Privacy Policy

1. Methods of data capture

At Nationwide Cars, our business is heavily reliant on consumer data as an online only business. We generate, store and evolve data in respect of our business model, to supply new motor vehicles to residents of the UK.

Data is provided to us in the following methods:

  • website enquires, which include and are not limited to:
    • genuine vehicle enquiries for the purpose of purchase and quotations,
    • call back requests for further information via our online forms or our online chat system
    • email contact via our website details, direct to our sales team
    • telephone contact, again via our website details and data is verbally provided by the customer to our staff
  • purchased data, which includes:
    • data purchased from safe and reliable sources, for the purposes of marketing our services and offers.
  • recommendations, referrals and drop-ins, which includes:
    • details provided to us from customers who have been recommended to us from existing customers
    • any customer details provided to our staff, via an existing customer for the purposes of quoting or placing orders
    • any customers who walk in, contact our staff directly in our place of work
  • direct orders for insurance replacements
    • when orders are placed with us from an insurer on behalf of an end user, for the purposes of a replacement vehicle via a bonafide insurance entity or their authorised representative.

Any users, including both leads and customers may provide the same level of information, depending on what stage of purchase they get to. All initial vehicle quotes will be offered with an opt in capability for those users to stay in touch with our company for remarketing purposes. If a user does not choose to opt in then they will only be contacted relating only to the enquiry they send to our company.

2. Levels of data held

At Nationwide Cars, we have two categories of user and depending on their level of commitment, will depend on what level of information is required.

For users who only request quoting information and never complete an order, are classified as ‘Leads’ or ‘Users’. Our second category of user is a ‘Customer’ who proceeds and completes a full vehicle order with our company.

For the purposes of quoting, applying for finance and processing orders, we require the following details that include and are not limited to:

  • personal information
    • full name of the customer
    • contact details (mobile number, land line number and email address)
    • address details (home and work, depending on relevance to customer)
    • company name, when relevant
    • date of birth (finance applications)
    • marital status (finance applications)
    • any dependants (finance applications)
    • status of accommodation i.e. owned, mortgaged or tenanted (finance applications)
    • occupation details i.e. employers name, address, contact details, term of employment (finance applications)
    • financial details i.e. banking name and address details, salary information, expenditure (finance applications)
    • disclosure of negative impacts i.e. driving convictions, financial convictions or other (finance applications)
  • personal documentation
    • copies of photo identification (for money laundering purposes), either UK or valid driving license and/or UK passport
    • insurance certificate (for customers who complete purchase)
    • bank statements when requested by finance company
    • proof of current vehicle agreements (finance applications)
  • payment details
    • debit and credit card payments, for deposits and part payments towards orders
    • bank details for payments and refunds, relating to customer orders
  • vehicle details: when part exchange vehicles are included in quotations and orders, we require the following information:
    • vehicle registration number
    • mileage
    • condition of the vehicle
    • registered address
    • service history of respective vehicle
    • number of keepers
  • Insurance replacements vehicle details
    • vehicle registration number (REG)
    • vehicle identity number (VIN)

3. 3rd Party controllers and sub-processors

To enable our staff to maintain business practice and continue with daily operating tasks, certain information must be provided to our suppliers to allow the continuation and completion of orders. Only information collected by us for the purpose of an order, will be passed to the following 3rd party controllers and sub-processors.

Our 3rd party controllers and sub-processors, include and are not limited to:

  • fleet suppliers, who arrange onward delivery of new vehicles pursuant to a customers’ order
  • franchised main dealers, who will also arrange and/or process a customers’ order
  • finance companies, who will be reliable for processing, underwriting customers’ applications for finance, pursuant to a vehicle orders
  • insurance companies, who will provide customer information to us for the purpose of vehicle replacement orders and in turn, will be provided suppliers information from us to allow completion of orders.
  • Part exchange underwriters, will be provided with customers’ details, purely for the purpose of collecting vehicles taken in part exchange. Only vehicle information is required for quoting purposes and no further information is passed on unless a part exchange is confirmed with that underwriter.
  • DVLA, are provided information from our company, pursuant to vehicle orders and changes to legal vehicle documents.
  • Accountants, who access, process and manage our accounts in line with legal obligations as a UK registered company.
  • Marketing agency and web development teams, purely for managing our systems, for security, profiling, research and administration purposes. These sub-processors will have no access to financial information, as this is managed in house by our team only.

4. Security Measures

As part of our ongoing development, we have rebuilt our website and back office systems, in line with current security measures. In addition to our secure systems, we have also added further web security for our customers, by adding a premium SSL certification to our front end website, to ensure any information supplied by customers, is securely processed and collated by our team.

Our business model is based around an ‘online' presence, but we have also taken precautions for our off-line measures. Below is a list of online and off-line measure taken by our company in light of GDPR regulations and customer data security, which include and are not limited to:

Online Measures

  •  front end website (customer facing)
    • secure forms
    • SSL certification protection
    • high security development platform
  • back end CRM system (company facing)
    • premium coding platform
    • SSL certification protection
  • payments and financials
    • all processed through a secure 3rd party website
    • only accessible through two members of staff within our company
    • all data is automatically censored on processing payments.

Offline Measures

  • live customer files
    • including orders, payment details are all fully secured in a locked office
    • registered locked office address is located within a secure and alarmed building
  • completed files
    • are all secured in registered locked office, in a sealed box ready for collection by accounts for processing for accounting purposes
    • once collected, these are stored and secured in locked office of registered accountant and only accessible by two member of accounting staff until returned to our office for storage
  • storage files
    • these are secured in sealed storage boxes, fully annotated and logged onto a secure spreadsheet held by our admin team.
    • these sealed boxes are stored offsite at a alarmed and secure location, which is not disclosed for security measures.
    • accessible only by directors of the company

5. Uses of data

As an online sales business, we have various occasions where customer data is required to provide a service and supply goods to our customers. The instances that we require customer data includes but is not limited to:

  • Call back requests/live chat engagements by customers for more information. Data captured can include customer name, contact number and email address.
  • Customer enquiries are sent into our secure system, for a formal quotation by the customer. These enquiries, require the customer name, contact number, email address. In some instances postcode are also required for quoting purposes.
  • Quotations are verbally agreed by a sales person and also confirmed in writing on email to the intended recipient. When a quotation has been requested, the required details as stated above are accumulated, added onto our quoting system at which point formal written confirmation of a vehicle price is provided to the customer, at their request.
  • Part exchange valuations are often requested by customer to aid their decision on purchasing a new vehicle from our company. If a part exchange vehicle is discussed, additional information is required by our staff to confirm a formal and written agreed price. Information required to provide this service is and not limited to: the part exchange registration and chassis details, condition report and ownership history, full address of where the part exchange is located and will be collected from.
  • Vehicle orders are processed based on the information already acquired but do require additional information to allow our staff to complete the necessary order with our suppliers in accordance of our business model. Additional information required includes and is not limited to; full postal address for where the vehicle is to be delivered, registered and kept, deposit and financial information required to place an order, contact details of relevant parties for delivery purposes, invoice details if different from delivery/registered keeper details.
  • Finance applications require a higher level of information, in order to underwrite and apply for finance to purchase a vehicle. As per our agreements with finance companies with whom we work, we are required to obtain additional information relating to an applicants personal situation including and not limited to: marital status, dependants, income, expenditure, employment details. This information is requested purely for the purposes of a finance application and is only passed onto a sub-processor in agreement with the respective customer.
  • Remarketing is used only used for customers who do purchase a vehicle from us as part of our post delivery customer service application. To ensure all our customers who take delivery of a new vehicle from our company, we send out a welcome letter with information about their new car, the deal that they have received, our referral and recommendation offerings and customer retention incentives. In addition to our thank you letters, we also offer a buy back scheme that is communicated by way of a personal letter from the initial sales person, inviting the customer to obtain a part exchange valuation on their current vehicle as purchased from our company, with an additional discount as a returning customer on buying a new vehicle from us.
  • After sales service (ASS) is crucial to the running of our business and as such, we have implemented an ASS list that allows our administration team to contact relevant customers, at correct periods since their vehicle purchase. This includes and is not limited to; completion of documentation for vehicles, vehicle replacement scheme for customers, referral and recommendation offers along with news and blog updates.
  • Returning customer benefits are a very important part of our business and we pride ourselves on retaining a higher percentage of our existing customers. Any customers who have bought a vehicle from our company are entitled to additional discount and benefits if they re-order a new vehicle from us.
  • Market research is very important to our company and it’s success in continuing to offer customers the very best service and vehicle offers. As such, any data that is obtained will be kept on file indefinitely and will be used towards market profiling and strategic marketing plans. This information will not be user specific, but will help identify trends, patterns and buying behaviours. This information will never be passed on to 3rd party controllers or sub-processors and will remain in the secure control of Nationwide Cars. If a customer requests for their data to be removed from future correspondence, then it shall be removed from our ASS list but the core data will remain on our system purely for market research without further contact.

6. Rights of Users’ data

For any users who contact our company for quotes, sales and further information, will have the right to opt in to any future marketing campaigns. By submitting an enquiry, call back request or users are referred to us, these users will automatically accept our terms and conditions for the right to be contacted in reference to the respective enquiry and to be contacted by a representative by our company.

All users will have the option to opt in to additional marketing campaigns or activities, which include and are not limited to; email offers, social media campaigns, written correspondence or market research.

Once a user has opted into our marketing campaigns, they withhold the right to request their details to be removed from our system and any future marketing campaigns. These details will still remain on file

Any users who complete a purchase with our company, automatically become ‘customers’ for the purpose of our after sales service. Once a deal has been completed, that customer or user, is automatically included in future correspondence methods for the purpose of deal completion, vehicle replacement and returning offers.

Once a deal has been completed, in line with HMRC and accounting regulations, all data will be held securely for the require term and cannot be deleted during this period. If a customer wishes to be removed from any after sales marketing beyond the contract formation, then this can and will be adhered to.

If a customer wishes to be removed from this automatic inclusion, a removal from our after sales service (ASS List) list can only be completed once all paperwork is finalised, which can take 12 months from the date of delivery and no sooner. Once all paperwork has been completed, then a removal from our ASS list can be actioned by request from the customer, in writing to our dedicated contact within Nationwide Cars.

Under the General Data Protection Regulation, users have the right to request access to and rectification of personal data, data portability, restriction of processing of personal data, the right to object to processing of personal data and the right to lodge a complaint with a supervisory authority.

If you wish to access or exercise your right to the data held by Nationwide Cars and how it is dealt with, you can contact the Nationwide Cars Personal Data Officer (PDO) in writing at our head office at the following address; Nationwide Cars, Unit 4, Basepoint Business Centre, Crab Apple Way, Evesham, Worcestershire, WR11 1GP.

7. Data Audits

At Nationwide Cars, we continually audit and update our data lists, processes and security protocols to avoid and minimise the threat of security breaches, maintain data integrity and uphold regulations.

All new users and customers will have the ability to update their data preferences, in line with current UK regulations.

8. Disposal of Data

As per HMRC and GDPR regulations, any data that is securely stored by our company, will be updated and deleted at the correct intervals. There are two types of data deletion, which include hard and digital copies. These copies can affect both users and customers of our company. Below is a list of outcomes relating to the respective user:

  • user deletion of hard copies - will be processed by the respective salesperson or admin team. Any hard copy information held by our company that is requested to be deleted, will be shredded in house to ensure that the request is formalised.
  • user deletion of digital copies - will also be processed by the respective salesperson or admin team. If a user does not ‘opt in’ to any future correspondence then once it has been confirmed that the enquiry is no longer live, then this will be deleted from our system.
  • customer deletion of hard copies - will only be processed by our admin team at the request of the Managing Director. This request will be enforced once the completed deal has exceeded the minimum holding period as required by HMRC for accounting purposes, which is currently 6 years. Once all completed deals have exceeded this minimum term, records will be destroyed in accordance with our privacy policy and security measures.
  • removable from marketing activity can be requested at any point during the minimum 6 year period upon request from the user or customer, if they have already opted in.

9. Customer Requests

As a user and/or customer, you have the legal right to request the following from our company:

  • confirmation of what data is held by our company and request a written statement of this information.
  • request a full deletion of data held can only be processed by our Personal Data Officer on receiving a formal request from a user and/or customer in line with current regulations as stated above in Section 8.
  • removal of data from future marketing campaigns can also be requested by a user and/or customer, if they still wish to be held on file for returning customer benefits.

All requests must be submitted to the Personal Data Officer either by email at dataofficer@nccsales.co.uk or by written submission to our main office:

            Unit 4, Basepoint Business Centre
            Crab Apple Way
            Evesham
            Worcestershire
            WR11 1GP

All requests will be receive a response within 24-48 hours. Any additional requests will be handled by the same process.

10. Complaints

Should a user or customer have a complaint regarding our privacy policy under the GDPR rules and feels that their rights have been breached in accordance with these rules, they must follow the the complaints procedure to ensure all parties are compliant with the regulations.

Our complaint policy is as follows:

  1. Before any complaint can be considered, a user and/or customer must have contacted our Personal Data Officer to confirm two things;
    1. what data we hold about that person and
    2. for their details to either be deleted or removed from any marketing activities
  2. If a user and/or customer has already made contact with our PDO to request that their details be removed from any marketing activities, then the PDO will investigate why this has not happened and provide confirmation that this request has been completed.
  3. Once a complaint has been made to the PDO, having checked the status of the respective users’ data then two remedies will be available to the PDO in dealing with the complaint.
    1. Issue an apology to the user and/or customer if they have been contacted incorrectly without the correct permission from that person.
    2. Reject a complaint from the user and/or customer on the basis that they have ‘opted in’ to any of our future marketing activities. If the user and/or customer denies this decision, then the PDO will take the decision to remove and delete any data held about that person in line with current regulations.