Data & Privacy
Overview
CarBuddy processes customer data on behalf of our dealer clients. We act as a data processor under GDPR — your dealership is the data controller, and you retain ownership of all customer data you provide to us.
What data we process
| Data type | Purpose | Retention |
|---|---|---|
| Customer name and email | Campaign personalisation and delivery | Duration of your contract + 30 days |
| Mobile number | SMS outreach (where provided) | Duration of your contract + 30 days |
| Vehicle details | Message personalisation | Duration of your contract + 30 days |
| Conversation transcripts | Lead qualification and handover | Duration of your contract + 30 days |
| Portal user accounts | Product access | Until account is deleted |
We do not process special category data (health, financial, biometric, etc.).
Where data is stored
All data is stored in AWS eu-west-1 (Ireland). No data is transferred outside the EU/EEA without a valid legal basis and appropriate safeguards.
Sub-processors used by CarBuddy:
| Sub-processor | Purpose | Location |
|---|---|---|
| AWS | Infrastructure and storage | EU (Ireland) |
| SendGrid (Twilio) | Email delivery | EU data residency available |
| OpenAI | AI conversation generation | EU (data processing agreement in place) |
Lawful basis
CarBuddy sends outreach on your behalf. The lawful basis for processing is legitimate interests — reaching out to customers who have already had a commercial relationship with your dealership (showroom visit, service appointment, etc.).
All outreach includes a clear opt-out mechanism. Customers who unsubscribe are immediately and permanently suppressed.
Your obligations as data controller
As the data controller, your dealership is responsible for:
- Ensuring you have a lawful basis to share customer data with CarBuddy
- Providing appropriate privacy notices to customers (mentioning that you may contact them via third-party systems)
- Responding to data subject access requests (DSARs) — CarBuddy will provide exports to support these on request
- Notifying CarBuddy of any relevant data subject deletion requests
Your CarBuddy account manager can provide a Data Processing Agreement (DPA) and GDPR checklist on request.
Data subject rights
If a customer contacts you directly to exercise their rights under GDPR, here's how CarBuddy supports you:
| Right | How we help |
|---|---|
| Right of access | Full data export for any individual available via support ticket within 3 business days |
| Right to erasure | Individual record deletion actioned within 24 hours of request |
| Right to object | Equivalent to unsubscribe — suppressed immediately and permanently |
| Data portability | CSV export of all records and messages available on request |
Security
CarBuddy implements the following controls:
- Encryption in transit: All data is transferred over TLS 1.2+
- Encryption at rest: AWS RDS and S3 with AES-256 encryption
- Access controls: Role-based access, principle of least privilege
- Audit logging: All data access and modifications are logged
- Penetration testing: Annual third-party pen test
- Incident response: Security incidents are notified to affected clients within 72 hours
Data retention and deletion
On contract end:
- All customer records and conversation transcripts are deleted within 30 days
- Portal user accounts are deactivated immediately and deleted within 30 days
- A deletion confirmation is provided on request
You can request deletion of individual customer records at any time via the portal support system.
Contact
For data protection queries, contact your CarBuddy account manager or email privacy@carbuddyai.com.
To request our Data Processing Agreement, GDPR checklist, or a copy of our information security policy, contact us.