Legal

Privacy Policy

Effective date: 30 April 2026

This policy explains what personal information forDocSake handles, why, and what rights you have. It is written in plain language and is not legal advice.

1. Who we are

forDocSake is a software service that helps independent auto dealerships manage vehicle inventory, track deal expenses, generate dealership paperwork — including purchase agreements, AS-IS disclosures, customer privacy notices, and Oregon DMV bills of sale — and store those documents securely in the cloud.

The service is operated by forDocSake Ltd, a company registered in England and Wales (company number 17166802), with a service address at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom. You can reach us at admin@fordocsake.com for any privacy question, request, or complaint.

2. Scope of this policy

We handle personal information for two different groups, and our legal role differs:

  • Dealership users - the dealers who visit our site, sign up, or subscribe. For their personal information, we are the controller.
  • Buyers and transaction contacts - the individuals whose information a dealership enters into forDocSake to generate documents. For that information, the dealership is the controller and we act as a processor on the dealership's behalf.

If you are a vehicle buyer asking about your information, please contact the dealership you bought from. They control that data; we process it for them.

3. What we collect

We collect only what we need to run and secure the service.

From dealership users

  • Account information - name, work email, dealership name, and for paid plans, billing details.
  • Uploaded branding and settings - dealership logos, addresses, license numbers, and similar materials you choose to upload. Logos are stored in a private cloud storage bucket.
  • Payment information - handled by Stripe. Card numbers and similar payment credentials are collected and stored by Stripe, not by us. We receive limited billing status and tokenized references. See Stripe's privacy policy for their handling.
  • Google sign-in information - if you choose Google to sign in, your request is handled via Supabase's authentication service. Google shares your name, email address, and a Google account ID with Supabase, which passes the result to us. We do not receive your Google password.
  • Support correspondence - if you email us, we keep the message and our reply.

From dealers' use of the app

  • Referral information - each dealership account is assigned a unique referral code. If you refer another dealership, we record that relationship and track any referral credits earned on your account. Referral codes are not shared publicly beyond what you choose to share yourself.
  • Buyer and transaction details - buyer name, mailing address, city, state, zip, county, phone numbers (home, work, and mobile), and email address; co-signer name and mailing address (city, state, zip) where applicable; VIN; vehicle details (year, make, model, color, odometer, stock number, condition); sale price, down payment, service contract amounts, additional products or accessories, and itemised fees (title, registration, processing fee, and others). This information is used by the dealership to generate documents and is stored for later retrieval.
  • Generated documents - the PDF document packets generated from each deal (purchase agreement, AS-IS disclosure, customer privacy notice, Oregon DMV bill of sale) are stored in a private, access-controlled cloud storage bucket. They remain available for download by the dealership for as long as the account is active.
  • Sensitive identifiers - the service is not designed to collect Social Security numbers, driver's license numbers, or similar sensitive identifiers. If a dealership chooses to enter this information (for example, in a notes field), we treat it as sensitive and apply the safeguards described in section 8. Dealerships should only enter this information where they have a lawful basis to do so.

Automatically, from your browser

  • Technical and security data - standard server and hosting logs such as IP address, browser and device details, and requested pages. We use this to keep the service available, diagnose problems, and prevent abuse.
  • Analytics and advertising data from the public site - if you allow optional cookies, we may collect page views, referral details, campaign parameters, ad click identifiers such as gclid, wbraid, gbraid, and fbclid, consent status, and interactions with sign-up links. Google tags may also send limited cookieless signals while consent is denied so Google can receive consent state and model aggregate performance without setting ad or analytics cookies.

4. How we use it

  • To provide the service, including generating and storing documents.
  • To process payments and manage subscriptions, including referral credits.
  • To respond to support requests and service notices.
  • To maintain, secure, and improve the product.
  • To measure traffic, understand campaign performance, and run advertising where you have allowed optional cookies.
  • To prevent abuse, fraud, and unauthorized access.
  • To comply with legal, tax, and regulatory obligations.

We do not use Customer Data (the information dealers enter about their buyers and transactions) to train machine-learning models, and we do not sell personal information for money.

6. Sharing

We share personal information only with service providers who help us operate, and only to the extent needed:

  • Stripe - payment processing, subscription billing, and customer billing portal (United States).
  • Supabase - database, authentication, dealer profile data, uploaded dealer logos (stored in the private "logos" bucket), and generated PDF documents (stored in the private "documents" bucket) (infrastructure in the United States).
  • Railway - API server and application hosting (United States).
  • Vercel - website and frontend hosting (United States).
  • Google - if you choose Google sign-in, the OAuth flow is handled via Supabase's authentication service. Google shares your name, email address, and account ID with Supabase, which passes the result to us. We do not receive your Google password. We also use Google Tag Manager, Google Analytics, and Google Ads on the public site to manage tags, measure traffic, and measure advertising performance subject to your consent choices (United States and other locations where Google processes data).
  • Meta - Meta Pixel may be used on the public site to measure Meta advertising performance and support targeted advertising, but only after marketing consent is granted (United States and other locations where Meta processes data).
  • Email provider - transactional and support email.
  • NHTSA (National Highway Traffic Safety Administration) - VIN decoding. When a dealer enters a VIN, it is submitted to the public NHTSA API solely to return vehicle year, make, and model. Only the VIN itself is transmitted; no personal information is sent. The NHTSA API requires no account or API key. See the NHTSA privacy policy at nhtsa.gov.

We may also disclose information if legally required, or if needed to protect our rights, property, safety, or those of our users.

We do not sell personal information for money. If you allow marketing cookies, our use of advertising pixels and ad platforms may be considered targeted advertising or a "share" under some US state privacy laws. You can opt out through the "Your Privacy Choices" link in the footer.

7. International transfers

forDocSake Ltd is based in the United Kingdom and most of our dealership customers are in the United States. Depending on where you are, your data may be transferred to and processed in the UK, the United States, or the EEA.

Where data leaves the UK or EEA, we rely on the UK-US Data Bridge, the EU-US Data Privacy Framework, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or Standard Contractual Clauses, as appropriate to each provider.

8. Security safeguards

We use reasonable technical and organizational measures to protect personal information:

  • Encryption in transit (TLS) and at rest.
  • Role-based access controls and least-privilege administration.
  • Multi-tenant isolation so each dealership only accesses its own data.
  • Private, access-controlled object storage for logos and generated documents — files are not publicly accessible.
  • Logging and monitoring of administrative activity.
  • Routine review of our subprocessors and security posture.
  • Incident response procedures, including notification of affected dealers without undue delay if a breach affecting their data occurs.

No service can be perfectly secure. Please use a strong password and keep your credentials private.

A note for dealerships: if your business arranges financing, you may be subject to the US Gramm-Leach-Bliley Act Safeguards Rule or similar rules. forDocSake does not currently process financing documents or credit applications, and you should not enter that information into the service. You remain responsible for your own compliance with GLBA, state privacy laws, and the privacy notices you give to your buyers.

9. Retention

  • Account information - kept while your account is active and for up to 90 days after cancellation, then deleted.
  • Customer Data (buyer and transaction data, co-signer information, deal financials, and stored PDF documents in the documents bucket) - kept while your account is active. For 30 days after cancellation you may export it. At 90 days after cancellation we hard-delete it from live systems, including stored files. Backups containing deleted data are overwritten on routine rotation within approximately 35 days of deletion.
  • Referral records - kept while your account is active and for 90 days after cancellation, consistent with other account data.
  • Support messages - kept for up to 2 years for quality and reference.
  • Financial and tax records - kept for 7 years as required by UK tax law.

A dealership may request earlier deletion of specific Customer Data by contacting us.

10. Your rights

UK, EEA, and Swiss residents

Under the UK GDPR and EU GDPR, you may have rights to:

  • Access your personal information.
  • Correct inaccurate or incomplete information.
  • Delete your information in certain circumstances.
  • Restrict or object to certain processing.
  • Port your information to another provider.
  • Withdraw consent you previously gave.
  • Complain to the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority.

Oregon residents (OCPA)

Under the Oregon Consumer Privacy Act, you may have rights to:

  • Confirm whether we process your personal data and access it.
  • Correct inaccurate personal data.
  • Delete personal data you provided to us or we obtained about you.
  • Receive a portable copy of your personal data.
  • Obtain a list of the categories of third parties we have shared personal data with.
  • Opt out of the sale of personal data, targeted advertising, and certain profiling. We do not sell personal data for money; if optional advertising technologies are enabled, you can opt out of targeted advertising through "Your Privacy Choices" in the footer.

California residents (CCPA/CPRA)

Under the California Consumer Privacy Act, you may have rights to:

  • Know what personal information we collect and how we use it.
  • Access and receive a copy of your personal information.
  • Correct inaccurate personal information.
  • Delete personal information, subject to legal exceptions.
  • Opt out of the sale or sharing of personal information. We do not sell personal information for money; if optional advertising technologies are enabled, you can opt out of sharing for cross-context behavioral advertising through "Your Privacy Choices" in the footer.
  • Be free from discrimination for exercising your rights.

Other US state residents

If you live in a US state with a comprehensive privacy law, you may also have rights to access, correct, delete, or limit certain uses of personal information.

How to exercise your rights

Email admin@fordocsake.com from the address associated with your account. We may need to verify your identity before acting on certain requests, and we will respond within the timeframes required by applicable law (generally 30 to 45 days). You may authorize an agent to make a request on your behalf.

If you are a buyer whose data was entered by a dealership, please contact that dealership first - they control your data and are the right first stop.

You can withdraw optional analytics or marketing consent at any time by using "Cookie Preferences" or "Your Privacy Choices" in the footer. Where required, we also respect browser-based opt-out signals such as Global Privacy Control for targeted advertising choices.

11. Cookies and tracking

Public marketing site. We use a consent banner to let you control optional analytics and advertising technologies on the public site. Strictly necessary technologies are used to keep the site secure, remember your consent choice, and provide core page functionality.

Analytics. If you allow analytics, Google Analytics may measure page views, referral sources, campaign parameters, and interactions with sign-up links so we can understand site performance.

Marketing and advertising. If you allow marketing, Google Ads and Meta Pixel may be used to measure ad performance, attribute visits to campaigns, and support targeted advertising. We may pass campaign parameters and click IDs such as gclid, wbraid, gbraid, and fbclid from the public site to the sign-up page so the app can later attribute conversions.

Google Consent Mode. We default optional analytics and advertising storage to denied until you make a choice. Google tags may still send limited cookieless pings while consent is denied to communicate consent state and support aggregate conversion modelling, but ad and analytics cookies are not granted unless you consent.

You can change your choice at any time through "Cookie Preferences" or "Your Privacy Choices" in the footer. Rejecting optional cookies does not prevent standard hosting and security logs from being created when you load the site.

Inside the signed-in app. We use a small number of strictly necessary cookies so the service works:

  • A session cookie to keep you logged in.
  • Origin-based request validation is used to protect against cross-site request forgery; no separate CSRF token cookie is set.
  • A preference cookie that remembers small UI settings.

12. Children

forDocSake is a business tool for licensed dealerships. The service is not directed to children under 18, and we do not knowingly collect personal information from children. If you believe a child has given us personal information, contact us and we will delete it.

13. Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify active account holders by email and post a notice in the service. The effective date at the top of this page always reflects the current version.

14. Contact and complaints

Privacy questions, requests, or complaints can be sent to admin@fordocsake.com.

  • UK residents may complain to the UK Information Commissioner's Office at ico.org.uk .
  • Oregon residents may contact the Oregon Attorney General's office.
  • California residents may contact the California Privacy Protection Agency or the California Attorney General's office.
  • Other US residents may contact their state Attorney General.