VAVA Cars Pakistan (Private) Limited Privacy Policy

VAVA Cars Pakistan (Private) Limited owns the www.vava.cars/pk (“VAVA Cars Pakistan (Private) Limited”, “we”, “us” or “our” ). We are committed to protecting and respecting your privacy.

This privacy notice explains how and why we use your personal data when you visit our website www.vava.cars/pk regardless of where you visit from, purchase goods or services from us or otherwise communicate or engage with us.

It is important that you read this privacy policy together with any other privacy notice or fair processing notice we may provide on our website on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we are using your data. This privacy notice supplements these other notices and is not intended to override them.

Please use the Glossary to understand the meaning of some of the terms used in this privacy policy.

Cookies

Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. For detailed information on the cookies we use and the purposes for which we use them see our Cookie Policy.

Sources of personal information

VAVA Cars Pakistan (Private) Limited collects and uses limited personal data about individuals. Where it does use such personal data, this will normally be incidental to a corporate relationship with a customer or supplier or where we work with nominated contacts at such organisations who hold relevant positions, such as a contract manager, counterparty contact or key decision makers in respect of our business relationship.

Save for dealing with any cyber security incident investigation, will not try to identify you from any online identifiers like your IP address.

VAVA Cars Pakistan (Private) Limited may obtain personal data about you through:

The relationship we have with you will dictate what, if any, personal data we collect about you and why we use it.

We will sometimes obtain personal data from other sources, such as from other third parties or publicly available online sources or official records.

Types of personal information

We may collect, use, store and transfer the following types of personal information about you:

Type of personal information Collected from

Contact information (name, title, address, email, telephone numbers)

You

Identity information (Date of birth, gender, marital status)

Where needed for identification purposes documented identity papers, such as a copy of your current passport and recent evidence of home address, such as from a utility bill and any other documents that verify your identity

You

Third party systems used for our identity checks

Financial Information (bank account details, financing arrangements and agreements, bank statements)

Where needed payment and transactional information regarding payment to a finance company and the finance company’s details.

You

Vehicle Information (vehicle registration, vehicle log book)

You

Technical and usage information (user name and passwords, IP address and other online identifiers, account settings, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, other technology on the devices you use to access our website and information about how you use our website, products and services)

You

Uses of your personal information

We process your personal data for many different purposes when you visit our website, to purchase goods or services from us, supply goods or services to us or otherwise communicate or engage with us

By submitting a quote on our website www.vava.cars/pk, you hereby consent that we may use your personal data to contact you about offers, promotions and other marketing materials about us

We are required by law to always have a permitted reason or justification (called a “lawful basis”) for processing your personal data

For some processing activities, we consider that more than one lawful basis may be relevant depending on the circumstances. We rely on the following lawful basis for processing your personal data:

We may convert your personal data into statistical or aggregated form, or de-identify it (anonymise it),to better protect your privacy, or so that you are not identified or identifiable from it. We may use it for the purpose of research, analysis, advertising, sales, marketing, including to producing statistical research and reports.

We are required by law to treat certain categories of personal data with even more care than usual. These are called sensitive or special categories of personal data and additional different lawful bases apply to them. This is rarely relevant but unusually may arise where we handle your passport and they reveal information about your race or ethnicity, or where KYC/AML checks reveal any criminal issues. We only process this special category of personal data, as it is necessary for the purposes of preventing fraud.

You can read more about what we process your data for, and the lawful bases on which we rely for such processing, in the table below.

Purpose of processing Lawful basis

Enabling customers to set up an account and to use the tools on the website, such as the valuation and meeting booking functions.

Legitimate Interest

To assess your vehicle and if accepted, agree to purchase your vehicle.

Contract

Engaging with suppliers on their goods and services.

Legitimate Interest

Contract

Transfer of ownership documentation, including liaising with financing companies (if applicable).

Contract

Maintaining up to date records as required by law and internal governance policies.

Legal Obligation

Legitimate Interest

Ensuring the proper operation and performance of the website, monitoring its use, security and integrity on an ongoing basis and checking and improving its functionality for users.

Legitimate Interest

Establishing and enforcing our legal rights and obligations, monitoring to identify and record fraudulent activity online, preventing and detecting crime

Meeting legal obligations for data security.

Legal Obligation

Legitimate Interest

How we keep your personal data secure

We take our security obligations seriously and we take specific steps (as required by applicable data protection laws) to protect your personal data from unlawful or unauthorised processing and accidental loss, destruction or damage.

How long we keep your personal information

We will keep your personal data during the period of your relationship with us and then, after that period ends, for as long as is necessary in connection with both our and your legal rights and obligations. This may mean that we keep some types of personal data for longer than others but we will only retain your personal data for a limited period of time. This period will depend on a number of factors, including:

Disclosure of your personal information

Vava Cars Group company

We may need to share your personal data with other companies our group for the following purposes:

Access rights between members of our group are limited and granted only on a need to know basis, depending on job functions and roles.

Where any group company process your personal data on our behalf (as our processor), we will make sure that they have appropriate security standards in place to protect your personal data. In addition, if any data is transferred out of Pakistan, we will ensure that we comply with all applicable laws to ensure appropriate safeguards are in place to protect your personal data.

Third parties

From time to time we may ask third parties to carry out certain business functions for us, such as helping to organise our events. These third parties will process your personal data on our behalf (as our processor). We will disclose your personal data to these parties so that they can perform those functions. Before we disclose your personal data to other people, we will make sure that they have appropriate security standards in place to make sure your personal data is protected and we will enter into a written contract imposing appropriate security standards on them. Examples of these third party service providers include service providers and/or sub-contractors, such as our IT support, back up and server hosting providers.

In certain circumstances, we will also disclose your personal data to third parties who will receive it as controllers of your personal data in their own right for the purposes set out above, in particular:

We have set out below a list of the categories of recipients with whom we are likely to share your personal data with:

We may also share your personal data with third parties, as directed by you.

Where we store your personal information

The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy

If any of our processing activities require your personal data to be transferred outside the EEA, we will only make that transfer if:

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our site; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

Children’s personal data

We do not knowingly solicit or collect personal data from children below the age of 18. If we discover that we have accidentally collected personal data from a child below 18, we will remove that child’s personal data from our records as soon as reasonably possible. However, we may collect personal data about children below the age of 18 years of age from the parent or custodian directly and therefore with their explicit consent and if consent is not obtained, erase the information.

Your rights

You have certain legal rights, which are summarised in the table below, in relation to any personal data about you which we hold. Your ability to exercise these rights will naturally be limited where we incidentally use limited business-related personal data in business records and business communications which we need to retain.

Your right What does it mean? Limitations and conditions

Right of access

Subject to certain conditions, you are entitled to have access to your personal data (this is more commonly known as submitting a “data subject access request”).

If possible, you should specify the type of information you would like to see to ensure that our disclosure is meeting your expectations. We must be able to verify your identity. Your request may not impact the rights and freedoms of other people, e.g. privacy and confidentiality rights of other staff. Other exemptions may apply dependent on the information and context.

Right to data portability

Subject to certain conditions, you are entitled to receive the personal data which you have provided to us and which is processed by us by automated means, in a structured, commonly-used machine readable format.

If you exercise this right, you should specify the type of information you would like to receive (and where we should send it) where possible to ensure that our disclosure is meeting your expectations.

This right only applies if the processing is based on your consent or on our contract with you and when the processing is carried out by automated means (i.e. not for paper records). It covers only the personal data that has been provided to us by you.

Rights in relation to inaccurate personal or incomplete data

You may challenge the accuracy or completeness of your personal data and have it corrected or completed, as applicable. You have a responsibility to help us to keep your personal information accurate and up to date. We encourage you to notify us of any changes regarding your personal data as soon as they occur, including changes to your contact details.

Please always check first whether there are any available self-help tools to correct the personal data we process about you. This right only applies to your own personal data. When exercising this right, please be as specific as possible.

Right to erasure

Subject to certain conditions, you are entitled to have your personal data erased (also known as the “right to be forgotten”), e.g. where your personal data is no longer needed for the purposes it was collected for, or where the relevant processing is unlawful.

We may not be in a position to erase your personal data, if for example, we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims.

Right to withdrawal of consent

As stated above, where our processing of your personal data is based on your consent you have the right to withdraw your consent at any time.

If you withdraw your consent, this will only take effect for future processing.

Right to object to automated decision making

If you have the right to object to a decision being made solely by an automated decisions that will have a significant effect on you.

We may not be in a position to stop all processing if the decision is necessary for a contract, authorised by law, or you have given your consent.

Where our processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. If you do decide to withdraw your consent we will stop processing your personal data for that purpose, unless there is another lawful basis we can rely on – in which case, we will let you know. Your withdrawal of your consent won’t impact any of our processing up to that point.

Where our processing of your personal data is necessary for our legitimate interests, you can object to this processing at any time. If you do this, we will need to show either a compelling reason why our processing should continue, which overrides your interests, rights and freedoms or that the processing is necessary for us to establish, exercise or defend a legal claim.

You can exercise these rights at any time by contacting us at [email address].

If any of the personal information you give us changes, or something is incorrect (e.g. your contact details), please inform us without delay.

Automated decision making and profiling

We do not make any decision solely using automated decision-making processes. However, we do utilise certain automated decision-making processed such as identity and fraud checks.

More Information

If you want more information about any of the subjects covered in this privacy notice or if you would like to discuss any issues or concerns with us, please contact us at [email address].

Changes to our privacy policy

Any changes we may make to our privacy policy in the future will be posted on this page. Please check back frequently to see any updates or changes to our privacy policy.

Third party websites

Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

Contact

Questions, comments and requests regarding this privacy policy should be addressed to [email address]

Glossary

Please see below a glossary of key terms used

Term Meaning

European Economic Area or EEA

Countries in the European Union, Iceland, Liechtenstein and Norway.

personal data or personal information

Any information that relates to an identifiable natural person. Your name, address, contact details and vehicle registration number are all examples of your personal data, if they identify you.

process

Any activity relating to personal data, including, by way of example, collection, storage, use, consultation and transmission.

processor

A person or an entity that processes the personal data on the controller’s instructions.

Controller

[VAVA ENTITY] is a “controller” of your personal data. This is a legal term – it means that we make decisions about how and why we process your personal data and, because of this, we are responsible for making sure it is used in accordance with data protection laws.

special category personal data

personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation and data relating to criminal allegations, offences, proceedings, convictions, sentences and/or sanctions.