bitstream/fuel-alert
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

Update legal pages with ICO registration, query logging, push notifications, and automated recommendations disclosure
Some checks are pending
linter / quality (push) Waiting to run
Details
tests / ci (8.3) (push) Waiting to run
Details
tests / ci (8.4) (push) Waiting to run
Details
tests / ci (8.5) (push) Waiting to run
Details

Browse Source 
- Add ICO registration reference (00014395133) to privacy policy, terms of service, and refund policy
- Document search/query logging (hashed IP, location, fuel type, result count) with 24-month retention under legitimate interests
- Add push notification data section (OneSignal endpoints, encryption keys, preferences) to privacy policy
- Add new section on automated recommendations explaining fill-up timing algorithm is informational only without legal effects
- Clarify IP address collection context: security/abuse/fraud only, not individual profiling
- Update retention periods: security logs 12 months, query logs 24 months, push subscriptions until unsubscribe
- Expand data processor descriptions (OneSignal push data, Umami cookieless commitment)
- Add commercial use restrictions to terms: no scraping, mirroring, or republishing compiled data/rankings without permission
- Clarify downstream data aggregator role and upstream data feed limitations
- Add prohibition on using service while operating motor vehicle
- Remove annual billing references (monthly only)
- Add VAT status notice and downgrade-to-free-tier behavior on cancellation
- Add data controller contact details to privacy policy footer
This commit is contained in:
Ovidiu U
2026-06-10 13:15:43 +01:00
parent ad2230728c
commit 8fe3461adf
3 changed files with 113 additions and 46 deletions
Download Patch File Download Diff File Expand all files Collapse all files

89
resources/views/legal/privacy.blade.php
View File

@@ -13,8 +13,8 @@
is the <strong>data controller</strong> for personal data collected through this service.
</p>
<p>
As the data controller, Ovidiu Ungureanu is registering with the UK Information
Commissioner's Office (ICO). Our registration number will be published here once issued.
Ovidiu Ungureanu is registered with the UK Information Commissioner's Office (ICO) as a
data controller. <strong>ICO registration reference: 00014395133.</strong>
</p>
<p>
If you have any questions about this policy or how we handle your personal data, contact us at
@@ -31,8 +31,8 @@
<h3 class="font-semibold text-zinc-900">Contact data for alerts</h3>
<p>
If you opt in to WhatsApp or SMS alerts, your mobile phone number. We collect it only to
send the alerts you have requested, and only after you confirm the number through an
opt-in step.
send the alerts you have requested, and only after you verify the number through a
one-time passcode (OTP) sent to that number.
</p>
<h3 class="font-semibold text-zinc-900">Location data</h3>
@@ -64,6 +64,15 @@
</li>
</ul>
<h3 class="font-semibold text-zinc-900">Search and query logs</h3>
<p>
When you search for stations or prices, we log the approximate search location, fuel
type selected, result count, timestamp, a one-way hashed IP address, and basic device
information (browser type, device type). We use these logs for abuse prevention,
troubleshooting, and aggregate service statistics. We do not use them to build a profile
of your individual behaviour. Logs are retained for a maximum of 24 months.
</p>
<h3 class="font-semibold text-zinc-900">Payment data</h3>
<p>
Payment card details are collected and processed by <strong>Stripe</strong>, our payment
@@ -72,16 +81,25 @@
renewal date).
</p>
<h3 class="font-semibold text-zinc-900">Push notification data</h3>
<p>
If you opt in to push notifications via OneSignal, we store your push subscription
endpoint (a browser-specific URL), the encryption keys needed for secure message
delivery, and your notification preferences. This data is retained until you unsubscribe,
revoke browser permission, or your subscription becomes stale.
</p>
<h3 class="font-semibold text-zinc-900">Usage data</h3>
<p>
Features you use, queries you make, and alerts you configure used to deliver the
service and improve it.
Features you use and alerts you configure used to deliver the service and improve it.
</p>
<h3 class="font-semibold text-zinc-900">Technical data</h3>
<p>
IP address, browser type and version, device type, and operating system used for
security, fraud prevention, and basic analytics.
IP address, browser type and version, device type, and operating system. IP address is
collected alongside account actions and searches for security, abuse prevention, and
fraud detection (lawful basis: legitimate interests, Art. 6(1)(f)). We do not use IP
addresses to identify you as an individual in any other context.
</p>
<h3 class="font-semibold text-zinc-900">Marketing preferences</h3>
@@ -97,7 +115,8 @@
<li><strong>Finding stations near you on request (device location)</strong> &mdash; consent (Art. 6(1)(a)), given through your browser's location permission and withdrawable at any time.</li>
<li><strong>Storing your saved location as a registered user</strong> &mdash; contract (Art. 6(1)(b)).</li>
<li><strong>Payment processing</strong> &mdash; contract (Art. 6(1)(b)).</li>
<li><strong>Security and fraud prevention</strong> &mdash; legitimate interests (Art. 6(1)(f)).</li>
<li><strong>Security, abuse prevention, and fraud detection (including IP address logging)</strong> &mdash; legitimate interests (Art. 6(1)(f)).</li>
<li><strong>Search and query logging for aggregate statistics and troubleshooting</strong> &mdash; legitimate interests (Art. 6(1)(f)).</li>
<li><strong>Aggregated, non-identifying analytics and product improvement</strong> &mdash; legitimate interests (Art. 6(1)(f)).</li>
<li><strong>Marketing emails</strong> &mdash; consent (Art. 6(1)(a)). You can withdraw consent at any time.</li>
</ul>
@@ -118,7 +137,19 @@
</section>
<section class="space-y-3">
<h2 class="font-display text-2xl font-bold text-zinc-900">5. Who we share data with</h2>
<h2 class="font-display text-2xl font-bold text-zinc-900">5. Automated recommendations</h2>
<p>
FuelAlert generates fill-up timing recommendations (for example, "fill up now" or "wait")
using an algorithm that analyses local price trends, historical patterns, and market
signals. These recommendations are <strong>informational only</strong> and are produced
automatically without human review. They do not have legal or similarly significant
effects on you, and we do not use them to make decisions that affect your rights or
interests in any material way.
</p>
</section>
<section class="space-y-3">
<h2 class="font-display text-2xl font-bold text-zinc-900">6. Who we share data with</h2>
<p>We use the following processors to deliver the service. We do not sell your data to anyone.</p>
<ul class="list-disc space-y-2 pl-6">
<li>
@@ -131,15 +162,17 @@
<strong>Umami Analytics</strong> &mdash; we run our own self-hosted Umami instance to
collect aggregated, cookieless usage metrics (pages viewed, referrer, country, device
type). It does not store data that identifies you as an individual, and no analytics
data is shared with third parties.
data is shared with third parties. We periodically review our analytics setup to
confirm it remains cookieless; if this changes we will update our Cookie Policy and
request consent before setting any non-essential cookies.
</li>
<li><strong>Vonage</strong> &mdash; delivers WhatsApp and SMS alerts if you opt in to those channels. Your phone number is shared only to send messages you have requested. See <a class="text-accent underline" href="https://www.vonage.co.uk/legal/privacy-policy/" target="_blank" rel="noopener">Vonage's privacy policy</a>.</li>
<li><strong>OneSignal</strong> &mdash; delivers web push notifications if you opt in to push alerts. See <a class="text-accent underline" href="https://onesignal.com/privacy_policy" target="_blank" rel="noopener">OneSignal's privacy policy</a>.</li>
<li><strong>OneSignal</strong> &mdash; delivers web push notifications if you opt in to push alerts. Push subscription data (endpoint, encryption keys, device type) is processed by OneSignal on our behalf. See <a class="text-accent underline" href="https://onesignal.com/privacy_policy" target="_blank" rel="noopener">OneSignal's privacy policy</a>.</li>
</ul>
</section>
<section class="space-y-3">
<h2 class="font-display text-2xl font-bold text-zinc-900">6. International transfers</h2>
<h2 class="font-display text-2xl font-bold text-zinc-900">7. International transfers</h2>
<p>
Some of our processors &mdash; including Stripe, Vonage and OneSignal &mdash; operate
outside the UK and EEA, including in the United States. Where personal data is transferred
@@ -150,18 +183,22 @@
</section>
<section class="space-y-3">
<h2 class="font-display text-2xl font-bold text-zinc-900">7. How long we keep data</h2>
<h2 class="font-display text-2xl font-bold text-zinc-900">8. How long we keep data</h2>
<ul class="list-disc space-y-1 pl-6">
<li><strong>Active account data:</strong> for as long as your account is open, plus 12 months after closure.</li>
<li><strong>Saved location (registered users):</strong> while your account is active; deleted when you delete your account.</li>
<li><strong>Alert and notification preferences:</strong> while your account is active; deleted when you close your account or remove the preference.</li>
<li><strong>Push notification subscriptions:</strong> until you unsubscribe, revoke browser permission, or the subscription becomes stale.</li>
<li><strong>Payment records:</strong> 6 years, to meet HMRC requirements for self-employed traders.</li>
<li><strong>Marketing data:</strong> until you withdraw consent.</li>
<li><strong>Logs and analytics:</strong> a maximum of 24 months.</li>
<li><strong>Security and fraud logs (including IP records):</strong> a maximum of 12 months.</li>
<li><strong>Search and query logs:</strong> a maximum of 24 months.</li>
<li><strong>Aggregated analytics:</strong> retained indefinitely in anonymised, non-identifiable form only.</li>
</ul>
</section>
<section class="space-y-3">
<h2 class="font-display text-2xl font-bold text-zinc-900">8. Your rights under UK GDPR</h2>
<h2 class="font-display text-2xl font-bold text-zinc-900">9. Your rights under UK GDPR</h2>
<p>You have the following rights in relation to your personal data:</p>
<ul class="list-disc space-y-1 pl-6">
<li><strong>Right of access</strong> &mdash; ask for a copy of the data we hold about you.</li>
@@ -170,7 +207,7 @@
<li><strong>Right to restrict processing</strong> &mdash; ask us to pause processing in certain circumstances.</li>
<li><strong>Right to data portability</strong> &mdash; receive your data in a machine-readable format.</li>
<li><strong>Right to object</strong> &mdash; object to processing based on legitimate interests.</li>
<li><strong>Rights related to automated decision-making</strong> &mdash; we do <strong>not</strong> make solely automated decisions with legal or similarly significant effects on you.</li>
<li><strong>Rights related to automated decision-making</strong> &mdash; our fill-up timing recommendations are generated algorithmically but are informational only and do not have legal or similarly significant effects on you.</li>
<li><strong>Right to withdraw consent</strong> &mdash; where we rely on consent (for example, device location or marketing).</li>
</ul>
<p>
@@ -181,7 +218,7 @@
</section>
<section class="space-y-3">
<h2 class="font-display text-2xl font-bold text-zinc-900">9. Cookies</h2>
<h2 class="font-display text-2xl font-bold text-zinc-900">10. Cookies</h2>
<p>
We use only a small number of essential cookies to operate the service, and self-hosted,
cookieless analytics. Full details are in our
@@ -190,7 +227,7 @@
</section>
<section class="space-y-3">
<h2 class="font-display text-2xl font-bold text-zinc-900">10. Security</h2>
<h2 class="font-display text-2xl font-bold text-zinc-900">11. Security</h2>
<p>
All traffic between your device and our service is encrypted with HTTPS. Passwords are
stored as one-way hashes &mdash; we never see your plaintext password. Sensitive fields in
@@ -201,7 +238,7 @@
</section>
<section class="space-y-3">
<h2 class="font-display text-2xl font-bold text-zinc-900">11. Children</h2>
<h2 class="font-display text-2xl font-bold text-zinc-900">12. Children</h2>
<p>
FuelAlert is not directed at children. We do not knowingly collect data from anyone under
16. If you believe a child has provided us with personal data, contact us and we will
@@ -210,7 +247,7 @@
</section>
<section class="space-y-3">
<h2 class="font-display text-2xl font-bold text-zinc-900">12. Complaints</h2>
<h2 class="font-display text-2xl font-bold text-zinc-900">13. Complaints</h2>
<p>
We hope you'll contact us first if you have a complaint, so we can try to put it right.
You also have the right to lodge a complaint with the UK Information Commissioner's Office
@@ -223,7 +260,7 @@
</section>
<section class="space-y-3">
<h2 class="font-display text-2xl font-bold text-zinc-900">13. Changes to this policy</h2>
<h2 class="font-display text-2xl font-bold text-zinc-900">14. Changes to this policy</h2>
<p>
We may update this policy from time to time. If we make material changes we will notify
registered users by email. Non-material changes will be shown by an updated "Last updated"
@@ -232,10 +269,14 @@
</section>
<section class="space-y-3">
<h2 class="font-display text-2xl font-bold text-zinc-900">14. Contact</h2>
<h2 class="font-display text-2xl font-bold text-zinc-900">15. Contact</h2>
<p>
For any privacy queries, email
For any privacy or data protection queries, email
<a href="mailto:hello@fuel-alert.co.uk" class="text-accent underline">hello@fuel-alert.co.uk</a>.
</p>
<p class="text-sm text-zinc-600">
Data controller: Ovidiu Ungureanu trading as FuelAlert, Peterborough, United Kingdom.
ICO registration reference: 00014395133.
</p>
</section>
</x-layouts.legal>