Privacy Policy
Effective Date: 1 January 2026
Last Updated: 28 March 2026
1. Introduction and Data Controller
Welcome to the privacy policy of Carvantage Ltd (“Carvantage”, “we”, “our”, “us”). We are committed to protecting and respecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you visit our website at carvantageltd.com (the “Website”), use our services, or otherwise interact with us. It also explains your rights and how the law protects you.
Data Controller Details
CARVANTAGE LTD
Company Number: 16879932
Registered in England and Wales
Registered Office: 128 City Road, London, United Kingdom, EC1V 2NX
Email: carvantageltd@gmail.com
Carvantage Ltd is the data controller responsible for your personal data. This means we determine the purposes and means of processing your personal data.
Data Protection Contact
For all data protection matters, including exercising your rights, please contact our designated Data Protection Lead:
Email: carvantageltd@gmail.com
Post: Data Protection Lead, Carvantage Ltd, 128 City Road, London, EC1V 2NX
We aim to respond to all data protection enquiries within 72 hours and to all formal data subject requests within one calendar month, as required by the UK GDPR.
2. Information We Collect
We collect and process different categories of personal data depending on how you interact with us. We only collect personal data that is necessary for the purposes set out in this policy.
2.1 Information You Provide Directly
When you contact us, request a service, or complete a form on our Website, you may provide:
| Category | Data Elements | When Collected |
|---|---|---|
| Identity Data | Full name, title | Contact form, service enquiry, consultation booking |
| Contact Data | Email address, telephone number, postal address | Contact form, email correspondence, phone enquiry |
| Vehicle Data | Vehicle preferences, make/model requirements, budget range, registration numbers for vehicle checks | Service consultation, vehicle search engagement |
| Transaction Data | Service fees paid, payment method details (processed by our payment provider), invoices | Service engagement, payment processing |
| Communication Data | Contents of emails, messages, and notes from phone calls | All correspondence with us |
| Identity Verification Data | Government-issued ID documents, proof of address (where required for compliance purposes) | High-value transactions, regulatory compliance checks |
2.2 Information Collected Automatically
When you visit our Website, we automatically collect certain technical data:
- Technical Data: IP address, browser type and version, operating system, device type, screen resolution, time zone setting, and browser plug-in types and versions
- Usage Data: Pages visited, time spent on each page, page interaction information (such as scrolling, clicks, and mouse-overs), referring URL, exit pages, and date/time of your visit
- Cookie Data: Information collected through cookies and similar technologies as described in our Cookie Policy
2.3 Information from Third Parties
We may receive personal data about you from third parties, including:
- Vehicle history and data providers: Information about vehicles you are interested in purchasing, including MOT history, mileage records, and outstanding finance checks
- Analytics providers: Anonymised website usage data from Google Analytics
- Referral partners: Your contact details if you have been referred to us by a third party (with your knowledge)
2.4 Special Category Data
We do not intentionally collect any special category data (also known as sensitive personal data), such as data about your race, ethnicity, religious beliefs, political opinions, health, sexual orientation, or trade union membership. If you voluntarily provide such data to us (for example, in a message), we will only process it with your explicit consent and for the specific purpose you have indicated.
3. Purposes and Legal Basis for Processing
Under the UK GDPR, we must have a valid legal basis for processing your personal data. The table below sets out the purposes for which we process personal data and the corresponding legal basis.
| Purpose | Data Used | Legal Basis (UK GDPR Article 6) |
|---|---|---|
| Responding to your enquiries and providing customer support | Identity, Contact, Communication | Legitimate interest (Art. 6(1)(f)) — to respond to potential and existing clients |
| Providing our vehicle search, evaluation, and acquisition services | Identity, Contact, Vehicle, Transaction, Communication | Contract performance (Art. 6(1)(b)) — necessary to fulfil our service agreement with you |
| Providing automotive consulting and deal support | Identity, Contact, Vehicle, Communication | Contract performance (Art. 6(1)(b)) |
| Processing payments and managing accounts | Identity, Contact, Transaction | Contract performance (Art. 6(1)(b)) |
| Sending marketing communications (newsletters, offers, service updates) | Identity, Contact | Consent (Art. 6(1)(a)) — you can withdraw consent at any time |
| Improving our Website and services | Technical, Usage, Cookie | Legitimate interest (Art. 6(1)(f)) — to improve user experience and service quality |
| Complying with legal obligations (tax, accounting, AML) | Identity, Contact, Transaction, Identity Verification | Legal obligation (Art. 6(1)(c)) — including the Companies Act 2006, Money Laundering Regulations 2017, and HMRC requirements |
| Preventing fraud and ensuring security | Identity, Contact, Technical, Transaction | Legitimate interest (Art. 6(1)(f)) — to protect our business, clients, and Website from fraudulent activity |
| Identity verification and due diligence for high-value transactions | Identity, Identity Verification, Transaction | Legal obligation (Art. 6(1)(c)) — compliance with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 |
| Establishing, exercising, or defending legal claims | All relevant categories | Legitimate interest (Art. 6(1)(f)) — to protect our legal rights |
Where we rely on legitimate interest as our legal basis, we have conducted a Legitimate Interest Assessment (LIA) to ensure our interests do not override your rights and freedoms. You may request details of these assessments by contacting our Data Protection Lead.
4. Anti-Money Laundering and Regulatory Compliance
As a UK-registered business involved in high-value goods transactions, Carvantage Ltd is committed to complying with all applicable anti-money laundering (AML) and counter-terrorist financing (CTF) legislation, including but not limited to:
- The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (as amended)
- The Proceeds of Crime Act 2002
- The Terrorism Act 2000
- HM Treasury Sanctions requirements
In connection with these obligations, we may be required to:
- Verify your identity before entering into certain transactions (Customer Due Diligence)
- Keep records of identification documents and transaction data
- Report suspicious activities to the National Crime Agency (NCA) where required by law
- Screen against UK and international sanctions lists
We are legally prohibited from informing you if we make a report to the NCA about suspicious activity (“tipping off”). Data processed for AML/CTF purposes is retained in accordance with the statutory requirements set out in Section 7 of this policy.
5. Cookies and Tracking Technologies
Our Website uses cookies and similar tracking technologies in accordance with the Privacy and Electronic Communications Regulations 2003 (PECR). Cookies are small text files placed on your device that help us provide and improve our services.
We obtain your consent before placing any non-essential cookies on your device. You can manage your cookie preferences at any time through our cookie consent banner or by visiting our Cookie Policy, which provides detailed information about each cookie we use, including its name, purpose, provider, and duration.
6. Data Sharing and Disclosure
We take your privacy seriously and do not sell, rent, or trade your personal data to third parties. We may share your personal data only in the following circumstances:
6.1 Service Providers (Data Processors)
We engage trusted third-party service providers who process personal data on our behalf under our instructions. These processors are bound by data processing agreements that comply with Article 28 of the UK GDPR. They include:
- Website hosting and infrastructure providers — for hosting our Website securely
- Email service providers — for managing and delivering our communications
- Analytics providers (Google Analytics) — for understanding Website usage patterns
- Payment processors — for processing service fee payments securely (we do not store your full payment card details)
- Vehicle data providers — for conducting vehicle history checks and valuations
- Accounting and bookkeeping software providers — for managing invoices and financial records
6.2 Legal and Regulatory Disclosures
We may disclose your personal data where required by law, regulation, or legal process, including to:
- HM Revenue and Customs (HMRC)
- The National Crime Agency (NCA) under AML obligations
- Law enforcement agencies, courts, or tribunals
- The Information Commissioner's Office (ICO)
- Other regulatory bodies as required by applicable law
6.3 Business Transfers
In the event of a merger, acquisition, reorganisation, sale of assets, or insolvency, your personal data may be transferred to the successor entity. We will notify you of any such transfer and any changes to this Privacy Policy.
6.4 With Your Consent
We may share your personal data with other third parties where you have given your explicit, informed consent to do so. You may withdraw this consent at any time.
7. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. We apply the following specific retention periods:
| Data Category | Retention Period | Reason |
|---|---|---|
| Website enquiry data (contact form submissions) | 12 months from date of enquiry | To follow up and respond; legitimate interest |
| Client service records and contracts | 6 years after the end of the business relationship | Limitation Act 1980 (contractual claims); HMRC requirements |
| Financial and transaction records | 6 years from end of the financial year in which the transaction occurred | Companies Act 2006; HMRC tax record-keeping obligations |
| AML/KYC identity verification records | 5 years after the end of the business relationship | Money Laundering Regulations 2017 (Regulation 40) |
| Marketing consent records | Until consent is withdrawn, plus 12 months for audit trail | PECR compliance; demonstrating valid consent |
| Website analytics data | 26 months | Google Analytics default retention; anonymised after expiry |
| Cookie consent preferences | 12 months | PECR compliance; to remember your preferences |
| Complaints and dispute records | 6 years from resolution | Limitation Act 1980; potential legal proceedings |
At the end of the applicable retention period, personal data is either securely deleted or anonymised so that it can no longer be associated with you. We conduct regular reviews of the data we hold to ensure we are not retaining data beyond these periods.
8. International Data Transfers
Your personal data is primarily processed and stored within the United Kingdom. However, some of our third-party service providers (such as Google Analytics) may process data outside of the UK.
Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place in accordance with UK GDPR Article 46, including:
- UK Adequacy Regulations: Transfers to countries deemed by the UK Secretary of State to provide an adequate level of data protection
- International Data Transfer Agreement (IDTA): The UK's approved mechanism for safeguarding international data transfers, replacing Standard Contractual Clauses for UK transfers
- UK Addendum to EU Standard Contractual Clauses: Where applicable, the International Data Transfer Addendum issued by the ICO
You may request further information about the specific safeguards applied to international transfers by contacting our Data Protection Lead.
9. Data Security
We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction. These measures include:
- Encryption: SSL/TLS encryption for all data transmitted between your browser and our Website (HTTPS)
- Access controls: Restricted access to personal data on a need-to-know basis, with role-based permissions
- Secure storage: Personal data stored on secure, access-controlled servers
- Regular reviews: Periodic review of our security practices and data processing activities
- Staff awareness: All personnel with access to personal data are made aware of their data protection responsibilities
- Secure disposal: Secure deletion or destruction of personal data when it is no longer required
While we take all reasonable precautions, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to notifying you and the ICO of any personal data breach that is likely to result in a risk to your rights and freedoms, in accordance with Article 33 of the UK GDPR (within 72 hours of becoming aware of the breach).
10. Your Rights Under UK GDPR
Under the UK General Data Protection Regulation and the Data Protection Act 2018, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to certain conditions and exceptions.
Right of Access (Article 15)
You have the right to request a copy of the personal data we hold about you (a “Subject Access Request” or SAR). We will provide this within one calendar month, free of charge in most cases.
Right to Rectification (Article 16)
You have the right to request correction of any inaccurate personal data, or completion of any incomplete data we hold about you.
Right to Erasure (Article 17)
You have the right to request deletion of your personal data in certain circumstances (e.g., when the data is no longer necessary, or you withdraw consent). This right does not apply where we are required by law to retain data (e.g., for tax or AML purposes).
Right to Restrict Processing (Article 18)
You have the right to request that we limit the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to our processing.
Right to Data Portability (Article 20)
Where processing is based on your consent or a contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
Right to Object (Article 21)
You have the right to object to processing based on legitimate interests or direct marketing. Where you object to direct marketing, we will stop processing your data for that purpose immediately.
Right to Withdraw Consent
Where we rely on your consent to process personal data, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. We do not currently use automated decision-making or profiling in our services.
How to Exercise Your Rights
To exercise any of the above rights, please contact our Data Protection Lead at:
- Email: carvantageltd@gmail.com
- Post: Data Protection Lead, Carvantage Ltd, 128 City Road, London, EC1V 2NX
We may need to verify your identity before processing your request. We will respond to your request within one calendar month. In exceptional circumstances (complex or numerous requests), we may extend this by a further two months, but we will inform you within the first month if this is necessary.
There is no fee for exercising your rights, unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.
11. Children's Privacy
Our Website and services are not directed to individuals under the age of 18. We do not knowingly collect personal data from children under 18 years of age. If you are a parent or guardian and believe your child has provided personal data to us, please contact us immediately at carvantageltd@gmail.com, and we will take steps to delete such data promptly.
12. Third-Party Links and Services
Our Website may contain links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy practices. We encourage you to read the privacy notice of every website you visit.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons. When we make material changes:
- We will update the “Last Updated” date at the top of this page
- For significant changes, we may notify you by email (if we have your email address) or by placing a prominent notice on our Website
- We encourage you to review this Privacy Policy periodically
Your continued use of our Website or services after any changes to this Privacy Policy constitutes your acceptance of the updated policy.
14. Complaints
We take all privacy concerns seriously. If you believe we have not handled your personal data properly or wish to raise a concern, we encourage you to contact us first so that we can try to resolve the issue:
Carvantage Ltd — Data Protection Lead
Email: carvantageltd@gmail.com
Post: 128 City Road, London, EC1V 2NX
If you are not satisfied with our response, or if you wish to make a complaint directly, you have the right to lodge a complaint with the UK's supervisory authority:
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: https://ico.org.uk
Live chat: https://ico.org.uk/global/contact-us/live-chat
We would, however, appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
CARVANTAGE LTD
Company Number: 16879932
Registered Address: 128 City Road, London, United Kingdom, EC1V 2NX
Email: carvantageltd@gmail.com