1. About this Policy
Your privacy is important to us and we want you to feel comfortable with how we use, share and process your personal information. This policy sets out how we handle your personal information when you use this website, including when and why it is collected, used, processed, disclosed and how it is secured.
Our contact details are at the end of this policy which you can use if you have any questions, including how to update or access your personal information or to make a complaint.
This policy may change, so please check this page from time to time to ensure that you’re happy with any changes. This policy was last updated on 4th April 2023.
2. Who We Are
Where this policy refers to “we”, “our” or “us” below, unless it mentions otherwise, it’s referring to Drivalia UK Ltd and Drivalia Lease UK Ltd.
Drivalia UK Ltd and Drivalia Lease UK Ltd are appointed representatives of CA Auto Finance UK Ltd (FRN: 312683), which is part of the Crédit Agricole Consumer Finance and we our usually the controller of your personal information. A “controller” is a company that decides why and how your personal information is processed.
3. How and What Personal Information We Collect
We may collect and process the following personal information about you:
- Personal information you give to us: this is information about you that you give to us by entering information on our websites, APP, social media pages, corresponding with us by phone, email or otherwise and is provided entirely voluntarily. It also includes information provided directly to our rental agents when hiring a vehicle from us. We record all of our telephone calls for the performance of our contract with you. The information you give to us includes your name, contact details (such as phone number, email address and address), driving licence details, and enquiry details that may include your opinions about our products, and other information relevant to customer surveys and/or offers.
- Personal information we collect about you: we may automatically collect the following personal information: our web servers store as standard details of your browser and operating system, the website from which you visit our website, the pages that you visit on our website, the date of your visit, and, for security reasons, e.g. to identify attacks on our website, the Internet protocol (IP) address assigned to you by your internet service. We collect some of this information using cookies – please see Cookies in the paragraph below for further information. We may also collect any personal information which you allow to be shared that is part of your public profile on a third party social network.
- Special categories of personal data: this is personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. We do not routinely process such data about you but during the performance of our contract with you, we may receive such data about you and process it, e.g. as part of a complaint.
4. How We Use Your Personal Information
4.1. Where required to perform a CONTRACT with you
We may use and process your personal information where it is necessary for the performance of a contract with you or in order to take steps, at your request, before entering into a contract with you, including for the following purposes:
- When you enquire about our products and services
- When you are a customer of one of our products or services
- When we make reasonable enquiries to assess your application and to confirm your identity
- We may from time to time share your personal data with some of our suppliers (see paragraph below on Our Suppliers and Service Providers)
- To process bookings, creating a contract for delivery and payment of your rental vehicle.
4.2. Where There is a Legitimate Interest
We may use and process your personal information where it is necessary for us to pursue our legitimate interests as a business for the following purposes:
- for analysis, and profiling to inform our marketing strategy, and to enhance and personalise your customer experience
- for market research in order to continually improve our products and services
- to administer our websites and for internal operations, testing, statistical purposes and pricing
- for marketing activities (other than where we rely on your consent) e.g. to tailor marketing communications or send targeted marketing messages via social media and other third party platforms
- for the prevention of fraud, crime and money laundering
- to undertake soft credit checks, where required
- to correspond and communicate with you
- to create a better understanding of you as a customer or visitor
- for network and information security in order for us to take steps to protect your information against loss or damage, theft or unauthorised access
- to comply with a request from you in connection with the exercise of your rights, for example, where you have asked us not to contact you for marketing purposes, we will keep a record of this on our suppression lists in order to be able to comply with your request
- for the purposes of a corporate restructure or re-organisation or sale of our business or assets
- for efficiency, accuracy or other improvements of our databases and systems e.g. by combining systems or consolidating records we or our group companies hold about you
- to enforce or protect our contractual or other legal rights or to bring or defend legal proceedings
- for general administration including managing your queries, complaints, or claims
- It may be necessary from time to time share your personal data with regulators including, the Financial Conduct Authority and the Information Commissioner’s Office.
4.3. Where you have provided CONSENT
We may use and process your personal information where you have consented for us to do so for the following purposes:
- to enable us to process special categories of personal data
- for direct marketing purposes where you have chosen to receive marketing offers from us
4.4. Where required to comply with our LEGAL OBLIGATIONS
We will use your personal information to comply with our legal obligations including:
- to assist HMRC, the Police, the Driver and Vehicle Licensing Agency (DVLA), any other public authority or criminal investigation body
- to identify you when you contact us, and
- to verify the accuracy of data that we hold about you
We reserve the right to transfer your data to UK government police, councils and third-party parking authorities who process Penalty Charge Notices or Parking Charge Notices (PCNs) in the event a PCN or crime is incurred during your rental.
4.5. Where it is in your VITAL INTEREST
We may use your personal information to contact you if there are any urgent safety or product recall notices to communicate to you or where we otherwise reasonably believe that the processing of your personal information will prevent or reduce any potential harm to you. It is in your vital interests for us to use your personal information in this way.
5. Others Who May Receive or Have Access to Your Personal Information
5.1. Group Companies
We may share your information with other companies within the Credit Agricole Group. This would usually be for reporting or statistical purposes, provision of customer services or as part of our investigation of a complaint or a crime.
5.2. Our suppliers and service providers
We may disclose your information to our third party service providers, agents, subcontractors and other organisations for the purposes of providing services to us or directly to you on our behalf. Such third parties may include IT services providers, Credit Reference Agencies and administrative services or other third parties who provide services to us. When we use third party service providers, we only disclose to them any personal information that is necessary for them to provide their services and we have a contract in place that requires them to keep your information secure and not to use it other than in accordance with our specific instructions.
5.3. Third parties who provide products and services
We work closely with various third parties to bring you a range of products and services which are complimentary to ours. Examples of these include: our insurance providers, breakdown assistance, etc. When required for the performance of the contract or for example in case of a claim, the relevant third party may be required to process your data.
5.4. Other ways we may share your personal information
We may transfer your personal information to a third party as part of a sale (or a preparation for sale) of some or all of our business and assets to any third party or as part of any business restructuring or reorganisation.
We may also transfer your personal information if we’re under a duty to disclose or share it in order to comply with any legal obligation (e.g. by sharing your personal information with the DVLA or our regulators), to detect or report a crime, to enforce or apply the terms of our contracts or to protect the rights, property or safety of our visitors and customers. However, we will always take steps with the aim of ensuring that your privacy rights continue to be protected.
6. Where We Process Your Personal Information Outside the EEA
All information you provide to us may be transferred to countries outside the UK. We may be working with some third party service providers / contractors who are located in a country outside of the UK.
These countries may not have similar data protection laws to the UK. In such cases, we will take steps to ensure that appropriate security measures are taken with the aim of ensuring that your privacy rights continue to be protected as outlined in this policy. These steps include imposing contractual obligations on these providers, including the appropriate model contractual clauses that aim to ensure adequate protection.
Our data centres, where we store all our data, are based in Italy.
Please contact us using the details at the end of this policy if you would like more information about the protections that we put in place.
7. How Long Do We Keep Your Personal Information
If we collect your personal information, the length of time we retain it is determined by a number of factors including the purpose for which we use that information and our obligations under other laws. We have documented this in our Data Retention Policy.
We do not retain personal information in an identifiable format for longer than is necessary. We may need your personal information to establish, bring or defend legal claims, in which case we will usually retain your personal information for 6 years after the last occasion on which we have used your personal information. The only exceptions to this are where:
- the law requires us to hold your personal information for a longer period, or to delete it sooner
- you exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted in this policy, or because we are required under the law, and
- in limited cases, the law permits us to keep your personal information indefinitely provided we put certain protections in place.
8. Your Rights
8.1. Your data subject rights
You have a number of rights in relation to your personal information under data protection laws. In relation to certain rights, we may ask you for information to confirm your identity and, where applicable, to help us to search for your personal information. Except in rare cases, we will respond to you within 30 days after we have received this information or, where no such information is required, after we have received your request.
We will aim to deliver the data you request, however it may not always be possible. If your request is excessive or unfounded or would require a disproportionate effort to meet, we may charge a reasonable fee. Unfortunately in some cases we may not be able to provide with all of the data you request. If that happens, we will explain why.
8.2. Accessing your personal information
You have the right to ask for a copy of the information that we hold about you by emailing or writing to us (contact details at the end of this policy). We may not provide you with a copy of your personal information if this concerns other individuals or we have another lawful reason to withhold that information.
8.3. Correcting and updating your personal information
The accuracy of your information is important to us. If you change any of your personal details or if you want to correct any inaccuracy in your personal data, please contact us and we will be happy to assist or log on to the Manage My Bookings in our website.
8.4. Withdrawing your consent
Where we rely on your consent as the legal basis for processing your personal information, as set out under How we use your personal information, you may withdraw your consent at any time by contacting us.
If you would like to withdraw your consent to receiving any direct marketing, please refer to Marketing in paragraph 10.
8.5. Objecting to our use of your personal information
Where we rely on our legitimate business interests as the legal basis for processing your personal information for any purpose(s), as out under How we use your personal information, you may object to us using your personal information for these purposes by emailing or writing to us at the address at the end of this policy.
Except for the purposes for which we are sure we can continue to process your personal information, we will usually temporarily stop processing your personal information in line with your objection until we have investigated the matter. If we agree that your objection is justified in accordance with your rights under data protection laws, we will permanently stop using your data for those purposes. Otherwise we will provide you with our justification as to why we need to continue using your data.
8.6. Erasing your personal information or restricting its processing
In certain circumstances, you may ask for your personal information to be removed from our systems by contacting us. Unless there is a reason that the law allows us to use your personal information for longer, we will make reasonable efforts to comply with your request.
You may also ask us to restrict processing your personal information in the following situations:
- where you believe it is unlawful for us to do so
- when you have objected to its use and our investigation is pending or you require us to keep it in connection with legal proceedings.
In these situations, we may only process your personal information whilst its processing is restricted if we have your consent or are legally permitted to do so; for example, for storage purposes, to protect the rights of another individual or company or in connection with legal proceedings.
8.7. Transferring your personal information in a structured data file (data portability)
Where we rely on your consent as the legal basis for processing your personal information or need to process it in connection with your contract, as set out under How we use your personal information, you may ask us to provide you with a copy of that information in a structured data file. We will provide this to you electronically in a structured, commonly-used and machine-readable form, such as a CSV file.
You can ask us to send your personal information directly to another service provider, and we will do so if this is technically possible. We may not provide you with a copy of your personal information if this concerns other individuals or we have another lawful reason to withhold that information.
8.8. Complaining to the UK Data Protection Regulator
You have the right to complain to the Information Commissioner’s Office (ICO) if you are concerned about the way we have processed your personal information. Please visit the ICO’s website for further details.
9. Security
9.1. Security measures we put in place to protect your personal information
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online. To ensure your safety whilst using our website, all booking enquiries (quotes), payments and communications that we receive are processed with HTTPS secure encryption using state of the art encryption (SSL/TLS). You will know that your browser uses this secure transmission as it is indicated by the Internet address beginning with “https” and a small lock symbol (usually) displayed in the address bar of your browser window. When the lock is closed, it is a safe transfer. Some browsers show the address bar or part of it in green colour for this case.
As with all rental companies within the travel industry, we process payments via our website which means your card details are retained on our system after your payment has been processed. We hold this information for PCN purposes for as long as necessary in accordance with GDPR. We are fully PCI DSS compliant and constantly update our payment systems with the latest security software to ensure your details are kept safe.
9.2. Use of ‘cookies’
A cookie is a small file which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
We use traffic log cookies to identify which pages are being used. This helps us analyse data about web page traffic and improve our website in order to tailor it to customer needs. We only use this information for statistical analysis purposes and then the data is removed from the system.
Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the website.
Further information on the cookies that we use and their features can be found in the Cookie Policy.
9.3. Google Analytics
Our website uses Google Analytics, a web analytics tool provided by Google Inc. The cookies that are stored on your computer, allow us to analyse your use of our website. This information is solely used to monitor our performance, improve our service and make necessary updates to our website. The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there. We use the service on our website with activated IP anonymity. This means that on our website, your IP address will be abbreviated beforehand by Google within the member states of the European Union or in other contracting states of the Agreement in the European Economic Area and therefore anonymous. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and abbreviated there. On our behalf, Google will use this information to evaluate your use of the website, to compile reports on website activity and to provide other services related to the website activity and internet usage to us as website operators.
9.4. Links to other websites
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
9.5. Social plugins
From time-to-time, we may use social plugins (buttons) of social networks such as Facebook, LinkedIn, Instagram, Google and Twitter. Please see the Cookie Policy in Section for further details regarding our use of cookies. If you are a member of a social network and do not wish it to combine data retrieved from your visit to our websites with your membership data, you must log out from the social network concerned before activating the buttons. We have no influence on the scope of data that is collected by the social networks through their buttons. The data use policies of the social networks provide information on the purpose and extent of the data that they collect, how this data is processed and used, the rights available to you and the settings that you can use to protect your privacy.
We may contact you with targeted advertising delivered online through social media and platforms (operated by other companies) by using your personal information, or use your personal information to tailor marketing to improve its relevance to you, unless you object.
10. Marketing
For marketing purposes, Drivalia UK Ltd is the data controller and we rely on your consent to market similar products and services to you.
When signing for your rental at the counter, you will be asked to confirm that you agree to receive promotional offers, discounts and articles of interest from time to time. You have the right to revoke this consent at any time so we include an unsubscribe link at the bottom of every email should you wish to opt-out of future newsletter emails. You can unsubscribe now by emailing uk.unsubscribe@drivalia.com thus revoking your consent.
We may contact you by telephone, email, SMS and post. We may also analyse our customer databases to enable us to do targeted marketing (known as ‘profiling’).
SMS, telephone and email are known as ‘electronic marketing’ and we are required to ask your permission to communicate with you in these ways. Before you sign your agreement, you will be given an opportunity to opt-out. If you did not opt-out at the time you signed your agreement with us, we regard your permission to electronic marketing to be valid until you unsubscribe. This is to provide you with promotional discounts to get the best offers on the rentals. Of course, you may unsubscribe at any time.
10.1. Channels
When you signed your agreement with us (unless you opted-out), you gave us permission to market to you by telephone, email, SMS and post. If you would like to change these communication preferences please let us know.
10.2. Profiling
From time to time we carry out marketing activities which are targeted towards a selected group of customers. In order to select those customers, we may use what is known as ‘profiling’, for example selecting our customers by age, gender or location.
10.3. Opt out from marketing communications
As well as being given the opportunity to opt-out when you signed your agreement, you may unsubscribe of marketing communications at any time in the following easy ways:
- Email: please send an email to uk.unsubscribe@drivalia.com and include your name, date of birth and address
- Unsubscribe on promotional emails
- Post: please write to us at this address – PO Box 4465, Slough, SL1 0RW
- Telephone: please call us at 0203 657 6045
10.4. Websites
We may collect your preferences to send you marketing information directly from us by email / post / telephone / SMS, if you request a quote for one of our products or services on our website.
After booking on our website, we will send you a “booking voucher” containing useful information, what to bring to the counter and instructions on where to collect your vehicle.
After your rental is completed, we may also send you a survey asking you to review your experience with us. Both platforms used to collect reviews (Trustpilot and SurveyMonkey) are GDPR compliant and do not store your data after transferring to us.
11. Geolocation Data and Trackers
Our vehicles are fitted with vehicle telematics systems (GPS) provided by GDPR-complaint third-party companies. They have security software in place to prevent data being lost, used, altered, disclosed or accessed in an unauthorised way.
The third-party companies only process and retain personal data in relation to the performance of any of its obligation set out under the agreement with the Data controller. After the rental period, this data is securely stored for the purposes of Insurance, PCNs, Crime or any other DPA requests. This data is deleted after the data retention period that is set out in the agreement between Drivalia and the third-party companies.
We will use the information from the devices to access location-based information and mileage of the vehicle. We only use this information when we seem necessary. For example, in the following circumstances;
- To provide information to the police or other authorities (e.g. recovery companies) in the event that the vehicle is stolen or is not returned at the end of the contract period
- To detect whether the vehicle is being used in a prohibited area in respect of the terms and conditions agreed upon in the contract
- To locate the vehicle in case of theft, accident, or misappropriation
12. Changes to This Policy
We may review this policy from time to time and any changes will be published on our website. We may also contact you by email. Any changes will take effect 7 days after the date of our email or the on the date on which we post the modified terms on our website, whichever is the earlier. We recommend that you regularly check for changes and review this policy when you visit our website.
If you have any queries about any aspect of our policies, please do not hesitate to contact us.
13. Contact Our Data Protection Officer
If you want to contact us about anything in this policy or for any further query, please contact our Data Protection Officer (DPO) at:
- Email: dataprotectionoffice@ca-autobank.com
- Telephone: 0344 5614738; one of our customer service team will answer and will redirect the call to the DPO
- Post: PO Box 4465, Slough, SL1 0RW, indicating “for the attention of the Data Protection Officer”