This privacy policy describes how we, the data controller CROOSR LTD of New World Busiess Centre, Station Rd, Warmley, Bristol BS30 8XG (“Croosr”, “we” or “us”) collect, store and process information about individual visitors to this website.

This privacy policy only applies to website of Croosr on which this privacy policy is stored or from which reference is made to this privacy policy by means of a link (hereinafter: “website”). This privacy policy does not apply to linked website that are not owned and controlled by Croosr.

Commitment to data protection

Personal data is any information relating to personal or material circumstances that relates to an identified or identifiable individual. This includes, for example, your name, date of birth, e-mail address, postal address or telephone number as well as online identifiers such as your IP address. In contrast, information of a general nature that cannot be used to determine your identity is not personal data. This includes, for example, the number of users of a website.

In principle, we will only use your personal data in accordance with the applicable data protection laws, in particular the UK`s Data Protection Act 2018 (DPA), the European General Data Protection Regulation (“GDPR”), and only as described in this privacy policy.

However, we reserve the right to put this data to additional uses to the extent permitted or required by law or necessary to support legal or criminal investigations. In this case, we will inform you again about this further data processing to the extent required by law and obtain your consent.

In the next sections we explain when and how we process personal data about you when you visit our website.

Purposes of use of personal data and legal basis

a) Log Files

We only collect and process access data that your internet browser automatically transmits to us for technical reasons in order to provide the website. Depending on the access protocol used, the protocol data record contains general information with the following contents: Your session data (usage behaviour, length of stay, which links were clicked on, etc.), your abbreviated and unabbreviated IP address, your browser version, your operating system, your website-specific settings, your cookie IDs, your pixel IDs. This data does not allow any direct inference to your person and is processed to improve our website offer and to defend against attempted attacks on our web server. The legal basis for the processing of your personal data is Art. 6 para. 1 lit. f) GDPR. We have a legitimate interest in presenting you with a website optimised for your browser and in enabling communication between our server and your terminal device.

b) Contact and Quote requests

Enquiries via our contact form, quote request or book now form may include your name, address, e-mail address, the subject of your contact and your message. As well as your Phone number, Pickup and Drop Off Location and optional other travel details. We process and store the personal data provided in the contact enquiry solely for the purpose of processing and responding to your enquiry and contacting you. The legal basis for the processing of your personal data is Art. 6 para. 1 lit. b) GDPR. In the event that you report a side effect, we process your personal data to track the side effect in accordance with Art. 6 (1) f) GDPR, as we have a legitimate interest in tracking any side effects.

c) Registration and booking

If you register on our website, we will request mandatory and, where applicable, non-mandatory data in accordance with our registration form for the purposes of making your booking. This may include your name, address, e-mail address, your Phone number, Pickup and Drop Off Location and optional other travel details. The entry of your data is encrypted so that third parties cannot read your data when it is entered.

The basis for this storage is our legitimate interest in communicating with interested users according to Art. 6 para. 1 lit. f GDPR and, in the case of contracts, also the storage of contract data according to Art. 6 para. 1 lit. b GDPR.

Your data will remain stored for as long as the registration lasts, in particular the storage is still necessary for the fulfilment/execution of the contract, for legal prosecution by us or for our other legitimate interests or we are required by law to retain your data (e.g., within the framework of tax retention periods).

We process personal data for the purpose of your booking and for the purpose of fulfilling the contract. The legal basis is Art. 6 para. 1 lit. b and lit. f GDPR. You can manage and change all information in your account. If you set up an account, we store the data required for the fulfilment of the contract until final deletion of the access and/or after expiry of the statutory retention periods. For a longer period, the data could also be processed on the basis of our legitimate interest (legal defence, debt collection, etc.). The legal basis is Art. 6 para. 1 lit. b and lit. f GDPR.

d) Cookies and similar technologies

For the processing of personal data using cookies and similar technologies on our website, please refer to our Cookie Policy, which is part of this privacy policy.

e) Google Maps

Our website accesses the map service Google Maps via an API. To use the functions of Google Maps, it is necessary to save your IP address. This information is usually transmitted to a Google server in the USA and stored there. We have no influence on this data transmission. Google Maps is used in the interest of a user-friendly presentation of our online offers, in order to user-friendly presentation of our online offer. The legal basis is consent in accordance with Art. 6 (1) (a) GDPR.

Transfer of personal data

Croosr will not disclose or otherwise distribute your personal data to third parties unless this is necessary for the performance of our services (legal basis for processing: Art. 6 para. 1 lit. b) GDPR), you have consented to the disclosure (legal basis for processing: Art. 6 para. 1 lit. a) GDPR) or the disclosure of data is permitted by relevant legal provisions.

Croosr is entitled to outsource the processing of your personal data in whole or in part to external service providers acting as processors for Croosr pursuant to Art. 4 No. 8 GDPR within the framework of the data protection provisions. External service providers support us, for example, in the technical operation and support of the website, data management, the provision and performance of services, marketing, as well as the implementation and fulfilment of reporting obligations.

The service providers commissioned by Croosr process your data exclusively in accordance with our instructions. Croosr remains responsible for the protection of your data, which is ensured by strict contractual regulations, technical and organisational measures and additional controls by us.

Personal data may also be disclosed to third parties if we are legally obliged to do so e.g., by court order (legal basis for processing: Art. 6 (1) (c) GDPR) or if this is necessary to support criminal or legal investigations or other legal investigations or proceedings at home or abroad or to fulfil Croosr’s legitimate interests (legal basis for processing: Art. 6 (1) (f) GDPR).

Croosr will not sell, rent, or otherwise transfer your personal data to third parties. We will transfer your data to third parties if you have consented to this in accordance with Art. 6 (1) (a) GDPR, or in the following cases:

Croosr may engages other companies and individuals in certain cases to fulfil its obligations to its customers on its behalf. This may involve sharing your data with these third parties in order to provide products or services to you. Examples include customer service, payment data processing and marketing support. In these cases, data is transferred to such service providers and contractors (such as payment service providers, advertising providers, technical service providers) for the purpose of fulfilling the contract in accordance with Art. 6 (1) (b) GDPR.

It goes without saying that Croosr ensures that the respective service provider guarantees data security before passing on personal data. Croosr will therefore only commission companies that can guarantee secure and proper data processing based on their qualifications and their technical and organisational capabilities.

Payment Processors

PayPal

On our website we offer, payment via PayPal. The provider of this payment service is PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter “PayPal”). If you select payment via PayPal, the payment data you enter will be transmitted to PayPal. The transmission of your data to PayPal is based on Art. 6 para. 1 lit. a GDPR (consent) and Art. 6 para. 1 lit. b GDPR (processing for the performance of a contract). You have the option to revoke your consent to data processing at any time. A revocation does not affect the validity of past data processing operations.

Stripe

Payment by credit card and SEPA direct debit is made via the payment service provider “Stripe“, to which we pass on your mandatory details (e-mail address) provided during the registration process, together with information about your booked packages, in accordance with Art. 6 Para. 1 lit. b GDPR for payment processing. Your data will only be passed on for the purpose of payment processing with the payment service provider Stripe and only insofar as it is necessary for this purpose (data protection Stripe). Information on the service provider: Stripe Payments Europe Ltd, Block 4, Harcourt Centre, Harcourt Road, Dublin 2, Ireland.

Storage and retention

Your personal data will be stored by us only for as long as is necessary to achieve the purposes for which the data was collected or – if statutory retention periods exist that go beyond this point and for the duration of the legally prescribed retention period (typically 6 years). We then delete your personal data. Only in a few exceptional cases is your data be stored beyond this period, e.g. if storage is necessary in connection with the enforcement of and defence against legal claims against us.

Croosr is entitled to process your personal data insofar as this is necessary to fulfil legal obligations. For this purpose, Croosr may transfer this data in particular to authorities, law enforcement agencies and courts. In this case, the transfer of your data is required by Art. 6 (1) (c) GDPR for compliance with a legal obligation to which we are subject. Croosr is further entitled to process personal data if and to the extent necessary to detect or prevent misuse of this website or to enforce claims of Croosr, its employees or users, whereby the data processing in these cases is necessary to protect these aforementioned legitimate interests of Croosr pursuant to Art. 6 (1) (f) GDPR. Insofar as the disclosure of health data is necessary for the assertion of claims or the defence against claims, the related data processing is based on Art. 9 (2) f) GDPR.

International transfers

Our main operations are based in the UK and your personal information is generally processed, stored and used within in the UK and other countries in the European Economic Area (EEA). In some instances, your personal information may be processed outside the European Economic Area. If and when this is the case, we take steps to ensure there is an appropriate level of security, so your personal information is protected in the same way as if it was being used within the UK and the EEA.

Where we need to transfer your data outside the UK or the EEA, we will use one of the following safeguards:

• The use of approved standard contractual clauses in contracts for the transfer of personal data to third countries.

• Transfers to a non-EEA country with privacy laws that give the same protection as the UK and the EEA.

Automated decision-making

Automated decision-making including profiling pursuant to Art. 22 (1) and (4) GDPR does not take place on the part of Croosr.

Direct marketing in the context of a customer relationship

We use the data you provide to fulfil and process our contract and to respond to your enquiries in accordance with Art. 6 (1) (b) GDPR or on the basis of your consent in accordance with Art. 6 (1) (a) GDPR. Insofar as you have also given us separate consent to process your data for consulting, quotation and advertising purposes, Croosr is entitled to contact you for these purposes via the communication channels you have ticked in this consent.

Your Rights

You have a number of ‘Data Subject Rights’ below is some information on what they are and how you can exercise them. There is more information on the Information Commissioners website (www.ico.org.uk).

• information about the processing of your personal data.

• obtain access to the personal data held about you.

• ask for incorrect, inaccurate or incomplete personal data to be corrected.

• request that personal data be erased when it’s no longer needed or if processing it is unlawful.

• object to the processing of your personal data for marketing purposes or on grounds relating to your particular situation.

• request the restriction of the processing of your personal data in specific cases.

• receive your personal data in a machine-readable format and send it to another controller (‘data portability’).

• request that decisions based on automated processing concerning you or significantly affecting you and based on your personal data are made by natural persons, not only by computers.

• You also have the right in this case to express your point of view and to contest the decision

• Where the processing of your personal information is based on consent, you have the right to withdraw that consent without detriment at any time through our contact form.

The above rights may be limited in some circumstances, for example, if fulfilling your request would reveal personal information about another person, if you ask us to delete information which we are required to have by law, or if we have compelling legitimate interests to keep it.

We will let you know if that is the case and will then only use your information for these purposes. You may also be unable to continue using our services if you want us to stop processing your personal information.

We encourage you to get in touch if you have any concerns with how we collect or use your personal information. You do however also have the right to lodge a complaint directly with the ICO, their contact details can be found on their website (www.ico.org.uk).

Security and confidentiality

To ensure the security and confidentiality of the personal data we collect on the Website, we use data networks that are protected by, among other things, industry-standard firewalls and password systems. When handling your personal information, we take appropriate technical and organisational measures to protect your information from loss, misuse, unauthorised access, disclosure, alteration or destruction and to ensure its availability.

Social Media

Online presences in social media

We maintain online presences in Facebook, Twitter, LinkedIn on the basis of our legitimate interests. We maintain online presences within social networks and platforms in order to communicate with customers, interested parties and users who are active there. Unless otherwise stated in this policy, we process the data of users if they communicate with us within the social networks and platforms, e.g., write articles on our online presences or send us messages.

Social Media Plugins

Social media plugins normally result in every visitor to a page being immediately recorded by these services with their IP address and their further browsing behaviour being logged. This can happen even if you do not click the button.

To prevent this, we use the Shariff method. This means that our social media buttons only establish direct contact between the social network and you when you click on the respective share button. If you are already logged in to a social network, this is done without another window or a pop-up window depending on the social network.

You can thus publish our content on social networks without them being able to create complete surf profiles. The social media platform will usually store cookies on your device or even save your usage behaviour to your account, especially if you are logged in yourself. The social media platform can use your data to analyse your user behaviour and use it for (interest-based) advertising. This may result in advertisements being displayed to you inside and outside the social media platform.

Google Analytics

We use Google Analytics, a service provided by Google Inc. This means that the data collected can in principle be transmitted to a Google server in the USA, whereby the IP addresses are anonymised by means of IP anonymisation so that an allocation is not possible. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data. You can object to the collection and processing of this data by Google Analytics by setting an opt-out cookie that prevents the future collection of your data when you visit this website: http://tools.google.com/dlpage/gaoptout?hl=en.

Google reCAPTCHA

We use “Google reCAPTCHA” on our websites. The provider is Google Inc. The purpose of reCAPTCHA is to check whether the data input on our websites is made by a human being or by an automated programme, and reCAPTCHA also protects our users from SPAM when using the message function. For this purpose, reCAPTCHA analyses the behaviour of the website visitor on the basis of various characteristics. This analysis begins automatically as soon as the website visitor enters the website. For the analysis, reCAPTCHA evaluates various information (e.g., IP address, time spent by the website visitor on the website or mouse movements made by the user). The data collected during the analysis is forwarded to Google.

The reCAPTCHA analyses run entirely in the background. Website visitors are not informed that an analysis is taking place. We have a legitimate interest in protecting our offers from abusive automated spying and our users from SPAM.

Cookie Consent manager

We have integrated the consent management tool “GDPR Cookie Consent” from Mozilor Limited trading as WebToffee, on our website in order to request consent for data processing or the use of cookies or comparable functions. With the help of “GDPR Cookie Consent” you have the possibility to give or refuse your consent for certain functionalities of our website, e.g., for the purpose of integrating external elements, integrating streaming content, statistical analysis, coverage measurement and personalised advertising. You can use “GDPR Cookie Consent” to give or refuse your consent for all functions or to give your consent for individual purposes or individual functions. The settings you have made can also be changed by you afterwards. The purpose of integrating “GDPR Cookie Consent” is to allow the users of our website to decide on the aforementioned matters and, in the course of further use of our website, to offer them the opportunity to change settings they have already made. In the course of using “GDPR Cookie Consent”, personal data as well as information of the end devices used, such as the IP address, are processed.

The legal basis for the processing is your consent in conjunction with our legitimate interest. Our legitimate interests in the processing lie in the storage of user settings and preferences in relation to the use of cookies and other functionalities. “GDPR Cookie Consent” stores your data as long as your user settings are active. After two years after the user settings have been made, you will be asked again for your consent. The user settings made will then be stored again for this period.

You can object to the processing. You have the right to object on grounds relating to your particular situation. To object, please contact us.

Web hosting and content delivery network

Croosr works with an external web host (WordPress), through which we are able to offer you our website and services online and to process your data securely and efficiently. We have a legitimate interest in this within the meaning of Art. 6 Para. 1 S. 1 lit. f GDPR. In this context, all information that accrues in the course of using our services pursuant to Art. 3.1. to 3.3. is transmitted to WordPress and stored there until we delete it.

Links to other website

The website may contain links to another website. We have no control over the privacy practices or the content of those other website. Therefore, we recommend that you carefully read the respective privacy policies of these other website that you visit.

Changes

This Policy and our commitment to protecting the privacy of your personal data can result in changes to this Policy. Please regularly review this Policy to keep up to date with any changes.

Queries and Complaints

Any comments or queries on this policy should be directed to us. If you believe that we have not complied with this policy or acted otherwise than in accordance with data protection law, then you should notify us. You can also make a referral to, or lodge a complaint with, the ICO.