This Privacy Policy explains how we collect, use, disclose, retain, and protect your personal data when you access or use our websites at carscreener.ai and report.carscreener.ai, and all related services (collectively, the "Service"). It also describes your rights regarding your personal data.
CarScreener is an AI-powered used car listing verification tool. Users submit a car listing URL or vehicle description and receive a verification report that cross-checks the listing against official government data sources, including MOT history and DVLA records (United Kingdom) and RDW and APK records (Netherlands). Our AI also analyzes listing photos for signs of damage, paint mismatches, and abnormal wear.
By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use the Service.
We collect information you voluntarily provide when using the Service:
Car Verification Requests (Quick Check & Full Report):
Professional Inspection Requests:
Seller Access Requests:
Payment Information:
Communications:
When you access our Service, we automatically collect certain technical information:
We process your personal data only when we have a valid legal basis under Article 6 of the GDPR. The table below sets out each processing activity, the corresponding legal basis, and the applicable GDPR provision.
| Processing Activity | Legal Basis | GDPR Article |
|---|---|---|
| Generating Quick Check (free) verification reports | Performance of contract | Art. 6(1)(b) |
| Generating Full Report (first report free, then £7.99/€8.99; see Terms §8.2 for current pricing) verification reports | Performance of contract | Art. 6(1)(b) |
| Arranging Professional Inspections (from £89/€99) | Performance of contract | Art. 6(1)(b) |
| Processing payments via Stripe | Performance of contract / Legal obligation | Art. 6(1)(b), (c) |
| Delivering reports and confirmations by email | Performance of contract | Art. 6(1)(b) |
| Processing Seller Access Request forms | Pre-contractual measures at your request | Art. 6(1)(b) |
| Querying government databases (MOT/DVLA, RDW/APK) | Performance of contract | Art. 6(1)(b) |
| AI analysis of listing photos | Performance of contract | Art. 6(1)(b) |
| Fraud prevention and security monitoring | Legitimate interest | Art. 6(1)(f) |
| Service improvement and analytics (Google Analytics) | Consent (required for placing analytics cookies) | Art. 6(1)(a) |
| Performance monitoring (Vercel Analytics & SpeedInsights) | Legitimate interest (cookieless, no consent required) | Art. 6(1)(f) |
| Error monitoring, diagnostics, and Session Replay (Sentry) | Legitimate interest | Art. 6(1)(f) |
| Improving AI systems using anonymized and aggregated data | Not applicable — truly anonymized data falls outside the scope of GDPR (Recital 26). Where pseudonymized data is used prior to aggregation, processing is based on legitimate interest. | Art. 6(1)(f) where applicable |
| Marketing communications | Consent | Art. 6(1)(a) |
| Tax and accounting records | Legal obligation | Art. 6(1)(c) |
| Responding to legal and regulatory requests | Legal obligation | Art. 6(1)(c) |
| Placing non-essential cookies (analytics) | Consent | Art. 6(1)(a) |
| Placing marketing cookies (Meta Pixel, Google Ads) and conversion tracking | Consent | Art. 6(1)(a) |
Where we rely on legitimate interest as a legal basis, we have conducted balancing tests to ensure our interests do not override your fundamental rights and freedoms. Our legitimate interests include:
You have the right to object to processing based on legitimate interest at any time (see Section 9).
We share information with trusted third parties who assist in operating our Service. Each provider acts as a data processor under our instructions and is bound by a Data Processing Agreement (DPA).
| Provider / Category | Data Shared | Purpose |
|---|---|---|
| Stripe (Payment Processor) | Payment card details (entered directly into Stripe), transaction amount, email | Process payments for Full Report and Professional Inspection tiers |
| Vercel (Hosting & AI Gateway) | Website data, server logs, IP addresses, listing URLs, vehicle descriptions, uploaded photographs, and all data transmitted to AI providers for analysis | Host and serve our website; route AI analysis requests to sub-processors (Google Gemini, Anthropic Claude) via Vercel AI Gateway. Vercel operates a zero data retention (ZDR) policy for AI Gateway requests. |
| Google Analytics | Anonymized/pseudonymized usage data, anonymized IP addresses | Understand Service usage and improve performance |
| Google (AI Analysis — Gemini API) [sub-processor via Vercel] | Listing URLs (which the provider accesses directly to read publicly available content), vehicle descriptions, user-uploaded photographs, image data, government data for cross-referencing | Primary AI analysis: natural language analysis, image analysis, listing photo assessment, data cross-referencing, and verification report generation. Zero data retention through Vercel AI Gateway. |
| Anthropic (AI Analysis — Claude API) [sub-processor via Vercel] | Vehicle data, listing descriptions, government data for cross-referencing | Supplementary AI analysis: known-issue identification and data cross-referencing. Zero data retention through Vercel AI Gateway. |
| Meta (Facebook Pixel) | Anonymized/pseudonymized usage data, page view events, IP address (hashed) | Conversion tracking and advertising performance measurement (only with your consent) |
| Google Ads (Conversion Tracking) | Anonymized/pseudonymized usage data, conversion events, IP address | Advertising conversion tracking and campaign performance measurement (only with your consent) |
| Vercel Analytics & SpeedInsights | Page views, referrer URLs, browser/device type, approximate geographic location, Web Vitals performance metrics | Cookieless web analytics and performance monitoring to understand Service usage and improve page load times. No cookies are placed; data is collected via the Web Analytics API. |
| Sentry (Error Monitoring) | Error stack traces, browser/device information (no IP addresses), page URL, user interactions leading to errors, Session Replay recordings (DOM snapshots with all text and media masked) for error sessions only | Error detection, diagnostics, and performance monitoring. Session Replay is limited to sessions where errors occur and masks all text, inputs, and media. PII collection is disabled. Data is processed in the EU (Sentry’s EU data center in Frankfurt, Germany). |
| Calendly (Scheduling) | Name, email address, scheduling preferences (if you book a call) | Schedule consultation calls |
| Professional Inspectors | Vehicle location, listing details, contact information (for inspection coordination) | Perform on-site vehicle inspections (Professional Inspection tier) |
| Government APIs (MOT/DVLA, RDW/APK) | Vehicle registration number, VIN (as extracted from listing) | Retrieve official vehicle history and registration data |
All service providers are contractually bound to:
We may disclose your information when required or permitted by law:
If Evengrid B.V. is involved in a merger, acquisition, reorganization, bankruptcy, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you (via email and/or prominent notice on our Service) before your personal data becomes subject to a different privacy policy.
We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you. This includes aggregated statistics about vehicle listings, market trends, and Service usage. Such data is not considered personal data and is not subject to this Privacy Policy.
Evengrid B.V. is based in Weesp, the Netherlands (European Economic Area). We primarily serve users in the United Kingdom and the Netherlands. Your data may be transferred to and processed in countries outside the EEA and the UK, including countries that may not provide the same level of data protection.
For transfers outside the EEA and/or the UK, we implement appropriate safeguards as required by applicable law:
| Recipient | Location | Safeguard |
|---|---|---|
| Vercel (Hosting & AI Gateway) | United States | Data Processing Agreement (DPA), EU-US Data Privacy Framework, UK IDTA where applicable, zero data retention for AI Gateway requests |
| Google Analytics | United States | Standard Contractual Clauses (SCCs) with UK IDTA where applicable, IP anonymization enabled |
| Stripe (Payments) | United States | Standard Contractual Clauses (SCCs) with UK IDTA where applicable |
| Google (AI Analysis — Gemini) [sub-processor via Vercel] | United States | Covered under Vercel DPA as authorised sub-processor; Google Cloud Data Processing Addendum; EU-US Data Privacy Framework; UK IDTA where applicable; zero data retention through Vercel AI Gateway, no model training on submitted data |
| Anthropic (AI Analysis — Claude) [sub-processor via Vercel] | United States | Covered under Vercel DPA as authorised sub-processor; UK IDTA where applicable; zero data retention, no model training on submitted data |
| Meta / Facebook (Pixel) | United States | Standard Contractual Clauses (SCCs) with UK IDTA where applicable, consent-based processing only |
| Google Ads (Conversion Tracking) | United States | Standard Contractual Clauses (SCCs) with UK IDTA where applicable, consent-based processing only |
| Sentry (Error Monitoring) | European Union (Frankfurt, Germany) | Data Processing Agreement (DPA), data remains within the EU |
| Calendly (Scheduling) | United States | Standard Contractual Clauses (SCCs) with UK IDTA where applicable |
You may request information about the specific safeguards in place for any particular transfer by contacting us at privacy@carscreener.ai.
Transfers of personal data from the UK to the EEA (and vice versa) are permitted under the applicable adequacy regulations and do not require additional safeguards.
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce agreements. The specific retention periods are set out below.
| Data Type | Retention Period | Reason |
|---|---|---|
| Quick Check report data | 90 days from generation | Service delivery, short-term reference |
| Full Report data (including AI analysis) | 2 years from delivery | Service fulfillment, dispute resolution, warranty claims |
| Professional Inspection reports and photos | 2 years from delivery | Service fulfillment, dispute resolution |
| Uploaded listing photos | 90 days from report delivery | Report generation, quality assurance |
| Email addresses (buyers) | 3 years from last interaction | Purchase history lookup, customer service, legal claims |
| Seller access request data | 1 year (if not accepted) / duration of relationship + 2 years (if accepted) | Application processing, relationship management |
| Transaction and payment records | 7 years | Dutch tax law (Algemene wet inzake rijksbelastingen), UK tax obligations |
| Google Analytics data | 26 months | Analytics data retention setting (anonymized) |
| Vercel Analytics & SpeedInsights data | Managed by Vercel per their data retention policy | Cookieless web analytics, performance monitoring |
| Sentry error data and Session Replay recordings | 90 days | Error diagnostics, bug reproduction, performance monitoring |
| Support communications | 3 years from resolution | Quality assurance, dispute resolution |
| Cookie consent records | 12 months | Compliance documentation (ePrivacy / PECR) |
| Server / access logs (Vercel) | 30 days | Security monitoring, debugging |
We are implementing automated deletion processes to enforce the retention periods listed above. Until automated deletion is fully operational, data may be retained beyond the stated periods. We regularly review stored data and delete records that have exceeded their retention period during periodic manual reviews. You may request earlier deletion at any time subject to our legal obligations (see Section 9).
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, in accordance with Article 32 of the GDPR.
In accordance with GDPR Article 30, we maintain a Record of Processing Activities (ROPA) documenting all categories of personal data processing carried out by Evengrid B.V. This record is reviewed and updated as our processing activities evolve, and is available to the relevant supervisory authority upon request.
In the event of a personal data breach that poses a risk to your rights and freedoms:
CarScreener uses artificial intelligence to analyze car listings. Our AI systems perform the following automated processing:
To perform the analysis described above, we route AI requests through Vercel AI Gateway, which acts as our data processor for AI-related processing. The following AI services are accessed as authorised sub-processors via Vercel:
When you submit a listing URL, the URL is transmitted through the Vercel AI Gateway to the relevant AI provider, which accesses the publicly available listing page directly to extract and analyse its content at your direction. CarScreener does not independently scrape or collect data from third-party listing platforms. If you upload photographs separately, those images are similarly transmitted through the gateway to the AI providers for analysis.
Vercel is bound by a Data Processing Agreement (DPA) and is certified under the EU-US Data Privacy Framework. Google and Anthropic are authorised sub-processors under Vercel’s DPA. See Section 5 for details on international transfer safeguards.
Our AI-generated reports are advisory and informational only. They do not constitute automated decision-making with legal or similarly significant effects on you within the meaning of Article 22 of the GDPR. Our reports are designed to inform your purchasing decisions, not to make decisions on your behalf.
We may use aggregated and anonymized data derived from Service usage to improve our internal systems and processes. This data is stripped of all personal identifiers and cannot be used to identify any individual or any specific vehicle listing.
CarScreener’s AI systems are classified as limited-risk AI systems under the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), subject to transparency obligations under Article 50. We inform you that Verification Reports are generated in whole or in part by AI systems, that AI-generated content is identified as such, and that you are interacting with an automated analysis system rather than a human expert. The capabilities and limitations of our AI analysis are described in our Terms of Service (Sections 5.2 and 5.3).
In accordance with GDPR Article 35, we are conducting a Data Protection Impact Assessment (DPIA) to evaluate the risks of our AI-powered data processing activities. This assessment covers the processing of personal data through third-party AI providers, the analysis of listing photographs, and the generation of automated verification reports. The DPIA will be reviewed and updated periodically and will be available to the relevant supervisory authority upon request.
As a data subject, you have the following rights under both the EU GDPR and the UK GDPR. These rights apply to all users of our Service, regardless of location, to the extent required by applicable law.
You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data together with information about:
We will provide the first copy of your data free of charge. Additional copies may be subject to a reasonable administrative fee.
You have the right to request correction of inaccurate personal data and completion of incomplete personal data without undue delay.
You have the right to request deletion of your personal data when:
Limitations: We may retain data where necessary for the establishment, exercise, or defense of legal claims; compliance with a legal obligation; or reasons of public interest.
You have the right to request restriction of processing when:
You have the right to receive your personal data in a structured, commonly used, machine-readable format (such as JSON or CSV) and to transmit that data to another controller without hindrance. This right applies to data:
You have the right to object to processing of your personal data based on legitimate interest (Article 6(1)(f)) at any time. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.
Direct Marketing: You have an absolute right to object to processing of your personal data for direct marketing purposes. Upon receiving such an objection, we will cease processing your data for direct marketing without exception.
Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
You have the right not to be subject to decisions based solely on automated processing (including profiling) that produce legal effects concerning you or similarly significantly affect you. As noted in Section 8.2, our AI-generated reports are advisory only and do not constitute automated decision-making with legal or similarly significant effect.
You have the right to lodge a complaint with a supervisory authority if you believe your data protection rights have been violated. Depending on your location, the relevant authority may be:
Autoriteit Persoonsgegevens
Bezuidenhoutseweg 30, 2594 AV Den Haag, the Netherlands
Postbus 93374, 2509 AJ Den Haag
Website: autoriteitpersoonsgegevens.nl
Phone: +31 70 888 8500
Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom
Website: ico.org.uk
Phone: +44 303 123 1113
To exercise any of these rights, contact us at:
We will acknowledge receipt of your request within 5 business days. We will provide a substantive response within one month (30 calendar days). If your request is complex or we receive a large number of requests, we may extend this period by up to two further months (for a total of three months). We will notify you of any such extension within the initial one-month period, together with reasons for the delay.
We may ask you to verify your identity before processing your request. Since we identify users by email address, we will typically ask you to submit your request from the email address associated with your use of the Service.
Requests are provided free of charge. However, if requests are manifestly unfounded or excessive (particularly if repetitive), we may charge a reasonable fee or refuse to act on the request, in accordance with Article 12(5) of the GDPR.
We use cookies and similar technologies on our Service. For comprehensive information about the cookies we use, the purposes for which we use them, and how to manage your preferences, please see our Cookie Policy.
Strictly Necessary Cookies:
Analytics Cookies (Google Analytics):
Marketing Cookies (Meta Pixel & Google Ads):
Functional Storage (localStorage):
You can opt out of Google Analytics at any time using the Google Analytics Opt-out Browser Add-on.
Our Service is intended for individuals aged 18 and over. CarScreener is a tool for evaluating used car listings, which is relevant to individuals of legal driving and purchasing age. We do not knowingly collect or solicit personal data from anyone under the age of 18.
If you are a parent or guardian and believe your child under 18 has provided us with personal data, please contact us immediately at privacy@carscreener.ai. If we discover that we have collected personal data from a child under 18 without appropriate parental consent, we will take steps to delete that data as quickly as possible.
Our Service may contain links to third-party websites and services, including:
These third parties operate independently and have their own privacy policies. We are not responsible for their privacy practices or content. We encourage you to review their respective privacy policies before providing any personal data to them.
CarScreener is operated by Evengrid B.V., a company established in the Netherlands. Our Service is primarily designed for users in the European Union/EEA and the United Kingdom. If you are located outside these jurisdictions, please note that we process your personal data in accordance with the GDPR standards described throughout this Privacy Policy. We do not specifically target users outside the EU/EEA and UK, nor do we maintain separate compliance programmes for other privacy regimes at this time.
If you have questions about your rights under your local privacy law, or wish to exercise any data subject rights, please contact us at privacy@carscreener.ai.
Evengrid B.V. is established in the EU (Netherlands) and offers its Service to individuals in the United Kingdom. In accordance with Article 27 of the UK GDPR, we are in the process of appointing a UK representative. Once appointed, their name and contact details will be published here. In the meantime, UK data subjects may direct any data protection queries to privacy@carscreener.ai, and we will respond within the timeframes required by the UK GDPR.
We may update this Privacy Policy periodically to reflect changes in our data practices, technologies, legal requirements, or other factors. We will not reduce your rights under this Privacy Policy without your explicit consent.
We will notify you of material changes by:
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the changes. If you do not agree with a revised policy, you must discontinue use of the Service.
Evengrid B.V.
Trading as: CarScreener
KVK: 98623877
BTW: NL868573863B01
Registered Office: Middenstraat 121a, 1381XC Weesp, the Netherlands
Privacy Email: privacy@carscreener.ai
General Email: contact@carscreener.ai
Website: carscreener.ai
Response Time: Within 30 days (one month) as required by GDPR Article 12
Evengrid B.V. has not appointed a Data Protection Officer (DPO) as it does not meet the mandatory appointment thresholds under GDPR Article 37 (large-scale processing of special categories of data or systematic monitoring). Our designated privacy contact handles all data protection inquiries, including data subject access requests, complaints, or questions about this Privacy Policy, at privacy@carscreener.ai. Please include “Data Protection” in the subject line for priority handling.
| Version | Date | Summary of Changes |
|---|---|---|
| 1.0 | 16 February 2026 | Initial publication. |
| 1.1 | 26 February 2026 | Added Sentry Session Replay disclosure, Vercel Analytics & SpeedInsights, Meta Pixel and Google Ads processor entries, marketing cookie legal basis table entries, and Google Ads conversion tracking disclosure. |
| 1.2 | 1 March 2026 | Updated EXIF metadata disclosure (Section 1.1); corrected report delivery description (Section 3.1); removed phantom Cloud Storage Provider from processor table (Section 4.1); updated data retention enforcement language (Section 6); updated DPIA status (Section 8.6); added AI Act risk classification (Section 8.5). |