Privacy Notice when our website is visited
This Privacy Notice fulfills the obligation to provide information pursuant to Article 13 et seq. of the General Data Protection Regulation (GDPR) where personal data is collected on our website.
1. Name and contact details of the data controller:
CARFAX Europe GmbH Barthstraße 2-10 80339 Munich Email: firstname.lastname@example.org (hereinafter referred to as "CARFAX", "we", "us").
2. Contact details of the data protection officer:
3. Purposes for which the personal data is to be processed and the legal basis for processing
3.1. Data processing on the basis of legitimate interests (Article 6(1)(f) GDPR)
In consideration of your rights and freedoms, processing will be carried out if this is necessary for the purposes of a legitimate interest on our part and this is not overridden by your interests, fundamental rights and fundamental freedoms, which require protection of personal data. Article 6(1)(f) GDPR provides the legal basis in these cases.
3.1.1. Collection of access data/server log files
For technical reasons, we process a limited amount of data (known as connection data) each time the website is accessed. This data is necessary from a technical point of view to establish and implement a connection between your device and our servers. The following data or categories of data can be collected:
Name of the file accessed.
The date and time of access.
Amount of data transferred.
Notification indicating whether access was successful.
Notification indicating why access may have failed.
Name of your Internet service provider.
Your computer's operating system and browser software, if applicable.
The website which directed you to us.
This log data will only be processed in order to carry out statistical analyses for the purpose of operating, securing and optimizing the site. However, we reserve the right to check the log data retrospectively if there are legitimate grounds for suspecting unlawful use on the basis of concrete evidence. This data is therefore not used to create user profiles.
3.1.2. Cookies required and not required for technical reasons
This website sometimes uses files known as cookies. Cookies do not damage your computer and do not contain viruses. Cookies are used to make our site more user-friendly, effective and secure. Cookies are small text files that are placed on your computer and stored by your browser.
Most of the cookies we use are known as session cookies. They are automatically deleted once you leave our website. Cookies of this kind are essential from a technical standpoint for the website to be able to operate and for the purpose of providing the service requested by the user and therefore cannot be disabled.
3.1.3. Use of the contact form
When using the contact form, we will only collect personal data to the extent to which you provide it. We will only use your name and your email address to process your request.
3.2. Data processing based on your consent (Article 6(1)(a) GDPR)
Third-party services such as advertising and marketing cookies (tracking cookies) and analysis tools may also be used on the website. These are not necessary from a technical standpoint for operation of the website but are used, for example, to record how the user utilizes the Internet, to create a user profile and to send ads to the user which are tailored to the user's profile. These services will only become enabled after you have explicitly given your consent using the consent banner. For an overview of all third-party services which are embedded in the website and which are subject to consent, see point 10.
3.3. Data processing after entering a vehicle identification number (VIN)
By entering a vehicle identification number (VIN) on our website, you can check in advance whether CARFAX has fundamental information available for a specific vehicle at no charge and without the purchase of a used car history.
4. Automated decision-making including profiling
CARFAX Europe GmbH does not employ automated individual decision-making, including profiling, pursuant to Article 22(1) and (4) GDPR.
5. Data transfer to a third country
Data is transferred to countries outside the EU and the European Economic Area ("third countries") as part of administering, developing and operating IT systems. Data shall only be transferred on the basis of:
an adequate decision of the European Commission under Article 45 GDPR;
an approved certification mechanism pursuant to Article 42 GDPR together with legally binding and enforceable obligations on the part of the controller or the processor in the third country;
standard data protection clauses issued by the Commission in accordance with the examination procedure referred to in Article 93(2) GDPR.
Personal data is currently transferred to the United States through the use of analysis and tracking tools (such as Google Analytics, DoubleClick or Microsoft Bing Ads) in the following cases:
Transmission of data to Google Inc., 1600 Amphitheater Parkway Mountain View, CA 94043, USA.
Transmission of data to New Relic Inc., 188 Spear Street, Suite 1200 San Francisco, CA 94105, USA.
Transmission of data to Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA.
In the event that you order a search for information by entering a valid vehicle identification number, we will transmit the VIN to our parent company CARFAX Inc., 5860 Trinity Parkway, Suite 600, Centreville, VA 20120 in the USA, only in cases where there is no data available in our own database and to therefore allow you full access to the global database.
6. Categories of data recipient
To the extent permitted by law, we share personal data with external service providers:
IT service providers to maintain our IT infrastructure.
Server providers to store and process the data in a confidential manner.
Your data will also be shared as far as we are legally obliged to do so.
7. Retention period and criteria for determining such period
Personal data will only be retained for as long as is necessary in order to fulfill the purposes mentioned here or as stipulated by the statutory retention periods. The data will be deleted in accordance with the statutory regulations once the relevant purpose ceases to apply or after the retention periods have expired.
We will store your data for advertising purposes until you object to such use or we are no longer permitted by law to send promotional material to you.
8. Information about your rights as a data subject
CARFAX Europe GmbH, Barthstraße 2-10, 80339 Munich, Germany, is responsible for processing your data, unless otherwise stated.
You can obtain information from us at any time (Article 15 GDPR) about the data stored about you and request that it be rectified (Article 16 GDPR) where there are errors. You can also request that processing be restricted (Article 18 GDPR), request that data you give us be provided (Article 20 GDPR) in a machine-readable format (data portability) or that your data be erased (Article 17 GDPR) provided it is no longer required.
Furthermore, you have the right to object to the use of your data, which is based on public or legitimate interests (Article 21 GDPR), at any time.
If you wish to exercise your rights as a data subject, please contact: CARFAX Europe GmbH Barthstraße 2-10 80339 Munich, Germany email@example.com
9. Right to lodge a complaint with a supervisory authority
In addition, you can contact a supervisory authority at any time to lodge a complaint. The Bayerisches Landesamt für Datenschutzaufsicht (Bavarian State Office for Data Protection Supervision), P.O. Box 1349, 91504 Ansbach, Germany, is the competent authority for us. Alternatively, you can contact your local supervisory authority.
10. Privacy notice for all third-party services embedded in the website
10.1. Privacy notice about the use of Google Analytics
This website uses Google Analytics, a web analytics service provided by Google Inc. LLC (1600 Amphitheater Parkway, Mountain View, CA 94043, USA; "Google"). Google Analytics uses text files known as cookies that are stored on your computer and make it possible to analyze how you use the website. The information generated by the cookie about how you use the website, such as
type/version of your browser,
operating system used,
referrer URL (the page previously visited),
host name of the accessing computer (IP address),
time of the server request,
is usually transferred to a Google server in the USA, where it will be stored. The IP address provided by your browser as part of Google Analytics will not be merged with other Google data. We have also added the code "anonymizeIp" to Google Analytics on this website.
Google will use this data on behalf of CARFAX Europe GmbH to analyze how you use the website, to compile reports about website activities and to provide further services related to website use and Internet use to the website operator. You can prevent cookies from being stored by setting your browser software accordingly; however, we would like to point out that in this case you may not be able to use all the functions of this website to their full extent.
You can also prevent Google from collecting the data generated by the cookie and related to how you use the website (including your IP address) and from processing this data by downloading and installing the browser plug-in available via the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
10.2. Privacy notice about the use of Google Tag Manager
The legal basis for processing your personal data is your consent pursuant to Article 6(1)(a) GDPR. You give your corresponding consent via the consent banner. For more information about Google Tag Manager, visit: https://www.google.com/analytics/terms/tag-manager/
10.3. Privacy notice about the use of Doubleclick.net by Google
Due to the marketing tools used, your browser automatically establishes a direct connection to the Google server. We have no influence on the scope and further use of the data collected by Google as a result of this tool being used and we are therefore providing you with the following information to the best of our knowledge: By integrating DoubleClick, Google receives the information that you have accessed the corresponding part of our website or clicked on one of our ads. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or have not logged in, the provider may learn of and store your IP address.
In addition, the DoubleClick Floodlight cookies used enable us to understand whether you perform certain actions on our website after you have accessed or clicked on one of our display/video ads on Google or on another platform via DoubleClick (conversion tracking). DoubleClick uses this cookie to understand the content that you have interacted with on our website so that targeted ads can subsequently be sent to you.
The legal basis for processing your personal data is your consent pursuant to Article 6(1)(a) GDPR. You give your corresponding consent via the consent banner. For more information about DoubleClick by Google, visit https://marketingplatform.google.com/about/enterprise/
10.4. Privacy notice about the use of Google Fonts API/gStatic API
This website uses external fonts from Google Inc. such as Google Fonts and gStatic. These are services provided by Google Inc., 1600 Amphitheater Parkway, Mountain View, California 94043, USA ("Google"). These web fonts are embedded via a call to a server, usually a Google server in the USA. This will tell the server which of our websites you have visited. The IP address of the browser on the device of the visitor to these Internet pages is also stored by Google.
The legal basis for processing your personal data is your consent pursuant to Article 6(1)(a) GDPR. You give your corresponding consent via the consent banner. For more information, visit https://developers.google.com/fonts/faq?tid=331597391040
10.5. Privacy notice about the use of Google Dynamic Remarketing
10.6. Privacy notice about the use of Google Audiences
We also use Google Audiences ("GA Audience") from Google LLC (1600 Amphitheater Parkway, Mountain View, CA 94043, USA; "Google"), another web analytics service from Google. This service collects and stores data from which pseudonymized usage profiles are created. This technology allows users who have visited our websites to see targeted advertising from us on other external sites in the Google Partner Network.
For more information about privacy when GA Audience is being used, please visit: https://support.google.com/analytics/answer/2700409?hl=en&ref_topic=2611283.
10.7. Privacy notice about the use of New Relic
New Relic will use this information on our behalf to evaluate how our site is utilized by users, to compile reports about the activities within the site and to provide us with further services associated with how this site is used and Internet use. In this case, pseudonymized usage profiles of users can be created from the processed data.
The IP address provided by the user's browser will not be merged with other New Relic data. The legal basis for processing your personal data is your consent pursuant to Article 6(1)(a) GDPR. You give your corresponding consent via the consent banner.
For more information about how New Relic uses data, see the New Relic privacy statement at https://newrelic.com/termsandconditions/cookie-policy.
In addition to the conventional function of Google reCAPTCHA (for example, within an ordering process to be able to differentiate between input by a natural person or misuse by a bot or other spam software), we are also using the new reCAPTCHA v3 on our website (called the invisible reCAPTCHA). This is a function of Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; "Google") to detect abusive traffic, especially spam, on a website without user interaction. By spam, we mean any unsolicited, unwanted information sent electronically. The reCAPTCHA is therefore used to secure our website and ultimately also for your security.
The invisible reCAPTCHA does not conduct any classic CAPTCHA test, but rather makes an assessment to allow us to select the most suitable action for our website ourselves. Google does not disclose exactly which data it collects and stores in this process. In addition, we also use the classic CAPTCHAs, in which you generally have to solve a text or image puzzle or check a box to confirm that you are not a bot. The classic reCAPTCHA is only used as a fallback solution if the invisible reCAPTCHA identifies a user as a bot in order to still give real users the opportunity to access the website.
According to our information, the following information is collected in relation to your terminal and your browser and transmitted to Google:
Referrer URL (the address of the site from which the visitor is coming)
User’s IP address
User’s operating system
Mouse and keyboard behavior
Language set in the browser
Screen and window resolution
Installation of browser plugins
Limited location and usage data
The Captcha window uses "Google Fonts" for the visual display, i.e. the fonts loaded from the Internet by Google. There is no processing of information other than that mentioned above, which is already transmitted to Google via the functionality of reCAPTCHA.
The use of Google reCAPTCHA occurs in accordance with Article 6(1)(f) of the GDPR based on our legitimate interest in establishing individual ownership on the Internet and preventing misuse and spam, and thereby ensuring the security of our website. Information is stored and accessed in accordance with Article 25 (1 and 2) TTDSG (Telekommunikation-Telemedien-Datenschutzgesetz — German Telecommunications and Telemedia Data Protection Act).
As part of this use of Google reCAPTCHA, personal data may be transmitted to the server at Google LLC in the USA.
For further information on data privacy at Google, please visit: https://www.google.com/intl/de/policies/privacy/
Further information on Google reCAPTCHA Version 3 can be found at https://developers.google.com/recaptcha?hl=de
10.9. Privacy notice about the use of Microsoft Bing Ads
On our website we use conversion tracking by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. In this respect, Microsoft Bing Ads will store a cookie on your computer if you have accessed our website via a Microsoft Bing advertisement. In this way, we and Microsoft Bing can see that someone clicked on an ad, was redirected to our website and arrived at a previously designated landing page (conversion page). We are told the total number of users who clicked on a Bing ad and were then redirected to the conversion page.
In addition, Microsoft may be able to track your usage behaviour across several of your electronic devices through cross-device tracking, which allows Microsoft to display personalized advertising on or in Microsoft websites and apps. You can disable such tracking of your behaviour via https://account.microsoft.com/privacy/ad-settings/signedout. If you do not want information about your behaviour to be used by Microsoft as explained above, you may opt out of a cookie being set, for example by using a browser setting that generally disables cookies being set automatically.
10.10. Privacy notice about the use of Hotjar
Our website uses Hotjar, analysis software from Hotjar Ltd. ("Hotjar"), 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta, Europe. Hotjar can be used to measure and analyze usage behavior on our website in the form of clicks, mouse movements, scroll depths, etc. The information generated by the "tracking code" and the "cookie" is transmitted to and stored on the Hotjar servers in Ireland. The following information is collected:
The IP address of your device (collected and stored in an anonymized format)
Screen size of your device
Device type and browser information
Geographical location (country only)
The preferred language for displaying our website
In addition, the following data will be logged on our server when Hotjar is used:
Geographical location (country only)
The preferred language for displaying our website
Date and time website accessed
Hotjar will use this information to analyze how you use our website, to create reports as well as other services concerning website use and Internet analysis of the website. Hotjar also uses third-party services such as Google Analytics to provide services. These third-party companies may store information that your browser sends during the visit to the site, such as cookies or IP requests. For more information about how Google Analytics stores and uses data, please refer to their respective privacy notices.
The legal basis for processing your personal data is your consent pursuant to Article 6(1)(a) GDPR. You give your corresponding consent via the consent banner. For more information about privacy when using Hotjar, please visit www.hotjar.com/privacy and www.hotjar.com/legal/policies/privacy
Our website uses a "Meta pixel" created by the social network Meta Platforms, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA ("Meta"). The Meta pixel makes it possible to track users' behavior after they click on a Meta ad. Using this Meta pixel helps us to understand how our marketing campaigns are received by users on Meta's platforms, such as Facebook and Instagram, and enables us to devise action improvement plans, if necessary. While visiting one of Meta's social networks or any other website that also utilizes this tool, users of our website are shown targeted ads ("Meta ads" or "Facebook ads" and "Instagram ads"). Accordingly, we also use the Meta pixel to display Meta ads placed by us only to those Meta users who have also shown an interest in our online offering or to those who have certain characteristics (e.g. interest in certain topics or products determined on the basis of the web pages they have visited), which we share with Meta (Meta "Custom Audiences" or "Lookalike Audiences").
Your browser uses the Meta pixel to automatically establish a direct connection to the Meta server. We have no influence on the scope and further use of the data collected by Meta, as a result of this tool being used, and we are therefore providing you with the following information to the best of our knowledge:
The integrated Meta pixel notifies Meta that you have clicked on an ad from us or called up the corresponding page of our website. If you are registered with a Meta service, Meta can assign the visit to your account. Even if you are not registered with Meta or you have not logged in, the provider may learn and store your IP address and other identifying information.
Information in the end user's terminal is stored and accessed in accordance with Article 25(1) TTDSG (Telekommunikation-Telemedien-Datenschutzgesetz — German Telecommunications and Telemedia Data Protection Act). The legal basis for your personal data being further processed is the informed consent that you have freely given pursuant to Article 6(1)(a) GDPR. You give your corresponding consent via the consent banner.
Munich, July 2023