PRIVACY STATEMENT FOR EUROPEAN CONSUMERS AND CUSTOMERS
We are CarGurus, Inc., of 2 Canal Park, 4th Floor, Cambridge, MA 02141, USA (and our subsidiaries). Either we or one of our European subsidiaries is the data controller of your personal data. If you have any questions or concerns about the information presented here, or about what we do with personal data, you should email us at firstname.lastname@example.org or write to us at the above address, to the attention of our General Counsel.
Our sites are not intended to be used by children.
In summary, we use personal data:
- to connect consumers interested in listed vehicles with the dealerships that are advertising them for sale
- to operate the interactive features of our websites and mobile applications, such as the discussion forums, saved searches and pricing alerts
- to promote our services, and to help our advertisements appear to people who are more likely to be interested in them
- to manage our customer relationships, handle queries and complaints, prevent fraud and otherwise operate our business.
The rest of this statement provides further details. In order to help you reach the information you want quickly, we have divided this page into different sections according to your different potential interactions with us. You can get to the section you want by following the links below.
What would you like to know more about?
- I want to know what happens when I ask to be put in touch with a dealership about a vehicle listed on your website
- I want to know what happens when I am browsing your websites, or when I create an account, and how you choose the adverts to display to me
- I work at a dealership whose inventory is listed on your site, and I want to know what you know about me and what you do with that information
- I work at another business you work with, such as an advertiser or supplier, and I want to know what you know about me and what you do with that information
- I want to know about other uses of personal data in your business
- I want to know where else in the world you transfer my personal data
- I want to know about my rights and how to exercise them
When you ask to be put in touch with a dealership
You can use our website to be put in contact with a dealership that has a vehicle for sale that you are interested in buying. Our websites have a form for that purpose. We then either connect you with the dealership through our systems, or pass the information that you provide to the dealership to them so they can follow up with you directly. Which of those we do depends on the relationship we have with the dealership.
Where we pass on your details directly, the receiving dealership is then the controller of their copy of your personal data, and they are responsible for what, if anything, they do with it. Typically, we would expect them to contact you by email or phone to see if you wish to take things forward (arrange a test drive, for example).
Where we connect you with the dealership through our systems, we will pass messages back and forth between you and the dealership. Again, the content of those messages will be seen by the dealership, and they are responsible for what, if anything, they do with it. At a point in discussions you will likely engage with the dealership directly, for example for a test drive or to inspect the vehicle in person.
Alternatively, you can call the number for a dealership provided on our website to be connected to the dealership that way. If you do, we will have a record that the call took place, but we do not record the calls themselves and we will not know what was discussed. The dealership is responsible for what they do with any information you give them on the phone. We use the call records that we have only for customer service purposes and to keep dealerships informed of which calls they have received through us.
You can also, if you wish, choose to receive email alerts from us about vehicles listed on the websites, such as price drops or new listings.
We will retain this information for up to 10 years, in case of disputes. Of course, if you have created an account with us, then we will also continue to hold the account information you provided for that reason. You can learn more about that below.
We do these things either on the basis that they are necessary in order to provide our service, or on the basis of our legitimate interest in promoting vehicles listed on our websites.
Browsing our website, CarGurus accounts, and advertising on our website
Cookies and analytics
Our website sets certain “cookies” in your browser and other similar technologies like “beacons”. Some are simply used for statistical analysis (e.g. how many people looked at a particular page), or as a technical mechanism to let you log in to your account or to allow you to use certain interactive features (like alerts or saved searches) without logging in.
For statistical analysis we use the Google Analytics service, which collects this information anonymously, allowing us to see trends without identifying individual users. You can learn more about Google Analytics here.
Cookies and adverts
The third party adverts which appear on our own sites are chosen according to the content of the pages you view on our sites and information about your browsing habits already known to our third party advertising partners; for example, if you are looking at a page showing vehicles made by a particular manufacturer, it is likely that the adverts appearing on that page will be for that manufacturer. We do not share information about you with the third parties who advertise on our site.
We keep the information we gather from analytics cookies for up to 10 years. How long gathered advertising data is retained by our advertising partners is determined by them. We can provide further information on request.
For our login and session cookies, we do this on the basis that it is necessary to provide the features of our websites that require it.
For our analytics cookies, we do this on the basis of our legitimate interest in understanding how people use and interact with our websites.
For our advertising cookies, we do this on the basis of your consent, which we will ask you for in a banner notice the first time you visit our website . You do not have to consent to these advertising cookies, and you will still be able to use our website if you do not. Our cookie banner provides links to control panels which will allow you to withhold consent by changing what our advertising partners do with advertising cookies, or disabling them altogether. You can also access these panels at any time in the future if you want to change your mind through the opt-out pages of the Network Advertising Initiative and the Digital Advertising Alliance.
Certain features of our websites, such as the discussion forums and the “virtual garage”, require you to create an account with us. When you do so, we will use the information you provide when you create the account in order to administer it, and to give you access to those features.
When you have an account with us, you will also have the option to subscribe to a range of email alerts relating to your interactions with us, such as new inventory matching search criteria you specify, and new posts in discussion threads that you have followed or replied to. You can control these email alerts through the control panel here.
We will keep your account information for as long as your account is active, and for up to 10 years afterwards.
We do this on the basis that it is necessary to provide those features of our websites.
The personal data of people working at dealerships
We can come into possession of the personal data of people working at dealerships in a few ways.
For all of our customers and dealerships whose inventory we host, we will have the work contact details of the people we work with there to manage that relationship. We will also have work contact details of anyone working at a dealership who has attended or enrolled in one or our events or webinars or created an account to interact with our tools or services.
In addition, some dealerships provide automated feeds of their inventory via various third party inventory syndicators that we subscribe to. As well as details about the available vehicles, those feeds will typically contain basic contact details for the dealerships, which can in some circumstances include names and work email addresses of individuals at the dealerships whom the dealerships have nominated as sales contacts for the listed vehicles.
We use the provided dealership contact details to connect dealerships with consumers making enquiries about the vehicles they have listed. We also use them to promote our dealership events and webinars and our premium subscription service to the dealerships, via mail, email and phone, and to manage our relationships with them.
We will always remove you from our marketing lists if you ask us to. Typically, the best way to do that is to use the “unsubscribe” link at the bottom of our emails (for marketing emails).
We keep the details of our contacts at dealerships for as long as their inventory is on our site, and for up to 8 years afterwards.
We do this on the basis of our legitimate interest in connecting consumers looking to buy cars with dealerships that have cars for sale, in providing our services to dealerships, in promoting our events and product offerings, and in managing our business.
The personal data of people working at other organisations
When we work with other businesses and organisations, such as our advertising customers, we will have the business contact details of the relevant people who work there, and we will use them to manage our relationship with those businesses and (where relevant) to promote our services to them.
We will also receive the work contact details of people working at actual or potential customers if they attend or enrol in an event or webinar that we host. If they are not already customers, we will use those details to provide the event or webinar, and to promote our services to them.
We keep information about people working and customers or suppliers for as long as the relevant businesses are customers or suppliers (as applicable), and for up to 8 years afterwards, in case of issues or disputes. We also keep the information about people working at a prospective customer for as long as that business is a realistic prospect, and for up to 8 years afterwards, again in case of issues or disputes.
Other uses of personal data at CarGurus
We process personal data ourselves, and share certain personal data with our third party fraud prevention partners, in order to detect fraud and to reduce the incidence of fake reviews on our websites. We do that on the basis of our legitimate interest in preventing fraud and increasing the reliability of the reviews on our websites. We will share information on suspected fraud and illegal activities with the relevant authorities when we consider it appropriate.
Third party service providers
We also share personal data with third parties who need it in order to provide services to us in support of the purposes described above. For example, we use external providers to host our websites and databases, and to operate our email alerts and marketing communications. We also use an external data warehouse provider to store and manage for us the data gathered by our advertising cookies.
International transfers of personal data
Most of our operations are based in the USA, and so we do transfer your personal data to the USA for processing when the relevant business function resides there. In order to safeguard your rights and freedoms, we have put in place contracts with our European subsidiaries in the form approved by the European Commission for these kinds of transfers. We can provide you with a copy of those contracts on request.
We have also taken steps to ensure that suppliers to us who handle personal data, especially suppliers of online services like hosting, are bound to us by contracts which comply with European data privacy standards, and we fully intend to enforce those contracts if necessary to safeguard your rights.
Your rights and how to exercise them
European and/or UK privacy laws give you certain rights in respect of the information that we hold about you. Below is a short overview of those rights.
- With some exceptions, you have the right to have a copy of the personal data that we hold about you. We may make a reasonable charge for additional copies of that data beyond the first copy, based on our administrative costs. For data that you have given to us, you have the right to receive your copy of it in a common electronic format, and to provide copies of it to other people if you wish.
- You have the right to have the personal data we hold about you corrected if it is factually inaccurate.
- In some circumstances, you have the right to have personal data that we hold about you erased (the “right to be forgotten”). This right is not generally available when we still have a valid legal reason to keep the data.
- You have the right to require us to stop using your personal data for marketing purposes.
- You also have the right in some circumstances to request that temporary restrictions are placed on how we process your personal data, for example, if we are processing it on the basis of our legitimate interest, and you contest our assessment that our interest is not overridden by your fundamental rights and freedoms.
- If we are processing your personal data on the basis of your consent, you have the right to withdraw that consent at any time, in which case we will stop that processing unless we have another legal basis on which to continue.
If you want us to stop sending you marketing emails, the quickest and most efficient way is to use the provided “unsubscribe” links in our emails (although you can also contact us directly if you prefer). Otherwise, if you want to exercise your rights in respect of your personal data, the best way to do so is to contact us by email at email@example.com or to write to us at the address above to the attention of the General Counsel. In order to protect your privacy, when you contact us we may ask you to prove your identity before we take any steps in response to such a request.
In some cases, typically for people who work at dealerships who pay for our products, the actual controller of your personal data might be one of our local subsidiaries, but you can always contact CarGurus, Inc. for help or if you want to exercise your rights, regardless of which of our group companies is technically the controller.
When CarGurus, Inc. itself is the data controller, CarGurus Ireland Limited of First Floor, Styne House, Upper Hatch Street, Dublin 2, Ireland is our representative in Europe for data privacy purposes, and you can also contact them if you have questions or concerns.
You also have the right to lodge a complaint about our handling of your personal data with your local data protection authority, which is:
- In the UK, the Information Commissioner’s Office (http://ico.org.uk)
- In the Republic of Ireland, the Data Protection Commissioner (https://dataprotection.ie)
- In Germany, the data protection commissioner for your home state
- In Italy, the Garante per la Protezione dei Dati Personali (http://www.garanteprivacy.it).
- In Spain, the Agencia Española de Protección de Datos (https://www.agpd.es/)