The data Bumper uses and how we keep it safe and secure
Our address is TOG, 1 Lyric Square, London, W6 0NB
Our company number is 08576711
Our data protection number is ZA044414
“UK GDPR” means European Union Regulation (EU) 2016/679 (General Data Protection Regulation) as such regulation is adopted into the law of the United Kingdom pursuant to the European Union (Withdrawal) Act 2018 and as amended by the Data Protection Act 2018 and any successor regulation or law. In order to protect your privacy, we have taken a number of steps to ensure that any personal data collected on this website is processed and maintained in accordance with the GDPR, UK GDPR and other data protection legislation (DPA) and in accordance with recognised principles of good data handling practice. This policy explains the type of information we hold about you, how we collect and use that information and how we protect your privacy.
It is important that we protect and manage the information you provide to us and we do this by:
Using cyber security methods such as firewalls and data encryption.
Strict access controls in all our buildings and within our computer systems, and ensuring that files can only be viewed by staff who need access to do their jobs.
We protect any information or data you provide to us on our website by using Secure Socket Layer (SSL) encryption. This helps to ensure that the information remains private.
Our security systems meet or exceed industry standards and we constantly monitor developments on the internet and update our systems whenever necessary.
Unfortunately, sharing information over the internet is not completely secure and there are some risks. We will always do our best to protect your personal information, but no company can fully guarantee the security of information shared via websites. Any information you provide to us is shared at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
If you create a password or we provide you with one to enable you to access certain parts of our website, you are responsible for keeping that password confidential. Please do not share your password with anyone else.
2. Collecting information
There are several ways in which we may obtain information about you:
Information you give us through our websites and apps.
Information you give us over the phone when you talk to our customer service or one of our partners.
Information you share in person when you talk to one of our trusted partners who enters it into our system.
Information you provide to us through other direct communications with us, e.g. an email.
Information from other groups, e.g. credit reference agencies and customer data providers, who provide us with relevant information to help us check who you are and what credit line we can offer you.
The information we collect about you may include the following:
- Full name
- Date of birth
- Full address
- How long you have been registered at an address
- Payment card details
- Vehicle registration number
- Telephone number
- Email address
- Current location
- Credit history details
We may also record or monitor calls for the purpose of quality checks and staff training. These phone records may also be used to help us combat fraud.
To use any of Bumper's PayLater products, you must be 18 years or older. Anyone under the age of 18 is strictly prohibited from using Bumper's PayLater products.
3. How we use your information
We use your information to:
- provide you with the smoothest experience possible when using our services. For instance and in order to protect you and other customers, we use your information to: Search records from credit reference agencies and fraud prevention agencies (including information from overseas).
- make credit decisions about you or help assess credit (and verify the information you have provided to us and others). This is done using an algorithm that compares your information with information held by credit rating agencies and FPAs (explained in more detail below).
- manage your account, any PayLater or PayNow transaction you make with us and any form of your communication with us
- improve our service by monitoring and analysing the services provided to you (including asking you to rate your experience as a customer).
- keep in touch with you by email, text message, letter, telephone or otherwise about our products and services unless you tell us that you do not wish to receive marketing material.
- investigate, prevent, detect and combat fraud, money laundering, terrorism and other criminal offences.
- develop a clearer understanding of you as a customer so that we can identify, develop or improve offers that may be of interest to you.
- conduct market research, business and statistical analysis. To share anonymised information with independent external bodies conducting research (e.g. government departments and agencies and universities).
- conduct audits.
- perform other administrative and operational tasks, including testing systems.
- track your location to verify the information you have provided
- collect your debts owed to us.
- comply with our regulatory obligations.
- find garages in the area of your location or home address to enable you to book and use the services of the garages closest to you.
- retrieve further vehicle details from AutoData Guru or other third parties by searching your vehicle registration (anonymised).
- retrieve details about your MOT history.
Your information may occasionally be used for other purposes for which you have given your permission, where we are legally entitled to do so or it is in the public interest to disclose the information.
4. Provision of the website
Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer.
The following data is collected:
- Information about the type of browser and the version used.
- The user's operating system
- The user's internet service provider
- The IP address of the user
- Date and time of access
- Websites from which the user's system accesses our website
- Websites that are accessed by the user's system via our website
The legal basis for the temporary storage of the data is Art. 6 (1) clause 1 f) UK GDPR/GDPR. The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session. The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.
5. Credit Reference Agencies (CRAs) and Fraud Prevention Agencies (FPAs) – United Kingdom
When you apply to use Bumper's Paylater service, we will check records about you (and others where applicable) held by the following organisations:
- Bumper (our own)
- Credit Reference Agencies (CRAs)
- Fraud Prevention Agencies (FPAs)
The check made by Bumper with CRAs is a ‘soft check’ and will not place a search footprint on your credit file. However, Bumper are obliged to report the status of all payments (on time, late or missed) to CRAs once your Paylater plan is in place.
The CRA that Bumper uses is TransUnion, and you can find their contact details below.
The CRAs provide us with public information (including the electoral register, county court judgements and bankruptcies) and shared credit and fraud prevention information including details of previous applications and the status of any accounts you and your financial associates have.
We may also make occasional searches with CRAs and FPAs to manage our relationship with you.
Any information that you share when applying to use Bumper's Paylater service will be sent to CRAs and recorded by them. We and other organisations may access and use this information to prevent fraud and money laundering, and CRAs and FPAs may use your information for statistical analysis. Information held by CRAs and FPAs will be disclosed to us and to other organisations in order to (for example):
- Prevent fraud and money laundering and to check and assess applications for credit, credit related or other facilities.
- Recover debts that you owe and trace your whereabouts.
- Manage credit accounts and other facilities and decide appropriate credit limits.
- Verify your identity.
- Make decisions on credit and other facilities for you, your financial associate(s), members of your household or your business.
- Check details of job applicants and employees.
When you borrow from us, we will give details of your loan and how you manage it to the CRAs. If you borrow and do not repay in full and on time, the CRAs will record the outstanding debt and, in some cases, the length of time that the debt remains outstanding; other organisations may see these updates and this may affect your ability to obtain credit in the future.
If you fall 3 or more payments behind, and a full payment (or satisfactory repayment arrangement) is not received within 28 days of a formal demand being issued, then a default notice may be recorded with the CRAs. Any records shared with CRAs will remain on file for 6 years after your account is closed, whether any outstanding sums have been settled by you or following a default.
This information may be supplied to other organisations by CRAs and FPAs to perform similar checks and to trace your whereabouts and recover debts that you owe. Records remain on file for 6 years after they are closed, whether any outstanding sums have been settled by you or following a default.
If you give us false or inaccurate information and we have reasonable grounds to suspect fraud or we identify fraud, we may record this and may also pass this information to FPAs and other organisations involved in crime and fraud prevention including law enforcement agencies who may then access this information.
We and other organisations may access and use the information recorded by fraud prevention agencies from other countries.
The Credit Reference Agency we use is TransUnion Limited (registration number 03961870) with registered office at One Park Lane, Leeds, West Yorkshire, LS3 1EP.
The legal basis for these transfers is Article 6(1) b) and Article 6(1) f) of the GDPR/UK GDPR. Transfers based on Article 6(1) f) of the UK GDPR/GDPR may only take place if this is necessary to protect the legitimate interests of Bumper International Limited or third parties and if the interests or fundamental rights and freedoms of the data subject which require the protection of personal data do not override these interests.
More information about CRAs and how they use personal data is available at https://www.transunion.co.uk/crain.
The Fraud Prevention Agency that we use is CIFAS, with registered office at 6th Floor Lynton House, 7-12 Tavistock Square, London, WC1H 9LT. You can contact CIFAS at www.cifas.org.uk/contact-us.
If you have any further questions about our use of CRAs or FPAs please email us at email@example.com
You can use our website to register with us. The data entered here will then be stored on our servers and used to process your orders. This data will not be passed on to third parties unless it is necessary for the execution of the contract. The legal basis for the processing of the data is Art. 6 (1) (b) UK GDPR/GDPR.
7. Usage history
Within the framework of the contract with you, we also process data in order to show you recent uses that have already taken place and to make corresponding suggestions for further uses, including the services of partners. The legal basis for the processing of this data is also Art. 6 (1) (b) UK GDPR/GDPR, as the processing is necessary for the performance of the contract existing between you and us.
8. E-mail contact
At various points on the website, it is possible to contact us via the e-mail address provided. The personal data transmitted, in particular the e-mail address itself, is stored. This data is not passed on to third parties. The data is used exclusively for processing the enquiry. The legal basis for the processing of the data is Art. 6 (1) (f) UK GDPR/GDPR. The legitimate interest in processing the data lies in the implementation of the contact. The data will be deleted after the purpose no longer applies or the communication has ended. If an offer process is carried out during the communication, the processed data will be deleted after the expiry of the retention periods provided for this purpose.
9. Internet cookies and how we use them
When you use a website, it will ask you if you accept cookies. These are small electronic files that are stored on your computer's hard drive. If you agree, the file is added.
The cookie helps websites respond to your individual preferences by remembering information about your previous web usage. Cookies also allow websites to recognise you on your next visit, which can make it easier for you to use the website. There are cookies on our website which, if present, record your IP address and the type of operating system and browser you are using. This information is used to improve our website and to tell our advertisers how many people visit our website.
In addition to using cookies, we may also use other web tools to collect information about your browsing activities on our website. The information collected is similar to the information provided by cookies and we use it for the same purposes as those mentioned above.
Any information we collect using cookies or web tools is subject to the same restrictions and conditions as any other information we collect about you.
10. Google Maps
This site uses the map service Google Maps via an API. The provider is Google Inc, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. To use the functions of Google Maps, it is necessary to store your IP address. This information is usually transferred to a Google server in the USA and stored there. Google Inc. in the USA has undertaken to guarantee appropriate data protection in accordance with the American-European and the American-Swiss Privacy Shield. The provider of this site has no influence on this data transmission. Google Maps is used to provide an attractive presentation of our online offers and to make it easy to find the places we have indicated on the website. The legal basis is your consent within the meaning of Art. 6 (1) (a) UK GDPR/GDPR.
11. Google Webfonts
We use "Google Web Fonts", a directory of various fonts, for the uniform and visually appealing display of textual content on our website. This service is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. When you visit our website, the fonts are reloaded from a Google server, which enables us to achieve faster loading times and also a better Google ranking, among other things.
Each time you visit our website, the following data is transmitted to Google:
- IP address
- Language settings
- Screen resolution of the browser
- Browser version and browser name
Google may transfer your data to servers worldwide. This includes locations in countries without an adequate level of data protection.
You can find more information on data protection at Google at: https://policies.google.com/privacy.
You can object to Google's use of your data here: Opt-out plugin: http://tools.google.com/dlpage/gaoptout?hl=gb, settings for the display of advertisements at: https://adssettings.google.com/authenticated.
The legal basis for the use of "Google Web Fonts" is Art. 6 (1) (f) UK GDPR/GDPR. Our legitimate interest lies in the purposes described above, i.e. uniform and appealing presentation as well as faster loading times and better search ranking.
12. Google Analytics
This website uses Google Analytics, a web analytics service provided by Google, Inc. ("Google"). Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyse how users use the site. The information generated by the cookie about your use of the website, such as browser type/version, operating system used, referrer URL (the page previously visited), host name of the accessing computer (IP address), time of server request, is usually transmitted to a Google server in the USA and stored there. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. We have also extended Google Analytics on this website with the code "anonymizeIP". This guarantees the masking of your IP address so that all data is collected anonymously. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there.
In addition, you can prevent the collection of the data generated by the cookie and related to your use of the website (incl. your IP address) by Google as well as the processing of this data by Google by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=gb. An opt-out cookie will be set, which prevents the future collection of your data when visiting this website. The opt-out cookie is only valid in this browser and only for our website and is stored on your device. If you delete the cookies in this browser, you must set the opt-out cookie again. You can find information on how to integrate the opt-out cookie at: https://developers.google.com/analytics/devguides/collection/gajs/?hl=de#disable
Further information on data protection in connection with Google Analytics can be found in the Google Analytics Help. (https://support.google.com/analytics/answer/6004245?hl=de)
By integrating Google Analytics, we pursue the purpose of analysing user behaviour on our website and being able to react to this. This enables us to continuously improve our offer.
The legal basis for the processing of personal data described here is Art. 6 (1) (a) UK GDPR/GDPR.
Right of withdrawal
You have a right of revocation.
You can revoke your consent at any time at firstname.lastname@example.org without stating a reason.
The use of Hotjar requires your consent, which we have obtained with our cookie banner. According to Art. 6 (1) (a) UK GDPR/GDPR, this consent constitutes the legal basis for the processing of personal data as it may occur when collected by web analytics tools.
For more information, see the ‘about Hotjar’ section on Hotjar's help page.
14. Payment provider Google Pay
On our website we offer, among other things, payment via Google Pay. The provider of this payment service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Tel: +353 1 543 1000, Fax: +353 1 686 5660, Email: email@example.com (hereinafter "Google Pay"). If you select payment via GooglePay, the payment data you enter will be transmitted to GooglePay. The transmission of your data to GooglePay is based on Art. 6 (1) (a) UK GDPR/GDPR (consent) and Art. 6 (1) (b) UK GDPR/GDPR (processing for the performance of a contract).
You have the option to revoke your consent to data processing at any time. A revocation does not affect the validity of past data processing operations.
Further details on payment with Google Pay can be found in the following links:
15. Payment provider Apple Pay
On our website we offer, among other things, payment via Apple Pay. The provider of this payment service is Apple Inc, Infinite Loop, Cupertino, CA 95014, telephone: +1 408 996 1010, represented in Europe by Apple Distribution International Ltd, Hollyhill Industrial Estate, Hollyhill, Cork, Republic of Ireland, firstname.lastname@example.org, registration number: 470672, registered with the Irish Trade Register, VAT number: DE 27946362, (hereinafter "Apple Pay"). If you select payment via Apple Pay, the payment data you enter will be transmitted to Apple Pay. The transmission of your data to Apple Pay is based on Art. 6 (1) (a) UK GDPR/GDPR (consent) and Art. 6 (1) (b) UK GDPR/GDPR (processing for the performance of a contract).
You have the option to revoke your consent to data processing at any time. A revocation does not affect the validity of past data processing operations.
Further details on payment with Apple Pay can be found in the following links:
We use the "ipinfo" service of IDB LLC, 5616 49th Ave SW, Seattle, 98136, USA, on our website to automatically display the website in the best language version based on the IP address. The legal basis is our legitimate interest pursuant to Art. 6 (f) UK GDPR/GDPR. You can find out more about data protection with regard to the "ipinfo" service here: https://ipinfo.io/privacy-policy.
We use the rating portal Trustpilot, which is operated by TrustPilot A/S, Pilestraede 58, 5th floor, 1112 Copenhagen, Denmark. In order to constantly improve our service, we offer our customers the opportunity to rate us via this independent portal, without us being able to influence this in any way. An invitation to submit a rating is generated for every transaction or contract that takes place via us and our website. For this purpose, your surname, first name, email address and a reference number (for unique assignment) are transmitted to Trustpilot. Trustpilot neither uses this data itself nor passes it on to third parties. A rating of our company can be carried out on the page https://www.trustpilot.com/review/bumper.co.uk.
The verification of the rating is based on the reference number. The submission of a rating is voluntary. In order to submit a rating or to record customer feedback, it is necessary to create/open a user profile on Trustpilot. In addition to a rating for the inviting company, ratings can then also be entered for any company on the Trustpilot rating portal. If a rating is submitted by clicking on the link included in the invitation, a user profile is automatically created on TrustPilot after entering the personal data (name and email address for verification).
This is accompanied by the agreement to the data protection provisions and general terms and conditions of Trustpilot. These can be viewed on the Trustpilot website at: https://uk.legal.trustpilot.com/for-reviewers/end-user-privacy-terms. By placing an order with us or entering into a contract with us via our website, you expressly consent to the aforementioned transfer of reference data to Trustpilot and to the automated sending of an evaluation invitation from this application in accordance with Article 6 (1) clause 1 a) UK GDPR/GDPR.
We use an online chat system for our offers and the possibility of direct customer or prospective customer communication. The provider is NICE inContact, Inc., 75 West Towne Ridge Parkway, Tower 1, Sandy, UT 84070 (email: email@example.com; telephone: +1 877 718 4382).
The data entered for the purpose of the chat (name, email address, message texts ...) are stored on the servers of NICE inContact. The use of our LiveChat is in the interest of direct communication with our customer service team. This constitutes a legitimate interest within the meaning of Art. 6 (1) (f) UK GDPR/GDPR.
Further information on the data protection provisions of NICE inContact can be found at https://www.niceincontact.com/call-center-software-company/legal/privacy-policy
19. Social media presences
We maintain online presences within social networks and platforms to be able to communicate with the customers, interested parties and users active there and to inform them about our services there.
We would like to point out that you use these sites and their functions on your own responsibility. This applies in particular to the use of the interactive functions (e.g., commenting, sharing, rating). Alternatively, you can also access the information we offer on our website https://staging.bumper.co/.
When you visit our various online presences, the respective provider of the website records your IP address as well as further information that is available on your PC in the form of cookies. The data collected about you in this context is processed by the respective provider and may be transferred to countries outside the UK and the European Union. The providers of the services describe in general terms what information they receive and how it is used in their respective data usage guidelines. There you will also find information on contact options as well as on the setting options for advertisements.
As the provider of the information service, we also collect and process data from your use of our service for the purpose of advertising and communication, to answer your questions and to advertise various products, services and events, as well as for applicant management purposes. The legal basis is Art. 6 (1) (f) and b) UK GDPR/GDPR.
In the case of requests for information and the assertion of user rights, we would also like to point out that these can be asserted most effectively with the providers. Only the providers have access to the users' data and can take appropriate measures and provide information directly. If you still need help, you can of course contact us.
You can also find us at:
- https://www.facebook.com/Bumperpay/ at www.Facebook.com. We use the technical platform and services of Facebook Ireland Ltd, 4 Grand Canal Square Grand Canal Harbour, Dublin 2, Ireland for the information service offered there. You can find Facebook's full data policy here: https://de-de.facebook.com/full_data_use_policy
- https://www.linkedin.com/company/bumper-pay/ at www.Linkedin.com. We use the technical platform and services of LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland for the information service offered there. The current data protection information on LinkedIn and supplementary information can be found on this website: https://www.linkedin.com/legal/privacy-policy
- https://twitter.com/bumperpay at www.Twitter.com. We use the technical platform and services of Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland for the information service offered there. The current data protection information on Twitter and supplementary information can be accessed on this website: https://twitter.com/de/privacy
- https://www.instagram.com/bumperpay at www.Instagram.com. The Instagram service is one of the Facebook products provided by Facebook Ireland Limited. We use the technical platform and services of Facebook Ireland Ltd, 4 Grand Canal Square Grand Canal Harbour, Dublin 2, Ireland for the information service offered there. The complete data policies of Instagram can be found here: https://help.instagram.com/519522125107875?helpref=page_content
20. Promotional and marketing communications
From time to time we may send you promotional or marketing emails about new products and services. In accordance with Art. 6 (1) (a) UK GDPR/GDPR (the legal basis we rely on), we will ask for your consent prior to sending any such communications, usually by way of an “opt-in” tick box, but you can unsubscribe from these promotional/marketing communications at any time. To stop receiving these emails, simply click on the unsubscribe link at the bottom of the email. You can also ask to be removed from our mailing list by emailing us at firstname.lastname@example.org or writing to us at the address given in the "Contact Us" section below. If you do so, we may ask you to first confirm your identity. We will then process your request as soon as possible. If you object to the use of your data for marketing purposes, we will respect that decision once we have had a reasonable opportunity to process your request. We reserve the right to take reasonable steps to verify your identity in relation to such request or any other request.
Where you have given your express consent to be contacted by our partners, we may share your information, including application details you have already provided, with carefully selected third parties, including referral partners such as motor finance providers who may contact you by post, email, SMS and telephone about products and services that may be of interest to you.
Once you have given your consent, you can revoke it at any time with effect for the future. To do so, simply use the contact options given above free of charge. When revoking your consent, please note that there is a transition and processing period for all our communication channels, as we sometimes work with an external service provider here and there is a certain amount of lead time.
We use Mailchimp from The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308 USA (Mailchimp) to send our newsletter. This allows us to contact subscribers directly. In addition, we analyse your usage behaviour in order to optimise our offer.
For this purpose, we pass on the following personal data to Mailchimp:
Our email sends include a link that allows you to update your personal data.
Mailchimp is the recipient of your personal data and acts as a processor for us as far as sending our newsletter is concerned. The processing of the data provided under this section is neither legally nor contractually required. Without your consent and the transmission of your personal data, we cannot send out a newsletter to you.
Mailchimp also collects information about you from other sources. In an unspecified period and scope, personal data is collected via social media and other third-party data providers. We have no control over this process.
You can find more information about objection and removal options vis-à-vis Mailchimp at: https://mailchimp.com/legal/privacy/#3._Privacy_for_Contacts.
The legal basis for these processing operations is your consent pursuant to Art. 6 (1) (a) UK GDPR/GDPR. You can revoke your consent to the processing of your personal data at any time. A corresponding link can be found in all mailings. In addition, the revocation can be made via the specified contact options. The declaration of revocation does not affect the lawfulness of the processing carried out to date.
Your data will be processed as long as you have given your consent. Apart from that, they will be deleted after the termination of the contract between us and Mailchimp, unless legal requirements make further storage necessary.
Mailchimp has implemented compliance measures for international data transfers. These apply to all global activities where Stripe processes personal data of individuals in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs). For more information, please visit: https://mailchimp.com/legal/data-processing-addendum/
22. Zoho Campaigns
If you would like to receive the newsletter offered on the website, we require an e-mail address from you as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter. No further data is collected or only on a voluntary basis. We use this data exclusively for sending the requested information and do not pass it on to third parties.
The processing of the data entered in the newsletter registration form is based exclusively on your consent (Art. 6 (1) (a) UK GDPR/GDPR). You can revoke your consent to the storage of the data, the e-mail address and their use for sending the newsletter at any time, for example via the "unsubscribe" link in the newsletter. The legality of the data processing operations already carried out remains unaffected by the revocation.
The data you provide for the purpose of receiving the newsletter will be stored by us until you unsubscribe from the newsletter and will be deleted after you unsubscribe from the newsletter. Data stored by us for other purposes (e.g., e-mail addresses for the members' area) remain unaffected by this.
Your data will be transmitted to "Zoho MarketingHub" or "Zoho Campaigns" for dispatch purposes. Zoho processes and stores the data in accordance with the European General Data Protection Regulation (GDPR)/UK GDPR:
Appropriate technical and organisational measures are taken to protect the data:
If you register for the newsletter, you will receive a so-called double opt-in email. In it, you will be asked to confirm your registration once again. If you no longer wish to receive our newsletter, you can object to receiving it at any time (so-called opt-out). You will find an unsubscribe link at the end of each newsletter.
To optimise the newsletter for you, we measure how often the newsletter is opened and which links our readers click on. When registering, you consent to the evaluation of your usage data.
23. The laws governing Bumper's use of your information
The management of your data is governed by the GDPR and UK GDPR. We may process your data if it is necessary for the following:
- Entering into or performing a contract. In order for us to perform our contract with you and provide you with Bumper's services, it is necessary for us to process your data.
- Compliance with a legal obligation. There are certain legal requirements that we must follow, some of which require us to process your data. In certain cases, we are required by law to share your information with a supervisory authority or law enforcement agency.
- Legitimate Interest Purposes. Either Bumper or a third party must process your information for purposes of our legitimate interests that do not infringe your rights and freedoms - including your right to have your information protected. Our legitimate interests include responding to enquiries and requests from you or third parties, improving our website and the services we provide to our customers, informing you about our services and ensuring that we operate in a reasonable and efficient manner.
24. Transferring your information outside the UK or Europe
Through the use of the analysis tools, data is transferred to countries outside the UK and the European Economic Area ("third countries"), e.g., to the USA. In order to ensure the protection of your personal rights, we will never transfer your data to third countries unless a level of data protection equivalent to the GDPR (and/or UK GDPR) is ensured.
25. Retention of your information
Our general policy is that we will only retain your information for as long as we need it to do the relevant job, including to meet legal, accounting or reporting requirements. The length of time we keep data depends on what type of data it is, the reason it was collected, how sensitive it is and the potential risk of harm associated with it.
For any category of personal data not specifically defined in this notice, or where the category has been defined but no retention period has been specified elsewhere in this notice, and unless otherwise specified by applicable law, the required retention period for any personal data will be deemed to be 6 years from the date of receipt by us of that data or (if later) the end of the relevant contract, arrangement or interaction with that person.
The retention periods stated in this notice can be prolonged or shortened as may be required (for example, in the event that legal proceedings apply to the data or if there is an on-going investigation into the data).
We review the personal data (and the categories of personal data) we are holding on a regular basis to ensure the data we are holding is still relevant to our business and is accurate. If we discover that certain data we are holding is no longer necessary or accurate, we will take reasonable steps to correct or delete this data as may be required.
If you wish to request that data we hold about you is amended or deleted, please see clause 26 below, which explains your privacy rights.
26. Your Rights
You have certain rights in relation to the personal data we hold about you. Details of these rights and how you can exercise them can be found below.
- You have a right to know about our personal data protection and data processing activities, details of which are contained in this notice.
- You may request information from the controller as to whether personal data concerning you are being processed by us. You can make what is known as a Subject Access Request (“SAR”) to request information about the personal data we hold about you (free of charge, save for reasonable expenses for repeat requests). If you wish to make a SAR please contact us as described below.
- You have the right to have your personal data corrected, completed, restricted and deleted by the controller. Please notify us if you no longer wish us to hold personal data about you (although in practice it is not possible to provide our services without holding your personal data). Unless we have reasonable grounds to refuse the erasure, on receipt of such a request we will securely delete the personal data in question within one month. The data may continue to exist in certain backups, but we will take steps to ensure that it will not be accessible. We will take reasonable steps to communicate any corrections or erasure to any third parties to whom we have passed the same information.
- You have the right to receive the personal data concerning you that you have provided to the controller in a structured, common and machine-readable format (right to data portability). You may also request that we transfer your personal data directly to a third party (where technically possible).
- You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Article 6 (1) (e) or Article 6 (1) (f) of the UK GDPR/GDPR unless we have overriding legitimate grounds for such processing. You may also object if we use your personal data for marketing purposes (including profiling) or for research or statistical purposes. Please notify your objection to us and we will gladly cease such processing, unless we have overriding legitimate grounds. You may revoke your consent at any time, taking into account Art. 7 (3) UK GDPR/GDPR.
- Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the country of your residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR or UK GDPR.
- Although we will try to comply with this request, we cannot guarantee technical compatibility with a third party organisation's systems. We are also unable to comply with requests relating to personal information of other individuals without their consent.
Please note that we require proof of your identity before we can process any of the above requests.
Requests regarding your rights can be made by emailing email@example.com.
Our website may from time to time contain links to and from the websites of our partner networks, advertisers and affiliates. These websites have their own privacy policies and if you follow a link to them, we do not accept any responsibility or liability for those websites. Please check the policies of each website before submitting any personal information.
27. Sharing your information
Credit and debit card information will be provided to our payment processing partner. We will collect this information from you via our website or application, over the phone or by email and supply this information to our payment processing partner who will process this credit or debit card information.
Our payment processing partner will have their own privacy policies and notices, but we will take reasonable steps to ensure that they are compliant with applicable data protection legislation and we will consult with them in relation to maintaining the security of payment information.
We do not disclose any personal data you provide to any third parties other than as follows:
- where it is necessary to do so in order to provide our services (including the use of our website and application), which will include sharing certain details (such as your name, email address, vehicle registration number, telephone and/or mobile number) with the car and vehicle dealerships we are partnered with;
- where you have asked us to share your information with a third party as part of the performance of a contract between us or as part of the performance of our Services generally;
- certain third party suppliers including technical support providers may have access to personal data;
- if we are under a duty to disclose or share your personal data in order to comply with any legal obligation (for example, if required to do so by a court order or for the purposes of prevention of fraud or other crime);
- in order to enforce any terms and conditions or agreements for our Services that may apply;
- we may transfer your personal information to a third party as part of a sale of some or all of our business and assets to any third party or as part of any business restructuring or reorganisation, but we will take steps with the aim of ensuring that your privacy rights continue to be protected;
- to protect our rights, property and safety, or the rights, property and safety of our users or any other third parties. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
Other than as set out above, we shall not disclose any of your personal information unless you give us permission to do so. If we do supply your personal information to a third party we will take steps to ensure that your privacy rights are protected and that third party complies with the terms of this notice.
28. Data breaches
If personal data we hold about you is subject to a breach or unauthorised disclosure or access, we will report this to the Information Commissioner’s Office (ICO).
If a breach is likely to result in a risk to your data rights and freedoms, we will notify you as soon as possible.
If you are unhappy with our use of your information, you can contact us using the contact details at the bottom of this page. You can also make a complaint to the UK Information Commissioner's Office using one of the contact methods below:
Telephone: 0303 123 11113
Postal Address: Information Commissioner's Office
If you live or work outside the UK or have a complaint about our activities outside the UK, you may prefer to take your complaint to another authority. You can access a list of relevant authorities in the EEA here.
30. Requesting information from credit reference agencies
You have the right to ask credit reference agencies to provide you with the information they hold about you. To do this you must contact them directly and a fee may have to be paid.
31. Responsible party and contact
You can contact us by email at: firstname.lastname@example.org
Telephone: 01 5719328 (from a BT landline, mobile and other providers may charge);
Or by writing to us at:
TOG, 1 Lyric Square,
Our opening hours are
- Monday - Friday 8.30am - 6.00pm
- We are closed on Sundays and public holidays.