Car Show Expert
Sign in Get started

Privacy Policy

Last updated: May 2026

Car Show Expert ("we", "us", or "our") is a car show management platform operated by Alan Macfarlane. This Privacy Policy explains what personal information we collect, why we collect it, how we use it, and the choices you have. We aim to be clear and direct — if you have any questions, email us at privacy@carshowexpert.com.

This policy applies to personal information we process as a data controller (for example, organiser account data). It does not govern the processing of show registrant data submitted through car show registration forms — the organiser who runs that show is the data controller for that data. If you have questions about how your registration data is being used, please contact the organiser of the relevant show directly.

1. Who we are

Car Show Expert is operated by Alan Macfarlane. For the purposes of UK data protection law (UK GDPR and the Data Protection Act 2018), Alan Macfarlane is the data controller for personal data collected from account holders.

Contact: privacy@carshowexpert.com

2. The controller/processor distinction

Important

Car Show Expert operates in two different capacities depending on whose data is involved. For organiser account data — we are the data controller. For registrant data collected through show registration forms — the organiser is the data controller and we act as the data processor on their behalf. This policy covers our role as controller. Registrants should contact the relevant organiser about how their data is used.

Data we control: organiser account data

When an organiser creates an account, we collect and control that data. This policy sets out how we handle it.

Data we process on organisers' behalf: registrant data

When an organiser uses our platform to collect data from show entrants, volunteers, vendors, or spectators, we store and process that data under the organiser's instructions. The organiser is the data controller; we are the data processor. We do not use registrant data for our own purposes. Organisers are required under our Terms of Service to have a lawful basis for collecting registrant data and to provide registrants with an appropriate privacy notice.

3. Information we collect

Organiser account data

When you create an organiser account we collect:

  • Name and email address
  • Password (stored as a one-way bcrypt hash — we never have access to your password in plain text)
  • Organisation or club name and subdomain
  • Billing information — card details are processed and held by Stripe; we store only a payment method reference and billing status, not card numbers

Show and event data

When you create and manage shows through our platform, we collect data you enter including show details, class lists, entry type configuration, judging criteria, and any custom fields you set up. This data is associated with your account and processed on your behalf.

Show registrant data (processed on organisers' behalf)

When someone registers for a show through a public registration form, data is collected on behalf of the organiser and may include:

  • Name, email address, and phone number
  • Vehicle details (year, make, model, colour, description)
  • Selected entry type, class, and registration preferences
  • Responses to any custom fields the organiser has configured
  • Check-in status and assigned car number
  • Judging scores (where digital judging is used)
  • People's Choice votes (anonymised)

This data is held on behalf of and controlled by the organiser. Please refer to the organiser's own privacy notice for information about how they use your registration data.

Show notification subscribers

If you subscribe to show notifications (alerts about upcoming car shows), we collect:

  • Email address and name
  • Postcode or zip code (used to calculate distance to shows)
  • Latitude and longitude derived from your postcode (stored to power distance-based filtering)
  • Notification preferences (instant alerts, weekly digest, or both)

Usage and technical data

We collect standard server and access logs including IP addresses, browser type and version, operating system, pages visited, and timestamps. We use this data to maintain and improve the Service, diagnose problems, and detect abuse. We do not use this data for advertising targeting. Log data is processed by Cloudflare's infrastructure, which means requests may be handled at edge nodes located globally.

4. How we use your information

We use the personal data we control for the following purposes, together with our lawful basis under UK GDPR:

  • To provide and operate the Service — processing is necessary to perform our contract with you (UK GDPR Art. 6(1)(b))
  • To process payments via Stripe — necessary to perform our contract with you
  • To send transactional emails (account confirmations, password resets, billing receipts, subscription notifications) — necessary to perform our contract with you
  • To send show notification emails (alerts and weekly digests) to subscribers who have opted in — based on your consent (UK GDPR Art. 6(1)(a)), which you can withdraw at any time
  • To respond to support and legal requests — our legitimate interest in operating the business (UK GDPR Art. 6(1)(f))
  • To improve and develop the platform based on aggregated usage patterns — our legitimate interest in improving our Service
  • To comply with legal obligations — for example, retaining billing records as required by law (UK GDPR Art. 6(1)(c))

We do not sell your personal information. We do not use your data for advertising targeting on third-party platforms. We do not use registrant data submitted through show registration forms for any purpose other than providing the Service to the organiser.

5. Sharing your information

We do not sell, rent, or trade personal information. We share data only with the following trusted service providers who help us operate the platform, and only to the extent necessary to provide the Service:

  • Supabase — database hosting and authentication. Data is stored on Supabase's infrastructure. See Supabase's privacy policy
  • Cloudflare — edge computing and infrastructure. Your requests are processed through Cloudflare's global network of edge servers. See Cloudflare's privacy policy
  • Resend — transactional email delivery. Email content and recipient addresses are passed to Resend for delivery. See Resend's privacy policy
  • Stripe — payment processing. Stripe processes card transactions independently and is subject to its own privacy and data handling policies. See Stripe's privacy policy

We may also disclose personal data if required to do so by law, court order, or regulatory authority, or to protect the safety of users or third parties or the integrity of the Service.

We do not share your data with any other third parties except as described above.

6. International data transfers

The Service is operated using infrastructure that may process data globally. In particular:

  • Cloudflare processes requests through edge nodes worldwide, including outside the UK and EEA
  • Supabase stores data on servers located in the United States
  • Resend may process email data in the United States

Where personal data is transferred outside the UK or EEA, we rely on appropriate safeguards including standard contractual clauses approved by the UK Information Commissioner (or the European Commission, as applicable), or adequacy decisions where available. You may contact us at privacy@carshowexpert.com to request further information about the specific transfer mechanisms we rely on.

7. Email communications

We send two categories of email:

  • Transactional emails — these are necessary to operate the Service and include account confirmations, password resets, billing receipts, subscription change notifications, and (for organisers) alerts about their shows. You cannot opt out of transactional emails while your account is active
  • Show notification emails — alerts and weekly digests sent only to people who have explicitly subscribed to show notifications. Every notification email includes a one-click unsubscribe link. You can also update your preferences at any time by clicking the link in any notification email

Emails are delivered through Resend. We do not track whether you open individual transactional emails, though Resend may collect delivery and bounce data for operational purposes.

8. Data retention

  • Organiser account data — retained while your account is active. If you delete your account, we will remove your personal data within 30 days, except where we are required to retain it for legal or regulatory reasons (for example, billing records may be retained for up to 7 years)
  • Registrant data — retained for as long as the organiser's account is active and as instructed by the organiser. Organisers can delete individual registrations at any time. If an organiser deletes their account, associated registrant data is deleted within 30 days
  • Show notification subscriber data — retained until you unsubscribe or request deletion
  • Server and access logs — retained for up to 90 days for operational and security purposes
  • Billing records — retained for 7 years as required by law

9. Your rights

If you are located in the UK or European Economic Area, you have the following rights in relation to your personal data:

  • Right of access — you can request a copy of the personal data we hold about you
  • Right to rectification — you can ask us to correct inaccurate or incomplete data
  • Right to erasure — you can ask us to delete your personal data in certain circumstances
  • Right to restriction — you can ask us to restrict how we use your data in certain circumstances
  • Right to data portability — you can request your data in a structured, machine-readable format
  • Right to object — you can object to processing based on legitimate interests
  • Right to withdraw consent — where processing is based on your consent (for example, show notification emails), you can withdraw consent at any time without affecting the lawfulness of prior processing

To exercise any of these rights, email privacy@carshowexpert.com. We will respond within 30 days. We may need to verify your identity before processing your request.

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

Note: If your request relates to show registrant data (data you submitted through a car show registration form), you should contact the organiser of the relevant show — they are the data controller for that data, not us.

10. Cookies

We use a small number of cookies strictly necessary to operate the Service:

  • Session cookie — keeps you authenticated while you are logged in to your organiser account
  • CSRF token — a security token that protects against cross-site request forgery attacks

We do not use advertising cookies, analytics cookies that track your behaviour across third-party websites, or any other non-essential cookies. Because we use only strictly necessary cookies, we are not required to seek cookie consent, though you should be aware these cookies are set when you use the Service.

11. Security

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures including:

  • All connections to the Service use HTTPS (TLS encryption)
  • Passwords are hashed using bcrypt and are never stored or transmitted in plain text
  • Access to production systems and databases is restricted and audited
  • We use Cloudflare's infrastructure, which provides DDoS protection and additional network-level security

No system is completely secure. We cannot guarantee the absolute security of your data. If you suspect a security vulnerability or data breach, please contact us immediately at security@carshowexpert.com. We will notify affected users and the ICO where required by law.

12. Children's privacy

The organiser dashboard is not directed at children under 13, and we do not knowingly collect personal information from children under 13 through the account registration process. If we become aware that a child under 13 has created an account, we will delete it promptly.

Show registration forms may be submitted by, or on behalf of, entrants of any age. In those cases the organiser is the data controller and is responsible for complying with applicable rules regarding the collection of children's personal data.

If you believe a child has submitted data to us inappropriately, please contact privacy@carshowexpert.com and we will investigate promptly.

13. Links to other websites

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read the privacy policy of any website you visit.

14. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes that affect your rights or how we use your data, we will notify account holders by email before the changes take effect. The "Last updated" date at the top of this page will always reflect the most recent revision.

Your continued use of the Service after changes take effect constitutes acceptance of the revised policy. If you do not agree with the changes, you should stop using the Service and, if applicable, delete your account.

15. Contact and complaints

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:

If you are not satisfied with our response to a privacy concern, you have the right to complain to the UK Information Commissioner's Office (ICO):