carVertical

Privacy notice on the processing of vehicle data

1. For whom is this privacy notice intended?

1.1. We care about privacy and personal data security. This privacy notice (hereinafter - ‘the Privacy Notice’) explains our policy of handling vehicle data. This document contains important information, which hopefully you are going to read.

1.2. In accordance with Article 11(2) Sentence 1 of the General Data Protection Regulation 2016/679 (EU) (hereinafter – the ‘GDPR’), we are informing You to be aware that we cannot directly link vehicle data to the owner or holder of that vehicle. Although in such cases we are under no obligation under Article 11(1) of the GDPR to inform about the ways your vehicle data is processed, being committed to the highest possible transparency we would like to provide You with the relevant information.  

1.3. ‘You’ in this Privacy Notice shall mean the owner (natural person) or holder (natural person) of the vehicle about which we collect data.  

1.4. This Privacy Notice may be subject to change. We will post the changes on the online vehicle history checking website www.carvertical.com or its Android and iOS mobile application (hereinafter the website and mobile application are jointly referred to as the ‘Platform’).

1.5. If You use our Platform, you are also welcome to read the privacy notice for Platform visitors and users (customers) of our services.

2. Data controllers

2.1. The vehicle data is controlled by UAB “cV Group”, legal entity code 303134915, address Aukštaičių Str. 7, LT-11341 Vilnius, Lithuania and/or carVertical OÜ, legal entity code 14416655, address Narva mnt. 5 Tallinn, 10117 Estonia (hereinafter jointly referred to as carVertical or us). Both companies are joint controllers in the sense of Article 26(1) of the GDPR. 

2.2. Contact details of the Data Protection Officer: dpo@carvertical.com

3. Purposes and legal basis for data processing

3.1. We process vehicle data to create a transparent market of used vehicles in order to protect used car buyers from fraud and contribute to the safety of road traffic and road users. This purpose covers our commitment to:

  1. 3.1.1. provide clear and understandable information about the vehicle of interest to the individual that would otherwise be costly, difficult or impossible to verify independently;
  2. 3.1.2. collect and control information on vehicles, and to administer/develop internal databases to provide relevant information in reports.

3.2. We process vehicle data on the basis of our legitimate interest or the legitimate interest of a third party (a user of our services, a purchaser of a report, a road user, etc.) (Article 6(1)(f) of the GDPR) with intend our services to help:

  1. 3.2.1. proper identification of the vehicle on which the information is collected;
  2. 3.2.2. the recipient of a carVertical report to obtain, in a quick, convenient and cost-effective manner, a better knowledge of the history and condition of vehicles, based on data from a variety of different sources and countries;
  3. 3.2.3. to protect the recipient of a carVertical report from possible fraud due to incomplete information, i.e., attempts to sell a stolen vehicle, to falsify the mileage of a vehicle, to sell a damaged vehicle, or to conceal defects in a vehicle which are essential to the safety of the vehicle and to the individual’s decision to purchase it;
  4. 3.2.4. ensure that unsafe or stolen vehicles do not enter civil circulation or road traffic;
  5. 3.2.5. to make more informed, cost-effective decisions when the recipient of a carVertical report chooses/buys/sells/operates a vehicle;
  6. 3.2.6. reduce the number of disputes between sellers and buyers of vehicles;
  7. 3.2.7. increase transparency of the used vehicle market and trust among market participants;
  8. 3.2.8. to develop and improve our services, database, quality of reports, to provide data-based and accurate information on the condition of the vehicle.

3.3. We use some vehicle data for the following additional purposes: to train artificial intelligence tools, to analyse relevant performance statistics, and to handle and control disputes and claims relevant to our business and to establish, exercise or defend legal claims and defend our company’s business interests. We process the data for these additional purposes based on our legitimate interest to develop our business, to ensure the quality of our services, to resolve disputes (Article 6(1)(f) of the GDPR). We also may be subject to a legal obligation in a specific circumstance (for example, to comply with a court order) and will then process personal data to comply with our legal obligations (Article 6(1)(c) of the GDPR).

4. Personal data processed

4.1. When collecting information about vehicles, we process the following categories of data:

  1. 4.1.1. vehicle identification and technical parameters of vehicles: vehicle VIN, licence plate number, registration data, model, year of manufacture, emissions, specs and equipment;
  2. 4.1.2. vehicle service and event data: service, event (damage), import/export, usage purpose records also mileage, warranty, insurance, theft and accident data;
  3. 4.1.3. financial data on the vehicle: date (when the financing started), type (leasing, hire purchase, etc.), term of financing, etc;
  4. 4.1.4. other data: photos of the vehicle, data on the change of ownership (fact of change of registration), publicly available information;
  5. 4.1.5. data contained in carVertical reports: vehicle records according to clauses 4.1.1 - 4.1.4 (after the expiry date of the report (30 days after the acquisition), we have no way to determine what data was provided in a specific report when it was purchased, and we process the vehicle data contained in the report in the same way as any other vehicle data).

4.2. The reports we provide are produced using an automated task solution (data aggregation), based on a query from the customer who ordered a report. We use a VIN-oriented data analysis approach and link the information to a specific vehicle according to its VIN. For the preparation of reports, we select and organize information on the vehicle as an object (asset) and do not collect information on its owners or holders.

5. Data recipients and data transmission

5.1. We provide aggregated vehicle data to the persons who have ordered it.

5.2. We may transfer vehicle data to data processors who assist us in our activities, such as cloud hosting, database management, etc. The main data processors:

  1. 5.2.1. Cloud hosting service providers: (i) Amazon Web Services, Inc. Data is processed in EEA (ii) MongoDB, Inc. Data is processed in EEA;
  2. 5.2.2. Database management: Atlan Pte. Ltd. Data is processed in EEA.

5.3. We may provide data to law enforcement and pre-trial investigation authorities, courts and other dispute resolution authorities, and other persons exercising functions under the law, in accordance with the procedures provided by law. We provide information to these entities as required by law or as specified by the entities themselves.

5.4. We may also transfer data to:

  1. 5.4.1. companies within the group of companies to which we belong, or joint data controllers, if any;
  2. 5.4.2. if necessary, to companies intending to buy or acquire our business or make joint ventures or other forms of cooperation with us, as well as companies established by us.

5.5. We generally process personal data within the EU/EEA but in some cases this data may be transferred outside the EU/EEA. Personal data outside the EU/EEA is transferred based on:

  1. 5.5.1. a data processing or supply agreement that describes such transfer and includes Standard Contractual Clauses for international transfers (to request a copy, please reach out to our Data Protection Officer); or
  2. 5.5.2. an adequacy decision adopted by the European Commission, which means that the European Commission has recognised the country or sector in which the third party is established and/or carries out its activities as providing an adequate level of protection of personal data; or
  3. 5.5.3. a specific authorisation by the State Data Protection Inspectorate of the Republic of Lithuania to carry out such transfer.

5.6. carVertical reports do not link the vehicle data to a specific person. If other data known to the recipient of the report allows the content of the report to be directly linked to a specific person, we consider such direct linking to be carried out independently by the recipient of the carVertical report.

6. Data sources

6.1. We process data from a variety of sources, such as official vehicle registers, maintenance and vehicle repair service providers, authorised repairers, vehicle dealers, insurance claims administrators, and information publicly available on the internet.

7. Data retention period

7.1. Personal data will be retained for as long as it is necessary for one of the purposes indicated in this Privacy Notice.

7.2. As a rule of thumb, data relating to vehicles shall be retained for 30 years from the date then carVertical receives the vehicle data. This retention period is in line with the lifespan of an average vehicle.

8. Application of automated data processing solutions

8.1. We may use an automated data processing solution to process vehicle data, for example, to analyse or aggregate vehicle information, to ensure the quality of the reports we provide at carVertical, or to train the artificial intelligence solution we use.

8.2. Automated decision-making means processing of personal data using a software code or algorithm, an artificial intelligence solution that does not require human intervention. We regularly review the methods we use to make such decisions to ensure that they are fair, efficient, and impartial. If a data subject objects to the results provided by an automated solution, they are evaluated by our specialists.

9. Your rights

9.1. You have the following rights:

  1. 9.1.1. the right to have access to your personal data and to receive information about the processing of your personal data;
  2. 9.1.2. the right to rectify your personal data if it has changed or if it is inaccurate or incorrect. We may ask you to provide evidence that the information is inaccurate or incorrect;
  3. 9.1.3. the right to erasure (right to be forgotten) unless we are obliged to retain the data or our interests in the processing continue to prevail;
  4. 9.1.4. the right to restrict the processing of the data under certain conditions set out in the GDPR;
  5. 9.1.5. the right to object to the processing of your personal data when it is processed for legitimate interests;
  6. 9.1.6. the right to lodge a complaint with the data protection supervisory authority if you believe that your data is not processed properly.

9.2. If you wish to exercise the rights listed above, you can contact us by email at info@carvertical.com  or contact the Data Protection Officer at dpo@carvertical.com.

9.3. When you make a request to exercise your data subject rights, we will ask you to provide information about your identity and relation to a particular vehicle (e.g., the vehicle registration document). We need such information as we do not collect data that allow direct identification of a data subject.

9.4. In order to better understand your request, we may ask you to fill in the relevant request form, ask you to provide a request signed with a smart or qualified electronic signature, or send your request by post.

9.5. We may refuse to let you exercise your rights, such as the right to provide, rectify or erase the data that you have requested, where fulfilment of such request is not authorised under the GDPR, if we have established that our legitimate interest or that of a third party overrides the likely impact of the data processing on the protection of your rights, or if we are unable to identify you, where identification is necessary for us to comply with your request.

9.6. We do not normally charge any fee for exercising your rights. However, the law allows us to charge a reasonable fee or to refuse to comply with your request if it is manifestly unfounded or excessive.

9.7. Upon receipt of your request, we will provide you with a response no later than 1 month from the date of the request and will carry out the actions set out in the request or inform you of our grounds for refusal to do so. If necessary, the time limit may be extended by a further 2 months depending on the complexity and number of requests. In this case, we will inform you of the extension within 1 month of receipt of your request.

9.8. If personal data is erased, we may retain copies of the information if it is necessary to protect our legitimate interests and those of others, to comply with obligations of public authorities, to resolve disputes, to identify disruptions or to comply with agreements.

10. Contact us

10.1. You can contact us in relation to any data processing issues by email at info@carvertical.com, by contacting the Data Protection Officer at dpo@carvertical.com, or by registered mail addressed to UAB “CV Group”, Aukštaičių Str. 7, LT-11341 Vilnius or by phone +370 68903070.

Date of last update: 02/06/2024