1. Who We Are
1.1. This Privacy Policy explains how GrowthTurn Marcin Chirowski, registered in Poland with NIP 7542694209, with its registered office at al. Zwycięstwa 241/13, 81-521 Gdynia ("Carseto", "we", "us", "our"), collects, uses, stores, and shares your personal data when you use our website carseto.com, mobile applications, and related services (the "Platform").
1.2. Carseto is the data controller responsible for your personal data under the General Data Protection Regulation (EU) 2016/679 ("GDPR").
1.3. For data protection enquiries, contact our Data Protection contact at: privacy@carseto.com or write to: Data Protection, GrowthTurn Marcin Chirowski, al. Zwycięstwa 241/13, 81-521 Gdynia, Poland.
2. What Data We Collect
We collect the following categories of personal data:
2.1. Account Data - name, email address, password (hashed), phone number (optional), display name, profile photo, country of residence, preferred language.
2.2. Garage & Listing Data - vehicle details you provide (make, model, year, VIN/chassis number, condition, photos, service history, documents), asking prices, listing descriptions.
2.3. Identity Verification Data - where you choose to verify your identity: government-issued ID, business registration documents, bank account details (for dealers), selfie for identity matching. These are processed only for verification purposes and stored with enhanced security.
2.4. Communication Data - messages sent through our internal messaging system, enquiries, support requests, listing comments.
2.5. Transaction Data - purchase and payment records, subscription details, billing address, payment method identifiers (we do not store full card numbers; these are held by Stripe).
2.6. Usage Data - pages visited, features used, search queries, device information (browser type, operating system, screen resolution), IP address, referral source, session duration.
2.7. Cookie and Tracking Data - as described in our Cookie Policy, including analytics data, preference cookies, and marketing identifiers (only with your consent).
2.8. Third-Party Data - where listings are sourced from public marketplaces, we may collect publicly available listing information including vehicle descriptions and seller contact details published by users on those platforms.
3. How and Why We Use Your Data
3.1. We process your personal data for the purposes, and on the legal bases, set out in the table below:
| Purpose | Data Used | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Account creation and management | Account Data | Performance of contract - Art. 6(1)(b) |
| Providing the marketplace service | Garage, Listing, Communication Data | Performance of contract - Art. 6(1)(b) |
| Processing payments | Transaction Data | Performance of contract - Art. 6(1)(b) |
| Identity verification and fraud prevention | Verification Data, Usage Data | Legitimate interest - Art. 6(1)(f) |
| Trust scoring and platform safety | Usage Data, Communication Data | Legitimate interest - Art. 6(1)(f) |
| Message monitoring for fraud/scam detection | Communication Data | Legitimate interest - Art. 6(1)(f) |
| Market data and CCI price indices | Listing Data (aggregated/anonymised) | Legitimate interest - Art. 6(1)(f) |
| Platform analytics and improvement | Usage Data | Legitimate interest - Art. 6(1)(f) |
| Customer support | Account, Communication Data | Performance of contract - Art. 6(1)(b) |
| Marketing emails and newsletters | Account Data | Consent - Art. 6(1)(a) |
| Personalised recommendations | Usage Data, Garage Data | Consent - Art. 6(1)(a) |
| Legal compliance (tax records, disputes) | Transaction, Account Data | Legal obligation - Art. 6(1)(c) |
| Translated listing content | Listing Data | Legitimate interest - Art. 6(1)(f) |
| Dynamic Open Graph (OG) preview image generation for shared listing URLs | Garage Data, Listing Data | Legitimate interest - Art. 6(1)(f) |
3.2. Where we rely on legitimate interest, we have conducted a balancing test and determined that our interests do not override your rights and freedoms. You may request details of our balancing assessments by contacting privacy@carseto.com.
5. International Data Transfers
5.1. Your data is primarily stored and processed within the European Economic Area (EEA). Our primary database is hosted by Supabase in the EU-West (Frankfurt) region.
5.2. Some of our service providers may process data outside the EEA (for example, certain Vercel CDN edge nodes). Where this occurs, we ensure appropriate safeguards are in place, including: EU Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR; or adequacy decisions by the European Commission pursuant to Art. 45 GDPR.
5.3. You may request a copy of the safeguards we use for international transfers by contacting privacy@carseto.com.
6. Data Retention
6.1. We retain your personal data only for as long as necessary for the purposes for which it was collected, or as required by law.
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data | Duration of account + 2 years | Service provision + dispute window |
| Listing data (active) | Duration of listing + 5 years | Market data, dispute resolution |
| Listing data (sold/expired) | 5 years from sale/expiry | CCI price index, legal compliance |
| Transaction/payment records | 7 years from transaction | Tax and financial regulations |
| Messages | 3 years from last activity | Fraud prevention, dispute resolution |
| Verification documents | 1 year after successful verification | Regulatory compliance |
| Usage/analytics data | 26 months (rolling) | Platform improvement |
| Marketing consent records | Duration of consent + 3 years | Proof of consent |
| Support tickets | 3 years from resolution | Quality and training |
6.2. After the retention period, data is securely deleted or irreversibly anonymised for statistical purposes.
7. Your Rights
7.1. Under the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15) - request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) - request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17) - request deletion of your personal data where there is no compelling reason for continued processing (subject to legal retention obligations).
- Right to restrict processing (Art. 18) - request that we limit how we use your data in certain circumstances.
- Right to data portability (Art. 20) - receive your personal data in a structured, commonly used, machine-readable format, and transmit it to another controller.
- Right to object (Art. 21) - object to processing based on legitimate interests, including profiling. Where we process data for direct marketing, you have an absolute right to object.
- Right to withdraw consent - where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
7.2. To exercise any of these rights, contact us at privacy@carseto.com. We will respond within one month. If your request is complex, we may extend this by a further two months, and we will inform you of any extension.
7.3. We will not charge a fee for exercising your rights unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act.
7.4. If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Polish supervisory authority: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, Poland, https://uodo.gov.pl. You may also lodge a complaint with the supervisory authority in your country of residence.
8. Data Security
8.1. We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:
- Encryption of data in transit (TLS 1.2+) and at rest;
- Row Level Security (RLS) on all database tables, scoped to authenticated users;
- Rate limiting and bot prevention on all endpoints;
- Regular security audits and vulnerability assessments;
- Access controls limiting employee access to personal data on a need-to-know basis;
- Secure authentication via Supabase Auth with support for multi-factor authentication.
8.2. While we strive to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
9. Children
9.1. The Platform is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a minor, please contact us at privacy@carseto.com, and we will promptly delete it.
10. Automated Decision-Making
10.1. We use automated systems for trust scoring, fraud detection, and listing moderation. These systems may influence the visibility of your listings or the status of your account. However, no decision based solely on automated processing that produces legal or similarly significant effects on you (within the meaning of Art. 22 GDPR) is made without human oversight.
10.2. You have the right to request human review of any automated decision that significantly affects you.
11. Changes to This Privacy Policy
11.1. We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a prominent notice on the Platform at least 30 days before the changes take effect.
11.2. The date of the most recent update is displayed at the top of this page.
12. Contact Us
12.1. For any questions about this Privacy Policy or our data practices, contact us at:
- Email: privacy@carseto.com
- Post: Data Protection, GrowthTurn Marcin Chirowski, al. Zwycięstwa 241/13, 81-521 Gdynia, Poland
- Supervisory Authority: UODO, ul. Stawki 2, 00-193 Warszawa, https://uodo.gov.pl
For more information, see our Terms of Service and Cookie Policy.