Privacy Policy
Effective date: 1 January 2025 | Last updated: March 2026
This Privacy Policy explains how CarScan.ie (“we”, “us”, “our”) collects, uses, stores, and protects your personal data. It applies to all users of our website and services. We are committed to complying with Regulation (EU) 2016/679 (General Data Protection Regulation — GDPR) and the Irish Data Protection Act 2018.
1. Data Controller
The data controller responsible for your personal data is:
If you have any questions about this policy or how we handle your data, please contact us at the address above.
2. Personal Data We Collect
We collect only the data necessary to provide our vehicle history report services. Depending on how you use CarScan.ie, we may collect:
2.1 Consumer Users
- Vehicle registration numbers you look up
- Email address (where provided, e.g. to receive report delivery)
- Payment information — processed exclusively by Stripe; we never see or store your card details, only a Stripe-generated transaction reference and masked card summary
- IP address and browser/device metadata (collected automatically on each visit)
- Cookie identifiers and session tokens (see Section 9)
- Report purchase history and timestamps
2.2 Dealer / Business Accounts
- Business name and trading name
- Contact name, email address, and phone number
- VAT registration number
- Business address
- Team member names and email addresses (where team access is enabled)
- Wallet top-up and transaction history
- Volume usage data for billing and pricing purposes
2.3 Data We Do Not Collect
We do not collect special category data (health, ethnicity, biometric data, etc.) and we do not knowingly collect data from persons under 18. If you believe a minor has submitted data to us, please contact privacy@carscan.ie immediately.
3. Lawful Bases for Processing
Under Article 6 GDPR, we rely on the following lawful bases:
| Processing Activity | Lawful Basis |
|---|---|
| Delivering purchased vehicle reports | Contract performance (Art. 6(1)(b)) |
| Processing payments via Stripe | Contract performance (Art. 6(1)(b)) |
| Retaining payment/transaction records for 7 years | Legal obligation — Irish tax law (Art. 6(1)(c)) |
| Fraud prevention and security monitoring | Legitimate interests (Art. 6(1)(f)) |
| Service analytics and performance improvement | Legitimate interests (Art. 6(1)(f)) |
| Sending marketing emails and product updates | Consent (Art. 6(1)(a)) — you may withdraw at any time |
| Dealer account management and invoicing | Contract performance (Art. 6(1)(b)) |
4. Third-Party Data Processors
We engage the following processors who handle personal data on our behalf. All processors are contractually bound by data processing agreements consistent with GDPR requirements.
Stripe (Stripe Payments Europe, Ltd.)
Payment processing. Stripe handles all card data directly; we receive only a token reference. Stripe is PCI-DSS Level 1 certified. Data may be processed in the US under Standard Contractual Clauses. Stripe Privacy Policy
Brevo (formerly Sendinblue)
Transactional and marketing email delivery. Processes email addresses and email content on our behalf. Data is processed within the EU. Brevo Privacy Policy
OneAutoAPI / Cartell / Brego
Vehicle data providers. Registration numbers are transmitted to these providers to retrieve history data. These queries may be logged by the providers under their own privacy policies. We do not share personal identifiers (email, name) with vehicle data providers.
Hosting & Infrastructure Provider
Our website and database infrastructure is hosted by a cloud provider operating within the EEA or under appropriate safeguards. Server logs and session data may reside on their infrastructure.
We do not sell personal data to third parties. We do not share your data with advertisers or data brokers.
5. International Data Transfers
Some of our processors (notably Stripe) may transfer data outside the European Economic Area (EEA). Where this occurs, we ensure that appropriate safeguards are in place as required by Chapter V GDPR — typically the European Commission’s Standard Contractual Clauses (SCCs) or an adequacy decision.
6. Data Retention
We retain personal data only for as long as necessary for the purpose for which it was collected, or as required by law.
| Data Type | Retention Period |
|---|---|
| Vehicle report data and search history | 90 days |
| User account data | While account is active, plus 6 months after closure |
| Payment and transaction records | 7 years (required by Irish tax law — Taxes Consolidation Act 1997) |
| Server and access logs (IP, timestamps) | 30 days |
| Marketing consent records | Until consent is withdrawn, then promptly deleted |
| Dealer account and invoicing data | Duration of contract plus 7 years (tax obligations) |
After the applicable retention period, data is securely deleted or anonymised. Some data may be retained longer if required for an active legal dispute or regulatory investigation.
7. Your Data Subject Rights
Under GDPR (Articles 15–22), you have the following rights in respect of your personal data:
Right of Access (Art. 15)
You have the right to request a copy of the personal data we hold about you and information about how we process it.
Right to Rectification (Art. 16)
You have the right to request that we correct inaccurate or incomplete personal data without undue delay.
Right to Erasure / “Right to be Forgotten” (Art. 17)
You may request deletion of your personal data where it is no longer necessary for the purpose it was collected, where you withdraw consent, or where processing is unlawful. This right is subject to exceptions, including legal obligations (e.g. retention of financial records).
Right to Restriction of Processing (Art. 18)
You may request that we restrict how we use your data in certain circumstances, for example while we verify the accuracy of data you have contested.
Right to Data Portability (Art. 20)
Where processing is based on consent or contract and carried out by automated means, you have the right to receive your data in a structured, commonly used, machine-readable format, and to transmit it to another controller.
Right to Object (Art. 21)
You have the right to object to processing based on our legitimate interests at any time. You also have an absolute right to object to processing for direct marketing purposes, including profiling related to direct marketing.
Right to Withdraw Consent (Art. 7(3))
Where we rely on your consent as the lawful basis (e.g. marketing emails), you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal. You can unsubscribe via any marketing email or by contacting privacy@carscan.ie.
To exercise any of these rights, please contact us at privacy@carscan.ie. We will respond within one month of receiving your request. We may ask you to verify your identity before processing the request.
8. Right to Lodge a Complaint
If you believe we have processed your personal data in violation of GDPR, you have the right to lodge a complaint with the relevant supervisory authority. In Ireland, this is the:
Data Protection Commission (DPC)
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Website: www.dataprotection.ie
Phone: +353 57 868 4800
We would, however, appreciate the opportunity to address your concerns before you approach the DPC, so please contact us first at privacy@carscan.ie.
9. Cookies
We use cookies and similar technologies on our website. A cookie is a small text file stored on your device. We use the following categories of cookies:
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| Session cookie | Essential | Maintains your login session and cart state | Session (expires on close) |
| Cookie consent preference | Essential | Remembers your cookie consent choice | 12 months |
| Stripe (__stripe_mid, __stripe_sid) | Functional / Security | Fraud detection and secure payment processing by Stripe | 1 year / session |
We do not currently use advertising or tracking cookies. Essential and security-related cookies are set without consent as they are strictly necessary for the service to function. You can manage or delete cookies via your browser settings, but disabling essential cookies may affect site functionality.
10. Data Security
We implement appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, alteration, or disclosure. These include encryption in transit (TLS), access controls, and regular security reviews. However, no system is entirely secure. If you believe your data has been compromised, please contact us immediately at privacy@carscan.ie.
11. Automated Decision-Making
We do not make decisions that produce significant legal or similar effects based solely on automated processing, including profiling, as defined in Article 22 GDPR. Fraud detection algorithms may flag unusual account activity, but human review follows before any account suspension.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email or by displaying a prominent notice on our website before the changes take effect. The “Last updated” date at the top of this policy reflects the most recent revision.
13. Contact Us
For any privacy-related enquiries, to exercise your data subject rights, or to raise a concern: