Privacy Notice

1. Introduction
This Privacy Notice explains in detail the types of personal data we may collect about you when you interact with us. It also explains how we’ll store and handle that data and keep it safe.
We know that there’s a lot of information here, but we want you to be fully informed about your rights, and how Co-wheels uses your data. For simplicity, throughout this notice, when we refer to ‘we’ or ‘us’ it means Co-wheels Car Club.
We hope the following sections will answer any questions you have but if not, please do get in touch with us.
It’s likely that we’ll need to update this Privacy Notice from time to time. We’ll notify you of any significant changes, but you’re welcome to come back and check it whenever you wish.

2. Explaining the legal bases for collecting and processing data
The law on data protection sets out several different reasons for which a company may collect and process your personal data, including:

Contractual obligations
In certain circumstances, we need your personal data to comply with our contractual obligations.
For example, we need your name and address to be able to send your smart card to you and we need your email address so that you can access the booking system to use the Co-wheels service.

Legal compliance
If the law requires us to, we may need to collect and process your data.
For example, we need your driving license details to ensure that you are legally eligible to use the Co-wheels service and be covered by our insurance.

Legitimate interest
In specific situations, we require your data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact your rights, freedom or interests.
For example, to be able to provide a service and also identify ways to improve our service and your experience of using our cars we have a legitimate interest and need to hold and process your data

In specific situations, we can collect and process your data with your consent. If we are collecting your personal data and it isn’t based on Contractual obligations, Legal compliance or Legitimate interest then, of course, we’ll always make clear what data is necessary and why.
This Privacy Notice explains in detail the types of personal data we may collect about you when you interact with us. It also explains how we’ll store and handle that data and keep it safe.

3. When we collect your personal data
• When you register and use the Co-wheels booking system
• When you sign up on the Co-wheels home page for further information or to be kept updated for offers
• If you engage with us on social media.
• When you download or install one of our apps.
• If you contact us by any means with queries, complaints, details about a breakdown or accident.
• If you ask us to email you information about a product or service.
• When you enter prize draws or competitions.
• If you choose to complete any surveys, we send you.
• When you comment on or review our products and services. Any individual may access personal data related to them, including opinions. It is important to mention that if your comment or review includes information about a member of the Co-wheels team who provided that service, it may be passed on to them if requested if there is a legal or legitimate basis to do so.
• When you fill in any forms. For example, if you are involved in an accident, a member of our team may collect additional personal data or that of third parties for insurance purposes on your behalf.
• When you’ve given a third-party permission to share with us the information they hold about you. For example, when you provide us with your DVLA sharing code.
• When you visit our website, we may collect information via cookies, pixels and tags, more information on this can be found under section 5 of this privacy policy

4. The personal data we collect
• If you register as a Co-wheels member: your name, address as it appears on your driving license, billing details & address if different to that on your driving license, date of birth, email and telephone number. For your security, we’ll also keep an encrypted record of your login password. We will also collect your driving license details and history with regards to any driving offences, as well as asking for specific information relating to medical conditions that may affect eligibility for holding a driving license.
• If you only register on the Co-wheels website for information and offers then we will only collect your name, email address and postcode so that we can personalise the information that we send you.
• Details of your interactions with us through our Customer Service Team or where changes have been made to your account on a self-service basis through the Co-wheels booking system.
• Copies of documents you provide to prove your age or identity where the law requires this. (including your passport and driver's license). This will include details of your full name, address, date of birth and facial image. If you provide a passport, the data will also include your place of birth, gender and nationality.
• Details of your visits to our websites or apps, and which site you came from to ours.
• Details of your bookings and use of our vehicles including GPS and vehicle tracking data.
• Information gathered by the use of cookies in your web browser.
• Payment card information.
• Your social media username, if you interact with us through those channels, to help us respond to your comments, questions or feedback.
Our services are not intended for children under the age of 17 and we do not knowingly collect data relating to children.

5. How and why we use your personal data
Due to the nature of our business and your membership of Co-wheels Car Club, the GDPR allows us to hold and use your personal data to perform the contract with you and for our legitimate business interests. See below for further details. Of course, if you wish to change how we use your data, you’ll find details in the ‘What are my rights?’ section below.
Remember, if you choose not to share your personal data with us, or refuse certain permissions, we will be unable to provide you with membership and access to book our vehicles.
Here’s how we’ll use your personal data and why:

• We will use the data you provide us with to determine your eligibility for membership of Co-wheels Car Club. This will include checking the driving license and driving history information you have provided us with to determine whether you are covered on our insurance to drive our vehicles.
• We will use your details to provide the service delivered by Co-wheels Car Club. This will include sending your smartcard and membership pack to the address you have provided us with, sending you emails so we can verify your email address and send you booking confirmations and billing details.
• To protect our business and your account from fraud and other illegal activities by automatically checking your password when you log in against the one that you used at registration, or reset if you have updated your password.
• To process payments and to prevent fraudulent transactions. We do this on the basis of our legitimate business interests. This also helps to protect our customers from fraud.
• If we discover any criminal activity or alleged criminal activity through fraud monitoring and suspicious transaction monitoring, we will process this data for the purposes of preventing or detecting unlawful acts. We aim to protect the individuals we interact with from criminal activities.
• We will use your personal data, preferences and details of your transactions to keep you informed by email about relevant products and services including tailored special offers, discounts, promotions, events, competitions and so on. Of course, you are free to opt out of hearing from us by any of these channels at any time by contacting us as set out below.
• To send you communications required by law or which are necessary to inform you about our changes to the services we provide you. For example, updates to this Privacy Notice, changes to terms & conditions of use, and legally required information relating to ongoing membership of Co-wheels Car Club These service messages will not include any promotional content and do not require prior consent when sent by email. If we do not use your personal data for these purposes, we would be unable to comply with our legal obligations.
• To develop, test and improve the systems and services we provide to you. We’ll do this on the basis of our legitimate business interests.
• To comply with our contractual or legal obligations to share data with law enforcement or other relevant parties.
• To send you surveys and feedback requests to help improve our services. These messages will not include any promotional content and do not require prior consent when sent by email or text message. We have a legitimate interest to do so as this helps make our products or services more relevant to you.
• We will use cookies, pixels and tags to identify which pages of our website are being used to help us analyse data about web page traffic and improve our website for our customer’s needs. A cookie is a small file which asks permission to be placed on your computer's hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences. We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us. You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website. We also use this data for Facebook adverts and Google AdWords Remarketing to advertise Co-wheels across the Internet. Facebook and AdWords remarketing may display relevant ads tailored to you based on which parts of our website you visit, or to stop sending you adverts if they are not relevant to you. These cannot be used to identify you, and are simply used to say "This person visited this page, so show them ads relating to that page.This helps us tailor our marketing to better suit your needs and only display ads that are relevant to you.
• We also collect, use and share Aggregated Data such as statistical or demographic data to build a general model of users and behaviours to improve and/or enhance the service. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to understand and analyse demand and interest for our services. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

6. Using your data for direct marketing
We want to bring you offers and promotions that are most relevant to your interests at times. To help us form a better, overall understanding of you as a customer, we combine your personal data gathered as described above, for example your booking history. For this purpose, we may also combine the data that we collect directly from you with data that we obtain when you post on social media relating directly or indirectly to our pages and/or posts.

We will get your express opt-in consent before we share your personal data with any company outside Co-wheels for marketing purposes.

7. Protecting your data
We know how much data security matters to all our customers. We will treat your data with the utmost care and take all appropriate steps to protect it.
The booking system where you enter your personal data is secured by https technology and Co-wheels hold Cyber-Essentials certification, a government approved IT security certificate which has to be renewed on an annual basis.
Access to your personal data is password-protected, and sensitive data (such as your password and payment card information) is secured by encryption.
We regularly monitor our system for possible vulnerabilities and attacks, and we carry out penetration testing to identify ways to further strengthen security.

8. How long we hold your personal data
Due to the nature of membership we will keep your personal data for as long as you remain a Co-wheels member. We need to do this to ensure that we can provide the service to you. If you close your account or it was not approved for any reason or you registered your details but did not fully submit an application, we will still retain your information on the basis below
Retention Periods:

Closed Accounts & Non-approved Accounts
We will keep your data for 5 years, this is in case the information is required for legitimate or legal needs, for example, if an insurance claim is submitted or it is required for legal means. If after 5 years, there is a legal need to continue to hold the information we will do so until that requirement is satisfied.

Part registered accounts or inactive accounts
If you have not fully registered or there has been no form of activity on your account in the last 5 years, we will contact you asking whether you want to continue your account or whether you wish to have your details removed

9. Who we share your data with
We sometimes share your personal data with trusted third parties.
Here’s the policy we apply to those organisations to keep your data safe and protect your privacy:
• We provide only the information they need to perform their specific services.
• They may only use your data for the exact purposes we specify in our contract with them.
• We work closely with them to ensure that your privacy is respected and protected at all times.
• If we stop using their services, any of your data held by them will either be deleted or rendered anonymous.
• We only use companies with privacy and data policies which comply with the GDPR regulations

Examples of the kind of third parties we work with are:
• IT companies who support our website and other business systems.
• Operational companies such as breakdown services and insurance companies.
• Direct marketing companies who help us manage our electronic communications with you.
• Google/Facebook to show you products that might interest you while you’re browsing the internet. This is based on either your marketing consent or your acceptance of cookies on our websites.
• Data insight companies to ensure your details are up to date and accurate.
• Payment processors and your Bank for direct debit payments
• Professional advisers including lawyers, bankers, auditors and insurers based who provide consultancy, banking, legal, insurance and accounting services.

Sharing your data with third parties for their own purposes:
• We do not share your data with third parties for their own direct marketing purposes
• If you are a driver on an account, then we may share your data with your account owner
• If we are delivering the service with third party support, we may share limited information with the third party so that they may contact you for monitoring and feedback purposes
• For fraud management, we may share information about fraudulent or potentially fraudulent activity in our premises or systems. This may include sharing data about individuals with law enforcement bodies.
• We may also be required to disclose your personal data to the police or other enforcement, regulatory or Government body, in your country of origin or elsewhere, upon a valid request to do so. These requests are assessed on a case-by-case basis and take the privacy of our customers into consideration.

To assist us with responding to requests for information and to identify appropriate information to share with you, we currently use the following companies who will process your personal data as part of their contracts with us:
• Google
• Facebook
• Linked-in
• Twitter
• TripIQ (this is the booking system)
• Nation Builder (our website platform is based on this)
• Drift (this is the live chat software on our website we use to talk to members and potential customers)
• Mailchimp (An e-mail marketing system used to collect contact data from Nation Builder)
• A GDPR and EU-US Privacy Datashield compliant integrated email marketing and marketing automation supplier based in Chicago, Illinois (This is used to send you emails)
• A lead generation suite and data sub-processor which is GDPR and EU-US Datashield certified based in Miami, Florida (This is a data bridge between the above suppliers for forwarding contact information)
We may share your personal data with third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
Third-party links
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

10. Where your data is processed
Where your data is processed within the United Kingdom or with the European Union it is done so under the same GDPR requirements. Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between the Europe and the US. On this basis it ensures that all data is processed in accordance with GDPR.

11. What are your rights
Under GDPR you have a number of rights with regards to your personal data, these are;
• The right of access to the personal data we hold about you
• The correction of your personal data when incorrect, out of date or incomplete.
• The right to request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it.
• The right to object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.
• The right to request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
• The right to request the transfer of your personal data to you or to a third party.
• The right to withdraw consent at any time where we are relying on consent to process your personal data.

You can contact us to request to exercise these rights at any time, initially by contacting our Customer Service Team at [email protected] or phoning on 0191 375 1050 who will pass the request to the Data Privacy Manager. Alternatively you may write to: Data Privacy Manager, Co-wheels Car Club, 3a Sunderland Road, Gilesgate, Durham, DH1 2LH

Your right to withdraw consent
Whenever you have given us your consent to use your personal data, you have the right to change your mind at any time and withdraw that consent.

Where we rely on our legitimate or legal basis
In cases where we are processing your personal data on the basis of our contract with you or our legitimate interests, you can ask us to stop for reasons connected to your individual situation however dependent on the data which you are requesting us to stop processing this may result in our not being able to provide you with an ongoing service.
In such cases where you accept that this may be the outcome and decide to close your account, we must then do so unless we believe we have a legitimate or legal overriding reason to continue processing your personal data.

Direct marketing
You have the right to stop the use of your personal data for direct marketing activity through all channels, or selected channels. We must always comply with your request.

Checking your identity
To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Notice. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

12. Opting out of direct marketing
There are several ways you can stop direct marketing communications from us:
• Click the ‘unsubscribe’ link in any email communication that we send you. We will then stop any further marketing emails from that us.
• Email [email protected] and let us know, please make sure you email us from the registered email address so that we can be sure we remove the right one.
• Write to: Data Privacy Manager, Co-wheels Car Club, 3a Sunderland Road, Gilesgate, Durham, DH1 2LH
Please note that you may continue to receive communications for a short period after changing your preferences while our systems are fully updated.
If you do not wish to participate in our Google AdWords Remarketing, you can opt out by visiting Google's Ads Preferences Manager. If you wish to change or opt out of Facebook adverts then you can amend your settings by using this guide and stop specific ads or companies, including those from Co-wheels, by following this guide

13. Any questions
Hopefully this Privacy Notice has been helpful in setting out the way we handle your personal data and your rights to control it.
Co-wheels Car Club Community Interest Company is the controller and responsible for your personal data. Its company number is 6512325 and registered office is at 3a Sunderland Road, Gilesgate, Durham DH1 2LH.

If you have any questions on this privacy notice or anything else relating to your rights, please contact our Data Privacy Manager who will be pleased to help you:
• Email via [email protected]
• Or write to us at Data Privacy Manager, Co-wheels Car Club, 3a Sunderland Road, Gilesgate, Durham, DH1 2LH

14. The Regulator
If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.
You can contact them by calling 0303 123 1113.
Or go online to