CarSpot Logo

Privacy Policy

Last Updated: 1 May 2026

CarSpot (the "Company," "we," "our," or "us") is committed to respecting your privacy and protecting your personal data. This Privacy Policy explains how we collect, use, and safeguard personal data when you visit our website or use our services, in accordance with the General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018.

1. Who We Are

CARSPOT LIMITED is an online platform that connects car buyers with dealer listings. We are a private company limited by shares registered in Ireland (Registration Number: 789668) with our registered address at The Acres, Coonagh Lower, Coonagh, Limerick, V94 YK49, Ireland. We also operate a private-seller auction marketplace ("Sell My Car") through which private individuals can list vehicles for dealer offers. Our primary data processing takes place within the European Union. Some service providers (such as email delivery) may process data in the United States with appropriate safeguards in place. You can contact us regarding any privacy concerns at privacy@carspot.ie.

2. Data We Collect

For Website Visitors (No Account)

  • IP Addresses: We collect IP addresses for legitimate purposes such as counting unique car views, preventing abuse of our forms, and ensuring system security. Your IP address is stored temporarily for these purposes and for anti-abuse protection (up to 24 hours for contact forms, up to 7 days for finance applications).
  • Device Identifiers: We use anonymized identifiers to distinguish between different users without personally identifying you. These identifiers are stored in cookies and used for security and anti-abuse purposes.
  • Contact Form Data: When you submit an inquiry, we collect your name, email address, phone number (optional), message content, and if applicable, trade-in information you provide.
  • Finance Application Data: When you apply for finance, we collect personal information including identification details, contact information, financial information, employment details, and bank account information as required for credit assessment purposes.

Our legal basis for collecting this information is legitimate interests (GDPR Article 6(1)(f)) for analytics and anti-abuse measures, and contract fulfillment (GDPR Article 6(1)(b)) for processing inquiries and finance applications at your request.

For Dealers (With Accounts)

  • Account Information: Name, email address, phone number, and organization details.
  • Business Information: Organization name, address, contact details, logo, opening hours, and other business information.
  • Session Data: IP addresses, login times, and device information for security purposes.
  • Car Listing Data: Information about vehicles you list including images, specifications, and pricing.

Our legal basis for collecting dealer information is contract fulfillment (GDPR Article 6(1)(b)) and legitimate interests for security purposes (GDPR Article 6(1)(f)).

Sell My Car Submissions

When you submit a vehicle via the Sell My Car service, we collect: your name, email address, and phone number; vehicle details including registration, mileage, condition, photographs, and optional reserve price; and payment information processed by Stripe (we do not store full card details). This data is used to operate the 7-day auction, notify dealers, and email results to you. Your contact details are not shared publicly.

Our legal basis for processing Sell My Car submissions is contract fulfillment (GDPR Article 6(1)(b)) for operating the auction service at your request, and legitimate interests (GDPR Article 6(1)(f)) for fraud prevention and dispute resolution.

Cookies and Similar Technologies

We use cookies for essential website functions, security, and to prevent abuse of our services. We may also use optional analytics and marketing cookies when you consent. These include:

  • Essential cookies: Required for site functionality and security.
  • Anti-abuse cookies: Used to prevent form submission abuse and protect our services.
  • Analytics cookies (optional): Help us understand site usage and improve performance.
  • Marketing cookies (optional): Help measure advertising performance and personalize ads.

Essential and anti-abuse cookies are necessary for the provision of our services and are exempt from the consent requirement under the ePrivacy Directive and the Irish S.I. No. 336/2011 - European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011. Optional analytics and marketing cookies are used only when you consent and can be changed at any time via Cookie Settings.

Analytics

We use Plausible for privacy-friendly analytics. Plausible does not collect personal data beyond high-level usage metrics and is configured to avoid cookies where possible and does not use cookies or persistent identifiers. For more details, see Plausible's Data Policy.

Cookies and Tracking

Our site uses the following cookies. Optional cookies are used only when you consent:

NamePurposeDurationType
Authentication cookiesUsed to maintain your session when logged in as a dealerSession / 30 days if "remember me" selectedEssential
car_inquiry_user_idPrevents duplicate car inquiries and finance applications30 daysFunctional
cookie-preferencesRecords your cookie preferences6 monthsEssential
_ga, _ga_*, _gcl_* (if enabled)Google measurement and conversion tracking (via Google Tag Manager)Varies (up to 2 years for _ga; ~90 days for _gcl_*)Analytics/Marketing
__stripe_* (if payment form used)Payment security and fraud prevention (Stripe)VariesEssential/Functional

We use Plausible Analytics, a privacy-friendly analytics service configured to avoid cookies where possible. All collected data is aggregated and cannot be used to identify individual users.

You can change your cookie preferences at any time via Cookie Settings in the site footer.

3. How We Use Your Data

  • Car View Counting: We temporarily store IP addresses to ensure accurate view counts for each listing. This data is automatically purged after a short period.
  • Dealer Inquiries: When you submit a contact form or inquiry, we store these details (name, email, phone, message, and any optional trade-in fields) in our database so the dealer can access them. The relevant dealer has direct access to these inquiries.
  • Finance Applications: Finance application data is stored securely and shared with the relevant dealer only. This data is used solely for processing your finance application.
  • Anti-Abuse Measures: We create temporary identifiers combining your IP address and other factors (when necessary) to prevent abuse of our services, such as form spamming or excessive submissions. These identifiers help us maintain fair use of our platform while minimizing data collection.
  • Security: We process login information and session data for dealer accounts to ensure account security and prevent unauthorized access.

4. Data Retention

  • IP addresses for view counting: Stored temporarily and automatically purged after a short period.
  • Anti-abuse identifiers: Stored for up to 24 hours for contact form submissions and up to 7 days for finance applications.
  • Inquiries: Stored in our database for dealers to review until they are archived or removed by the dealer.
  • Finance applications: Stored for the duration required by financial regulations and legal requirements (generally up to 7 years after completion).
  • Dealer account information: Maintained for the duration your account is active and for a reasonable period afterward for legal and business purposes.
  • Sell My Car submissions (vehicle details, contact info, photos): retained for 12 months after submission to allow for dispute resolution, then deleted.
  • Bid data: retained for 12 months after auction close, then deleted.

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable laws and regulations. We have implemented appropriate data retention policies to ensure data is not kept longer than needed.

5. Your Rights

Under the GDPR and Irish data protection law, you have the following rights:

  • Right of Access (Article 15 GDPR): Request a copy of your personal data.
  • Right to Rectification (Article 16 GDPR): Correct inaccurate or incomplete information.
  • Right to Erasure (Article 17 GDPR): Request deletion of your personal data in certain circumstances.
  • Right to Restriction of Processing (Article 18 GDPR): Request limiting how we use your data.
  • Right to Data Portability (Article 20 GDPR): Request transfer of your data in a machine-readable format.
  • Right to Object (Article 21 GDPR): Object to our processing of your personal data, particularly for processing based on legitimate interests.
  • Rights Related to Automated Decision Making (Article 22 GDPR): We do not currently employ automated decision-making or profiling.

To exercise these rights, please contact us at privacy@carspot.ie. We will respond to your request within one month as required by GDPR. This period may be extended by up to two additional months if necessary, taking into account the complexity and number of requests.

You also have the right to lodge a complaint with the Data Protection Commission (DPC), the Irish supervisory authority for data protection issues, if you believe we have not handled your data in accordance with applicable law.

6. Security Measures

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption of sensitive data at rest and in transit
  • Regular security assessments and penetration testing
  • Access controls and strict authentication requirements
  • Staff training on data protection
  • Secure data storage in Irish/EU facilities

However, no security system is impenetrable, and we cannot guarantee the absolute security of your data. We regularly review and update our security measures to reflect best practices and current technology.

7. Data Sharing

We share your data with:

  • Car dealers: When you submit an inquiry or finance application regarding a specific vehicle.
  • Service providers: Companies that help us operate our website and services (e.g., EU-based hosting providers, email services).
  • Legal requirements: When required by law, court order, or to protect our legal rights.

Auction results: When a Sell My Car auction closes with bids, we share the bidding dealer's name, dealership name, email address, and phone number with the seller to facilitate direct contact. The seller's name and contact details are not shared with dealers at any stage. Dealers provide implicit consent to this limited disclosure by participating in the trade alert programme.

We do not sell your personal data to third parties. When we engage third-party processors, we ensure they provide sufficient guarantees to implement appropriate technical and organizational measures that meet GDPR requirements and protect your rights.

Sub-processors we currently use include:

  • Stripe (Stripe Payments Europe Ltd.): Payment processing for Sell My Car listing fees. Data transferred: payment card details and billing information. Stripe is certified to PCI DSS Level 1.
  • Resend (Resend Inc., USA): Transactional email delivery for auction notifications, bid confirmations, and seller results. Data transferred: recipient email address and email content. Data may be processed in the United States under appropriate safeguards.

8. Data Transfers

We primarily process and store personal data within the European Union. Where we use service providers in the United States (such as Resend), we rely on appropriate safeguards for international transfers, such as standard contractual clauses and additional protections where required.

Should any change to this policy become necessary in the future, we will update this Privacy Policy and implement appropriate safeguards in compliance with GDPR requirements.

9. Children's Data

Our Platform is intended for users aged 18 and over. We do not knowingly collect, use, or store personal data from individuals under the age of 18. If you believe that we may have inadvertently collected data from a person under 18, please contact us at privacy@carspot.ie and we will take prompt steps to delete such data.

10. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. We will notify you of significant changes by posting the updated policy on our website with a new "Last Updated" date.

For material changes to this Privacy Policy, we will make reasonable efforts to provide notice, such as a prominent website notification or, for registered dealers, an email notification when practicable.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

CARSPOT LIMITED
The Acres, Coonagh Lower, Coonagh
Limerick, V94 YK49
Ireland

Registration Number: 789668
Email: privacy@carspot.ie

12. Data Processing Legal Bases

Our lawful bases for processing your personal data under GDPR Article 6 are:

  • Contractual Necessity (Article 6(1)(b)): Processing necessary to fulfill our contractual obligations to you when you request services (such as processing finance applications or dealer inquiries).
  • Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate interests, such as preventing abuse of our platform, ensuring accurate analytics, and system security, provided these interests are not overridden by your fundamental rights and freedoms.
  • Legal Obligation (Article 6(1)(c)): Processing necessary to comply with our legal obligations, such as financial and tax regulations.

For Finance Applications

Due to the sensitive nature of financial data, we take extra precautions and ensure that we clearly inform you about how this data is used. We process this information on the basis of:

  • Taking steps at your request prior to entering into a contract (GDPR Article 6(1)(b))
  • Your explicit consent through the finance application form (GDPR Article 6(1)(a))