Privacy Policy

The data Bumper uses and how we keep it safe and secure

Introduction

This privacy statement describes Bumper’s use of your personal data. We at Bumper are committed to respecting your online privacy and recognize your need for appropriate protection and management of any personal data collected by or submitted to us (or carefully selected third parties acting on our behalf).

Below we explain in more detail how we process your personal data. For purposes of this privacy statement, "personal data" means any information that relates to you and identifies you personally, either alone or in combination with other information available to us.

This privacy statement applies to all personal data that is collected and used by us through our "services", meaning through our products and services, apps, websites (including www.bumper.co and www.bumper.co.uk) and when you interact with us through social media or otherwise.

Who we are

Bumper is a peace-of-mind car servicing platform. Bumper International Ltd. is the "controller" for all processing of your personal data, unless specified otherwise. Bumper International Ltd. is referred to in this privacy policy as "Bumper", "we" or "us".

What personal data do we collect?

We collect personal data when:

  • you purchase our services

  • you request support for our services

  • you request information or materials (e.g. newsletters)

  • you apply for a job or submit your resume

  • you submit questions or comments to us

  • you visit and interact with our websites

The types of personal data collected include:

  • first and last name

  • date of birth

  • full address

  • how long you have been registered at an address

  • payment card details

  • vehicle registration number

  • current location

  • credit history details

  • e-mail address

  • telephone number

  • for job applicants submitting electronic information: your educational background, employment experience, and job interest

  • any other identifier that permits Bumper to make physical or online contact with you

  • your online behaviour, device type, operating system type, browser type, device ID, IP address and other software and hardware information including type, version, language, settings, and configuration

  • website and app usage data

  • your marketing preferences, including any consents you have given us

  • any other information that you provide to us when you are communicating with us.

We may also record or monitor calls for the purpose of quality checks and staff training. These phone records may also be used to help us combat fraud.

We also collect information on the use of our services via cookies. Please view our Cookie Policy for more information about the use of cookies.

Whenever we collect personal data directly from you, we will indicate whether the provision of personal data is mandatory. Such will be the case where we require personal data to comply with legal or contractual obligations: if such data is not provided, then we will not be able to manage our contractual relationship, or to meet the obligations placed on us. In all other cases, the active provision of requested personal data is optional.

We also receive data on you from Credit Reference Agencies (CRAs) and/or Fraud Prevention Agencies (FPAs) if you apply for Bumper’s Paylater service.

The CRA we use in the UK is TransUnion Limited (see https://www.transunion.co.uk/crain for more information) and the FPA that we use in the UK is CIFAS (see https://www.cifas.org.uk/contact-us for more information).
In Germany we use Schufa (see https://www.schufa.de/ for more information) and in Spain we use Equifax (see here for more information).

How do we use your personal data?

The purpose and legal basis of processing

When you access and use the services, we will only collect personal data for the following purposes:

  • To establish and fulfil a contract with you, for example if you make a purchase from us. This may include assessing your eligibility, verifying your identity, taking payments, communicating with you, providing customer services and arranging the provision of products or services

  • As required by Bumper to enable our business and pursue our legitimate interests. In particular:

    • we will use your personal data to provide services you have requested, and respond to any communications you may send us

    • we monitor use of our services, and may use your personal data to help us monitor, improve and protect our products, content, website and other services

    • we may use personal data you provide to personalize our services for you

    • we may use your personal data for the purposes of ensuring network and information security, including preventing unauthorized access to electronic communications networks and stopping damage to computer and electronic communication systems

    • we may monitor any customer account to prevent, investigate and/or report fraud, terrorism, misrepresentation, security incidents or crime, in accordance with applicable law

    • we may use your personal data for market research and marketing purposes.

  • More information about how we have balanced our legitimate interest with your privacy interests can be obtained upon request via support@bumper.co

  • For compliance with applicable laws and protection of our legitimate business interests and legal rights, including, but not limited to, use in connection with legal claims, compliance, regulatory, investigative purposes (including disclosure of such information in connection with legal process or litigation).

  • In addition, we will send you, based on your consent (if required), direct marketing communication in relation to our relevant services, or other products and services provided by us, our affiliates and carefully selected partners.

  • Furthermore, we may process your personal data, based on your consent, to personalize our editorial content based on your navigation and to display personalized ads based on your navigation and your profile and provide social media features by the means of cookies.

    You can withdraw your consent at any time ("opt out"); see the section "What rights do you have in relation to your data?" below. In case of electronic direct marketing you can opt out by following the instructions in the communication. With regards to cookies, you can withdraw your given consent at any time and manage your cookie preferences by clicking on Cookie Settings.

Click here to learn more about our legal bases for collection and processing personal information.

Who will we share this data with?

We may share your personal data with third parties, as necessary to provide services to you or for the internal operations of Bumper.

Personal data may be shared with government authorities and/or law enforcement officials for the purpose of prevention of fraud or other crime, if mandated by law or if required for the legal protection of our legitimate interests in compliance with applicable laws.

Personal data may also be shared with third party service providers, who will process it on behalf of Bumper for the purposes above. Such third parties include, but are not limited to, payment service providers and technical providers.

Personal data may also be shared with others in connection with, or during negotiations of any merger, sale of company assets, consolidation or restructuring, financing, or acquisition of all or a portion of our business by or into another company.

Click here to learn more about the parties that we may share information with and why.

Where will we send your data?

Personal information provided to Bumper may be transferred across state and country borders, e.g. to perform a service you request from us, to follow up on your enquiries, for the purposes of data storage and simplified information management.

Where personal information of EU or UK data subjects is transferred outside the European Economic Area (EEA) or the UK respectively, and where this is to a service provider in a country that is not subject to an adequacy decision by a relevant body such as the European Commission (read more here), the data is adequately protected by approved standard contractual clauses such as those approved by the European Commission (read more here) or a vendor's Binding Corporate Rules (read more here).

We may transfer your personal data to third parties (e.g., service providers) overseas, which may involve the transfer of personal data to countries outside the EEA or the UK which have different data protection standards to those which apply in the EEA or the UK.

You can ask us for a copy of the safeguard used by contacting us via support@bumper.co.

How long do we store your data?

Our general policy is that we will only retain your information for as long as we need it to do the relevant job, including to meet legal, accounting or reporting requirements. After that time your personal data will be erased (unless we have the statutory right or obligation to further keep this data).

For example, Bumper retains contact and communication information following an enquiry for one year from the individual’s last communication with Bumper (assuming they do not then become a customer of Bumper). If you are a customer of Bumper, we will keep your information for the duration of the contractual relationship you have with us, and, to the extent permitted, after the end of that relationship for as long as necessary to perform the purposes set out in this notice. The criteria to determine the storage period are statutory and contractual requirements, the nature of our relationship with you, the nature of the data concerned, and technical necessities. Laws may require us to hold certain information for specific periods.

What rights do you have in relation to your data?

You have the right to ask us:

  • for access to and a copy of your personal data that we hold on you
  • for a copy of the personal data you provided to us and to provide it to you or send it to a third party in a commonly used, machine-readable format
  • to update or correct your personal data in order to make it accurate
  • to delete your personal data from our records in certain circumstances
  • to restrict the processing of your personal data in certain circumstances

and you may also:

  • object to us processing your personal data in certain circumstances (in particular, where we don’t have to process the data to meet a contractual or other legal requirement, or where we are using the data for direct marketing)
  • withdraw your consent at any time where we are using your personal data with your consent. This will not affect our use of your personal data prior to the withdrawal of your consent.

These rights may be limited in some situations – for example, where we can demonstrate that we have a legal requirement to process your data. In some instances, this may mean that we are able to retain data even if you withdraw your consent.

We use automated decision making as part of our loan assessment process, where this is necessary for the entering into a contract with you or where you have provided your explicit consent. You have the right to object to such automated decisions if such automated decision produces legal effect or otherwise significantly affects you and ask for an actual person to make the decision instead. For further information on our use of automated decision making and the logic involved, please contact support@bumper.co. We hope that we can satisfy queries you may have about the way we process your data. If you have any concerns about how we process your data, or would like to opt out of marketing, you can always contact support@bumper.co. When addressing us, please always provide your name, address and/or email address (ideally using the one you are registered with) as well as information about your request.

In the event you have unresolved concerns, you also have the right to complain to a data protection authority in the country of the local Bumper entity with whom you may interact. If you are based in the EU, you can find the contact details of your local data protection authority here, and if you are in the UK you can find the contact details of your local data protection authority (the Information Commissioner’s Office) here. We hope this will not be necessary and would like to assure you we will do our best to resolve any dissatisfaction you may have.

Links on our Website and Social Media Buttons

This Bumper Privacy Policy does not apply to external parties or external web areas and any processing of personal data by parties outside Bumper will not be covered by this Privacy Policy. We encourage you to review the Privacy Policy of any company or website before submitting any personal data.

On our website we use the following social media plug-ins: Facebook, Instagram, LinkedIn and Twitter. The plug-ins can be identified by the social media buttons marked with the logo of the provider of the respective social media networks.

Information on the purpose and scope of data collection and its processing by the plug-in provider can be found in the respective data protection policies of these providers, where you will also find further information on your rights and options for privacy protection, including:

  • Facebook and Instagram plugins as provided by Meta Platforms Ireland Ltd. See here for more information.

  • LinkedIn plugin as provided by LinkedIn Corporation. See here for more information.

  • Twitter plugin as provided by Twitter, Inc. See here for more information.

Google Analytics

Our website uses Google Analytics, which is a web analytics service provided by the third party provider Google, Inc. (“Google”). Google Analytics is used for the purpose of evaluating your use of our website, compiling reports on website activity and other services relating to website activity and internet usage. The information generated by the cookie about your use of the website is usually transmitted to and stored by Google on servers in the United States. This transfer is covered by Standard Contractual Clauses approved by the European Commission (see: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc) and a separate data processing agreement that we have concluded with Google.

On this website we have also activated the IP anonymisation tool provided by Google to help protect your privacy. This means that your IP address will automatically be shortened after it is collected so it can no longer be connected to you (see here). For more information see here (information on Google Analytics and data privacy).

Changes

Bumper may change this Privacy Policy from time to time by updating this page. This Privacy Policy was last updated in February 2023. Each time we change this Privacy Policy, we will post the changes in a revised Privacy Policy as it appears on our website. We will notify you if there are material updates to this Privacy Policy and where this is required by law.

If you have any questions about your data

If you have any questions about the processing of your personal data, please feel free to contact us at:

Bumper International Ltd.
TOG, 1 Lyric Square
London W6 0NB
+44 0800 612 0946
support@bumper.co

We will address your possible concerns and attempt to resolve any problem.

Overview of recipients

| Recipients | (Categories) of data | Reason for sharing |
| --- | --- | --- |
| Google, Inc. (Google Maps map service) | IP address | This site uses the map service Google Maps via an API. To use the functions of Google Maps, it is necessary to store your IP address. Google Maps is used to provide an attractive presentation of our online offers and to make it easy to find the places we have indicated on the website. |
| Google, Inc. (Google Analytics)* | browser type/version; operating system used; referrer URL (the page previously visited); host name of the accessing computer (IP address); time of server request | By integrating Google Analytics, we pursue the purpose of analysing user behaviour on our website and being able to react to this. This enables us to continuously improve our offer. |
| Google Ireland Limited (Google Web Fonts) | IP address; language settings; screen resolution of the browser; browser version and browser name | We use "Google Web Fonts", a directory of various fonts, for the uniform and visually appealing display of textual content on our website. |
| Hotjar | IP address of the device (only collected and stored anonymously during your use of the website), screen size, device type (unique device identifiers), information about the browser used, location (country only), preferred language for viewing our website | We use Hotjar to better understand the needs of our users and to optimise the offer and experience on this website. Using Hotjar's technology, we get a better understanding of our users' experiences (e.g. how much time users spend on which pages, which links they click on, what they like and don't like etc.) and this helps us to tailor our offering to our users' feedback. |
| Statsig | Key user metrics | To configure and monitor our software using tools such as feature flags, segment analysis, and statistical measures. This allows us to accelerate software development based on how our users react to new features and provide a better experience to our end-users. All user data provided to Statsig is anonymised and is only used in aggregate to understand impact of product changes on key user metrics. |
| Google Ireland Limited (Google Pay) | Credit and debit card information | To process your payments, if you select payment via GooglePay. |
| Apple Inc. (Apple Pay) | Credit and debit card information | To process your payments, if you select payment via ApplePay. |
| IDB LLC (ipinfo) | IP address | To automatically display the website in the best language version based on the IP address. |
| TrustPilot A/S (rating portal) | Surname, first name, email address and a reference number (for unique assignment) | To constantly improve our service, we offer our customers the opportunity to rate us via this independent portal, without us being able to influence this in any way. An invitation to submit a rating is generated for every transaction or contract that takes place via us and our website. |
| NICE inContact, Inc (LiveChat) | Data entered for the purpose of the chat (name, email address, message texts) | We use an online chat system for our offers and the possibility of direct customer or prospective customer communication. The use of our LiveChat is in the interest of direct communication with our customer service team. |
| Third parties, e.g. referral partners | Contact details; Application details | To allow third parties to inform you about products and services that may be of interest to you. |
| The Rocket Science Group, LLC (Mailchimp) | Email address; Name | To send our service mails and analyze our usage behaviour in order to optimise the content within our emails. |
| Braze Email Campaigns | Data entered in the newsletter registration form, e.g. your email address | Email campaign dispatch purposes. |
| Zoho campaigns | Data entered in the newsletter registration form, e.g. your email address | Reporting on email marketing data and for the purpose of sending ad-hoc surveys to customers who have subscribed to receive marketing emails. |
| Car and vehicle dealerships | Name; Email address; Vehicle registration number; Telephone number | Where it is necessary to do so in order to provide our services (including the use of our website and application), which will include sharing certain details (such as your name, email address, vehicle registration number, telephone and/or mobile number) with the car and vehicle dealerships we are partnered with. |

* We have also extended Google Analytics on this website with the code "anonymizeIP". This guarantees the masking of your IP address so that all data is collected anonymously.

Legal basis for processing your data

| Purpose for processing your data | Legal basis | Categories of personal data used for the purpose |
| --- | --- | --- |
| Registration | Performance of the contract, Art. 6 (1) (b) UK GDPR/GDPR | first and last name; date of birth; full address; how long you have been registered at an address; payment card details; vehicle registration number; credit history details; e-mail address; telephone number |
| To provide you with our services, incl. to process your payments, to retrieve further vehicle details from e.g. AutoData Guru or to find garages in the area of your location or home address to enable you to book and use the services of the garages closest to you. | Performance of the contract, Art. 6 (1) (b) UK GDPR/GDPR | user data; payment data; vehicle details; MOT history; address; location data |
| To show you your uses and to make corresponding suggestions for further uses, incl. the services of partners | Legitimate interest, Art. 6 (1) (f) UK GDPR/GDPR | user data; usage data |
| Advertising and communication, incl. to advertise various products, services and events. | Legitimate interest, Art. 6 (1) (f) UK GDPR/GDPR | user data; usage data |
| To assess your job application | Legitimate interest, Art. 6 (1) (f) UK GDPR/GDPR | contact details; educational background; employment experience; job interest |
| To answer your enquiries | Legitimate interest, Art. 6 (1) (f) UK GDPR/GDPR | user data; information that you provide to us when you are communicating with us |
| To send you promotional or marketing emails about new products and services | Consent, Art. 6 (1) (a) UK GDPR/GDPR | e-mail address; user data; usage data |
| Assess your eligibility for our products and services, e.g. we use your information to: Search records from credit reference agencies and fraud prevention agencies (including information from overseas). | Legitimate interest, Art. 6 (1) (f) UK GDPR/GDPR | Public information, incl. electoral register, county court judgements and bankruptcies. Credit and fraud prevention information, incl. details of previous applications and the status of any account you and your financial associates have. |
| Manage your account and any PayLater or PayNow transaction you make with us. | Performance of the contract, Art. 6 (1) (b) UK GDPR/GDPR | user data; usage data; payment data |
| Improve our service by monitoring and analysing the services provided to you (including asking you to rate your experience as a customer). | Legitimate interest, Art. 6 (1) (f) UK GDPR/GDPR | user data; usage data; survey data |
| Investigate, prevent, detect and combat fraud, money laundering, terrorism and other criminal offences. | Legitimate interest, Art. 6 (1) (f) UK GDPR/GDPR | user data; location data; usage data; payment and purchase data |
| Conduct market research, business and statistical analysis. To share anonymised information with independent external bodies conducting research (e.g. government departments and agencies and universities). | Legitimate interest, Art. 6 (1) (f) UK GDPR/GDPR | user data; usage data; survey data |
| Comply with our regulatory obligations. This might be: an obligation under the law of the country / region you are in; UK law (because Bumper is established in the UK); EU law that applies to us | Compliance with a legal obligation, Art. 6 (1) (c) UK GDPR/GDPR | user data; street address data; usage data; payment and purchase data; survey and research data |
| Provide our website | Legitimate interest, Art. 6 (1) (f) UK GDPR/GDPR. The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session. The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended. | information about the type of browser and the version used; the user's operating system; the user's internet service provider; the IP address of the user; date and time of access; websites from which the user's system accesses our website; websites that are accessed by the user's system via our website |