Privacy Policy
Effective date: 2026-04-20
Last updated: 2026-04-20
Version: 3.0
Controller: Carsu B.V., Harderwijkerweg 145, 3852 AB Ermelo, The Netherlands (KvK 92122167).
Privacy contact: [email protected]
1. Who this applies to
Carsu B.V. ("Carsu", "we") operates a SaaS platform for the automotive aftermarket. This policy explains how we process personal data, in compliance with the GDPR, UK GDPR, the ePrivacy Directive, and applicable national data-protection law. It applies to:
- Platform users (workshop owners and their staff);
- End customers of those workshops whose data is processed via our platform;
- Website visitors at www.carsu.com and app.carsu.com.
Any subsidiaries, affiliates, or group companies of Carsu B.V. that process personal data in connection with our services adhere to this policy.
2. Our role
| Activity | Carsu's role | Legal basis |
|---|---|---|
| Platform account, billing, payments | Controller | Contract (Art. 6(1)(b)) |
| End-consumer data processed via the platform | Processor (workshop is Controller) | Workshop's basis |
| Messages sent to end-consumers (WhatsApp, SMS, Viber) | Processor | Workshop's basis |
| Website analytics and cookies | Controller | Consent / legitimate interest |
Where Carsu acts as Processor, the workshop remains responsible for the lawfulness of its processing, including obtaining any required consents.
3. Data we process
From you or the workshop: name, email, phone, business name, VAT number, billing address, licence plate, vehicle details, service history, appointments, messages, and payment identifiers (card details are entered directly into Stripe; we never receive or store them).
Collected automatically: IP address, device and browser data, pages visited, feature usage, session duration, cookies (see §10).
4. Legal bases
We rely on the following bases:
- Contract (Art. 6(1)(b)): to deliver the service;
- Legitimate interest (Art. 6(1)(f)): security, fraud prevention, product improvement, and service communications;
- Consent (Art. 6(1)(a)): marketing and non-essential cookies;
- Legal obligation (Art. 6(1)(c)): tax, accounting, and law-enforcement requests.
5. How we use data
To run and improve the platform; to process payments; to send messages on behalf of workshops; to provide support (including AI-assisted translation via Intercom — Intercom does not use your data to train its models); to generate anonymised aggregated insights (§7.4); to ensure security and prevent fraud; to meet legal obligations; and — only with your consent — for marketing.
AI use. Our AI features (Intercom translation; Anthropic for de-identified operational use) do not involve solely automated decision-making that produces legal or similarly significant effects on you, and therefore fall outside Art. 22 GDPR. We classify our AI use as minimal risk under the EU AI Act. You can opt out of AI-assisted translation by emailing [email protected].
6. Communications
Service-related messages (security alerts, billing, terms changes) are sent on the basis of contract or legitimate interest and cannot be opted out of. Marketing communications are sent only with consent and can be withdrawn at any time via the unsubscribe link or by emailing [email protected].
7. Data sharing
7.1 Sub-processors
We use the following sub-processors under GDPR Art. 28 Data Processing Agreements:
| Provider | Purpose | Location |
|---|---|---|
| Microsoft Azure | Cloud infrastructure | EU (West Europe) |
| Stripe | Payments | EU / US (SCC) |
| WhatsApp Business API (Meta) | Messaging | EU / US (SCC) |
| Viber (Rakuten) | Messaging | EU / International (SCC) |
| Twilio | SMS gateway | EU / US (SCC) |
| Intercom | Support & AI translation | US (SCC) |
| Anthropic | AI services (de-identified data) | US (SCC) |
| Mailchimp (Intuit) | Email marketing | US (SCC) |
| Mixpanel | In-app product analytics | US (SCC) |
| Cloudflare | CDN, bot mitigation | EU / Global edge (SCC) |
| Google Ireland Ltd. | Website analytics (GA4, GTM) | EU / US (SCC) |
| Microsoft Ireland Operations Ltd. | Website UX analytics (Clarity) | EU / US (SCC) |
| Meta Platforms Ireland Ltd. | Advertising measurement (Meta Pixel) | EU / US (SCC) |
| LinkedIn Ireland Unlimited Company | Advertising measurement (LinkedIn Insight Tag) | EU / US (SCC) |
7.2 Sub-processor changes
We notify platform users at least 30 days before engaging or replacing a sub-processor. Objection rights are set out in the DPA in our Terms and Conditions (Annex A, §A5).
7.3 Other recipients
We may share personal data with professional advisors under confidentiality obligations, with law enforcement where legally required, and in connection with a merger or acquisition (with prior notice).
7.4 Anonymised insights
We may share irreversibly anonymised, aggregated insights with industry partners. Recipients are contractually prohibited from attempting re-identification. Because such data is outside the scope of GDPR (Recital 26), it is not a transfer of personal data.
We do not sell personal data.
8. Your rights
You have the rights to access, rectification, erasure, restriction, portability, and objection, and to withdraw consent at any time; withdrawal does not affect the lawfulness of processing carried out before it. Email [email protected] to exercise them. We will verify your identity and respond within one month of receipt (Art. 12(3)); for complex or numerous requests this may be extended by a further two months, in which case we will tell you within the first month.
If a workshop processes your data through our platform, your primary contact is the workshop (as Controller). We will assist them in handling your request.
9. International transfers
Our primary infrastructure is in the EEA. Where data is transferred outside the EEA or UK, we rely on the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) or the UK IDTA/Addendum, supplemented by encryption (TLS 1.2+ in transit, AES-256 at rest) and transfer impact assessments. Transfers from the EEA to the UK rely on the European Commission's adequacy decision for the UK (renewed July 2025); transfers from the UK to the EEA rely on the UK's adequacy regulations for the EEA. You can request a copy of the applicable SCCs from [email protected].
10. Cookies
Website. Cookies on www.carsu.com are described in our Cookie Policy.
In-app. When you are signed in to the Carsu platform, we set a session cookie, a CSRF protection cookie, and a language preference cookie (all strictly necessary). We use Mixpanel for product analytics on the basis of legitimate interest (Art. 6(1)(f)); you can object by emailing [email protected], and we will stop event collection and delete associated records within 30 days. An in-app opt-out toggle is on the roadmap.
11. Retention
| Data | Retention | Reason |
|---|---|---|
| Account and profile data | Subscription + 12 months | Service provision and export window |
| Billing and invoices | 7 years | Dutch / Italian tax law |
| Vehicle and service data | Subscription + 12 months | Service provision |
| Communication logs | 24 months | Service delivery, disputes |
| Support tickets | 36 months | Quality assurance |
| Analytics cookies | Up to 13 months | Website improvement |
| Marketing cookies | Up to 12 months | Advertising measurement |
| Marketing consent records | Consent + 3 years | Proof of consent |
After retention we delete or irreversibly anonymise the data.
12. Security
We apply technical and organisational measures under GDPR Art. 32, including encryption in transit and at rest, role-based access control with least privilege, MFA for all admin and platform access, regular vulnerability assessments, access logging, and documented incident response. We are working toward SOC 2 Type II and ISO/IEC 27001. Responsible vulnerability disclosure: see our security.txt at /.well-known/security.txt (RFC 9116) or email [email protected].
13. Data breaches
Where a breach is likely to result in a risk to your rights and freedoms, we notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it (Art. 33) and, where the risk is high, you directly without undue delay (Art. 34). Where Carsu acts as Processor, we notify the Controller (workshop) without undue delay after becoming aware of the breach (Art. 33(2)).
14. UK residents
UK residents have the same rights as described in §8. Transfers from the EEA to the UK rely on the European Commission's adequacy decision for the UK (renewed July 2025, valid until 2031); transfers from the UK to the EEA rely on the UK's adequacy regulations for the EEA. Where UK data protection law conflicts with this policy for UK residents, UK law prevails.
15. Children
Our services are B2B and are not directed at children. We do not knowingly collect data from individuals under 16 (or under 14 in Italy, per D.Lgs. 101/2018). If we discover such data, we delete it promptly.
16. Changes
We update this policy when our practices, technology, or legal obligations change. Material changes are notified by email or in-platform at least 30 days in advance.
17. Complaints
You can complain to the Dutch Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl) — our lead supervisory authority under the GDPR one-stop-shop — or to the data protection authority in your EU country of residence. We’d prefer you contact us first at [email protected] so we can try to resolve your concern directly.
18. Related documents
This policy should be read alongside our Terms and Conditions (including the Data Processing Agreement in Annex A) and our Cookie Policy.
19. Contact
Privacy: [email protected]
Legal: [email protected]
Security: [email protected]
General: [email protected]
Post: Carsu B.V., Harderwijkerweg 145, 3852 AB Ermelo, The Netherlands