SERMI Vault

Privacy Policy

Last updated: 21 May 2026

SERMI Vault is a compliance workspace for automotive workshops. It helps workshops create repair order records, attach evidence documents, export compliance packages and, where enabled, upload completed packages to the workshop's own Google Drive.

SERMI Vault is independent. We are not affiliated with, endorsed by, approved by, or part of SERMI UK, SERMI EU, the Institute of the Motor Industry, the Independent Garage Association, or any organisation involved in governing, administering, approving, auditing or enforcing SERMI policy. The service exists to help independent workshops capture repair records and evidence for their own compliance processes.

Who controls the data

For workshop account data, billing administration, service security and support, SERMI Vault acts as the data controller. For repair order records, customer identity details and evidence handled through the service, the workshop is normally the data controller and SERMI Vault acts as a processor providing the software on the workshop's instructions.

Workshops are responsible for deciding what customer data they enter, their lawful basis for doing so, the privacy information they give to their customers, how long records are kept and how exported records are stored.

Information we store

We store the information needed to operate the service, including account email addresses, workshop names, billing email addresses, subscription status, Stripe customer or subscription identifiers, repair order form data, audit log activity, Google Drive connection status and Google Drive connection tokens where Drive Auto Upload is enabled.

Repair order form data may include vehicle details, registration numbers, VIN details, customer names, identity document type, identity reference number, keeper details, fleet or lease details, declarations and completion status.

Information we do not store

We do not store full payment card numbers, bank details or card security codes. Payments, subscriptions and invoices are processed by Stripe.

Uploaded identity, ownership and evidence files are not stored in our application database as part of normal local export use. They are stored in the user's browser storage on that device until the user removes them, clears browser storage or exports them. If Drive Auto Upload is used, those files are transmitted through SERMI Vault only to upload the completed package to the workshop's connected Google Drive. We do not intentionally retain copies of those uploaded evidence files on our own storage.

How we use information

Information is used to provide the SERMI Vault service, authenticate users, keep repair order records available to the relevant workshop, create PDF and ZIP exports, support subscription billing, operate Google Drive uploads, maintain security, record audit activity and respond to support requests.

Our usual lawful bases for account, billing and service administration are contract, legitimate interests and legal obligation. Repair order and customer record processing is carried out on the workshop's instructions, and the workshop is responsible for its own lawful basis for that customer data.

Access to workshop records

Workshop records are separated by account. We do not sell workshop data, and we do not use repair order records or uploaded evidence for advertising. We do not routinely browse workshop repair orders. Access to production systems is restricted, and any exceptional access to workshop information is limited to what is necessary for support requested by the workshop, security, abuse prevention, legal obligations, service maintenance or incident investigation.

Google Drive

If a workshop connects Google Drive, SERMI Vault uses the Google Drive permission granted by the user to create a SERMI Compliance folder and upload completed compliance package files to that workshop's Drive. We store Google connection tokens so the app can maintain the connection and perform uploads. The workshop is responsible for choosing the correct Google account and for managing sharing, access permissions, retention and security inside its own Google Drive.

Cookies and browser storage

SERMI Vault uses essential authentication cookies to keep users signed in and a short-lived Google OAuth state cookie when connecting Google Drive. These are required for the service to work. The app also uses browser storage, including IndexedDB, to hold uploaded evidence files locally on the user's device before export or Drive upload. We do not currently use advertising cookies or analytics cookies that profile users.

Service providers

We use service providers to operate the product, including Vercel for hosting and deployment, Supabase for authentication and database services, Stripe for payments and billing, Google for Drive upload and OAuth services, and GitHub for private source code hosting. These providers process information only as needed to deliver their services to us or to the workshop.

International processing

Some service providers may process information outside the United Kingdom or European Economic Area. Where this happens, we rely on the safeguards offered by those providers, such as adequacy decisions, standard contractual clauses or equivalent lawful transfer mechanisms.

Security

We use account authentication, row-level access controls, restricted administrative access, server-side service keys and audit logging to help protect workshop data. No internet service can guarantee perfect security. Workshops should use strong passwords, keep account access limited and store downloaded exports or Google Drive folders securely.

Retention and deletion

Repair order form data remains available to the workshop until it is deleted through the product or the account is closed, subject to any legal, billing, security or audit retention we are required to keep. Account, subscription, audit and security records may be retained where needed for service administration, legal compliance, accounting, fraud prevention or dispute handling.

Evidence files held in browser storage remain on the user's device until the user removes them, clears browser storage or changes device/browser. Google Drive files remain in the workshop's own Google Drive until the workshop deletes or manages them there. Disconnecting Google Drive removes the active connection from SERMI Vault but does not delete files already uploaded to the workshop's Drive.

Marketing and advertising

If we introduce sponsored placements or advertising in the future, they will be general placements inside the service. Advertisers will not receive workshop repair orders, customer records, identity details or evidence files, and we will not use repair order data to target adverts.

Your rights

Depending on the context and applicable law, individuals may have rights to access, correct, delete, restrict or object to processing of their personal data. Where a request relates to a workshop's customer or repair order record, we may direct the individual to the relevant workshop because that workshop controls the record.

If you are unhappy with how personal data is handled, you can contact us first. You may also have the right to complain to the Information Commissioner's Office at ico.org.uk/make-a-complaint.

Contact

For privacy questions, contact admin@yorkshirevwagretrofits.co.uk.