Reco privacy policy, cookie policy & data processing agreement

Last updated: February 2026

This document sets out how HYBRID ATHLETE CLUB LTD (trading as Reco) ("Reco", "we", "us", "our") collects, uses, processes, and protects personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Company details

Legal entity: HYBRID ATHLETE CLUB LTD (t/a Reco)
Company number: 15049462
Registered address: Chalice House, Bromley Road, Elmstead, Colchester, England, CO7 7BY
Email: team@recoengine.co.uk

Reco acts as a Data Controller for account and marketing data, and a Data Processor when processing data on behalf of its customers.

2. Scope

This policy applies to:

Users of the Reco platform
Customers (dealerships)
Website visitors
Prospective customers

3. Types of data we collect

3.1 Account & contact data

Name
Email address
Phone number
Dealership name

3.2 Authentication data

3.3 Behavioural & usage data

Platform interactions (clicks, views, selections)
Search activity
Preferences and feedback
Usage patterns

3.4 Technical data

IP address
Device type
Browser type

3.5 User input data

Notes, feedback, and manually entered data

4. Purposes of processing

We process data for the following purposes:

4.1 Service delivery

Account creation and authentication
Providing platform access
Generating recommendations

4.2 Product functionality

Analysing behaviour to generate recommendations
Building user profiles (“Buyer DNA”)

4.3 Product improvement

Enhancing recommendation accuracy
Improving system performance

4.4 Customer support

Responding to enquiries
Resolving issues

4.5 Communications

Service updates
Marketing communications (where applicable)

4.6 Analytics

Understanding platform usage
Improving user experience

5. Legal basis for processing

Under UK GDPR, we rely on:

Contract (Article 6(1)(b))

To provide the Reco service.

Legitimate interest (Article 6(1)(f))

To:

Improve our platform
Analyse usage
Enhance recommendations

Consent (Article 6(1)(a))

For:

Marketing communications (where required)

6. Automated processing & profiling

Reco uses automated processing to generate recommendations. This includes:

Analysing behavioural data
Identifying purchasing patterns
Ranking vehicle listings

This profiling:

Does not produce legal effects
Does not make binding decisions

All purchasing decisions remain the responsibility of the user.

7. “Buyer DNA” (profiling)

Reco creates a behavioural model (“Buyer DNA”) based on:

Purchase history
User behaviour
Preferences

This is used solely to:

Improve recommendations
Enhance relevance

This constitutes profiling under UK GDPR, but does not involve automated decision-making with legal or significant effects.

8. Third-party processors

We use the following processors:

Supabase – authentication
Zume – hosting infrastructure
Google Analytics & Amplitude – analytics
Brevo – email communications
Stripe – payments

All processors:

Are contractually bound
Comply with data protection laws

9. Data storage & transfers

Data is stored in the UK/EU (London region)
We do not transfer data outside the UK/EU without safeguards
Where required, appropriate safeguards (e.g. SCCs) will be implemented

10. Data retention

We retain data:

During the active account period
For up to 90 days after termination

Exceptions:

Financial records (retained for legal compliance)
Security logs (retained where necessary)

12. Data subject rights

You have the right to:

Access your data
Correct inaccurate data
Request deletion
Restrict processing
Object to processing
Data portability

Requests can be made via team@recoengine.co.uk. We respond within 30 days.

13. Security measures

We implement appropriate technical and organisational measures:

Secure authentication via Supabase
Password hashing (no plain-text storage)
Token-based sessions (1-hour expiry)
Access controls
Infrastructure security

We follow industry-standard security practices.

14. Cookies policy

Reco currently does not use cookies for tracking or marketing.

If cookies are introduced, they will fall into:

Essential cookies
Analytics cookies
Performance cookies

Users will:

Be notified
Provide consent where required

15. Children’s data

Reco is not intended for use by individuals under 18.

We do not knowingly collect data from children.

16. Changes to this policy

We may update this policy from time to time.

Where changes are material, users will be notified.

17. Data processing agreement (DPA)

This section forms a binding agreement where:

Customer = Controller
Reco = Processor

17.1 Scope

Reco processes personal data only:

To provide services
In accordance with customer instructions

17.2 Nature of processing

Collection
Storage
Analysis
Recommendation generation

17.3 Categories of data

Contact data
Behavioural data
Technical data

17.4 Confidentiality

Reco ensures:

Personnel are bound by confidentiality
Data access is restricted

17.5 Security

Reco implements:

Encryption
Secure authentication
Access controls
Monitoring

17.6 Sub-processors

Reco uses:

Supabase
Zume
Google Analytics
Amplitude
Brevo
Stripe

Reco operates a general authorisation model and may update sub-processors with notice.

17.7 International transfers

Data is stored in the UK/EU.

Where transfers occur, appropriate safeguards are applied.

17.8 Data subject rights assistance

Reco will assist the Customer in fulfilling:

Access requests
Deletion requests
Correction requests

17.9 Data breach notification

Reco will notify the Customer within 72 hours of becoming aware of a breach.

17.10 Audit rights

Customers may:

Request reasonable evidence of compliance
Review security practices

17.11 Data deletion

Upon termination:

Data is deleted within 90 days
Unless legally required to retain

18. Contact

For all privacy-related queries:

team@recoengine.co.uk