← All legal documents

Privacy Notice

Last updated: 15 July 2026

This notice explains how CarSpark collects, uses, shares, and retains personal data belonging to drivers who pay for parking through CarSpark, and hosts who run car parks on CarSpark. It applies wherever you interact with CarSpark — scanning a QR sign, paying for a session, using the host dashboard, or using the warden view.

1. Who we are

CarSpark is operated by Cú Chulainn Tech Limited, a private company limited by shares, incorporated in the Republic of Ireland, incorporated 2 April 2026 (registration number CRO 812722). Registered office: Farrannamoreen, Glasson, Athlone, Co. Westmeath, N37 W215, Ireland.

For the purposes of data protection law, Cú Chulainn Tech Limited is the controller of the personal data described in this notice, except where this notice says a host is the controller (see section 6).

Privacy contact: [email protected](this alias is being set up; if it hasn't gone live yet, use the contact details on the /legal index page), attention [[PRIVACY CONTACT NAME]]. A statutory Data Protection Officer is not required at CarSpark's current scale — this is a named privacy contact, not a DPO.

2. Scope of this notice

This is one notice covering both audiences CarSpark serves, with sections clearly marked:

  • Drivers — anyone who scans a CarSpark QR sign and pays for parking, with or without leaving an email address.
  • Hosts — the car park operator/business that signs up for a CarSpark account, connects a Stripe account, and uses the dashboard, sign generator, and warden view.

CarSpark is launched Ireland-first. Irish drivers and hosts are covered by the EU GDPR as implemented in Ireland; UK drivers and hosts (should CarSpark operate in the UK) are covered by UK GDPR and the Data Protection Act 2018 — both regimes are materially the same, and this notice flags the handful of places they differ.

3. What we collect

We collect the following categories of personal data:

  • Vehicle registration marks (VRMs). A VRM is personal data — it can be linked to a registered keeper — and we treat it as such throughout our systems, this notice, and our retention policy, even though it is not itself a name or an account.
  • Incident photos. If a host logs an incident (an unpaid or overstayed vehicle) they may attach a photo of the vehicle and its plate. These are personal data and may incidentally capture people or other vehicles in shot.
  • Optional driver email, if a driver chooses to receive an email receipt, a calendar reminder link, or a session-extend link.
  • Vehicle enrichment data — make, model, colour, year, and county, looked up from the reg via third-party government sources (see section 5). This is derived, not collected from the driver directly.
  • Host account data — name, business/site details, and email. Identity verification and payout/bank details are collected directly by Stripe as part of Stripe Connect onboarding — CarSpark does not collect or store this data itself (see section 6).
  • Technical data — IP address, device/browser information, warden-token access logs, rate-limiting and anti-fraud telemetry (see our Acceptable Use Policy and the anti-quishing measures referenced there), and general request logs.

What we never see: full card or payment-wallet details. Card data is entered directly into Stripe's payment element and goes straight to Stripe — it never passes through, or is visible to, CarSpark.

4. Why we use it, and our lawful basis

Each use of personal data has a specific purpose and legal basis:

  • Taking payment, issuing proof-of-payment, and receipts — necessary to perform our contract with the driver for the payment/proof service (Article 6(1)(b)). Note this is the contract for the payment service specifically; the parking contract itself is between the driver and the host, not CarSpark (see our Driver Terms).
  • VRM enrichment, the live dashboard, warden checks, rate-limiting, and anti-fraud/anti-quishing telemetry— our legitimate interest in operating a safe, functional payment platform and helping hosts see which vehicles are paid (Article 6(1)(f)). We have weighed this against drivers' and hosts' interests and consider it proportionate: the data used is limited to the VRM and session state, retention is time-bound (section 8), and drivers can always park without engaging with enrichment at all.
  • Optional email receipts, calendar reminders, and extend links — we only use an email address a driver chooses to give us, for the purpose they gave it for (contract/consent, Article 6(1)(a)/(b)). No email is collected unless offered.
  • Incident records and photos— CarSpark holds these under legitimate interest, as the platform providing the storage and log utility. The host's own use of that record for enforcement rests on the host's own lawful basis, which is the host's responsibility, not ours (see section 6).

No special category data is processed, and CarSpark does not carry out automated decision-making with legal or similarly significant effects (Article 22). Showing a driver "Silver Volkswagen Golf" is an indicative confirmation display, not a decision made about them, and is never relied on for payment or enforcement.

5. Vehicle data and enrichment sources

To show a helpful vehicle description (and to help hosts identify vehicles), CarSpark looks up a submitted reg against government vehicle data sources:

  • UK regs — the DVSA MOT History API. Contains public sector information licensed under the Open Government Licence v3.0.
  • Irish regs— the Irish Department of Transport's public "Check My Vehicle" service.

In both cases the VRM is sent to the relevant government source to retrieve make, model, colour and similar details. Lookups are cached permanently, platform-wide, once made for a given reg (one lookup per unique reg, ever) — this reduces load on these free public services and speeds up the driver page. If a lookup fails or a source is unavailable, the core product still works fully: no vehicle description is shown, and payment is unaffected.

6. Who we share data with

CarSpark shares personal data with a small number of named recipients, never for their own marketing purposes:

  • Stripe(payment processing, host identity verification/KYC, and payouts) — Stripe is based in the US; see section 7 for how this transfer is safeguarded. Stripe acts as the merchant of record on the host's own connected account; CarSpark itself never holds driver payment data.
  • Cloudflare (DNS, content delivery, email routing and sending, and backups) — also a US-based recipient; see section 7.
  • Hetzner (application and database hosting, within the EU) — no international transfer for our primary data store.
  • DVSA MOT History API (UK government) and the Irish "Check My Vehicle" service (Department of Transport) — recipients of the VRM lookup query described in section 5.
  • Hosts — a host sees the paid-vehicle list, reg search results, and incident log for their own site(s), and anyone the host shares a warden-view token with.

Hosts are independent controllers, not our processors.CarSpark determines the purposes and means of the platform processing described in this notice — collecting the VRM, enriching it, retaining and anonymising sessions, issuing proof-of-payment tokens, and running anti-fraud telemetry. A host does not instruct CarSpark to do any of this on the host's behalf, so CarSpark is not the host's processor. Equally, CarSpark and a host are not jointcontrollers, because they act for different purposes on the same underlying data: CarSpark's purpose is operating the payment platform; a host's purpose, when it uses the paid list, warden view, or incident log to decide whether to pursue an overstaying or unpaid vehicle, is enforcing its own parking terms on its own land. Under GDPR guidance, parties that process shared data for genuinely different purposes are separate, independent controllers, not joint controllers. Each host must therefore have its own lawful basis and its own transparency information for how it uses CarSpark-supplied data for enforcement, and must not use it unlawfully (for example, to issue parking charges without proper accreditation — see our Host Terms). This exact position is stated identically in our Host Terms.

7. International transfers

Stripe and Cloudflare both transfer some personal data to the United States. Both companies self-certify under the EU–US Data Privacy Framework, and its UK extension (the UK–US Data Bridge), and both maintain Standard Contractual Clauses (and the UK International Data Transfer Addendum) as a fallback safeguard. CarSpark relies on this adequacy framework, with the contractual fallback in place, for these transfers. We are aware the EU–US Data Privacy Framework has an ongoing legal challenge in progress at EU level; if the adequacy decision were ever withdrawn, the contractual safeguards (SCCs/UK IDTA) already in place with Stripe and Cloudflare would continue to apply.

8. How long we keep it

  • Session records, including the VRM — retained for approximately 13 months, after which the reg/VRM fields are anonymised. The anonymised record may be kept for aggregate reporting (e.g. host revenue history) without identifying a vehicle.
  • Incident photos and records — kept on the same retention and anonymisation schedule as session records.
  • Vehicle enrichment cache — kept indefinitely, keyed to the VRM. Once decoupled from any live driver session, we treat this as vehicle reference data rather than an active driver record, but a VRM is still, in principle, capable of being linked to a person, so we will delete cached entries on a substantiated request (section 9).
  • Host account data— kept for the life of the host's account, plus a reasonable period after closure for legal and accounting purposes.
  • Financial/tax records (anything forming part of the payment audit trail) — kept for 6 years, in line with UK and Irish tax record-keeping requirements.

9. Your rights

Subject to the usual legal conditions and exemptions, you have the right to: access the personal data we hold about you; have inaccurate data corrected; have data erased; restrict or object to our processing; and receive a portable copy of data you provided under contract or consent. To exercise any of these, email [email protected]. We aim to respond within one month.

Because most drivers use CarSpark without ever creating an account, we identify a driver's record by VRM and/or the unique session/proof-of-payment token — please include enough of this information in your request for us to locate the relevant record.

10. Source of data

Most data is collected directly from you (your reg, optional email, any incident details a host adds). Vehicle enrichment data (make/model/colour/year/county) comes from the third-party government sources named in section 5, not from you directly. Incident photos may be taken by a host, not by you.

11. Cookies and on-device storage

We use a small number of cookies and local-storage items, described in full in our Cookie & Storage Notice. In short: a host login/session cookie is strictly necessary; a driver's remembered reg and proof-of-payment link are stored only on their own device, never sent to our servers except when needed to complete a payment or show a proof-of-payment page.

12. Automated decisions and children

CarSpark does not make any decision about you using automated processing that has a legal or similarly significant effect. Enrichment display (e.g. "Silver Volkswagen Golf") is indicative only, shown back to a driver as a typo-catching confirmation, and is never used to accept, reject, or price a payment.

CarSpark is not directed at children. We expect users of the driver flow to be adult vehicle keepers or drivers, and hosts to be adults running a business.

13. Complaints

You can always contact us first at [email protected] with any privacy complaint, and we will acknowledge it within 30 days.

Ireland (primary, for our launch): Irish data subjects can complain to the Data Protection Commission (DPC), the supervisory authority for CarSpark at launch — dataprotection.ie.

If you operate in / park in the UK (applies if/when CarSpark operates in the UK — not required for the Ireland-first launch): UK data subjects can complain to the Information Commissioner's Office (ICO). UK law requires you to complain to CarSpark first and give us a chance to respond before escalating to the ICO. CarSpark's ICO data-protection fee registration number will be published here once CarSpark operates in the UK: [[ICO REGISTRATION NUMBER]].

14. Changes to this notice

We will update this notice as CarSpark's data practices evolve, and will update the "Last updated" date above whenever we do.