Privacy and Cookies Policy

This policy explains how we use personal data under the UK GDPR and Data Protection Act 2018, and how we use cookies under PECR (Privacy and Electronic Communications Regulations).

1) Definitions

1.1 Personal data: information relating to an identified or identifiable individual.

1.2 Processing: anything done with personal data (collecting, storing, using, sharing, deleting).

1.3 UK GDPR: the UK General Data Protection Regulation.

1.4 DPA 2018: the Data Protection Act 2018.

1.5 Controller: the organisation that decides how and why personal data is processed.

1.6 Processor: a third party that processes personal data on behalf of a controller.

1.7 PECR: UK rules covering cookies and similar technologies.

2) Who controls your personal data

2.1 Pico Cars Ltd is the controller of personal data described in this policy.

2.2 Contact (privacy requests/questions)

Email: sales@picocars.co.uk

Post: Pico Cars Ltd, 554 Hertford Road, Enfield, England, EN3 5ST

2.3 ICO and the data protection fee

Most organisations must pay the ICO data protection fee unless exempt. We maintain compliance with our obligations in this area. Our ICO fee payer/registration reference can be provided on request if you need it.

3) When this policy applies

This policy applies when you:

• visit our website;

• contact us by phone, email, WhatsApp or in person;

• enquire about or buy a vehicle (including distance sale);

• arrange delivery;

• use third-party finance (where applicable);

• use a third-party warranty (where applicable); or

• contact us for after-sales support.

4) Personal data we collect

We may collect:

4.1 Identity & contact data: name, address, email, phone number.

4.2 Enquiry and purchase data: vehicle interests, order/invoice details, delivery details, communications.

4.3 Verification / fraud-prevention data: driving licence and proof of address (where needed).

4.4 Payment data: bank transfer details/references and payment confirmations.

4.5 Finance data (where you request finance): limited information needed to introduce you/administer the sale; the lender collects further data directly from you.

4.6 Warranty/after-sales data: details needed to administer warranty support and after-sales enquiries.

4.7 Website/device data: IP address, device/browser information, pages visited and interactions (typically via cookies).

4.8 CCTV: images at our premises for security and safety (see clause 12).

4.9 Call recordings: recordings for defined purposes (see clause 13).

4.10 If you don’t provide data: If you don’t provide the information we reasonably need (e.g., identity/contact details for an order, delivery address, or verification where required), we may be unable to progress your enquiry, complete a sale, arrange delivery, or meet fraud-prevention/legal requirements.

4.11 Children: Our website and services are not intended for children and we do not knowingly collect personal data from children.

We do not normally need “special category” data (e.g., health). If you choose to share sensitive information (for example, to request additional support), we will handle it with additional care and only where lawful.

5) Where we get your data from

5.1 Directly from you (website forms, calls, email, WhatsApp, in person).

5.2 From relevant third parties where appropriate, such as finance providers/lenders, warranty providers, delivery firms, fraud-prevention/ID verification providers, vehicle history check providers, or platforms where you message us about a vehicle.

6) Why we use your data

We use personal data to:

6.1 respond to enquiries and provide quotes;

6.2 sell vehicles and administer orders/invoices;

6.3 arrange delivery/collection and handover;

6.4 process payments and prevent fraud;

6.5 introduce you to third-party finance providers (if requested);

6.6 support warranty administration and after-sales queries;

6.7 comply with legal obligations (tax/accounting, handling claims, responding to lawful requests);

6.8 keep our premises and systems secure;

6.9 improve our website and customer experience (analytics).

6.10 Whether you must provide data: Some information is required to enter into and perform a contract with you (for example, identity and contact details, and delivery/collection details). If you do not provide required information, we may not be able to complete a sale, arrange delivery/collection, or provide after-sales support.

7) Lawful bases (UK GDPR)

We rely on one or more lawful bases depending on the activity:

7.1 Contract – steps before or performance of a contract (e.g., processing an order).

7.2 Legal obligation – e.g., accounting/tax compliance.

7.3 Legitimate interests – e.g., fraud prevention, security, service improvement (balanced against your rights). Where we rely on legitimate interests, you can ask for more information about the assessment we’ve carried out.

7.4 Consent – where required (especially for non-essential cookies and some marketing). Cookie consent must be a clear positive action, not implied by simply using the site.

7.5 Withdraw consent: Where we rely on consent (for example, for optional cookies or certain marketing), you can withdraw your consent at any time. Withdrawing consent does not affect the lawfulness of processing based on consent before it was withdrawn.

8) Marketing

8.1 Service messages about your enquiry/purchase/delivery/warranty admin are not marketing.

8.2 If we send marketing, you can opt out at any time by using an unsubscribe link (where included) or emailing sales@picocars.co.uk with “OPT OUT”.

8.3 If we rely on consent, you can withdraw it at any time.

8.4 Preference management: You can ask us to send marketing only by certain channels (e.g., email only) or not at all.

9) Who we share data with

We may share personal data with:

9.1 Finance providers/lenders (if you request finance);

9.2 Warranty providers (if a third-party warranty applies);

9.3 Delivery/transport providers (if you choose dealer-arranged delivery);

9.4 IT and service providers (email, document storage, e-signature, website hosting, security and analytics);

9.5 Professional advisers (accountants, insurers, solicitors);

9.6 Authorities where we’re legally required or to protect legal rights.

9.7 Independent controllers: Where you choose third-party finance, a warranty provider, or messaging platforms (e.g., WhatsApp), those organisations will usually act as independent data controllers for their own purposes and will provide their own privacy information. We share only what is necessary for the relevant service, and you should also read the provider’s privacy notice.

9.8 Fraud prevention / law enforcement: We may share information with fraud-prevention agencies and law enforcement where necessary to prevent fraud, protect our business and customers, or comply with legal requirements.

10) Our main systems and processors (high-level)

10.1 Google Workspace (email, documents, storage): used for communications and document workflows.

10.2 Google Workspace eSignature: used to request and capture signatures and maintain an audit trail in our document workflows.

10.3 Google Analytics: used to understand how visitors use our website (see Cookies section).

10.4 Website hosting, security and analytics suppliers: We use specialist providers for website hosting, security protection, backups, and performance monitoring. We can provide a current list of key suppliers on request.

10.5 Automated decision-making: We do not use your personal data to make automated decisions that have legal or similarly significant effects on you.

11) International transfers

11.1 Some providers may process data outside the UK.

11.2 Where this happens, we use appropriate safeguards (for example, contractual safeguards) to protect your data.

11.3 Where suppliers process data outside the UK (for example in the United States), we use appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) and/or the UK Addendum to the EU Standard Contractual Clauses, as applicable.

12) CCTV (in operation)

12.1 We operate CCTV at our premises for security, safety, crime prevention and incident investigation.

12.2 Lawful basis: legitimate interests (security and safety), and where applicable compliance with legal obligations.

12.3 Retention: CCTV footage is typically retained for up to 30 days, unless it needs to be kept longer to investigate an incident, respond to a complaint, or support legal proceedings.

12.4 Signs are displayed to inform visitors that CCTV is in use.

13) Call recording (in operation)

13.1 We record inbound and/or outbound calls for:

• staff training and quality monitoring;

• complaint handling and dispute resolution;

• fraud prevention and security; and/or

• confirming instructions and agreements.

13.2 Lawful basis: legitimate interests (quality, training, dispute handling, fraud prevention) and/or contract (where needed to evidence instructions).

13.3 Notice: We take reasonable steps to inform you at the start of a call that it may be recorded. If you prefer not to be recorded, you can ask to communicate by email/WhatsApp instead (where feasible).

13.4 Retention: call recordings are typically retained for up to 6 months, unless they need to be kept longer to resolve a complaint/dispute or to establish, exercise or defend legal claims.

14) Data retention

We keep personal data only as long as necessary for the purposes above, including legal/claim needs.

Typical periods:

14.1 Sales & accounting records: usually 6 years after the relevant financial year end.

14.2 Enquiries (no purchase): 12–24 months after last contact.

14.3 Warranty/after-sales: typically the warranty term plus a reasonable period to handle follow-up queries/disputes.

14.4 CCTV: up to 30 days (see clause 12).

14.5 Call recordings: up to 6 months (see clause 13).

14.6 Legal claims: Where necessary, we may retain relevant information for longer to establish, exercise or defend legal claims.

15) Security

We use reasonable technical and organisational measures to protect personal data (access controls, secure systems, staff confidentiality, supplier contracts).

16) Your rights

You have rights under UK GDPR including access, rectification, erasure (in some cases), restriction, portability (in some cases), and objection (including to direct marketing).

To exercise your rights, contact sales@picocars.co.uk. We may need to verify your identity.

You can also complain to the ICO (UK data protection regulator).

Response time: We normally respond to valid requests within one month (and may extend by up to two further months for complex requests, as permitted by law).

ICO: You can complain to the Information Commissioner’s Office (ICO). We’d appreciate the chance to help first.

16.1 Right to object: You have the right to object to processing based on legitimate interests. If you object, we will stop processing unless we have compelling legitimate grounds or the processing is needed for legal claims.

Cookies Policy

17) What cookies are and why we use them

17.1 Cookies are small files placed on your device. PECR applies to cookies and similar technologies.

17.2 We use:

• Strictly necessary cookies (essential for the site to work); and

• Analytics cookies (Google Analytics) to understand site usage.

17.3 Non-essential cookies require consent. Consent must be an active choice with clear options to accept/reject.

17.4 You can change your cookie choices at any time via the cookie settings link/badge.

17.5 Strictly necessary cookies: Strictly necessary cookies are set without consent where they are essential to provide the website/service you request. All other cookies (including analytics) are set only with your consent.

18) How we manage cookie consent

18.1 We use a cookie banner/settings tool so you can accept or reject non-essential cookies.

18.2 If you reject analytics cookies, we will not set Google Analytics cookies (or we will configure analytics so it does not use non-essential identifiers), depending on site configuration.

18.3 You can also manage cookies in your browser settings. Blocking some cookies may affect site functionality.

18.4 We may refresh cookie choices periodically (for example, around every six months) and whenever our cookie use materially changes.

19) Google Analytics cookies we use

Google Analytics cookies help us understand how visitors use our site. Cookie names and durations can vary depending on configuration and browser controls, but may include:

Cookie name | Provider | Purpose | Category | Typical duration*

_ga | Google Analytics | Distinguishes users | Analytics | Up to 2 years*

ga* | Google Analytics | Persists session state / usage measurement | Analytics | Up to 2 years*

_gid (may be used) | Google Analytics | Distinguishes users | Analytics | Up to 24 hours*

_gat / similar throttling cookies (may be used) | Google Analytics | Throttles request rate | Analytics | Up to 1 minute*

*Durations can be affected by your browser settings and evolving browser privacy restrictions.

This list may change as Google updates cookies; the banner shows the current settings.

19.2 We do not use marketing/advertising tags (e.g., Meta Pixel) at this time.

20) Updates to this policy

We may update this policy from time to time. The latest version will always be available on our website.