe, a PCI Level 1 certified payment processor. This is the highest level of payment security certification available.
When you make a payment or set up a Stripe Connect account:
- Your card details are entered directly into Stripe's secure payment form
- We never see, store, or have access to your full card number, CVV, or bank details
- Stripe processes the payment and sends us only a confirmation with a transaction reference
- Stripe may store your payment details under their own privacy policy
For more information, see Stripe's Privacy Policy.
6. Data sharing and sub-processors
We share your data only with the following third parties, and only as necessary to operate the platform:
| Sub-processor |
Purpose |
Data processed |
| Stripe |
Payment processing |
Payment details, transaction data. Stripe acts as an independent data controller for payment data. |
| Firebase / Google Cloud |
Hosting, database, authentication |
All platform data. Google acts as a data processor under their Cloud Data Processing Addendum. |
| Brevo |
Transactional email delivery |
Name, email address, booking details for email content. Brevo acts as a data processor on our behalf. |
We do not:
- Sell your personal data to anyone
- Share your data with third-party marketing companies
- Use your data for advertising purposes
7. International data transfers
Our primary infrastructure runs on Firebase (Google Cloud), EU region. Some data may be processed in other jurisdictions by our sub-processors:
- Stripe processes payment data in accordance with their global privacy framework and is certified under the UK Extension to the EU-US Data Privacy Framework.
- Google Cloud data is stored in the EU region. Google's Cloud Data Processing Addendum includes Standard Contractual Clauses for any transfers outside the UK/EEA.
- Brevo processes email data in the EU.
All transfers are protected by appropriate safeguards as required by UK GDPR.
8. Data retention
- Active accounts — your data is retained for as long as your account is active
- Inactive accounts — if your account has been inactive for 2 years, we will delete your personal data
- Financial records — transaction records, invoices, and expense data are retained for 6 years after the relevant tax year, as required by HMRC
- Dispute and chargeback records — retained for 6 years from the date of the dispute, as required for financial record-keeping under UK law
- Banned user data — where an account has been banned for fraudulent activity, we retain enough data (name, email, payment identifiers) to prevent re-registration. This is processed under legitimate interest (Article 6(1)(f) UK GDPR) and is retained indefinitely for fraud prevention purposes
- Account deletion — you can request immediate deletion of your account and data at any time (see Section 9), subject to the retention periods above
9. Your rights
Under UK GDPR, you have the following rights:
- Right of access — request a copy of all personal data we hold about you
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your data (subject to legal retention requirements)
- Right to restriction — request that we limit how we process your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interest
You can exercise your rights directly through the PassReady platform (account settings include data export and account deletion), or by emailing hello@staghillsoftware.co.uk.
We will respond to all data rights requests within 30 days. Data exports requested by email will be provided within 14 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
10. Under 18s
PassReady may be used by students under the age of 18 (learner drivers can start lessons from age 17). Where a student is under 18:
- Parental or guardian consent is required to create an account
- The student controls whether their progress data is shared with parents or guardians
- We collect only the minimum data necessary to operate the booking service
11. Cookies and local storage
PassReady uses only essential cookies required for the platform to function:
- Firebase Auth session cookie — keeps you logged in. This is strictly necessary and does not require consent under UK GDPR.
We do not use:
- Google Analytics or any analytics cookies
- Facebook Pixel or any advertising cookies
- Any third-party marketing or tracking cookies
For full details, see our Cookie Policy.
12. Data controller
The data controller for PassReady is:
StagHill Software Ltd
Sudbury, Suffolk
ICO registration: [To be added — registration pending]
Email: hello@staghillsoftware.co.uk
Website: passready.co.uk
13. Changes to this policy
We may update this privacy policy from time to time. If we make significant changes, we will notify you by email or through a notice on the platform. The "last updated" date at the top of this page will always reflect the most recent version.
14. Contact
If you have any questions about this privacy policy, your data, or your rights, contact us at:
StagHill Software Ltd
Sudbury, Suffolk
hello@staghillsoftware.co.uk