
Privacy Policy

Effective Date: 5/14/2026
Last Updated: 5/14/2026
Version: 3.1

Controller: Carsu B.V., Harderwijkerweg 145, 3852 AB Ermelo, The Netherlands (KvK 92122167). Privacy contact: privacy@carsu.com

1. Who this applies to

Carsu B.V. ("Carsu", "we") operates a SaaS platform for the automotive aftermarket. This policy explains how we process personal data, in compliance with the GDPR, UK GDPR, the ePrivacy Directive, and applicable national data-protection law. It applies to:

  • Platform users (workshop owners and their staff);
  • End customers of those workshops whose data is processed via our platform;
  • Website visitors at www.carsu.com and app.carsu.com.

Any subsidiaries, affiliates, or group companies of Carsu B.V. that process personal data in connection with our services adhere to this policy.

2. Our role

Activity | Carsu's role | Legal basis
Platform account, billing, payments | Controller | Contract (Art. 6(1)(b))
End-consumer data processed via the platform | Processor (workshop is Controller) | Workshop's basis
Messages sent to end-consumers (WhatsApp, SMS, Viber) | Processor | Workshop's basis
Google Calendar data synced via OAuth at your election | Controller | Consent (Art. 6(1)(a)) and contract (Art. 6(1)(b))
Website analytics and cookies | Controller | Consent / legitimate interest

Where Carsu acts as Processor, the workshop remains responsible for the lawfulness of its processing, including obtaining any required consents.

3. Data we process

From you or the workshop: name, email, phone, business name, VAT, billing address, licence plate, vehicle details, service history, appointments, messages, payment identifiers (card details go directly to Stripe — we don't store them).

From Google APIs, with your OAuth consent (optional calendar sync): calendar events you choose to import from your Google Calendar, including event title, start and end time, location, description, attendee email addresses, and recurrence patterns. We access this data only through Google's API using the calendar.events.readonly scope. We never receive your Google password and we never write events back to your Google Calendar. You may disconnect the integration at any time (see §8 and §11).

Collected automatically: IP address, device and browser data, pages visited, feature usage, session duration, cookies (see §10).

4. Legal bases

We rely on the following legal bases:

  • Contract (Art. 6(1)(b)) to deliver the service;
  • Legitimate interest (Art. 6(1)(f)) for security, fraud prevention, product improvement, and service communications;
  • Consent (Art. 6(1)(a)) for marketing, non-essential cookies, and optional third-party integrations such as Google Calendar sync;
  • Legal obligation (Art. 6(1)(c)) for tax, accounting, and law-enforcement requests.

5. How we use data

To run and improve the platform; to process payments; to send messages on behalf of workshops; to synchronise and display your Google Calendar events on the Carsu calendar page (where you have authorised this); to provide support (including AI-assisted translation via Intercom — Intercom does not use your data to train its models); to generate anonymised aggregated insights (§7.4); to ensure security and prevent fraud; to meet legal obligations; and — only with your consent — for marketing.

AI use. Our AI features (Intercom translation; Anthropic for de-identified operational use) do not produce legal or similarly significant effects on you, and do not amount to automated decision-making under Art. 22 GDPR. We classify our AI use as minimal risk under the EU AI Act. You can opt out of AI-assisted translation by emailing support@carsu.com. Data obtained from Google APIs is excluded from all AI and machine-learning processing (see §5a).

5a. Google API Services User Data Policy — Limited Use

Carsu's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, we use Google Calendar data only to provide and improve the calendar-sync feature visible to you in the Carsu platform. We do not:

  • Transfer Google user data to third parties except as necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger, acquisition, or sale of assets with your prior notice;
  • Use Google user data for serving advertisements, including retargeting, personalised, or interest-based advertising;
  • Sell Google user data to third parties, data brokers, or information resellers;
  • Use Google user data to develop, improve, or train generalised or non-personalised artificial-intelligence or machine-learning models.

Human access to Google user data is restricted to (a) cases where we have obtained your specific consent to view specific messages, files, or events; (b) where required for security investigations, abuse prevention, or to comply with applicable law; (c) where the data has been aggregated and anonymised for internal operations in line with this Policy; or (d) where required to provide customer support at your explicit request.

6. Communications

Service-related messages (security alerts, billing, terms changes) are sent on the basis of contract or legitimate interest and cannot be opted out of. Marketing communications are sent only with consent and can be withdrawn at any time via the unsubscribe link or by emailing privacy@carsu.com.

7. Data sharing

7.1 Sub-processors

We use the following sub-processors under GDPR Art. 28 Data Processing Agreements:

Provider | Purpose | Location
Microsoft Azure | Cloud infrastructure | EU (West Europe)
Stripe | Payments | EU / US (SCC)
WhatsApp Business API (Meta) | Messaging | EU / US (SCC)
Viber (Rakuten) | Messaging | EU / International (SCC)
Twilio | SMS gateway | EU / US (SCC)
Intercom | Support & AI translation | US (SCC)
Anthropic | AI services (de-identified data) | US (SCC)
Mixpanel | In-app product analytics | US (SCC)
Cloudflare | CDN, bot mitigation | EU / Global edge (SCC)
Google Ireland Ltd. | Website analytics (GA4, GTM) | EU / US (SCC)
Microsoft Ireland Operations Ltd. | Website UX analytics (Clarity) | EU / US (SCC)
Meta Platforms Ireland Ltd. | Advertising measurement (Meta Pixel) | EU / US (SCC)
LinkedIn Ireland Unlimited Company | Advertising measurement (LinkedIn Insight Tag) | EU / US (SCC)

Google LLC is also an upstream data source (not a sub-processor) when you authorise the optional Google Calendar integration. Data flows from Google to Carsu under your OAuth consent and is governed by §3, §5, and §5a of this Policy. Calendar data is not transferred to any of the sub-processors listed above.

7.2 Sub-processor changes

We notify platform users at least 30 days before engaging or replacing a sub-processor. Objection rights are set out in the DPA in our Terms and Conditions (Annex A, §A5).

7.3 Other recipients

We may share personal data with professional advisors under confidentiality obligations, with law enforcement where legally required, and in connection with a merger or acquisition (with prior notice).

7.4 Anonymised insights

We may share irreversibly anonymised, aggregated insights with industry partners. Recipients are contractually prohibited from attempting re-identification. Because such data is outside the scope of GDPR (Recital 26), it is not a transfer of personal data. Data obtained from Google APIs is excluded from anonymised insights under our Limited Use commitment (§5a).

We do not sell personal data.

8. Your rights

You have the rights to access, rectification, erasure, restriction, portability, objection, and to withdraw consent at any time — without affecting the lawfulness of prior processing. Email privacy@carsu.com to exercise them. We will verify your identity and respond within 30 days (extendable by two months for complex requests).

If a workshop processes your data through our platform, your primary contact is the workshop (as Controller). We will assist them in handling your request.

Google Calendar integration — revocation and deletion. You can revoke Carsu's access to your Google account at any time by either (a) disconnecting the integration from within your Carsu account settings, or (b) removing the Carsu app from your Google account at myaccount.google.com/permissions. Revocation immediately stops further synchronisation. Calendar event data already cached on our servers is deleted within 30 days of disconnection (see §11). To request immediate deletion, email privacy@carsu.com.

9. International transfers

Our primary infrastructure is in the EEA. Where data is transferred outside the EEA or UK, we rely on the Standard Contractual Clauses (Decision 2021/914) or the UK IDTA/Addendum, supplemented by encryption (TLS 1.2+ in transit, AES-256 at rest) and transfer impact assessments. EU–UK transfers rely on the UK adequacy decision (renewed July 2025). You can request a copy of the applicable SCCs from privacy@carsu.com.

10. Cookies

Website. Cookies on www.carsu.com are described in our Cookie Policy.

In-app. When signed into the Carsu platform we use a session cookie, a CSRF protection cookie, and a language preference (all strictly necessary). We use Mixpanel for product analytics on the basis of legitimate interest (Art. 6(1)(f)); you can object by emailing privacy@carsu.com, and we will stop event collection and delete associated records within 30 days. An in-app opt-out toggle is on the roadmap.

11. Retention

Data | Retention | Reason
Account and profile data | Subscription + 12 months | Service provision and export window
Billing and invoices | 7 years | Dutch / Italian tax law
Vehicle and service data | Subscription + 12 months | Service provision
Communication logs | 24 months | Service delivery, disputes
Support tickets | 36 months | Quality assurance
Synced Google Calendar events | Duration of active sync + 30 days after disconnection or account deletion | Service provision; Limited Use compliance
Google OAuth tokens | Until you disconnect the integration or revoke access at myaccount.google.com | Required to maintain the sync you authorised
Analytics cookies | Up to 13 months | Website improvement
Marketing cookies | Up to 12 months | Advertising measurement
Marketing consent records | Consent + 3 years | Proof of consent

After retention we delete or irreversibly anonymise the data. Google API data is deleted, not anonymised, in line with our Limited Use commitment.

12. Security

We apply technical and organisational measures under GDPR Art. 32, including encryption in transit and at rest, role-based access control with least privilege, MFA for all admin and platform access, regular vulnerability assessments, access logging, and documented incident response. We are working toward SOC 2 Type II and ISO 27001. Responsible vulnerability disclosure: security.txt or security@carsu.com.

OAuth tokens for Google API access are stored encrypted at rest and are accessible only to the platform components that perform the calendar sync.

13. Data breaches

Where a breach is likely to result in a risk to your rights, we notify the supervisory authority within 72 hours (Art. 33) and, where the risk is high, you directly without undue delay (Art. 34). Where Carsu acts as Processor, we notify the Controller (workshop) without undue delay.

14. UK residents

UK residents have the same rights as described in §8. Transfers between the EU and UK rely on the EU adequacy decision for the UK (renewed July 2025, valid until 2031). Where UK data protection law conflicts with this policy for UK residents, UK law prevails.

15. Children

Our services are B2B and are not directed at children. We do not knowingly collect data from individuals under 16 (or under 14 in Italy, per D.Lgs. 101/2018). If we discover such data, we delete it promptly.

16. Changes

We update this policy when our practices, technology, or legal obligations change. Material changes are notified by email or in-platform at least 30 days in advance.

17. Complaints

You can complain to the Dutch Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl) — our lead supervisory authority under the GDPR one-stop-shop — or to the data protection authority in your EU country of residence. We'd prefer you contact us first at privacy@carsu.com so we can try to resolve your concern directly.

18. Related documents

This policy should be read alongside our Terms and Conditions (including the Data Processing Agreement in Annex A) and our Cookie Policy.

19. Contact

Privacy: privacy@carsu.com
Legal: legal@carsu.com
Security: security@carsu.com
General: hello@carsu.com
Post: Carsu B.V., Harderwijkerweg 145, 3852 AB Ermelo, The Netherlands
