TowMyCar

Privacy Policy

Last Updated: January 2025

1. Introduction and Data Controller

This Privacy Policy describes how 3C NET PVT Ltd. (Company Registration No. 16204011) ("Company," "we," "us," or "our"), operating as TowMyCar.uk, collects, uses, processes, and protects your personal information when you use our platform, website, and mobile applications (collectively, the "Platform").

We are committed to protecting your privacy and handling your personal data in accordance with the General Data Protection Regulation (GDPR), the Data Protection Act 2018, and all other applicable data protection laws.

Data Controller: 3C NET PVT Ltd.
Contact: support@towmycar.uk

2. Information We Collect

We collect and process various categories of personal data necessary for providing our services:

2.1 Personal Information

  • Identity Data: Full name, date of birth, government-issued identification numbers
  • Contact Data: Email address, phone number, postal address
  • Account Data: Username, password, account preferences, and security settings

2.2 Service-Related Data

  • Vehicle Information: Registration number, make, model, year, condition details
  • Location Data: Real-time GPS coordinates, pickup and destination addresses
  • Service Details: Type of service requested, service history, preferences

2.3 Financial Information

  • Payment Data: Payment card details, billing address, transaction history
  • Financial Records: Commission payments, refunds, dispute records

2.4 Technical Information

  • Device Data: IP address, device identifiers, operating system, browser type
  • Usage Data: Pages visited, time spent, features used, search queries
  • Communication Data: Messages, chat logs, customer service interactions

2.5 Marketing and Communication Data

  • Communication preferences, marketing consent status, email engagement metrics

3. Legal Basis for Processing Under GDPR

We process your personal data based on the following lawful bases under Article 6 of the General Data Protection Regulation:

3.1 Contract Performance - Article 6(1)(b) GDPR

"Processing is necessary for the performance of a contract to which the data subject is party"

We rely on this legal basis for:

  • Creating and managing user accounts (customers and service providers)
  • Facilitating towing and roadside assistance service bookings
  • Processing payments, refunds, and commission calculations
  • Coordinating service delivery between customers and service providers
  • Providing customer support related to active services
  • Managing disputes and complaints related to service contracts

3.2 Legal Obligation - Article 6(1)(c) GDPR

"Processing is necessary for compliance with a legal obligation to which the controller is subject"

We process personal data to comply with:

  • Financial Regulations: HM Revenue & Customs (HMRC) requirements for tax reporting and record-keeping
  • Anti-Money Laundering (AML): The Money Laundering, Terrorist Financing and Transfer of Funds Regulations 2017
  • Data Protection Laws: GDPR and Data Protection Act 2018 compliance obligations
  • Company Law: Companies House filing requirements under the Companies Act 2006
  • Consumer Protection: Consumer Rights Act 2015 and related regulations
  • Employment Law: For service provider verification and due diligence
  • Law Enforcement: Responding to lawful requests from police, courts, and regulatory authorities

3.3 Legitimate Interests - Article 6(1)(f) GDPR

"Processing is necessary for the purposes of the legitimate interests pursued by the controller"

We have conducted Legitimate Interest Assessments (LIAs) for the following processing activities:

3.3.1 Platform Security and Fraud Prevention

  • Our Interest: Protecting our platform, users, and business from fraud and security threats
  • Necessity: Essential for maintaining trust and operational integrity
  • Balancing Test: User safety and platform security outweigh minimal privacy impact
  • Safeguards: Data minimization, encryption, and limited access controls

3.3.2 Business Analytics and Improvement

  • Our Interest: Understanding user behavior to improve services and develop new features
  • Necessity: Required for competitive business operations and user experience enhancement
  • Balancing Test: Business improvement benefits balanced against user privacy through anonymization
  • Safeguards: IP anonymization, aggregated data analysis, and opt-out mechanisms

3.3.3 Customer Service and Communication

  • Our Interest: Providing effective customer support and service communications
  • Necessity: Essential for resolving issues and maintaining customer relationships
  • Balancing Test: Customer service quality justifies necessary communication processing
  • Safeguards: Purpose limitation and retention controls

3.3.4 Marketing to Existing Customers

  • Our Interest: Informing existing customers about relevant services and updates
  • Necessity: Reasonable expectation within existing customer relationship
  • Balancing Test: Relevant service information balanced against easy opt-out options
  • Safeguards: Clear unsubscribe mechanisms and preference management

3.4 Consent - Article 6(1)(a) GDPR

"The data subject has given consent to the processing of his or her personal data"

We obtain explicit consent for:

  • Marketing to Non-Customers: Newsletter subscriptions and promotional communications
  • Optional Analytics: Advanced tracking and personalization features
  • Third-Party Integrations: Social media connections and external service integrations
  • Research Participation: Customer surveys and market research activities

Consent Management:

  • All consent is freely given, specific, informed, and unambiguous
  • Users can withdraw consent at any time without detriment
  • Withdrawal is as easy as giving consent
  • We maintain records of consent and withdrawal

3.5 Special Category Data

Article 9 GDPR - Processing of Special Categories

We do not routinely process special category personal data (sensitive data such as health, race, religion, etc.). In exceptional circumstances where such data is disclosed during service provision:

  • Legal Basis: Article 9(2)(f) - necessary for legal claims establishment, exercise, or defense
  • Safeguards: Immediate data minimization, restricted access, and enhanced security
  • Retention: Deleted immediately after resolution unless legally required

4. How We Use Your Information

We use your personal data for the following purposes:

4.1 Service Provision

  • Facilitating connections between customers and service providers
  • Processing and managing service bookings
  • Coordinating service delivery and logistics
  • Handling payments, refunds, and commission calculations

4.2 Account Management

  • Creating and maintaining user accounts
  • Identity verification and authentication
  • Account security and fraud prevention
  • Customer support and dispute resolution

4.3 Communication

  • Service-related notifications and updates
  • Emergency communication during service delivery
  • Customer support correspondence
  • Legal notices and policy updates

4.4 Platform Improvement

  • Analyzing usage patterns and user behavior
  • Improving platform functionality and user experience
  • Developing new features and services
  • Performance monitoring and optimization

4.5 Marketing (with consent)

  • Sending promotional materials and newsletters
  • Personalized service recommendations
  • Market research and customer feedback collection

5. Cookies and Similar Technologies

5.1 Introduction to Cookies and PECR Compliance

Cookies are small text files placed on your device when you visit our Platform. Our use of cookies is governed by:

  • GDPR: For the processing of personal data contained in cookies
  • Privacy and Electronic Communications Regulations (PECR) 2003: For the storage and access of information on user devices
  • ICO Guidance: Following the Information Commissioner's Office guidance on cookies and similar technologies

PECR Requirements: Under Regulation 6 of PECR, we must obtain consent before storing or accessing information on your device, except where strictly necessary for service provision.

5.2 Current Cookie Implementation

Important Notice: TowMyCar.uk currently operates without a cookie consent banner. By continuing to use our Platform, you acknowledge our use of cookies as described below. We are committed to implementing enhanced cookie controls in the future.

5.3 Categories of Cookies

5.3.1 Strictly Necessary Cookies

These cookies are essential for the Platform's basic functionality and are exempt from consent requirements under PECR Regulation 6(1)(a):

Purpose and Legal Basis:

  • Authentication: Maintaining secure user sessions (Legal basis: Legitimate interests under Article 6(1)(f) GDPR)
  • Security: Preventing fraud and ensuring platform security (Legal basis: Legitimate interests under Article 6(1)(f) GDPR)
  • Load Balancing: Ensuring optimal performance and availability (Legal basis: Legitimate interests under Article 6(1)(f) GDPR)
  • Essential Functionality: Core platform operations and service delivery (Legal basis: Contract performance under Article 6(1)(b) GDPR)

Retention: Session-based or until technical requirements no longer necessitate storage

5.3.2 Performance and Analytics Cookies

These cookies collect information about how you interact with our Platform:

Current Implementation:

  • Google Analytics: Website usage statistics, user journey analysis, performance monitoring
  • Internal Analytics: Platform optimization and error tracking

Legal Basis: Legitimate interests under Article 6(1)(f) GDPR for business improvement purposes

Data Processing: We ensure IP anonymization and have configured analytics to respect user privacy

Retention Period: Up to 26 months (Google Analytics default) or until withdrawn

Your Rights: You may opt out using browser settings or Google Analytics opt-out tools

5.3.3 Functional Cookies

These cookies enable enhanced features and personalization:

  • User preferences (language, region, accessibility settings)
  • Remember form inputs and user choices
  • Customized user interface elements

Legal Basis: Legitimate interests under Article 6(1)(f) GDPR, balanced against user expectations

Retention: Up to 12 months

5.3.4 Marketing and Advertising Cookies

Current Status: We do not currently deploy marketing or advertising cookies. Should we implement such technologies in the future, we will:

  • Obtain explicit prior consent in accordance with PECR
  • Provide clear opt-out mechanisms
  • Update this policy with detailed information

5.4 Third-Party Cookie Providers

We utilize the following third-party services that may place cookies:

5.4.1 Google Services

  • Google Analytics: Privacy Policy at policies.google.com/privacy
  • Google Maps: For location services and mapping functionality
  • Legal Basis: Legitimate interests for service provision and improvement

5.4.2 Payment Processing

  • Stripe: Payment processing and fraud prevention
  • Privacy Policy: stripe.com/privacy
  • Legal Basis: Contract performance and legal obligations

5.5 Cookie Management and Your Rights

5.5.1 Browser-Based Controls

Immediate Actions You Can Take:

  • Chrome: Settings > Privacy and Security > Cookies and other site data
  • Firefox: Settings > Privacy & Security > Cookies and Site Data
  • Safari: Preferences > Privacy > Manage Website Data
  • Edge: Settings > Cookies and site permissions > Cookies and site data

5.5.2 Third-Party Opt-Outs

5.5.3 Impact of Disabling Cookies

Strictly Necessary Cookies: Disabling these may prevent core functionality including:

  • User authentication and account access
  • Security features and fraud prevention
  • Service booking and payment processing

Other Cookies: Disabling these may affect:

  • Personalized user experience
  • Platform performance optimization
  • Customer support effectiveness

5.6 Future Cookie Consent Implementation

Legal Commitment: We acknowledge our obligation to provide enhanced cookie controls and are developing:

  • Granular cookie preference center
  • Category-specific consent options
  • Easy withdrawal mechanisms
  • Real-time consent management

Timeline: We commit to implementing comprehensive cookie consent mechanisms within 6 months of this policy's effective date.

5.7 International Cookie Transfers

Some cookies may involve data transfers to countries outside the EEA:

  • Google Analytics: Data processed in accordance with Google's international transfer safeguards
  • Stripe: Data processed under adequate data protection agreements
  • Safeguards: All transfers comply with GDPR transfer requirements through adequacy decisions or appropriate safeguards

6. Data Sharing and Third Parties

We may share your personal data with the following categories of recipients:

6.1 Service Providers

  • Independent contractors providing towing and roadside assistance services
  • Only information necessary for service delivery is shared
  • Service providers are bound by confidentiality obligations

6.2 Technology Partners

  • Payment Processors: Stripe for secure payment processing
  • Cloud Services: AWS, Google Cloud for data hosting and processing
  • Analytics Providers: Google Analytics for platform analytics
  • Communication Services: Email and SMS service providers

6.3 Legal and Regulatory Authorities

  • Law enforcement agencies (when legally required)
  • Regulatory bodies and government authorities
  • Courts and legal representatives (in legal proceedings)
  • Insurance companies (for claims and investigations)

6.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the new entity, subject to the same privacy protections.

7. International Data Transfers

We may transfer your personal data outside the European Economic Area (EEA) to:

  • Cloud service providers with data centers in multiple regions
  • Payment processors operating internationally
  • Technology vendors providing global services

Safeguards: All international transfers are protected by:

  • Standard Contractual Clauses (SCCs) approved by data protection authorities
  • Adequacy decisions where applicable
  • Additional security measures and encryption
  • Regular compliance monitoring and audits

8. Data Retention and Deletion

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, in accordance with our legitimate business needs and legal obligations.

8.1 Retention Schedule

8.1.1 Account and Identity Data

  • Active Accounts: Retained while account remains active plus 30 days for account reactivation
  • Deleted Accounts: Core identity data retained for 6 monthspost-deletion for legal compliance (Companies Act 2006, HMRC requirements)
  • Verification Documents: Retained for 6 months from last service provision for regulatory compliance

8.1.2 Service and Transaction Records

  • Service Bookings: 6 months from service completion (insurance claims, legal disputes)
  • Payment Records: 6 months from transaction date (HMRC, AML compliance)
  • Commission Data: 6 months from payment date (tax and accounting obligations)
  • Insurance Claims: 6 months from claim resolution (regulatory requirements)

8.1.3 Communication and Support Data

  • Customer Service Records: 6 months from last interaction (dispute resolution, service improvement)
  • Chat Logs: 6 months from conversation end (customer support, safety monitoring)
  • Email Communications: 6 months from send date (regulatory compliance, dispute resolution)

8.1.4 Marketing and Consent Data

  • Marketing Preferences: Until consent withdrawal plus 30 days (consent record-keeping)
  • Consent Records: 6 months from withdrawal (demonstrating compliance)
  • Newsletter Data: Until unsubscribe plus 1 year (suppression list maintenance)

8.1.5 Technical and Analytics Data

  • Log Files: 12 months from creation (security monitoring, performance optimization)
  • Analytics Data: 6 months from collection (Google Analytics default, business intelligence)
  • Security Incident Data: 6 months from incident resolution (legal protection, compliance)

8.2 Legal Basis for Retention

Our retention periods are based on:

  • Statutory Requirements: UK law mandating specific retention periods
  • Limitation Periods: Legal claim time limits (typically 6 months)
  • Regulatory Obligations: Industry-specific requirements for financial and transportation services
  • Legitimate Interests: Business needs balanced against privacy rights

8.3 Data Deletion Process

8.3.1 Automated Deletion

  • Regular automated reviews identify data eligible for deletion
  • Systematic deletion occurs monthly for expired data categories
  • Backup systems are purged in accordance with retention schedules

8.3.2 Manual Deletion Procedures

  • Immediate deletion upon valid erasure requests (where legally permissible)
  • Secure deletion using industry-standard data destruction methods
  • Certificate of destruction for high-risk data categories

8.3.3 Anonymization Alternative

Where deletion is not legally permissible but continued storage is unnecessary:

  • Data is anonymized to remove personal identification
  • Anonymized data may be retained for statistical and research purposes
  • Regular review ensures anonymization effectiveness

8.4 Retention Review Process

  • Annual review of retention schedules and legal requirements
  • Quarterly assessment of data categories and deletion eligibility
  • Regular legal and compliance review of retention practices
  • Update procedures when laws or business needs change

9. Your Rights Under GDPR

You have the following rights regarding your personal data:

9.1 Right of Access (Article 15)

Request a copy of the personal data we hold about you, including:

  • Confirmation of processing activities
  • Categories of data processed
  • Purposes of processing
  • Recipients of your data

9.2 Right to Rectification (Article 16)

Request correction of inaccurate or incomplete personal data.

9.3 Right to Erasure (Article 17)

Request deletion of your personal data when:

  • Data is no longer necessary for the original purpose
  • You withdraw consent (where applicable)
  • Data has been unlawfully processed
  • Legal obligations require deletion

9.4 Right to Restrict Processing (Article 18)

Request limitation of processing when:

  • You contest the accuracy of the data
  • Processing is unlawful but you prefer restriction over deletion
  • We no longer need the data, but you need it for legal claims

9.5 Right to Data Portability (Article 20)

Request transfer of your data to another service provider in a structured, machine-readable format.

9.6 Right to Object (Article 21)

Object to processing based on legitimate interests, including:

  • Direct marketing communications
  • Profiling for marketing purposes
  • Processing that affects your interests or rights

9.7 Rights Related to Automated Decision Making

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects.

9.8 Right to Withdraw Consent

Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of previous processing.

9.9 Exercising Your Rights - Practical Procedures

9.9.1 How to Submit Requests

Email: Send requests to support@towmycar.uk with:

  • Subject line clearly stating the right you wish to exercise
  • Proof of identity (government-issued ID or account verification)
  • Specific details about your request and any relevant dates/services
  • Contact information for our response

Response Time: We will respond within 30 calendar days of receiving a valid request. Complex requests may require up to 60 additional days with explanation.

9.9.2 Identity Verification

To protect your privacy, we require identity verification for all requests:

  • Account holders: Login credentials and security question verification
  • Non-account holders: Government-issued photo identification
  • Third-party representatives: Written authorization and identity verification

9.9.3 Fees and Charges

  • Most requests: Free of charge
  • Excessive or repetitive requests: May incur reasonable administrative fees
  • Copy requests: First copy free, additional copies at reasonable cost
  • Fee notification: We will inform you of any charges before processing

9.9.4 Refusal Grounds

We may refuse or restrict requests when:

  • Identity cannot be verified
  • Request is manifestly unfounded or excessive
  • Legal obligations require data retention
  • Rights of others would be adversely affected
  • Data is required for legal claims defense

Appeal Process: If we refuse your request, you may appeal to the ICO or seek legal remedy through the courts.

10. Data Security

We implement comprehensive security measures to protect your personal data:

10.1 Technical Safeguards

  • End-to-end encryption for data transmission
  • Advanced encryption for data storage
  • Multi-factor authentication systems
  • Regular security audits and penetration testing
  • Secure API endpoints and database access controls

10.2 Organizational Measures

  • Staff training on data protection principles
  • Access controls and role-based permissions
  • Regular compliance reviews and updates
  • Incident response and breach notification procedures
  • Data protection impact assessments (DPIAs)

10.3 Data Breach Response

In the event of a data breach, we will:

  • Notify the ICO within 72 hours (where required)
  • Inform affected individuals without undue delay
  • Implement immediate containment measures
  • Conduct thorough investigation and remediation
  • Review and strengthen security measures

11. Children's Privacy

Our Platform is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child, we will take immediate steps to delete it and terminate the account.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect:

  • Changes in applicable laws and regulations
  • Updates to our data processing practices
  • Introduction of new features or services
  • Feedback from users and regulatory authorities

Notification: We will notify you of material changes through:

  • Email notifications to registered users
  • Prominent notices on our Platform
  • Updated "Last Modified" date on this policy

Continued Use: Your continued use of our Platform after policy updates constitutes acceptance of the revised terms.

13. Contact Information and Data Protection Officer

For any questions, concerns, or requests regarding this Privacy Policy or our data protection practices:

General Inquiries:

Data Protection Officer:

Postal Address: 3C NET PVT Ltd.
[Company Address to be added]

Response Time: We aim to respond to all privacy-related inquiries within 30 days, as required by UK GDPR.

14. Supervisory Authority

You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) if you believe your data protection rights have been violated:

ICO Contact Information:

  • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

15. Cookie Policy Summary

This Privacy Policy incorporates our Cookie Policy. For specific information about cookies:

  • See Section 5 above for detailed cookie information
  • Manage your cookie preferences through your browser settings
  • Contact us for assistance with cookie-related questions
  • Review our cookie notice displayed on first visit to our Platform

16. Compliance Demonstration and Record Keeping

In accordance with the accountability principle under Article 5(2) GDPR, we maintain comprehensive records to demonstrate our compliance:

16.1 Data Protection Documentation

  • Records of Processing Activities (ROPA): Detailed records under Article 30 GDPR
  • Data Protection Impact Assessments (DPIA): For high-risk processing activities
  • Legitimate Interest Assessments (LIA): Balancing tests for legitimate interest processing
  • Consent Records: Documentation of consent mechanisms and withdrawal procedures
  • Data Breach Register: Record of all data breaches and remedial actions

16.2 Policy Review and Updates

  • Annual Review: Comprehensive policy review and updates
  • Legal Monitoring: Continuous monitoring of data protection law changes
  • Stakeholder Consultation: Regular consultation with legal advisors and DPO
  • User Feedback: Incorporation of user feedback and regulatory guidance

16.3 Training and Awareness

  • Staff Training: Regular data protection training for all personnel
  • Contractor Education: Data protection requirements for service providers
  • Management Oversight: Board-level data protection governance
  • Incident Response: Regular testing of data breach response procedures

16.4 Audit and Monitoring

  • Internal Audits: Regular assessment of data protection practices
  • External Reviews: Periodic third-party privacy audits
  • Continuous Monitoring: Ongoing assessment of processing activities
  • Improvement Actions: Implementation of recommended enhancements

17. Effective Date and Policy History

Effective Date: This Privacy Policy is effective from January 2025.

Previous Versions: This represents a comprehensive update to our privacy practices, incorporating enhanced GDPR compliance measures and detailed cookie policy provisions.

Change Log: Material changes to this policy will be documented and communicated to users in accordance with Section 12 above.

Legal Disclaimer: This Privacy Policy has been prepared to comply with GDPR, PECR, and other applicable data protection laws. It should be read in conjunction with our Terms and Conditions. In case of any conflict between this policy and applicable law, the law shall prevail.

TowMyCar.uk is committed to the highest standards of data protection and privacy. This policy reflects our commitment to transparency, accountability, and user rights under data protection law.