Privacy Policy

The protection of Personal Data is a high priority for us. We want users to know which data we process, when, on what basis and for what purpose.

What is Personal Data?

Personal Data is all information that relates to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly (in particular by means of an association with an identifier such as a name, an identification number, location data or an online identifier).

What law applies?

In principle, we will only use your Personal Data in accordance with the applicable data protection laws, in particular the UK's Data Protection Act 2018 (“DPA”) and the EU's General Data Protection Act (“GDPR”) and only as described in this Privacy Policy.

The person responsible (“Data Controller”)

The person responsible for the processing of Personal Data is CarVanBike LTD of 10 Bank Top, Blackburn, England, BB2 1TB (hereinafter “CarVanBike”, “we”, “us”, or “our”).

Please read this Privacy Policy together with our Cookie Policy and e-mail if you have any questions.

Purpose and legal basis of processing

In accordance with the DPA and the GDPR we need to have both a purpose and a legal basis to process Personal Data. The purposes are:

  • the provision of the website and its functions and contents,
  • responding to contact requests and communicating with users,
  • providing our services, and
  • security measures.

Of course, we can only do that if we have at least one of the following legal bases or, in other words, lawful reasons to do so. Unless specifically described below, we typically link the above purposes to one of the following:

  • Consent: you have given clear consent to process Personal Data for a specific purpose.
  • Contract: the processing is necessary for a contract or because you have asked us to take specific steps before entering into a contract.
  • Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations). 
  • Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect your Personal Data which overrides those legitimate interests.

General Principles

  1. Security

Our website uses SSL or TLS encryption to ensure the security of data processing and to protect the transmission of confidential content, such as orders, login data or contact requests that you send to us.

You can recognise an encrypted connection if the address line of your browser contains "https://" instead of "http://" and also shows a lock symbol. If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

We have also implemented numerous security measures (“technical and organisational measures”) to ensure the most complete protection of Personal Data processed through this website.

Nevertheless, internet-based data transmissions can always have security gaps, so that absolute protection cannot be guaranteed. And databases or data sets that include Personal Data may be breached inadvertently or through wrongful intrusion.

Upon becoming aware of a data breach, we will notify all affected individuals whose Personal Data may have been compromised, and the notice will be accompanied by a description of the action being taken to reconcile any damage as a result of the data breach. Notices will be provided as expeditiously as possible after the breach is discovered.

  1. Retention and Storage 

We will retain your Personal Data as necessary in connection with the purposes described in this Privacy Policy, and in accordance with the UK's Statutory Retention Periods and other applicable laws for up to 6 years.

  1. Minors

Persons under the age of 18 should not transmit any Personal Data to us without the consent of their parents or legal guardians. We do not request Personal Data from minors and children and do not knowingly collect such data or pass it on to third parties.

  1. Automated decision-making

Automated decision-making including profiling does not take place.

  1. Do Not Sell

We do not sell your Personal Data.

  1. Special Category Data

Unless specifically required for a particular service and consent is obtained, we do not process Special Category Data.

  1. Social Media

We are present on social media on the basis of our legitimate interest (currently Facebook and Instagram). If you contact us via social media platforms, we and the relevant social media platform are jointly responsible for the processing of your data and enter into a so-called joint controller agreement. The legal basis for the use of the relevant social media platform is our legitimate interest, your consent or, in the case of a (pre) contractual relationship with us, the initiation of a contractual service, if any.

  1. Marketing

Insofar as you have also given us your consent to process your Personal Data for marketing and advertising purposes, we are entitled to contact you for these purposes via the communication channels you have given your consent to.

  1. International Transfer

In the course of our website operation, we process data. We usually do not transfer Personal Data to countries outside the UK and the EEA. However, if we do, we ensure that processing of your Personal Data is governed by Processing Agreements that include Standard Contractual Clauses to ensure a high level of data protection.

  1. Sharing and Disclosure

We will not disclose or otherwise distribute your Personal Data to third parties unless a) this is necessary for the performance of our services; b) you have consented to the disclosure; or c) we are legally obliged to do so, e.g. by court order, or this is necessary to support criminal or other legal investigations or other legal proceedings at home or abroad; as required by law or regulation; if CarVanBike (or a part of CarVanBike) is sold to or merged with another company; or to fulfil our legitimate interests.

Data Processing

  1. Access to the website

Every time the website is accessed and every time a file is retrieved, data about this process is processed for a limited time in a log file for backup purposes and, with your consent, also for statistical purposes. On the basis of our legitimate interest in a secure website, we are entitled to store this log file to protect against attacks on our website beyond the time of your visit. This data is used to initiate legal and criminal prosecution in the event of attacks on the communications technology. In detail, the following data is processed about each access/retrieval:

  • domain/appearance called up
  • IP address (automatically deleted after 90 days at the latest)
  • date and time
  • HTTP method (e.g. GET/POST)
  • Resource that was accessed (URL, Uniform Resource Locator)
  • HTTP protocol version
  • Referrer URL (referring website/address)
  • Browser (user agent sent along, usually browser type, version and language, operating system, device type, model and brand)

  1. Use of cookies

In order to make our website as pleasant as possible for you, we use cookies. Cookies are small text files that enable recognition of the user so that you do not have to identify yourself each time. Cookies can also help us to tailor our offers to your interests. For further information on the cookies we use, please refer to our Cookie Policy.

  1. Hosting

To provide our website, we use the services of YP Solutions Limited, which processes all data to be processed in connection with the operation of this website, including log files, on our behalf. The legal basis is our legitimate interest.

  1. Contacting us

Personal Data is processed depending on the contact method. In addition to your name and e-mail address, IP address or telephone number, we usually collect the context of your message which may also include certain Personal Data. The Personal Data collected when contacting us is processed for the purpose of dealing with your request and the legal basis is your consent. The use of your IP address takes place exclusively in the context of law enforcement and security measures in compliance with our legal requirements.

We also offer the option of contacting us via the messaging services of WhatsApp. If you contact us via WhatsApp, we store and use the mobile phone number you use and, if provided, your first and last name in accordance with the provision of a contractual or pre-contractual measure to process and respond to your request.

  1. Account Registration 

If you register, we will request mandatory and, where applicable, non-mandatory data in accordance with our registration form (Full Name, Email Address, Account Type, Phone Number, Postcode, and chosen Password, and business-related data if you are a Seller). The entry of your data is encrypted so that third parties cannot read your data when it is entered. The basis for this storage is our legitimate interest and to fulfil our contractual obligations.

  1. When using our services

We process the data of our registered users in order to be able to provide our contractual services as well as to ensure the security of our services and to be able to develop them further. This includes in particular our support, correspondence with you, invoicing, and fulfilment of our accounting and tax obligations. Accordingly, the data is processed on the basis of fulfilling our contractual obligations as well as to fulfil our legal obligations.

Some of the data you choose to provide may be considered non-Personal Data and/or “special” or “sensitive” in certain jurisdictions, for example your racial or ethnic origins, sexual orientation, and religious beliefs. By choosing to provide this data, you consent to our processing of that data.

Where any Personal Data relates to a third party, you represent and warrant that the Personal Data is up-to-date, complete, and accurate and that you have obtained the third party’s prior consent for our collection, use and disclosure of their Personal Data for the Purposes. You agree that you shall promptly provide us with written evidence of such consent upon demand by us.

Unless otherwise specified the purposes of processing are contractual performance and service, contact requests and communication, office and organisational procedures, administration, and response to requests, visit action evaluation. The legal basis for the data processing is the fulfilment of our contractual obligations and, in individual cases, the fulfilment of our legal obligations as well as your consent.

You may withdraw your consent and request us to stop using and/or disclosing your personal and special category data by submitting your request to us in writing.

When you make or receive payment, your payment related data will be processed via the payment service providers PayPal, Inc. or Stripe Inc. Payment data will solely be processed through Stripe or Stripe as selected by you, and we have no access to any Payment Data you may submit. The legal basis for the provision of a payment system is the establishment and implementation of the user contract for the use of the service.

  1. Contacting others

Of course, we also process your chats and communications with other users as well as the content you publish, as necessary for the operation of the services. In addition to the information you may provide us directly, we receive information about you from others. Users may provide information about you as they use our services, for instance as they interact with you or if they submit a report involving you.

We also share some users’ information with service providers and partners who assist us in operating the services. You share information with other users when you voluntarily disclose information on the service (including your profile). Please be careful with your information and make sure that the content you share is stuff that you’re comfortable being visible. The legal basis for the data processing is the fulfilment of our contractual obligations and, in individual cases, the fulfilment of our legal obligations as well as your consent. 

  1. Newsletter

If you have consented to receive our newsletter, we will use your e-mail address and, if applicable, your name to send you information about promotions, services, and news. You can revoke your consent to receive the newsletter or to the creation of personalised user profiles at any time with effect for the future. You will find the unsubscribe link at the end of each newsletter. Same as with the Service Notifications mentioned above, our newsletters are sent by Mailchimp by Intuit Inc on our behalf.

Your Rights and Privileges 

  1. Privacy rights 

Under the DPA and GDPR, you can exercise the following rights:

  • Right to information
  • Right to rectification
  • Right to object to processing
  • Right to deletion
  • Right to data portability
  • Right of objection
  • Right to withdraw consent
  • Right to complain to a supervisory authority
  • Right not to be subject to a decision based solely on automated processing.

If you have any questions about the nature of the Personal Data we hold about you, or if you wish to request the erasure or rectification of Personal Data we hold about you, or to exercise any of your other rights as a data subject, please contact us.

  1. Updating your information

If you believe that the information we hold about you is inaccurate or that we are no longer entitled to use it and want to request its rectification, deletion, or object to its processing, please do so by contacting us.

  1. Withdrawing your consent 

You can revoke consents you have given at any time by contacting us. The legality of the data processing carried out until the revocation remains unaffected by the revocation.

  1. Access Request 

In the event that you wish to make a Data Subject Access Request, you may inform us in writing of the same. We will respond to requests regarding access and correction as soon as reasonably possible. Should we not be able to respond to your request within thirty (30) days after receiving your request, we will let you know in writing within thirty (30) days. If we are unable to comply with your request, we will tell you why (except where we are not required to do so under the respective legal regulations mentioned above).

  1. Complaint to a supervisory authority

You have the right to complain about our processing of Personal Data to a supervisory authority responsible for data protection. The supervisory authority in the UK is the Information Commissioner's Office (ICO), located at Wycliffe House, Water Ln, Wilmslow SK9 5AF, UK.


We may update this Privacy Policy from time to time. If we make changes to this Privacy Policy or materially change our use of your Personal Data, we will revise the Privacy Policy accordingly. This Cookie Policy was last updated on Saturday, 11 February 2023.


We encourage you to periodically review this Privacy Policy to be informed of how we use and protect your Personal Data. If you would like to contact us regarding our privacy practices for any reason, please use or write to us at the above address.