Privacy Statement
Car Hire and Ground Transportation Services
This Privacy Statement sets out details of the personal data relating to you that we collect through this website and any mobile sites and applications relating to this car hire and ground transportation services platform (the “Platform”), how we will process such data and to whom it may be disclosed. This notice also explains your rights under applicable data protection law, including the EU General Data Protection Regulation (“GDPR”) and if applicable to you, the California Consumer Privacy Act (CCPA), in relation to our processing of your data.
About Us
The operator of this website / application is the controller of the personal data which is described in this Privacy Statement (the “Controller”). References to “we”, “us” and “our” in this notice are references to the Controller and our service provider ETrawler Unlimited Company t/a CarTrawler, with VAT number 4693898K and registered address at CarTrawler, Classon House, Dundrum Business Park, Dundrum, Dublin 14, Ireland. CarTrawler acts on the Controller’s behalf as a processor to introduce customers to vehicle rental and other ground transportation services such as bus, rail and taxi transfers (“Transportation”) and ancillary travel related products and services. Once your personal details are transferred to the Transportation Provider, they become a separate data controller.
You can contact us using the details at the end of this statement.
Personal Data that We Process, Purposes and Legal Basis
In order for us to process your Transportation booking or your booking of any ancillary services we will ask you for certain information, such as your name, address, email address, payment information and booking details. We also collect certain information from the device you use to access our Platform, such as your IP address, what browser you use and what type of device you are using. In addition to the information that we collect ourselves, we sometimes receive information that is collected on our behalf by third parties, such as when you see an advert relating to our services which is displayed on a third-party site.
The following are further details of our processing and the legal basis which justifies this processing of personal data:
Transportation Quote – If you seek a quote for Transportation, we will collect your name, e-mail address, and quote reference. Where you have contacted us by phone, we will also collect your phone number and a recording of your call with us. We process this data on the basis that it is necessary in order to take steps at your request prior to potentially entering into a Transportation contract.
Abandonment E-mails and Phone Calls – If you commence but do not complete a booking, we will still have collected limited details such as your name, e-mail address and phone number (depending on your method of communication with us). We process this data in order to contact you and clarify whether you encountered any issues when seeking to make a booking. We do this on the basis of our legitimate interest in ensuring quality customer service and that there are no issues with our Platform.
Booking Details - When you make a booking with us we will ask you for information that we need in order to process the booking or to process refunds. This will include your name, address, email address, phone number and your payment details. Where we process personal data for this purpose we will do so either on the basis that it is necessary for entering into or for the performance of a contract in providing our Transportation booking service.
Queries and Complaints - If you contact our Customer Service team with a query or a complaint, we will record details of the query or complaint and how it is dealt with on our systems. We may also seek further details about the query or complaint from the relevant Transportation or other service provider, which we will also record on our systems. Calls are recorded for training and quality purposes on the basis of our legitimate interest. Where we process personal data in the context of a query or complaint we will do so on the basis of our legitimate interest in resolving customer queries and complaints. We do not generally process health data in the context of our business but there may be circumstances where we may request documents for proof to qualify for a refund and we will process that personal data on the basis that it is necessary to fulfil the performance of a contract. In the limited circumstances we process health data, this is on the basis that you explicitly consent to us using it in order to resolve your query or complaint.
Insurance Policy – If you take out an insurance policy with one of our insurance partners, we will collect your name, address, e-mail address, phone number, booking reference, IP address and payment details to facilitate the purchase of your insurance policy. Where we process personal data for this purpose we will do so either on the basis that it is necessary for entering into or for the performance of a contract with you in providing you with that service.
Other ancillary products and services – If you book or purchase any other ancillary service, such as parking, we will ask you for information that we need in order to process your request. This will include your name, address, e-mail address, phone number, booking reference, IP address and payment details. Where we process personal data for this purpose we will do so either on the basis that it is necessary for entering into or for the performance of a contract with you in providing you with that service.
Mobility Booking Details - When you use our mobility app and services on a mobile device, we will collect your name, e-mail address, phone number, loyalty ID (if relevant), password and payment details. We will also gather your location data when you use our app and during taxi journeys. This is on the basis of entering into or for the performance of a contract.
Location Data - If you are using our services on a mobile device and you have enabled location services, we will record your location to help you find local Transportation or other services on the basis of entering into or for the performance of a contract. We also use your IP address to determine what country you are in when you make a booking.
Loyalty Programme Data - If you are a member of our airline Partners loyalty programme, and the loyalty programme is integrated with Transportation services, we will store details of your loyalty membership number and your historic booking references in order to administer the loyalty programme, to add/deduct loyalty points and to notify you of loyalty rewards. We process this data on the basis that it is necessary for the performance of a contract with you.
Marketing – We will record your preferences for receiving marketing communications from us regarding our car rental products and services, as well as those of third parties. We send this marketing based on your consent.
Analysis/Reporting - We use data in relation to bookings in order to create internal reports regarding how our business is operating. We also use this data for other commercial analysis purposes, and to try to predict future trends that may affect our business. This processing is undertaken on an aggregated basis, so you are not identifiable from the reports or analysis that is produced.
Advertising - We want to ensure that when you see an advert relating to our services it will be relevant to you and your interests, whether the advert appears on a Platform we operate, in our marketing emails or on a third-party site. We may also use the same information to show you adverts for carefully selected third-party products and services. When you are using our Platform we may use the searches you have made in order to tailor our adverts to your interests. For example, if you have been searching for vehicle rental options in Berlin, we might use this information to display adverts to you on our Platform and on third party websites for vehicles to rent in Berlin that may be of interest to you. We may also use data about your past transactions on our Platform to tailor our advertising. We process your personal data for this purpose on the basis of legitimate interest and in some cases consent.
Surveys - If you participate in a survey, we will record your responses to the survey along with your name and e-mail address. We process your data on the basis of our legitimate interest to get feedback and improve the service we provide to customers.
Fraud Detection and Financial Crime Prevention – We may use your personal data for the purpose of preventing and detecting fraud and completing sanction screening on the basis of our legitimate interest.
Profiling - We use your personal information to recommend vehicles and services that might be of interest to you, identify your preferences, personalise your experience with us and for fraud prevention.
Automated Decision-Making - We process your personal data to assess the risk of fraud associated with each rental transaction. If the system detects a high likelihood of fraudulent activity based on the analysis of the collected data, it may result in an automated decision to deny access to the car for hire. If an automated decision is made that significantly affects you, you have the right to request human intervention, express your point of view, and contest the decision. We may personalise the pricing for services available through the booking engine on the basis of automated decision-making.
When you use our Platform, we use various technologies to automatically capture details about the device you are using and how you interact with the Platform. This information includes:
Device Details and how you interact with the Platform - We automatically collect details about the device you are using, including its IP address, its device ID, the browser you are using, and the operating system that the device uses. We record details about how you use our Platform, e.g. the date and time that you visit, what pages you visit, how long you stay on the pages, where you have clicked on a page, and details of any crashes or system bugs you may have encountered. We use this data in order to deliver our services and personalise your experience. We also use the data to test new features that we are thinking about introducing, to analyse how our Platform is used, and to evaluate and improve our services. Where possible we use this data on an anonymous basis. This processing of your personal data is on the basis of our legitimate interests in operating, improving and securing our services.
How You Reached the Platform - Where we can, we record how you arrived on our Platform (e.g. whether you arrived from a search engine, or by clicking on one of our adverts). We collect cookie consent to allow for this processing.
Sources of Personal Data
Although we mainly collect information directly from you, there are circumstances where we collect information from third party sources. These circumstances may include:
Third Parties – We may operate a programme under which third parties advertise our Platform on our behalf. If you click on one of those advertisements you are directed to our Platform using a technology that allows us to understand which third party referred you. We then track if you make a booking, and if you do we attribute that booking to the relevant third party for the purposes of paying them a commission. However, we do not provide the third party with any personal information in relation to you.
Service Provider - If there are any issues with your Transportation or other service provider, the service provider may contact us with information about the issue.
Advertisements - If we work with third parties to display advertisements we may use technologies like cookies or pixel tags to record details of your interaction with those advertisements. This data is sometimes sent to us through cookies and pixel tags that are set on our behalf by those third parties.
Other individuals – Where you provide us with personal data on behalf of someone else, you confirm you have their consent to do so and will provide them with a copy of this Privacy Statement.
Personal Data that We Require You to Provide
You are not obliged to provide us with any of your personal data. However, if you want to make a Transportation booking, or avail of an ancillary service, you will need to provide us with the information that is requested on our booking engine. If you don't provide us with this information, we will not be in a position to process your booking. Similarly, you may be required to provide certain information if you contact our customer services team with a query or complaint. We will inform you where such information is required.
Recipients of Data
In order to process your booking, we have to send your details to the relevant Transportation provider. If you contact us with a query or complaint in relation to a booking, we may also share details of the query or complaint with the Transportation provider so that we can resolve it.
If you purchase another service, we may need to share personal data with the third-party service provider so that they can provide you with that service. If you make a claim under an insurance policy, we may need to share personal data with the underwriter or other appointed claims handler.
In line with our obligations to partners, such as airlines, we may share personal data with the partner to analyse bookings and ensure quality customer service.
We also use a number of service providers to assist us in providing our services, some of whom will have access to your data (e.g. we use various software service providers who host our data as part of their services). Where we engage a third party to process your data on our behalf, we make sure that they respect your privacy rights and that they process data in accordance with data protection law. Further details are as follows:
Hosting Providers - We use various cloud service and co-location providers to help us host and manage our data.
Payment Processors - We use third-party payment processors and providers in order to assist us processing payments on our Platform. AIB Merchant Services, Worldpay, Klarna and PayPal are separate data controllers. Their respective privacy policies can be found here:
AIB MS: https://www.aibms.com/privacy/
Worldpay: https://www.fisglobal.com/en/privacy
Klarna: https://www.klarna.com/international/privacy-policy/
PayPal: https://www.paypal.com/myaccount/privacy/privacyhub
Technology Providers - This includes service providers who provide services such as a translation tool, helping us to secure our network, systems and emails, and help us manage your data subject rights requests.
Customer Service Providers – We use a third-party service provider to provide customer service outside working hours and third-party platforms for processing customer correspondence.
Auditors - We have an internal and external audit function that is provided by third parties. The auditors help us to ensure that we are complying with our legal obligations, including in relation to our processing of personal data. In certain circumstances this may mean that they have access to our systems that process personal data, or that they might need to review how we have processed certain personal data.
Fraud and screening databases – We may use external fraud detection and prevention databases and screening tools that are available in the industry and publicly available information to prevent and detect possible criminal activity, sanctions or fraud.
Law Enforcement Agencies – We may share your data with law enforcement agencies in order for them to investigate, detect or prevent possible criminal or fraudulent activity on the basis of complying with a legal obligation.
Transfers Abroad
In respect of personal data that is (i) processed in the EU or (ii) processed in connection with individuals based in the EU, such that GDPR applies, there are certain circumstances where we will transfer your personal data outside of the European Union to a country which is not recognised by the European Commission as providing an equivalent level of protection for personal data as is provided for in the European Union. The most common of these is where we transfer personal data to a Transportation provider in the country you have chosen so that they can fulfil your booking. This transfer would fall under Derogation 49 1) b) where the transfer is occasional and necessary for the transportation service to be provided to the customer. Similarly some of our payment providers are based in the US and the transfer would fall under derogation 49 1) b) where the transfer is occasional and necessary so that the data subject can pay the fee associated with the transportation. We may also transfer your personal data outside of the European Union in connection with the operation of our business, namely when we use a service provider that is based in the US, Egypt or the UK. If we transfer your personal data outside of the European Union, we will ensure that appropriate measures are in place to protect your personal data and comply with our obligations under applicable data protection law. Where we transfer personal data to the US and Egypt, we enter into contracts in the form approved by the European Commission with the entity to whom we have transferred personal data. Where we transfer personal data to the UK, this is based on an adequacy decision delivered by the EU Commission, where the EU Commission decided the UK ensures an adequate level of protection for EU personal data. 
The following categories of data are transferred to our email security software system in the UK: Name, booking reference, telephone number, address, email address, IP Address and customer correspondence. You can find further information on this adequacy decision here: https://ec.europa.eu/commission/presscorner/detail/en/ip_21_3183
On 4 June 2021 the European Commission published new standard contractual clauses (SCCs) to incorporate the requirements of GDPR and the Schrems II decision. CarTrawler has updated our data protection agreements with third parties to implement the new SCCs, where we rely on this mechanism and has adopted contractual, organisational and technical measures in line with the EDPB Recommendations, including but not limited to state of the art encryption on data in transit and at rest, malicious code detection software, an intrusion detection monitoring process, network and application level scanning and penetration testing, security access controls, annual staff compliance training, Transfer Impact Assessments in place for all processing that takes place outside the EEA and a Law Enforcement Request policy in place in the event it receives a request for personal data from a law enforcement agency. CarTrawler ensures that third parties we transfer data to implement similar measures to ensure all personal data has an adequate level of protection when transferred outside the EEA.
Retention
We retain your personal data in accordance with our record retention policy. The record retention policy operates on the principle that we keep personal data for no longer than is necessary for the purpose for which we collected it, and in accordance with any requirements that are imposed on us by law. This means that the retention period for your personal data will vary depending on the type of personal data. For example:
Transaction Data – We retain details of your bookings and your interaction with us in relation to such bookings for as long as is necessary to facilitate your booking and resolve any issues that may arise. Where your marketing preferences are such that we are able to send you marketing messages, then such data will still be retained as per the details below.
Loyalty Programme Data – We retain data relating to loyalty programmes for as long as is necessary to facilitate administration of the loyalty programme.
Email Marketing - We will keep a copy of personal data that is required in order to send you marketing messages for as long as necessary to facilitate your marketing preferences. As part of this we will also retain certain information in relation to your transactions in order to allow us to customise our marketing messages.
Managing legal claims – When we assess how long we keep personal data we take into account whether that data may be required in order to bring or defend any legal claims. If such data is required, we may keep it until the statute of limitations runs out in relation to the type of claim that can be made (which varies from 2 years to 12 years).
Sale of Personal Data
If you are resident in California and subject to the CCPA, we are required to say if we sell your personal data. We do not and will not sell personal information within the scope of application of the CCPA to any third parties.
Cookies
This Platform uses cookies. Cookies are small, simple text files that are sent from a website and stored on your computer, tablet or mobile phone when you visit a website. Information related to your visit of a website is recorded in these cookies. To find out more about the cookies we use, please view the cookies policy that is available on this website.
Other websites
This Platform may contain links to other websites or you may have arrived here via a link from another website. This Privacy Statement only applies to this Platform and the services operated by CarTrawler in connection with the Platform. When you link to other websites you should read their own privacy statements.
Important Information about Consent
In circumstances where we process your personal data on the basis of your consent, you are free to withdraw that consent at any time. You can withdraw your consent by contacting us using the contact details at the bottom of this statement. If your consent relates to receiving email marketing you can use the unsubscribe link in the email. Please note that if you withdraw your consent we may not be able to continue to provide the related service to you.
Your Rights
You have the following rights, in certain circumstances, in relation to your personal data:
Right to access the data - You have the right to request a copy of the personal data that we hold about you, together with other information about our processing of that personal data.
Right to rectification - You have the right to request that any inaccurate data that is held about you is corrected, or if we have incomplete information you may request that we update the information such that it is complete.
Right to erasure - You have the right to request us to delete personal data that we hold about you. This is sometimes referred to as the right to be forgotten.
Right to restriction of processing or to object to processing - You have the right to request that we no longer process your personal data for particular purposes, or to object to our processing of your personal data for particular purposes.
Right to data portability - You have the right to request us to provide you, or a third party, with a copy of your personal data in a structured, commonly used machine readable format.
Right to Non-Discrimination – You have the right not to be discriminated against, for exercising any of your data protection rights.
In order to exercise any of the rights set out above, please contact us using the contact details at the bottom of this statement or click on the following link:
https://privacyportalde-cdn.onetrust.com/dsarwebform/d542f8c6-e8f4-416b-8125-62a18e5fc649/9ee201c6-e6ac-41c4-bd6c-3e7787691a53.html
Changes to our Privacy Statement
We keep our privacy statement under regular review and we will place any updates on this web page.
Accessibility
If you would like to access this policy in an alternative format, please contact us using one of the channels listed in the “Questions and Complaints” section below.
Questions and Complaints
If you have any queries or complaints in connection with our processing of your personal data, you can get in touch with CarTrawler (acting on our behalf) using the following contact details:
By post: Data Protection Officer, CarTrawler, Classon House, Dundrum Business Park, Dundrum, Dublin 14, Ireland
By email: dpo@cartrawler.com
Website: www.cartrawler.com
In order to respond to and process your request, you may need to provide us with personal information in order for us to verify your identity.
You also have the right to lodge a complaint with your local data protection supervisory authority if you are unhappy with any processing of your personal data by us.
Updated at: Fri, 02 Aug 2024 12:14:22 GMT