PRIVACY POLICY
1. INTRODUCTION
You are reading the Carsmart Limited (“Carsmart” or “we” or “us”) privacy
policy (“Policy”). Carsmart respects your privacy and is committed to protecting
your Personal Data. This Policy will inform you as to how we look after your
Personal Data when you contact us, when you do business with us, or when you
otherwise engage with us, or we engage with you, including visiting the Website, or
making enquiries of us, or when we market our goods and services to you, and will tell you
about your privacy rights and how the law protects you.
Please ensure that
you read this Policy in conjunction with the Website’s Terms of Use, as located at
trycarsmart.com/Privacypolicy.
2. DEFINITIONS AND INTERPRETATION
In this Policy, the following definitions are used:
Data:
means, collectively, all information that you submit to Carsmart by means
of the Website, or any other means. This definition incorporates, where applicable,
the definitions provided in the Data Protection Laws;
Data Protection Laws:
means any applicable law relating to the processing of Personal Data,
including but not limited to the Directive 96/46/EC (Data Protection Directive) or
the GDPR, and any national or international implementing laws, regulations and
secondary legislation;
GDPR:
means the General Data Protection Regulation (EU) 2016/679;
Personal Data:
has the meaning assigned to it in clause 4 of this Policy;
Website:
means the website that you are currently using, www.trycarsmart.com, and
any sub-domains of this site unless expressly excluded by their own terms and
conditions; and
you/your:
means any third party that accesses the Website and is not either (i)
employed by Carsmart and acting in the course of their employment or (ii) engaged as
a consultant or otherwise providing services to Carsmart and accessing the Website
in connection with the provision of such services.
3. IMPORTANT INFORMATION AND WHO WE ARE
Purpose of this Policy
This Policy aims to give you information on how Carsmart collects and
processes your Personal Data when you interact with us, or when we interact with
you.
It is important that you read this Policy together with any other
policy or notice we may provide on specific occasions when we are collecting or
processing Personal Data about you so that you are fully aware of how and why we are
using your Data.
This Policy was issued on 12/12/2024.
Children and Minors
Carsmart does not knowingly collect or solicit Personal Data from children
and minors. Anyone under the age of eighteen (18) will not be knowingly allowed to
register for any service on the Website or to purchase any products or service on
the Website.
If you are under eighteen (18), please do not attempt to
register on the Website or send any Personal Data to us. This is information about
yourself, including your name, e-mail or home address, house telephone number,
mobile number or other contact details. No one under the age of eighteen (18) may
provide any personal information to the Website or receive any services on
Carsmart’s Website.
In the event that we become aware or informed that we
have collected Personal Data from a child under the age of eighteen (18) without
verification of parental consent, we will delete that information as quickly as
possible.
Data Controller
For purposes of the applicable Data Protection Laws, Carsmart is the "Data
Controller". This means that Carsmart determines the purposes for which, and the
manner in which, your Data is processed, and undertakes to abide by and act in
accordance with all relevant Data Protection Laws in such capacity. If you have any
questions about this Policy, including any requests to exercise your legal rights,
please contact Carsmart using the details set out below.
Contact Details
Our full details are:
Full name of legal entity: Carsmart Limited
Name of responsible internal team: Data Protection and Privacy Team
Email address: customerservices@trycarsmart.com
Postal address: 128 City Road, London, EC1V 2NX
Third-Party Links
Our Website may include links to third-party websites, plug-ins and
applications. Clicking on those links or enabling those connections may allow third
parties to collect or share Data about you. We do not control these third-party
websites and are not responsible for their privacy statements. When you leave the
Website, we encourage you to read the Policy of every website you visit.
4. THE DATA WE COLLECT ABOUT YOU
“Personal Data”, or personal information, means any
information about an individual from which that person can be identified. It does
not include Data where the identity has been removed (anonymous Data).
We
may collect, use, store and transfer different kinds of Personal Data about you
which we have grouped together as follows:
· Identity Data includes
first name, last name, customer code or identifier, title, date of birth and gender.
· Contact Data includes
billing address, delivery address, email address and telephone numbers.
· Financial Data includes
bank account and payment card details.
· Transaction Data includes
details about payments to and from you and other details of products and services
you have purchased from us.
· Profile Data includes
purchases or orders made by you, the nature of your business, your business
interests, preferences, feedback and survey responses.
· Usage Data includes
information about how you use the Website, products and services.
· KYC Data includes
information about the source of funds you may use to purchase products or services
from us, credit scores, reputation in the market, and other Data we require in order
to verify your suitability as a client or supplier for us, and in deciding whether
we may need some additional safeguards when doing business with you.
· Marketing and Communications
Data includes your preferences in receiving marketing from us and our
third parties and your communication preferences.
We also collect, use and
share Aggregated Data such as statistical or
demographic Data for any purpose. Aggregated Data may be derived from your Personal
Data but is not considered Personal Data in law as this Data does not directly or
indirectly reveal your identity. For example, we may aggregate your Usage Data to
calculate the percentage of users accessing a specific website feature or perhaps
buying a certain type of product. However, if we combine or connect Aggregated Data
with your Personal Data so that it can directly or indirectly identify you, we treat
the combined Data as Personal Data which will be used in accordance with this
Policy.
We do not collect any Special Categories of
Personal Data about you (this includes details about your race or
ethnicity, religious or philosophical beliefs, sex life, sexual orientation,
political opinions, trade union membership, information about your health and
genetic and biometric Data). Nor do we collect any information about criminal
convictions and offences.
5. HOW IS YOUR PERSONAL DATA COLLECTED?
We use different methods to collect Data from and about you including
through:
Direct interactions. You may give us your Identity, Contact and
Financial Data by filling in forms or by corresponding with us by post, phone, email
or otherwise. This includes Personal Data you provide when you:
· apply for our products or services;
· meet with us either at our offices, your premises, or in
other locations, and express an interest in our products or services;
· create an account with us;
· subscribe to any of our services or publications;
· request marketing to be sent to you;
· complete a survey; or
· give us some feedback.
Third parties or publicly available sources. We may
receive Personal Data about you from various third parties and public sources as set
out below:
· Contact, Financial and Transaction Data from providers
of technical, payment and delivery services.
· Identity and Contact Data from Data brokers or
aggregators including business directories.
· Identity and Contact Data from publicly available
sources such as Companies House and the Electoral Register based inside the EU.
6. HOW WE USE YOUR PERSONAL DATA
We will only use your Personal Data when the law allows us to. Most
commonly, we will use your Personal Data in the following circumstances:
· Where we need to perform or manage the contract we are
about to enter into or have entered into with you, which includes sharing your
information with sellers of vehicles if you have placed a bid.
· Where it is necessary for our legitimate interests (or
those of a third party) and your interests and fundamental rights do not override
those interests.
· Where we need to comply with a legal or regulatory
obligation.
Generally we do not rely on consent as a legal basis for
processing your Personal Data other than in relation to sending third party direct
marketing communications to you via email or text message or where you are an
individual customer and we wish to send you marketing materials. You have the right
to withdraw consent to marketing at any time by contacting us.
7. YOUR CONSENT
By submitting your information on the Website you consent to the use of
that information as set out in this Policy. If we change our Policy, we will post
the changes on this page or on the Website, and may place notices on other pages of
the Website, so that you may be aware of the Personal Data we collect and how we use
it at all times.
You agree that you do not object to us contacting you for
any of the purposes of processing our services or your orders, statistical or survey
purposes to improve this Website and its services to you, provision of Website
content and advertisements to you, administration of this Website and where you
consent, to notify you of services, products or special offers that may be of
interest to you. You consent to such contact whether by telephone, e-mail or in
writing and you confirm that you do not and will not consider any of the above as
being a breach of any of your rights under any applicable Data Protection Laws.
8. PURPOSES FOR WHICH WE WILL USE YOUR PERSONAL DATA
We have set out below, in a table format, a description of all the ways we
plan to use your Personal Data, and which of the legal bases we rely on to do so. We
have also identified what our legitimate interests are where appropriate.
Note that we may process your Personal Data for more than one lawful ground
depending on the specific purpose for which we are using your Data. Please contact
us if you need details about the specific legal ground we are relying on to process
your Personal Data where more than one ground has been set out in the table below.
- cookies that make the Website work properly for you and enable you to browse the Website securely;
- cookies that collect data about your use of the Website which is used to help Carsmart to improve online products and/or services;
- cookies that remember your preferences and make the Website easier for you to use; and
- cookies that are placed by third party services we make use of to enhance the information we present online. Carsmart has no control over these third party cookies.
These cookies are placed on your device either by us or by the third
parties whose services we use as part of the Website.
Some cookies are
retained in your browser for only as long as you visit the Website, while others
persist for a longer specified or unspecified period.
5. HOW LONG WILL COOKIES STAY ON MY DEVICE?
The length of time a cookie will stay on your computer or mobile device
depends on whether it is a “persistent” or “session” cookie. Session cookies will
only stay on your device until you stop browsing. Persistent cookies stay on your
computer or mobile device until they expire or are deleted.
6. WHAT TYPES OF COOKIES ARE USED BY US?
We use several types of cookies. Some are essential, while others you can
disable or block. Disabling or blocking some cookies may affect the functionality of
the online products and/or services, and of the Website.
The below
explanations should help you to make informed choices about the information you
provide to us and any third parties when you visit the Website.
Strictly necessary cookies
These are cookies that are required for the operation of
our Website. They include, for example, cookies that help ensure the content of the
pages you request load quickly. We want you to understand these essential cookies,
and why we use them, but your consent is not required for us to use them on our
Website as we use these cookies only to provide you with services that you have
requested.
We use the following strictly necessary cookies:
Purpose/Activity | Type of Data | Lawful basis for processing including basis of legitimate interest |
---|---|---|
To register you as a new customer or supplier | a) Identity b) Contact c) KYC | a) and b) Performance of a contract with you and to facilitate and collect bids with respect to vehicle purchases. c) Our legitimate interests, to ensure our business is properly protected when transacting. In some cases this is also to fulfil a legal requirement. |
To identify and register you as a potential customer or supplier | a) Identity b) Contact c) Profile | Where you have made an enquiry, in anticipation of entering into a contract with you. Where you have not, our legitimate interests in growing our customer base or in seeking new suppliers. |
To facilitate the sale and purchasing of vehicles | a) Identity b) Contact c) Profile d) Financial | When you sign up to use our services, and again whenever you purchase a vehicle, we (or our third-party payments provider) will collect bank account details from you to enable us to both send and receive payments to or from you for our services. We will also keep a record of any purchases you make through the Carsmart platform. We will further utilise your Contact and address details to ensure delivery of any relevant vehicle as required. |
To manage our relationship with you which will include: a) Notifying you about changes to our terms or Policy b) Asking you to leave a review or take a survey | a) Identity b) Contact c) Profile d) Marketing and Communications | a) Performance of a contract with you b) Necessary to comply with a legal obligation c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services) |
To enable you to complete a survey | a) Identity b) Contact c) Profile d) Usage e) Marketing and Communications | a) Performance of a contract with you b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business) |
To administer and protect our business | a) Identity b) Contact c) KYC | a) and b) Necessary for our legitimate interests c) Either for our legitimate interests, or necessary to comply with a legal obligation |
To deliver relevant marketing materials to you, invite you to events, and measure or understand the effectiveness of the advertising we serve to you | a) Identity b) Contact c) Profile d) Usage e) Marketing and Communications | Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy) |
To make suggestions and recommendations to you about goods or services that may be of interest to you | a) Identity b) Contact c) Usage d) Profile | Necessary for our legitimate interests (to develop our products/services and grow our business) |
To archive and back up our IT systems, and in order to protect our business assets | All Data | a) Necessary to comply with our legal obligations b) Necessary for our legitimate interests in protecting our business assets |
9. MARKETING
We strive to provide you with choices regarding certain Personal Data uses,
particularly around marketing and advertising.
Promotional offers from us
We may use your Identity, Contact, Technical, Usage and Profile Data to
form a view on what we think you may want or need, or what may be of interest to
you. This is how we decide which products, services and offers may be relevant for
you (we call this marketing).
You will receive marketing communications
from us if you have requested information from us or purchased goods or services
from us and, in each case, you have not opted out of receiving that marketing. We
may also contact you if you are a business and you have not asked us not to contact
you, and we believe you may be interested in our goods and services.
Third-party marketing
We will get your express opt-in consent before we share your Personal Data
with any company outside our group of companies for marketing purposes.
Opting out
You can ask us or third parties to stop sending you marketing messages by
contacting us at any time.
Where you opt out of receiving these marketing
messages, this will not apply to Personal Data provided to us as a result of a
product/service purchase, warranty registration, product/service experience or other
transactions.
10. CHANGE OF PURPOSE
We will only use your Personal Data for the purposes for which we collected
it, unless we reasonably consider that we need to use it for another reason and that
reason is compatible with the original purpose. If you wish to get an explanation as
to how the processing for the new purpose is compatible with the original purpose,
please contact us.
If we need to use your Personal Data for an unrelated
purpose, we will notify you and we will explain the legal basis which allows us to
do so.
Please note that we may process your Personal Data without your
knowledge or consent, in compliance with the above rules, where this is required or
permitted by law.
11. COOKIES
The Website may place and access certain ‘cookies’ on your computer,
information about which can be found in our cookie policy, available at
trycarsmart.com/cookiepolicy.
12. DISCLOSURES OF YOUR PERSONAL DATA
We may have to share your Personal Data with third parties for the purposes
set out in the table in clause 8 above. These include:
· third party providers of Data and other services to us,
such as credit agencies, and third party archival, cloud and backup providers.
· third party providers of professional services, such as
accountants, bankers, insurers and lawyers.
· HM Revenue and Customs, and other regulatory
authorities.
· third parties to whom we may choose to sell, transfer,
or merge parts of our business or our assets. Alternatively, we may seek to acquire
other businesses or merge with them. If a change happens to our business, then the
new owners may use your Personal Data in the same way as set out in this Policy.
· a seller of a vehicle if you have placed a bid for that
vehicle. If you proceed with the purchase of a vehicle, we will receive certain
information about your transaction from the relevant seller of the vehicle, such as
the date of collection and the final purchase price you paid, for billing and
reporting purposes;
· service providers, such as our transport partners and
their drivers, payments processing providers, data analytics and technical support
providers, data storage providers, content and data providers and customer
management and support providers (including our outsourced customer service centre)
(please see heading below for more details);
· law enforcement agencies or authorities where we believe
this is necessary for the prevention, detection or enforcement of a crime; and
· our professional advisers and investors.
We
require all third parties to respect the security of your Personal Data and to treat
it in accordance with the law. We do not allow our third-party service providers to
use your Personal Data for their own purposes and only permit them to process your
Personal Data for specified purposes and in accordance with our instructions.
Specifics on Service Providers:
We use carefully selected service
providers which process personal information about you on our behalf as described
below:
· Transport partners: We use
a network of trusted transport companies to provide you with Collection Services.
They will receive the seller vehicle data, along with details of the seller, your
delivery address, contact details, and preferred drop-off time.
· Payments: Where you are
set up to make payments through the Carsmart platform, you will be required to
provide certain personal information to our third-party payments processing
provider (“Payment Provider”). The Payment Provider will be required to process your
personal information in order for them to provide a payment account and provide
services under the Smart Wallet & Provider Payment Terms. The Payment Provider
is a Data Controller and shall only use your personal data for this purpose. The
Payment Provider’s privacy policy is available in your Smart Wallet account.
· Data analytics and technical
support providers: Such providers assist us in better understanding your
use of our Website, the Carsmart platform, and our services.
· Data storage providers:
Such providers help operate the functionality of the Website and enable us to
provide user accounts. They also provide backup, debugging and logging services.
· Content and data
providers: Such providers assist us to, for example, verify your email
address and telephone number, use your town/city to calculate routes between you and
the seller of a vehicle, and use your postcode to geocode your approximate location.
· Customer management and support
providers (including our outsourced customer service centre): Such
providers deliver personalised email or SMS reminders to you in relation to your
cars available for sale, and collect reviews of our services.
13. INTERNATIONAL TRANSFERS
We ensure your Personal Data is protected by requiring all our group
companies to follow the same rules when processing your Personal Data.
Whenever we transfer your Personal Data out of the EEA, we ensure a similar degree
of protection is afforded to it by ensuring at least one of the following safeguards
is implemented:
· We will only transfer your Personal Data to countries
that have been deemed to provide an adequate level of protection for Personal Data
by the European Commission. For further details, see European Commission: Adequacy
of the protection of Personal Data in non-EU countries.
· Where we use certain service providers, we may use
specific contracts approved by the European Commission which give Personal Data the
same protection it has in Europe. For further details, see European Commission:
Model contracts for the transfer of Personal Data to third countries.
· Where we use providers based in the US, we may transfer
Data to them if they enter into the ICO's model/standard clause contract – details of
which can be found here. Please contact us if you want further information on the
specific mechanism used by us when transferring your Personal Data out of the EEA.
14. DATA SECURITY
We have put in place appropriate security measures to prevent your Personal
Data from being accidentally lost, used or accessed in an unauthorised way, altered
or disclosed. In addition, we limit access to your Personal Data to those employees,
agents, contractors and other third parties who have a business need to know. They
will only process your Personal Data on our instructions and they are subject to a
duty of confidentiality.
We have put in place procedures to deal with any
suspected Personal Data breach and will notify you and any applicable regulator of a
breach where we are legally required to do so.
15. DATA RETENTION
How long will we use your Personal Data for?
We will only retain your Personal Data for as long as necessary to fulfil
the purposes we collected it for, including for the purposes of satisfying any
legal, accounting, or reporting requirements.
To determine the appropriate
retention period for Personal Data, we consider the amount, nature, and sensitivity
of the Personal Data, the potential risk of harm from unauthorised use or disclosure
of your Personal Data, the purposes for which we process your Personal Data and
whether we can achieve those purposes through other means, and the applicable legal
requirements.
By law we have to keep basic information about our customers
(including Contact, Identity, KYC, Financial and Transaction Data) for six (6) years
after they cease being customers for tax and accounting purposes.
In some
circumstances you can ask us to delete your Data: see clause 17 below for further
information.
In some circumstances we may anonymise your Personal Data (so
that it can no longer be associated with you) for research or statistical purposes
in which case we may use this information indefinitely without further notice to
you.
16. REQUESTS
What we may need from you
Following any request made by you we may need to request specific
information from you to help us confirm your identity and ensure your right to
access your Personal Data (or to exercise any of your other rights). This is a
security measure to ensure that Personal Data is not disclosed to any person who has
no right to receive it. We may also contact you to ask you for further information
in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within one (1) month.
Occasionally it may take us longer than a month if your request is particularly
complex or you have made a number of requests. In this case, we will notify you and
keep you updated.
17. YOUR LEGAL RIGHTS
You have the right to:
Be informed of how your Personal Data is being
utilised by us, as set out in this Policy.
Request access to your Personal Data (commonly known
as a "Data subject access request"). This enables you to receive a copy of the
Personal Data we hold about you and to check that we are lawfully processing it.
Request correction of the Personal Data that we hold
about you. This enables you to have any incomplete or inaccurate Data we hold about
you corrected, though we may need to verify the accuracy of the new Data you provide
to us.
Request erasure of your Personal Data. This enables
you to ask us to delete or remove Personal Data where there is no good reason for us
continuing to process it. You also have the right to ask us to delete or remove your
Personal Data where you have successfully exercised your right to object to
processing (see below), where we may have processed your information unlawfully or
where we are required to erase your Personal Data to comply with local law. Note,
however, that we may not always be able to comply with your request of erasure for
specific legal reasons which will be notified to you, if applicable, at the time of
your request.
Object to processing of your Personal Data where we
are relying on a legitimate interest (or those of a third party) and there is
something about your particular situation which makes you want to object to
processing on this ground as you feel it impacts on your fundamental rights and
freedoms. You also have the right to object where we are processing your Personal
Data for direct marketing purposes. In some cases, we may demonstrate that we have
compelling legitimate grounds to process your information which override your rights
and freedoms.
Request restriction of processing of your Personal
Data. This enables you to ask us to suspend the processing of your Personal Data in
the following scenarios: (a) if you want us to establish the Data's accuracy; (b)
where our use of the Data is unlawful but you do not want us to erase it; (c) where
you need us to hold the Data even if we no longer require it as you need it to
establish, exercise or defend legal claims; or (d) you have objected to our use of
your Data but we need to verify whether we have overriding legitimate grounds to use
it.
Request the transfer of your Personal Data to you or
to a third party. We will provide to you, or a third party you have chosen, your
Personal Data in a structured, commonly used, machine-readable format. Note that
this right only applies to automated information which you initially provided
consent for us to use or where we used the information to perform a contract with
you.
Withdraw consent at any time where we are relying on
consent to process your Personal Data. However, this will not affect the lawfulness
of any processing carried out before you withdraw your consent. If you withdraw your
consent, we may not be able to provide certain products or services to you. We will
advise you if this is the case at the time you withdraw your consent.
No fee usually required
You will not have to pay a fee to access your Personal Data (or to exercise
any of the other rights).
It is important that the Data we hold about you
is accurate and current. Please keep us informed if your Data changes during the
period for which we hold it.
18. GENERAL
You may not transfer any of your rights under this Policy to any other
person. We may transfer our rights under this Policy where we reasonably believe
your rights will not be affected.
If any court or competent authority finds
that any provision of this Policy (or part of any provision) is invalid, illegal or
unenforceable, that provision or part-provision will, to the extent required, be
deemed to be deleted, and the validity and enforceability of the other provisions of
this Policy will not be affected.
Unless otherwise agreed, no delay, act or
omission by a party in exercising any right or remedy will be deemed a waiver of
that, or any other, right or remedy.
This Policy will be governed by and
interpreted according to the law of England and Wales. All disputes arising under
this Policy will be subject to the exclusive jurisdiction of the English and Welsh
courts.
19. CHANGES TO THIS POLICY
Carsmart reserves the right to change this Policy as we may deem necessary
from time to time or as may be required by law. Any changes will be immediately
posted on the Website and you are deemed to have accepted the terms of the Policy on
your first use of the Website following the alterations.
You may contact
Carsmart by email at help@trycarsmart.com.