PRIVACY STATEMENT FOR EUROPEAN CONSUMERS AND CUSTOMERS
February 25, 2019
We are CarGurus, Inc., of 2 Canal Park, 4th Floor, Cambridge, Massachusetts 02141, USA (and our subsidiaries). Either we or one of our European subsidiaries is the data controller of your personal data. If you have any questions or concerns about the information presented here, or about what we do with personal data, you should email us at email@example.com or write to us at the above address, to the attention of our General Counsel.
From time to time we update this Privacy Statement so we encourage you to refer back to this page regularly.
Our sites are not intended to be used by children.
In summary, we use personal data:
- to connect consumers interested in listed vehicles with the dealerships that are advertising them for sale
- to operate the interactive features of our websites and mobile applications, such as the discussion forums, saved searches and pricing alerts
- to promote our services, and to help our advertisements appear to people who are more likely to be interested in them
- to manage our customer relationships, handle queries and complaints, prevent fraud and otherwise operate our business.
The rest of this statement provides further details. In order to help you reach the information you want quickly, we have divided this page into different sections according to your different potential interactions with us. You can get to the section you want by following the links below.
What would you like to know more about?
- I want to know what happens when I ask to be put in touch with a dealership about a vehicle listed on your website
- I want to know what happens if I purchase a vehicle I found through your site
- I want to know what happens when I create an account or subscribe to emails
- I want to know what happens when I use the forums
- I work at a dealership whose inventory is listed on your site, and I want to know what you know about me and what you do with that information
- I work at another business you work with, such as an advertiser or supplier, and I want to know what you know about me and what you do with that information
- I want to know about how you use personal data to prevent fraud
- I want to know what kinds of third parties you work with
- I want to know where else in the world you transfer my personal data
- I want to know about my rights and how to exercise them
When you ask to be put in touch with a dealership
You can use our website to be put in contact with a dealership that has a vehicle for sale that you are interested in buying. Our websites have a form for that purpose. We then either connect you with the dealership through our systems, or pass the information that you provide to the dealership to them so they can follow up with you directly. Which of those we do depends on the relationship we have with the dealership.
Where we pass on your details directly, the receiving dealership is then the controller of their copy of your personal data, and they are responsible for what, if anything, they do with it. Typically, we would expect them to contact you by email or phone to see if you wish to take things forward (arrange a test drive, for example).
Where we connect you with the dealership through our systems, we will pass messages back and forth between you and the dealership. Again, the content of those messages will be seen by the dealership, and they are responsible for what, if anything, they do with it. At a point in discussions you will likely engage with the dealership directly, for example for a test drive or to inspect the vehicle in person.
Alternatively, you can call the number for a dealership provided on our website to be connected to the dealership that way. If you do, we will have a record that the call took place, but we do not record the calls themselves, and we will not know what was discussed. The dealership is responsible for what they do with any information you give them on the phone. We use the call records that we have only for customer service purposes and to keep dealerships informed of which calls they have received through us.
You can also, if you wish, choose to receive email alerts or newsletters from us about vehicles listed on the websites.
We will retain this information for up to 10 years, in case of disputes. Of course, if you have created an account with us, then we will also continue to hold the account information you provided for that reason. You can learn more about that here.
We do these things either on the basis that they are necessary in order to provide our service, or on the basis of our legitimate interest in promoting vehicles listed on our websites.
When you buy a vehicle that you found through CarGurus
Some dealerships report sales back to us. We ask dealerships who do that to tell you first, and to give you the opportunity to object. The information they give us will typically be restricted to the vehicle identification number (VIN), the date of the sale and your postcode. We use that information together with our records of searches on our website to produce reports showing correlations between referrals to dealerships from our website and sales for dealerships, in order to help us to demonstrate the value of our paid services to dealerships. We do this on the basis of our legitimate interest in understanding sales conversion rates and promoting our paid services.
Cookies and advertising on our website
Cookies and analytics
We keep the information we gather from cookies for up to 10 years. For our login and session cookies, we do this on the basis that it is necessary to provide the features of our websites that require it. For our analytics cookies, we do this on the basis of our legitimate interest in understanding how people use and interact with our websites.
We work with a number of technology partners to maintain and enhance our websites. The following list describes our most commonly used cookies.
CarGurus may partner with advertising networks, which may use information collected through a variety of data to provide customization, auditing, research and reporting for us and advertisers. We may also act as an advertising network and use information collected through a variety of data technologies while you are on our site and elsewhere where we may be acting as a third party. This data collection takes place both on the site and on third parties’ websites and mobile applications. This process allows CarGurus and third parties to deliver targeted advertising, enhance marketing programs and help track the effectiveness of such efforts. Advertising networks also may use this information for determining or predicting the characteristics and preferences of their respective advertising audiences and for measuring the effectiveness of their advertising in accordance with their privacy policies.
In a nutshell, the effect of these data technologies is that, if you have looked at vehicles on our site, it is more likely that adverts for CarGurus will appear when you are browsing on other websites. The third-party adverts which appear on our own sites are chosen according to the content of the pages you view on our sites and information about your browsing habits already known to our third-party advertising partners. For example, if you are looking at a CarGurus page showing vehicles made by a particular manufacturer, it is likely that the adverts appearing on that page will be for that manufacturer.
We do not provide information that is directly associated with a specific person (such as name and address) to any advertising network when you interact with or view a customized advertisement. However, when you view or interact with an advertisement, the advertiser may make an assumption that you are interested in the subject matter of the advertisement.
The landscape around interest-based advertising is continually changing, both as new laws and regulations are interpreted and applied and also as companies and advertisers create industry standards on acceptable practices. Though some standards have been widely adopted, certain mechanisms around privacy, consent, and transparency differ between various advertisers and advertising associations.
While we may use a variety of service providers to perform advertising services, some of these companies are members of the Network Advertising Initiative (NAI) or the Digital Advertising Alliance (DAA) Self-Regulatory Program for Online Behavioral Advertising. You may see an icon in or around third-party advertisements on the site that use interest-based advertising programs and on pages where data is collected and used for online interest-based advertising. Clicking on this icon will provide additional information about the companies and data practices that were used to deliver the ad. You may want to visit http://www.networkadvertising.org/managing/opt_out.asp, which provides information regarding targeted advertising and the “opt-out” procedures of NAI members. You may also want to visit http://www.aboutads.info/choices/, which provides information regarding targeted advertising and offers an "opt-out" by participating companies in the DAA Self-Regulatory Program.
Some companies participate in the Interactive Advertising Bureau (IAB) Framework and are able to receive and act upon your consent preference as to certain cookie types and advertising vendors available in our Privacy Preference Centre.
We also partner with Amazon to deliver advertisements, and you can opt out of delivery of targeted advertising to you by Amazon by visiting www.amazon.com/adprefs.
Please note that, even if you opt out through one of these mechanisms, you will continue to receive advertisements, but they may not be tailored to your specific interests.
We keep the information we gather from advertising cookies for up to 10 years. How long gathered advertising data is retained by our advertising partners is determined by them. We can provide further information on request. Where required, we use advertising cookies on the basis of your consent, which we will ask you for in a banner notice the first time you visit our website.
You may refuse to accept many cookies from our sites or any other website at any time by activating certain settings on your browser. Most browsers automatically accept cookies, but you can usually modify your browser to decline cookies if you prefer. If you choose to decline cookies, you may not be able to sign in or use other interactive features of our sites that depend on cookies. More information can be found at:
- "Privacy Browsing" in Firefox
- "Incognito" Browsing in Chrome
- "InPrivate" Browsing in Internet Explorer 11
- "InPrivate" Browsing in Microsoft Edge
- "Private Browsing" in Safari
- Safari Mobile (iPhone and iPads)
- How to reset your Apple IDFA
- How to reset your Google Advertising ID
Do Not Track (DNT) signals
We currently do not respond to browser Do Not Track signals but will continue to review the mechanism and may adopt a standardised usage in the future. If we do so, we will provide relevant information in this policy.
Please note that if you choose to do this, you may not be able to access many features on our site, and some parts of the site may not work properly.
CarGurus accounts and emails
Certain features of our websites, such as the discussion forums and the "virtual garage", require you to create an account with us. When you do so, we will use the information you provide when you create the account in order to administer it, and to give you access to those features.
You also have the option to subscribe to a range of email alerts relating to your interactions with us, such as new inventory matching search criteria you specify, and new posts in discussion threads that you have followed or replied to. We use industry tools to help us gauge interest in our email messages, including seeing whether you opened the message. You can control email alerts through the control panel here.
We will keep your account information for as long as your account is active, and for up to 10 years afterwards.
We do this on the basis that it is necessary to provide those features of our websites.
Using message boards and forums
Any information you choose to voluntarily post to message boards and other interactive forums is by its very nature being made publicly available to other users who have access to that portion of the website or service. We would encourage you not to share your personal data. Any disclosures you make are at your own risk. Where you do reveal personal data, it will be processed on the basis of our legitimate interests (to operate our forum) and on the basis that you have made that information publicly available.
The personal data of people working at dealerships
We can come into possession of the personal data of people working at dealerships in a few ways.
For all of our customers and dealerships whose inventory we host, we will have the work contact details of the people we work with there to manage that relationship. We will also have work contact details of anyone working at a dealership who has attended or enrolled in one or our events or webinars or created an account to interact with our tools or services.
Some dealerships provide automated feeds of their inventory via various third-party inventory syndicators that we subscribe to. In addition to details about the available vehicles, those feeds will typically contain basic contact details for the dealerships, which can in some circumstances include names and work email addresses of individuals at the dealerships whom the dealerships have nominated as sales contacts for the listed vehicles.
We use the provided dealership contact details to connect dealerships with consumers making enquiries about the vehicles they have listed. We also use them to promote our dealership events and webinars and our premium subscription service to the dealerships, via mail, email and phone, and to manage our relationships with them. We utilise CRM tools to manage customer relationships, data, and communications. Our third-party service providers are described in further detail here.
We will always remove you from our marketing lists if you ask us to. Typically, the best way to do that is to use the link at the bottom of our emails.
We keep the details of our contacts at dealerships for as long as their inventory is on our site, and for up to 8 years afterwards.
We do this on the basis of our legitimate interest in connecting consumers looking to buy cars with dealerships that have cars for sale, in providing our services to dealerships, in promoting our events and product offerings, and in managing our business.
The personal data of people working at other organisations
When we work with other businesses and organisations, such as our advertising customers, we will have the business contact details of the relevant people who work there, and we will use them to manage our relationship with those businesses and (where relevant) to promote our services to them.
We will also receive the work contact details of people working at actual or potential customers if they attend or enrol in an event or webinar that we host. If they are not already customers, we will use those details to provide the event or webinar, and to promote our services to them.
We keep information about people working and customers or suppliers for as long as the relevant businesses are customers or suppliers (as applicable), and for up to 8 years afterwards, in case of issues or disputes. We also keep the information about people working at a prospective customer for as long as that business is a realistic prospect, and for up to 8 years afterwards, again in case of issues or disputes.
Using personal data to detect and prevent fraud
We process personal data ourselves, and share certain personal data with our third-party fraud prevention partners, in order to detect fraud and to reduce the incidence of fake reviews on our websites. We do that on the basis of our legitimate interest in preventing fraud and in increasing the reliability of the reviews on our websites. We will share information on suspected fraud and illegal activities with the relevant authorities when we consider it appropriate.
One of our third-party fraud prevention partners is MaxMind (https://www.maxmind.com). The data we process and share with MaxMind for this purpose consists chiefly of website usage information such as logs of pages you visit and links you click on, information identifying your browser and/or device, and your approximate geographical location. MaxMind also aggregates some of the data we share with it into its wider fraud prevention databases, which it makes available to its customer base generally. You can read more about MaxMind, what they do with your personal data, how to exercise your rights in respect of their databases and how to contact their data protection officer, here: https://www.maxmind.com/en/privacy-policy.
Third-party service providers
We also share personal data with third parties who need it in order to provide services to us in support of the purposes described throughout this notice. For example, we use external providers to host our websites and databases, to process customer payments, and to operate our email alerts and marketing communications. We also use an external data warehouse provider to store and manage for us the data gathered by our advertising cookies.
We have also taken steps to ensure that suppliers to us who handle personal data, especially suppliers of online services like hosting, are bound to us by contracts which comply with European data privacy standards, and we fully intend to enforce those contracts if necessary to safeguard your rights.
International transfers of personal data
Most of our operations are based in the USA, and so we do transfer your personal data to the USA for processing when the relevant business function resides there. In order to safeguard your rights and freedoms, we have put in place contracts with our European subsidiaries and our suppliers outside of the European Economic Area in the form approved by the European Commission for these kinds of transfers. We can provide you with a copy of those contracts on request.
Your rights and how to exercise them
European and/or UK privacy laws give you certain rights in respect of the information that we hold about you. Below is a short overview of those rights.
- With some exceptions, you have the right to have a copy of the personal data that we hold about you. We may make a reasonable charge for additional copies of that data beyond the first copy, based on our administrative costs. For data that you have given to us, you have the right to receive your copy of it in a common electronic format, and to provide copies of it to other people if you wish.
- You have the right to have the personal data we hold about you corrected if it is factually inaccurate.
- In some circumstances, you have the right to have personal data that we hold about you erased (the "right to be forgotten"). This right is not generally available when we still have a valid legal reason to keep the data.
- You have the right to require us to stop using your personal data for marketing purposes.
- You also have the right in some circumstances to request that temporary restrictions are placed on how we process your personal data, for example, if we are processing it on the basis of our legitimate interest, and you contest our assessment that our interest is not overridden by your fundamental rights and freedoms.
- If we are processing your personal data on the basis of your consent, you have the right to withdraw that consent at any time, in which case we will stop that processing unless we have another legal basis on which to continue.
If you want us to stop sending you marketing emails, the quickest and most efficient way is to use the links provided in our emails (although you can also contact us directly if you prefer). Otherwise, if you want to exercise your rights in respect of your personal data, the best way to do so is to contact us by email at firstname.lastname@example.org or to write to us at the address above to the attention of the General Counsel. In order to protect your privacy, when you contact us we may ask you to prove your identity before we take any steps in response to such a request.
In some cases, typically for people who work at dealerships who pay for our products, the actual controller of your personal data might be one of our local subsidiaries, but you can always contact CarGurus, Inc. for help or if you want to exercise your rights, regardless of which of our group companies is technically the controller.
When CarGurus, Inc. itself is the data controller, CarGurus Ireland Limited of First Floor, Styne House, Upper Hatch Street, Dublin 2, Ireland is our representative in Europe for data privacy purposes, and you can also contact them if you have questions or concerns.
You also have the right to lodge a complaint about our handling of your personal data with your local data protection authority, which is:
- In the UK, the Information Commissioner’s Office (http://ico.org.uk)
- In the Republic of Ireland, the Data Protection Commissioner (https://dataprotection.ie)
- In Germany, the data protection commissioner for your home state
- In Italy, the Garante per la Protezione dei Dati Personali (http://www.garanteprivacy.it)
- In Spain, the Agencia Española de Protección de Datos (https://www.agpd.es)