Privacy Policy.

Published by: Arroket Intelligence Ltd
Version: 1.6
Effective date: 12 June 2026
Hosted at: ridervaultapp.co.uk/privacy
General contact: admin@arroketintelligence.com
Security and data-protection contact: security@arroketintelligence.com

Plain English summary

This is a summary. Full legal detail follows in the numbered sections below.

Rider Vault is a motorcycle management app. We collect and use your data solely to provide you with the service — nothing more.

We hold your email address so you have an account. Your bike details, service history, and photos stay on your device — we don't keep them on our servers.
We use your vehicle registration number to look up MOT, tax (VED), and recall data from official government sources when you open the app.
We don't ask for your VIN or V5C reference number. We don't need them, so we don't collect them.
We do not sell your data or share it with advertisers or use it for profiling.
You can delete your account and all your data from within the app at any time.
The account data we do hold is stored in the United Kingdom.
For general queries and data subject rights requests, contact admin@arroketintelligence.com. For security and data-protection matters — including suspected data breaches — contact security@arroketintelligence.com.

1. Who we are

Arroket Intelligence Ltd ('we', 'us', 'our') is the data controller for personal data processed through Rider Vault (the mobile application and any associated service). Registered in England and Wales.

Registered address

71–75 Shelton Street, Covent Garden, London, WC2H 9JQ

Company No.

17137573

General contact

admin@arroketintelligence.com

Security and data-protection contact

security@arroketintelligence.com

ICO registered

C1907107

2. What data we collect and why

We collect only what is necessary to deliver the service. Each category below states what we collect, why, and the lawful basis under UK GDPR.

2.1 Account credentials

Rider Vault uses Sign in with Apple as the only way to access your account. Your Apple ID is the credential that opens your account.

Authentication assets we hold: a stable per-app Apple identifier (an opaque string supplied by Apple when you sign in) and a session token. Both are necessary to keep you signed in and to associate your account with the data you put in the app. The Apple identifier is used solely to look up your account on sign-in; it is not used for advertising, profiling, or any purpose beyond authentication. Lawful basis: Art. 6(1)(b) — Performance of contract.

Authentication assets we do not hold: no password, no recovery key or any fragment of one, no recovery share, no biometric template, no device-pair token, and no behavioural profile. Recovery of access runs through your Apple ID, not through us. The full position is set out in our Recovery Policy at ridervaultapp.co.uk/recovery-policy.

Authentication-derived signals — not collected. Geolocation patterns from sign-in events, device-pair patterns, session timing patterns, and behavioural signatures are not collected, not transmitted, not stored, and not used as inputs to any scoring or assessment the App produces. This is a deliberate non-collection decision recorded in our internal compliance log.

2.2 Vehicle data

Data

Purpose

Lawful Basis

Registration (plate)

Used to query the DVLA Vehicle Enquiry Service and DVSA MOT History APIs for tax status, MOT history, and recall information on your behalf. The lookup runs on demand — when you open the app — and the registration number is passed to our server only to make that real-time request; it is not stored on our servers as a per-user record. The registration number is the sole vehicle identifier we use.

Art. 6(1)(b)

Make, model, year, variant

Entered by you and held on your device. Used to build your bike profile and to calculate your health score. Sent to our server only momentarily to compute a score, and not stored there.

Art. 6(1)(b)

Purchase date, current mileage

Entered by you and held on your device. Used for service-interval calculations and your health score, on the same momentary, not-stored basis.

Art. 6(1)(b)

VIN and V5C reference number — not collected. We do not ask for, transmit, or store either identifier. Neither is required to query the DVLA or DVSA APIs (both query on registration number only), and the legal change-of-vehicle-ownership process is handled by DVLA via the V5C document — not by Rider Vault. This is a deliberate data minimisation choice.

2.3 Service and maintenance records

Service logs you enter — service type, date, mileage, workshop, and notes — are stored on your device only. When a health score is calculated, a derived figure (such as distance since last service) may be sent to our server momentarily for that calculation; the service notes themselves are never transmitted to, or stored on, our servers. These records are not parsed for advertising or profiling. They are used solely to generate your health scores and reminders, on your device.

2.4 Photographs

Optional. If added, photos are stored on your device only using secure on-device storage. Photo files never reach our servers, and no filename, reference, or photo metadata is stored on our servers — photos and their details stay on your device. EXIF metadata (which may include GPS location) is stripped before the photo is written to device storage.

2.5 Location data

Rider Vault uses location in one limited way today, and one planned way in future:

On-device weather (active). With your permission, the app uses your device location to fetch local weather for display. This location is used on your device and is not sent to Arroket or any third party in a way that lets them keep it. The permission prompt states this. Because the location is processed on-device and not transmitted to us, we do not "collect" it.

GPS mileage tracking (future update — not yet active). When GPS mileage tracking is introduced, explicit consent will be required, only derived mileage figures will be stored (not raw GPS coordinates), and consent can be withdrawn from Settings at any time.

2.6 Crash and error data (Sentry)

Crash logs collected via Sentry for app reliability. Configured for crash reporting only — not behavioural analytics. Device identifiers are not linked to user accounts. Retained for 90 days. Does not constitute tracking under Apple ATT rules. Lawful basis: Art. 6(1)(f) — Legitimate interests.

3. How we use your data

Delivering the service

Calculating your health score, checking MOT/tax/recall status via government APIs when you open the app, and surfacing upcoming expiries and reminders.

Account management

Authentication, subscription state tracking, and customer support. Payments are handled by Apple via In-App Purchase; we do not process payment information.

App reliability

Crash reporting via Sentry. No behavioural analytics.

Legal compliance

Retaining records as required by UK law.

We do not use your data for advertising, profiling, behavioural targeting, or any purpose beyond operating the service. We do not sell your data.

4. Data architecture and security

Where your data lives

Your bike profile, service history, and photos are held on your device, not on our servers. The account data we do hold is stored in the United Kingdom (London region, AWS eu-west-2). No cross-border transfer outside UK or EEA.

Photo storage

On-device only. Photo files never reach our servers.

Vehicle identifiers — data minimisation

Registration number is the sole vehicle identifier we collect. VIN and V5C reference number are not collected, transmitted, or stored.

Database isolation

Row-level security is enabled on every table. Each user can access only their own data. Enforced at the database level independent of application controls.

Session tokens

Authentication tokens are held in iOS Secure Enclave-backed storage with short access-token lifetimes and refresh token rotation.

Breach notification

Users notified within 72 hours per UK GDPR Art. 33/34 in the event of a relevant breach.

No ad tracking

Rider Vault does not use ad networks, cross-app tracking, or behavioural profiling. Apple ATT not triggered.

5. Third-party data processors

All processors have been selected with UK data residency and security in mind.

Processor

Purpose

Data and Residency

Supabase

Database and authentication hosting

UK (AWS eu-west-2). Processes email and account/authentication data (the Apple identifier, session tokens, and membership/trial status). Registration numbers pass through only transiently for a real-time lookup. Bike profile, service records, and photos are not stored — they are held on your device.

Railway

API server hosting (Fastify backend)

Processes registration numbers in transit only; no persistent personal data storage.

Sentry

Crash reporting

May receive device identifiers. Crash-reporting only; not linked to user accounts.

Apple (App Store)

App distribution, subscriptions, and payment processing

Apple's terms apply to users directly. Subscription payments are handled entirely by Apple via In-App Purchase; we receive no card or payment information.

DVLA (VES API)

Vehicle data query — government API

Receives registration number only. Returns vehicle data. No other account data transmitted to DVLA.

DVSA (MOT History API)

MOT history query — government API

Receives registration number only. Returns MOT history. No other account data transmitted to DVSA.

MET Norway (met.no)

Rider-facing weather display

Queried device-direct by coordinates; your location is used on-device and not sent to Arroket. Data used under Creative Commons Attribution 4.0 (CC BY 4.0).

Open-Meteo

Weather input to the scoring engine

Queried server-side to feed the health-score engine's environmental input. No account data sent.

6. Data retention

Account data

Retained for the life of the account. Deleted within 30 days of account deletion.

Service records

Held on your device. Removed when you delete them in-app or uninstall the app. Not retained on our servers.

Crash logs (Sentry)

90 days.

DVLA / DVSA lookups

Looked up on demand and shown to you; not retained on our servers as a per-user record.

Photos

On-device only. Removed when the user deletes photos or uninstalls the app.

7. Your rights

You have the following rights under UK GDPR. To exercise any right, contact admin@arroketintelligence.com or use the in-app controls where indicated. We will respond within 30 days. Security or data-protection enquiries — including suspected breaches — should be sent to security@arroketintelligence.com.

Access (SAR)

Request a copy of all personal data we hold about you. Email admin@arroketintelligence.com.

Rectification

Correct inaccurate data. Most data is self-serviceable directly within the app.

Erasure

Delete your account and all personal data via Settings > Delete Account (two-step confirmation). Also available by email. Data removed within 30 days. Irreversible.

Restriction

Request that processing be restricted while a dispute is resolved. Contact us by email.

Data portability

You can save a portable backup file of your data from within the app (Settings > Save a backup file) and restore it on a new device; on-device backup (iCloud and a portable backup file) is provided. For a copy to transfer to another service, email admin@arroketintelligence.com and we will provide your data in a structured, machine-readable electronic format within 30 days.

Object

Object to processing based on legitimate interests (e.g. crash analytics). Contact us by email.

Withdraw consent

On-device weather location, and (Phase 9, not yet active) GPS mileage: withdrawable from app Settings at any time without affecting prior lawful processing.

Complain to ICO

If we cannot resolve a complaint: ico.org.uk · 0303 123 1113 · Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

8. Government and data-source attribution

Vehicle and MOT data displayed within the app is sourced from official UK government APIs and is reproduced with permission:

Contains public sector information licensed under the Open Government Licence v3.0.

DVLA Vehicle Enquiry Service · DVSA MOT History API

Rider-facing weather is supplied by MET Norway (met.no) and is used under the Creative Commons Attribution 4.0 International Licence (CC BY 4.0). Attribution is shown wherever weather is displayed.

9. Changes to this policy

We will notify registered users of material changes via the email address on their account. The current version is always available at ridervaultapp.co.uk/privacy. Continued use of the app after notification constitutes acceptance of the revised policy.

10. Contact us

General queries and data subject rights requests

admin@arroketintelligence.com

Security and data-protection enquiries (including suspected breaches)

security@arroketintelligence.com

Registered address

71–75 Shelton Street, Covent Garden, London, WC2H 9JQ

Company No.

17137573