Carable Inc. Privacy Policy

Last updated: 25th May 2018

Thanks for using our websites and services. Personal integrity is important to us and we take your privacy seriously.

Here you will find out for example what personal data we process about you, why and how we do it, where it came from, who is involved, and how it is lawful for us to do it.

This is where we explain how we process your personal data and what we do to respect your integrity! We encourage you to read this Privacy Policy and to use it to help you make informed decisions.

Please read this Privacy Policy carefully – by continuing to use our websites and services, you confirm that you have read and understood this Privacy Policy in its entirety. By reading this Privacy Policy, we hope you feel confident that we work hard to live up to your expectations.

Please contact us if you have any questions regarding this Privacy Policy or in general questions regarding your personal data. You can always contact us by sending an email to: info@carable.com

Carable Inc. 1601 Elm Street. Dallas TX 75201. USA. (“Carable Inc”, “we”, “our” or “us”), is committed to protecting and respecting the privacy of any individual whose personal data we process as part of us providing our products and services (altogether “services” below”).

This Privacy Policy aims to provide you with sufficient information regarding our use of your personal data, including providing you with answers to the following questions:

What is personal data?

Personal data is all kind of information directly or indirectly identifying a physical person being alive. This means that e.g. name, address, phone number but also log data and encrypted data and other types of electronic ID’s (e.g. IP-addresses) is personal data in the event they can be connected to a physical person being alive may be personal data.

What is processing of personal data?

Processing of personal data is every action that is taken in relation to personal data, irrespective of if it is done in an automated way or not. Examples of common processing actions is collection, registration, organization, structuring, storing, adaptation, transfer and deletion.

Who should read this Privacy Policy?

This Privacy Policy is relevant for anyone visiting our websites, using our services, products or otherwise interacting with us.

Does this Privacy Policy cover all our processing activities?

No, it only concerns the processing of personal data for which we are the data controller – in other words, where we decide the purposes (why the personal data is collected) and means(which personal data is collected, for how long it is stored, etc.) of the processing.

What does this Privacy Policy not cover?

It doesn’t cover any processing of personal data that we conduct as a data processor – meaning, where we process data on e.g. your behalf and following your instructions when you use our services and you are the one collecting personal data and deciding the purpose for the processing of such personal data. For those activities our Data Processing Agreement to our Payment Terms and Conditions applies.

In relation to whom is Carable a data controller?

Merchant

Carable is the data controller for personal data processed when our customers register for and/or use our services and when our customers purchase products by using the services provided by Carable to purshase i.e a car from one private person to another, if they are a natural person (“Merchant”).

This means that we are a data controller for any personal data that we process about you as a sole trader or an individual.

Website visitors and individuals telephoning or e-mailing our support

For existing customers visiting our website:

Behavioural and tracking details: e.g. location data, behavioural patterns, personal preferences, IP-number, cookie identifiers, unique identifier of devices you use to access and use the services and our websites.

Carable is furthermore the data controller for personal data processed when someone telephones to our customer support or uses our website or otherwise contacts us through our support channels.

This means that Carable is the data controller for personal data processed about website visitors (i.e. the people that merely browse our websites).

What information do we process about you, for what purposes and how is it lawful for us to do it?

Categories of personal data we process

  • Identification information: e.g. identification number, ID, passwords or equivalent
  • Contact information: e.g. name, address, phone number, email or equivalent
  • Financial information: e.g. information related to invoices that we have issued between buyer and seller
  • Information related to legal requirements: e.g. customer due diligence and anti-money laundering requirements, bookkeeping
  • Behavioural and tracking details: e.g. location data, behavioural patterns, personal preferences, IP-number, cookie identifiers, unique identifier of devices you use to access and use the services and our websites
HOW DO WE USE IT (PURPOSE OF PROCESSING)LEGAL BASIS FOR THE PROCESSING (WHY THE DATA PROCESSING IS NECESSARY)
To provide our services and products, to fulfil relevant agreements with you and to otherwise administer our business relationship with you.Fulfil our contractual obligations towards you, to comply with applicable laws and to pursue the legitimate interests of Carable
To confirm your identity and verify your personal and contact details.Fulfil our contractual obligations towards you and to comply with applicable laws
To prove that transactions have been executed.Fulfil our contractual obligations towards you and to comply with applicable laws
To establish, exercise or defend a legal claim or collection procedures.Fulfil our contractual obligations towards you, to comply with applicable laws and to pursue the legitimate interests of Carable
To comply with internal procedures.Fulfil our contractual obligations towards you and to comply with applicable laws
To administer your payment for products and/or services and the customer relationship i.e. to carry out our obligations arising from any contracts entered into between you and us and to provide you with the information, products and services that you request from us.Fulfil our contractual obligations towards you, to comply with applicable laws and to pursue the legitimate interests of Carable
To assess which payment options and payment services to offer you, for example by carrying out internal and external credit assessments using partner financial serviceFulfil our contractual obligations towards you, to comply with applicable laws and to pursue the legitimate interests of Carable
For customer analysis, to administer Carable´s services, and for internal operations, including troubleshooting, data analysis, testing, research and statistical purposes.Fulfil our contractual obligations towards you and to pursue the legitimate interests of Carable
To ensure that content is presented in the most effective way for you and your device.Fulfil our contractual obligations towards you and to pursue the legitimate interests of Carable
To prevent misuse of Carable´s services as part of our efforts to keep our services safe and secure.Pursue the legitimate interests of Carable
To carry out risk analysis, fraud prevention and risk management.Pursue the legitimate interests of Carable
To improve our services and for general business development purposes, such as improving credit risk models in order to e.g. minimize fraud, develop new products and features and explore new business opportunities.Pursue the legitimate interests of Carable
Marketing, product and customer analysis. This processing forms the basis for marketing, process and system development, including testing. This is to improve our product range and to optimize our customer offering.Pursue the legitimate interests of Carable
To comply with applicable laws, such as anti-money laundering and bookkeeping laws and regulatory capital adequacy requirements and rules issued by our designated banks and relevant card networks. We also carry out sanction screening, report to tax authorities, police enforcement authorities, enforcement authorities, supervisory authorities.Comply with applicable laws and to pursue the legitimate interests of Carable
To administer your order and/or purchase.Fulfil our contractual obligations towards you
To be able to administer participation in competitions and/or events.Pursue the legitimate interests of Carable
Risk management obligations such as credit performance and quality, insurance risks and compliance with capital adequacy requirements under applicable law.Comply with applicable laws and to pursue the legitimate interests of Carable
To administer payments carried out by using our services from a partner.Comply with applicable laws and to pursue the legitimate interests of Carable
To communicate with you in relation to our services.Fulfil our contractual obligations towards you and to pursue the legitimate interests of Carable

Merchants

Categories of personal data we process

  • Identification information: we do not process any identification information about you.
  • Contact information: e.g. your name, phone number, address and email address or equivalent.
  • Financial information: we dont process credit and debit card information such as card number, expiry date and CVV code, card holder name, financial transactions or equivalent, details about what products and/or services you have purchased.
  • Information related to legal requirements: e.g. customer due diligence and anti-money laundering requirements, bookkeeping.
  • Behavioural and tracking details: e.g. location data, behavioural patterns, IP-number, cookie identifiers, unique identifier of devices you use to access and use the services and our websites
HOW DO WE USE IT (PURPOSE OF PROCESSING)LEGAL BASIS FOR THE PROCESSING (WHY THE DATA PROCESSING IS NECESSARY)
If you are an End-customer we dont process personal data obtained if you choose to pay by card using our partner or through the use of any other payment method that our partners provides from time to time, including alternative payment solutions provided by third parties.Comply with applicable laws and to pursue the legitimate interest of Carable
Processing payment.We never process your personal data if you have chosen to pay (i)by card through the use a third party partner on the Carable marketplace using smartphone, tablet, PC or other compatible device. We process personal data in order to be able to process the payment transaction and carry out a invoice for the transaction, including for the purpose of risk management and the prevention of fraud and other criminal acts.Comply with applicable laws and to pursue the legitimate interest of Carable
We never share your billing and contact information with the relevant parties Merchant holding the relevant Online Store in order for the Merchant to be able to execute and administer your purchase, including for handling potential complaints and disputes.Comply with applicable laws and to pursue the legitimate interest of Carable
Provide receipts. You can choose to have a receipt sent to you via e-mail or text message when you pay for the services and/or products provided by Carable. If you provide your e-mail address or mobile number to a partner on Carable marketplace, we will not remember your details for the next time you buy something on the Carable marketplace, if you use the same payment card. This is regardless of if you have previously bought something or not. This means that your e-mail address or mobile number will be pre-filled in the receipt view for your convenience the next time you buy something on the Carable marketplace. We will only use your e-mail address or mobile number to send information to you connected to the Carable services and partners. Carable will not use your contact details for any other purpose, and will not share them with anyone else, without obtaining your written consent first or inform you prior to initiating any processing for new purposes or a purpose that is compatible with the purpose for which we collected the personal data, all in accordance with applicable laws and regulations.To pursue the legitimate interest of Carable

Website visitors and individuals telephoning or e-mailing our customer support

Categories of personal data we process

  • Contact information: e.g. name, address, phone number, email or equivalent
  • For existing customers visiting our website:

  • Behavioural and tracking details: e.g. location data, behavioural patterns, personal preferences, IP-number, cookie identifiers, unique identifier of devices you use to access and use the services and our websites
HOW DO WE USE IT (PURPOSE OF PROCESSING)LEGAL BASIS FOR THE PROCESSING (WHY THE DATA PROCESSING IS NECESSARY)
To confirm your identity and verify your personal and contact details.Comply with applicable laws and pursue the legitimate interest of Carable
To provide and market our services and/or products to you.Pursue the legitimate interests of Carable
To provide the support you seek from us.Pursue the legitimate interests of Carable

What Personal Data do we collect from third parties?

We process personal data obtained from selected third parties such as credit bureaus, lenders, fraud detection agencies, other financial institutions and other information providers, and from publicly available sources (such as population registers and registers held by tax authorities, company registration offices, enforcement authorities etc). Third parties from which we obtain personal data can also be e.g. social networks or similar that you have linked your Carable account with. In connection with payments we never collect information from e.g. banks, payment service providers and others.

Other external resources from which we may collect information are sanctions lists (held by international organisations such as the EU and UN as well as national organisations such as Office of Foreign Asset Control (OFAC), registers held by credit-rating agencies and other commercial information providers providing information on e.g. beneficial owners and politically exposed persons.

How will we not use the information about you?

We will never use your personal data for any other purposes than those listed in this Privacy Policy, unless we collect your written consent or inform you prior to initiating any processing for new purposes or a purpose that is compatible with the purpose for which we collected the personal data, all in accordance with applicable laws and regulations.

What we will not do with your personal data:

We will not share personal data with third parties for them to use for their own marketing purposes without ensuring that there is a lawful ground to do so.

We will not sell your personal data to third parties.

What about automated decision making?

Currently, Carable does not carry out any such processing that is defined as solely automated decision making, including profiling, under the General Data Protection Regulation (“GDPR”) that has ”legal effects” or otherwise similarly significantly affect you.

Want to know more about our policy of sharing data with third parties?

Carable Inc.

We may share personal information with partners for the purposes set out in this Privacy Policy.

Partners.

If you are an End-customer, Carable may share your data with the partners from which you made a purchase. Such personal data is necessary for the partners to execute and administer your purchase, including for handling potential complaints and disputes. For the personal data shared with partners, the partners data protection policy and personal data handling procedures apply. This means that Carable may share personal data pertaining to such End-Customers that purchase something on the Carable marketplace using a partner service on the marketplace.

Third party service providers.

To provide our services we disclose personal data about you which is necessary to identify you and perform an assignment or agreement with companies that we cooperate with in order to perform our services. These services include, but are not limited to, appointment scheduling, vehicle inspection centres, escrow payment facilitators and financial lenders.

We share your personal information with the following 3rd parties:

Our designated banks and relevant card networks may also come to process your personal data for their own fraud prevention and risk management.

Third parties that are data processors.

Some of the third parties that we share personal data with are data processors. A data processor is such a party that processes personal data on our instructions and on our behalf.

We collaborate with selected suppliers, which include processing of personal data on behalf of us. Examples include suppliers of IT development, maintenance, hosting and support but also suppliers supporting us with marketing.

When we share your personal data with data processors we only share them for purposes compatible with the purposes for which we have collected the data (such as performance of a contract). We always control all data processors and ensure that they can provide adequate guarantees as regards security and confidentiality of personal data. We have written agreements in place with all data processors through which they guarantee the security and confidentiality of personal data that they process on our behalf and limitations as regards third country transfers.

Third parties that are data controllers.

Some of the third parties that we share personal data with are independent data controllers. This means that we are not the ones that dictate how the data that we provide shall be processed. Examples are authorities, credit bureaus, acquirers and other financial institutions. When your data is shared with independent data controllers their data policies and personal data processing principles apply.

Authorities.

We also disclose personal data to authorities to the extent we are under a statutory obligation to do so. Such authorities include tax authorities, police authorities, enforcement authorities and supervisory authorities in relevant countries. We may also be required to provide competent authorities information about your use of our services, e.g. revenue or tax authorities, as required by law, which may include personal data such as your name, address and information regarding card transactions processed by us on your behalf through your use of our services.

What about transfers to a third country?

If we transfer your personal data to a third country, i.e. a country inside of the European Economic Area (“EEA”), or outside the USA we will comply with all applicable laws in respect of such transfer, including making sure that your personal data is kept secure, and ensure that appropriate safeguards are in place to ensure there is adequate protection, such as entering into contracts in the form approved by the European Commission.

Our preferred basis for transfer is the use of Standard Contractual Clauses. You can access a copy of the relevant EU model-clauses used by us for transfers by browsing to www.eur-lex.europa.eu and searching for 32010D0087.

We transfer your data to service providers in the US and we base such transfer on Standard Contractual Clauses and Privacy Shield. To learn more about Privacy Shield, which is an agreement on protection of personal data between the EU and the US, please read here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en or https://www.privacyshield.gov/welcome

We also transfer your data to service providers in Australia and we base such processing on Standard Contractual Clauses.

Security and Integrity - how do we protect your Personal Data?

We take security seriously.

We always process personal data in accordance with applicable laws and regulations, and we have implemented appropriate technical and organizational security measures to prevent that your personal data is used for non-legitimate purposes or disclosed to unauthorized third parties and otherwise protected from misuse, loss, alteration or destruction. The technical and organizational measures that we have implemented are designed to ensure a level of security appropriate to the risks that are associated with our data processing activities, in particular accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to your personal data including access control to premises, facilities, systems and data, disclosure control, input control, job control, availability control and segregation control.

How long do we store your personal data?

We will not process personal data for a longer period than is necessary for fulfilling the purpose of such processing, as set out in this Privacy Policy. We only retain your personal data to ensure compliance with our legal and regulatory requirements. Your personal data will be anonymized or deleted once it is no longer relevant for the purposes for which it was collected.

This means that we as an example will only keep your data for as long as necessary for the performance of a contract and as required by applicable laws. If we keep your data for other purposes than those of the performance of a contract, such as anti-money laundering purposes, bookkeeping and regulatory capital adequacy requirements, we keep the data only if necessary and/or mandated by laws and regulations for the respective purpose.

The data retention obligations will differ within Carable subject to applicable local laws.

See below for examples of the retention periods that we apply:

  • Preventing, detecting and investigating money laundering, terrorist financing and fraud: minimum five (5) years after termination of the business connection
  • Bookkeeping regulations: seven (7) years
  • Details on performance of an agreement: up to ten (10) years after end of customer relationship to defend against possible claims
  • Recorded telephone calls to our support: up to ninety (90) days from telephone call to support.

The above is only for explanatory purposes and the retention times may differ from country to country.

What say do you have in how we process your data (aka. your rights)?

We might be the ones in the driver's seat on the processing of your personal data when you use our websites or services. But that doesn’t mean that you can’t do anything about it. You have rights and they are important to us!

Generally, we believe you have the right to have your data processed only in accordance with your expectations. But you also have rights laid down by applicable law. Below you can read more about your rights, in the order we believe might be most relevant for you.

The rights we believe are most relevant for you

  • You have the right to be informed about certain details on the processing of your personal data. We provide this information through this Privacy Policy.
  • You have the right to receive a copy of the personal data we process about you. You can receive this data by reaching out to us.
  • You have the right to correct the personal data we process about you if you see that it is inaccurate.
  • You have the right to object to our processing of your personal data.

Please note that there are exceptions to the rights below, so access may be denied, for example where we are legally prevented from making a disclosure.

Your rights in connection to your personal data

Right to be informed

You have the right to be informed about how we process personal data about you. We do this in this Privacy Policy. You may however always contact us if you have any further questions.

Right of access

You have the right to access the personal data that we hold about you. In this respect, you may receive a copy of the personal data that we hold about you. For any further copies, we reserve the right to charge a reasonable fee based on our administrative costs. To exercise this right, please contact us as set out below. Please note that much of the personal data that we process about you is available and visible for you in your Carable Account.

This right means that you have a right to:

  • receive a confirmation about what personal data that we process about you
  • get access to your personal data, and
  • receive such supplementary information (which corresponds to the information that is provided in this Privacy Policy)

Please note that we might have to ask you to provide further information about yourself in order for us to be able to identify you and handle the request in an efficient and secure way. This may mean that we may require you to send in a copy of a valid ID, which we will also require you to sign.

Right to rectification

We ensure that inaccurate or incomplete Personal Data is erased or rectified. You have the right to rectification of inaccurate or incomplete personal data that we hold about you.

Right to erasure of your personal data (”Right to be forgotten”)

You have the right to erasure if:

  • the personal data is no longer necessary for the purposes it was collected or processed for (and no new lawful purpose exists)
  • your particular situation gives you the right to object to processing on grounds of legitimate interest (see more below) and there is no justified reason for continuing the processing;
  • the lawful basis for the processing is your consent, and you withdraw your consent, and no other lawful grounds exist,
  • processing the personal data has been unlawful, or
  • there is a legal obligation for us to erase the data.

Please note that due the fact that we are in many cases obliged to retain personal data on you during your customer relationship, and even after that, e.g. to comply with a statutory obligation or where processing is carried out to manage legal claims. This means that we will keep any KYC data that we have about you during such time period as we are required according applicable anti-money laundering regulations.

Right to restrict the processing of your personal data

You have the right to request us to restrict the processing of your data (meaning that the personal data may only be held by us and may only be used for limited purposes) if:

  • the personal data we have about you is inaccurate,
  • the processing is unlawful and you ask us to restrict the use of the personal data instead of erasing it,
  • we no longer need the personal data for the purposes of the processing, but if we still need it for the establishment, exercise or defence of legal claims, or
  • you have objected to the processing claiming that the legal basis of legitimate interest is invalid and are waiting for the verification of this claim.

Right to object to the processing of your personal data

Where our lawful basis for processing your data is our legitimate interests, you have the right to object to the processing of your data if:

  • you can show that your interests, rights and freedoms regarding the personal data outweigh our interest to process your personal data, or
  • we process your personal data for direct marketing purposes, including but not limited to profiling.

This means that we will cease such processing unless we:

  • demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or
  • require the personal data in order to establish, exercise or defend legal rights.

If you choose to object to our further processing of your personal data as described in this Privacy Policy, please note that we may no longer be able to provide you with the services you have requested and may therefore terminate relevant agreements with you, see relevant terms and conditions for more information. In addition, we may continue to process your personal data for other legitimate purposes, such as to fulfil an agreement with you, to protect our interests in connection with legal proceedings and to fulfil our legal obligations.

If you have received marketing from us, you may at any time object to the marketing by contacting us at info@carable.com or opt out by following the instructions in the marketing material.

Right to data portability

You have the right to data portability:

  • for personal data that you provided to us, and
  • if the legal basis for the processing of the personal data is the fulfilment of contract or consent.

We will send a copy of your data in a commonly used and machine-readable format to you or a person/organization appointed by you, where technically feasible and where the exercise by you of this right does not adversely affect the rights and freedoms of others.

How do you exercise your rights and how can you contact us or the data protection authority?

Send us an email at info@carable.com and we’ll do our best to figure it out together.

Attn: Privacy, 1601 Elm Street. Dallas TX 75201. USA.

If you are unhappy with our processing of your personal data you may lodge a complaint with or send a letter to Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom or send an e-mail to ICO by following this link: https://ico.org.uk/global/contact-us/email/.

You may also seek a remedy through local courts if you believe your rights have been breached.

What about cookies?

Cookies are text files placed on your computer to collect standard internet log information and visitor use of the website and to compile statistical reports on website activities. You may set your browser not to accept cookies. However, in a few cases some of our website features may not function as a result.

Our website thus uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our website. For detailed information on the cookies we use and the purposes for which we use them see our Cookie policy.

What about other third-party websites and services?

Our websites and services may from time to time contain links to third party websites that are not controlled by us. If you visit such websites or use such services, please be aware that this Privacy Policy does not apply for such third parties’ processing, and we encourage you to carefully review how such third parties process personal data before using their websites or services.

How may we change this Privacy Policy?

We are constantly working on improving and developing our services, products and websites, so we may change this Privacy Policy from time to time. We will not diminish your rights under this Privacy Policy or under applicable data protection laws in the jurisdictions in which we operate. If the changes are significant, we will provide a more prominent notice, when we are required to do so by applicable law. Please review this Privacy Policy from time to time to stay updated on any changes.