CARSOFIX

Privacy Policy

How we collect, use, and protect your personal data

Summary. CARSOFIX SL processes your personal data to answer enquiries, manage vehicle sales and rentals, and comply with legal obligations. You retain at all times the rights of access, rectification, erasure, objection, restriction and portability granted by the GDPR.

1. Data Controller

The entity responsible for processing your personal data is:

  • Company: CARSOFIX SL
  • Tax ID (NIF): B26932830
  • Registered office: Malaga, Spain
  • Email: info@carsofix.com
  • Phone: +34 641 36 90 97
  • Website: carsofix.com

Under Article 37 GDPR, CARSOFIX SL is not required to appoint a Data Protection Officer, as its core activities do not consist of large-scale regular and systematic monitoring or large-scale processing of special categories of data. Any data-protection-related query can nevertheless be directed to the email above.

2. Personal Data We Process

We may collect and process the following categories of personal data, depending on how you interact with us:

2.1. Enquiries and custom orders

  • Identity data: first name and surname
  • Contact data: email address, phone number
  • Vehicle preferences: brand, model, year, budget, technical specifications
  • Communication content: messages, attachments, notes

2.2. Rental bookings

  • Driver data: date of birth, national ID / NIE / passport number
  • Driving licence data: number, date of issue, category, country of issue
  • Licence-holding history (minimum years depending on vehicle)
  • Pick-up and return date and location
  • Optional coverages selected

2.3. Vehicle sales

  • Identity document (national ID / NIE / passport)
  • Full fiscal address
  • Banking or financing data (where applicable)
  • Details of the vehicle being registered

2.4. Technical and browsing data

  • IP address, browser type and version, operating system, device information
  • Pages visited, time on site, navigation patterns
  • Cookie data (see our Cookie Policy)

2.5. Payment data

Payments are processed through Stripe, Inc., a PCI DSS Level 1 certified processor. CARSOFIX does not store or have access to full card details. We only receive a transaction identifier and the last four digits of the card for invoicing purposes.

3. Purposes and Legal Bases

PurposeLegal basis
Answering enquiries and requestsConsent / Pre-contractual measures (Art. 6.1.a and 6.1.b GDPR)
Handling custom vehicle orders from EuropePerformance of contract (Art. 6.1.b GDPR)
Managing vehicle rentals and paymentsPerformance of contract (Art. 6.1.b GDPR)
Formalising sales and transfer of ownership (Spanish DGT)Performance of contract and legal obligation (Art. 6.1.b and 6.1.c GDPR)
Invoicing and tax compliance (Verifactu, RD 1007/2023)Legal obligation (Art. 6.1.c GDPR)
Identifying the driver before the DGT in case of traffic offencesLegal obligation (Art. 11 Spanish Traffic Act)
Fraud prevention and claims handlingLegitimate interest (Art. 6.1.f GDPR)
Website analytics and improvement (with consent)Consent (Art. 6.1.a GDPR)
Commercial communicationsConsent (Art. 21 LSSI)

4. Recipients and Data Sharing

Your data may be shared with the following recipients only when necessary:

  • Payment provider: Stripe Payments Europe, Ltd. (Ireland) and Stripe, Inc. (USA)
  • Insurance companies: to register insurance for rental vehicles
  • Gestorías and legal/tax advisors: for registration, ownership transfer (DGT), ITV, taxes
  • Spanish General Directorate of Traffic (DGT): driver identification under Art. 11 of Royal Legislative Decree 6/2015 and ownership transfer procedures
  • Tax authorities: Spanish State and regional tax agencies, under applicable tax law
  • Hosting, email and analytics providers: under GDPR Art. 28 data-processing agreements
  • Public or judicial authorities: where legally required

5. International Transfers

Some service providers (Stripe, analytics, email) may process data outside the European Economic Area, in particular in the United States. These transfers are covered by:

  • The EU–U.S. Data Privacy Framework (European Commission adequacy decision of 10 July 2023), where the recipient is certified; or
  • The Standard Contractual Clauses (SCC) approved by the European Commission in Decision 2021/914, with supplementary measures where appropriate.

You may request a copy of the applicable safeguards by writing to info@carsofix.com.

6. Retention Periods

  • Enquiries and custom orders: 2 years from last interaction, unless a contract is signed.
  • Rental contracts: 5 years (Art. 30 Spanish Commercial Code; statute of limitations under LGT 58/2003).
  • Sales contracts: 6 years (Art. 30 Spanish Commercial Code), and up to 10 years where the general limitation period of Art. 1964 of the Civil Code applies.
  • Invoicing and tax records: periods set by LGT, Royal Decree 1619/2012 and RD 1007/2023 (Verifactu).
  • Traffic and analytics data: up to 12 months, in anonymised or pseudonymised form.
  • Cookies: specific periods set out in the Cookie Policy.

After these periods, data are deleted or blocked for the time during which liabilities may still arise, under Art. 32 of the Spanish LOPDGDD.

7. Your Rights

You have the following rights regarding your personal data:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure or "right to be forgotten" (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection (Art. 21 GDPR)
  • Not to be subject to automated decisions (Art. 22 GDPR)
  • Withdraw consent at any time without affecting prior lawful processing

To exercise these rights, send a request to info@carsofix.com with a copy of an ID document. We respond within one month (Art. 12 GDPR).

You may also file a complaint with the Spanish Data Protection Agency (AEPD, www.aepd.es, C/ Jorge Juan 6, 28001 Madrid).

8. Data Security

We apply technical and organisational measures appropriate to the risk (Art. 32 GDPR): HTTPS/TLS encryption, role-based access control, backups, activity logs, periodic reviews and processor agreements with our providers. In case of a personal data breach affecting you, we will proceed under Arts. 33 and 34 GDPR.

9. Automated Decisions and Profiling

CARSOFIX SL does not make decisions based solely on automated processing, including profiling, producing legal or significantly similar effects on data subjects.

10. Minors

Our services are directed exclusively at adults. We do not knowingly process data from minors. If we become aware that data from a minor has been received without parental consent, we will delete it immediately.

11. Changes

We may update this Policy to reflect legal or operational changes. The version in force is the one published on the site, with the date of last update. Material changes will be communicated by appropriate means (email or prominent notice on the site).

12. Contact