Privacy Policy
Data Controller and Joint Controllership
TransparentCaprice Lda, tax identification number (NIF) 517840642, with registered office at Porto, Portugal (hereinafter referred to as the «Company», «we» or «us»).
General contact: info@claracars.pt | Phone: +351 XXX XXX XXX
Data Protection Officer (DPO): dpo@claracars.pt
The Company is the sole controller of personal data collected through this website, within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation — «GDPR»), and Law No. 58/2019 of 8 August (Portuguese national implementing law of the GDPR).
Joint controllership: In the context of vehicle imports, we may occasionally act as joint controllers with import suppliers or partners (namely auction platforms or European wholesalers), to the extent that both parties jointly determine the purposes and means of processing data relating to specific transactions. In such cases, we enter into joint controllership arrangements pursuant to Article 26 GDPR, the essential elements of which will be made available to data subjects upon request.
Categories of personal data we collect
We collect and process the following categories of personal data, depending on the service or feature you use:
a) Contact forms and information requests
Full name, email address, phone number (optional), preferred contact method, message content.
b) Vehicle valuation (online valuation tool)
Make, model, version, year of first registration, mileage, fuel type, transmission type, general vehicle condition, additional notes, and optionally, vehicle photographs uploaded by the user.
c) Import-to-order request
Desired specifications (make, model, engine, equipment), budget range, desired timeline, preferred country of origin.
d) Test drive scheduling
Name, phone number, email, preferred date and time, driver's license number (for verification of legal driving qualification).
e) Job applications (if applicable)
Curriculum vitae, cover letter, academic and professional qualifications, relevant professional experience.
f) Technical and browsing data
IP address (anonymized before storage), browser type and version, device type (desktop, tablet, mobile), operating system, referrer URL (origin page), pages visited on our site, visit duration, date and time of access.
g) Cookie data
Detailed information about cookies and similar technologies can be found in our Cookie Policy.
Special categories of data: We do not collect special categories of personal data (sensitive data relating to health, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning sex life or sexual orientation), except where strictly required by law.
Purposes and legal bases for processing
We process your personal data only for specified, explicit and legitimate purposes, based on the following legal grounds under the GDPR:
1. Respond to contact and information requests
Legal basis: Data subject's consent (Art. 6(1)(a) GDPR) and/or performance of pre-contractual steps at the data subject's request (Art. 6(1)(b) GDPR).
2. Manage test drive bookings
Legal basis: Contract performance or pre-contractual steps (Art. 6(1)(b) GDPR). Collection of the driver's license number is justified by the need to verify legal qualification to drive the vehicle safely.
3. Process vehicle sales and imports
Legal basis: Contract performance (Art. 6(1)(b) GDPR).
4. Send valuations and commercial proposals
Legal basis: Consent (Art. 6(1)(a) GDPR) and/or legitimate interests in commercial management (Art. 6(1)(f) GDPR). The legitimate interest consists of the need to respond to commercial inquiries and present suitable proposals.
5. Marketing to existing customers (soft opt-in)
Legal basis: Legitimate interest (Art. 6(1)(f) GDPR), in accordance with Article 13-A of Decree-Law No. 7/2004. We may send commercial communications about products or services similar to those you have already purchased, always ensuring the possibility of easy and free objection.
6. Newsletter
Legal basis: Explicit and unambiguous consent (Art. 6(1)(a) GDPR), obtained through a double opt-in mechanism.
7. Statistical analysis and website optimization
Legal basis: Legitimate interest in the continuous improvement of the site and user experience (Art. 6(1)(f) GDPR), combined with consent for analytics cookies (Google Analytics 4 via Google Tag Manager). See Cookie Policy for details.
8. Recruitment and selection
Legal basis: Candidate's consent (Art. 6(1)(a) GDPR) and/or pre-contractual steps (Art. 6(1)(b) GDPR).
9. Compliance with legal and tax obligations
Legal basis: Compliance with a legal obligation to which the controller is subject (Art. 6(1)(c) GDPR), namely accounting, tax (IRS, IRC, VAT Codes), anti-money laundering (Law No. 83/2017), and commercial documentation retention obligations (Commercial Code).
Sources of personal data
The personal data we process is primarily collected directly from the data subject through the forms and features available on our website or through direct contact (phone, email, WhatsApp, Telegram, in person). Communication via WhatsApp and Telegram may begin through automated bot.
In certain situations, we may also obtain data from third-party sources, namely:
• Vehicle sourcing platforms (Auto1, European auctions): technical and historical data on imported vehicles, including declared mileage, ownership history, inspection reports.
• Market platforms (Portuguese classified portals): market data for valuation and comparative price analysis purposes.
• Public registers: data from the Institute for Mobility and Transport (IMT) for vehicle registration verification, where applicable and authorized by the data subject.
In all cases, data is processed in accordance with GDPR principles and for the purposes identified above.
Data retention periods
We retain your personal data only for the period strictly necessary for the purposes for which it was collected, or for the period required by law. Applicable periods are as follows:
• Contact requests and leads (no purchase): 24 months from last contact, unless active negotiation is ongoing.
• Vehicle sales/import contracts: during contract validity plus 10 years after conclusion (legal limitation period and tax obligations under the IRC and IRS Codes).
• Test drive bookings: 12 months from the test drive date or until completion of sale, whichever occurs first.
• Valuations and commercial proposals: 18 months from issuance.
• Job applications: 12 months from receipt, deleted thereafter if no hiring results, unless the candidate expressly consents to longer retention.
• Newsletter: until withdrawal of consent (unsubscribe).
• Analytics cookies (Google Analytics 4): 14 months (GA4 default configuration).
• Consent cookies: 12 months.
• Complaints (Complaints Book): 5 years (minimum legal retention period).
• Accounting and tax documentation: 10 years (IRS/IRC Codes).
After expiry of the above periods, data is securely and irreversibly deleted, or anonymized for exclusively statistical purposes.
Data sharing and recipients
We do not sell, transfer, or make available your personal data to third parties for marketing purposes.
Your personal data may be communicated to or accessed by the following categories of recipients, always in strict compliance with the data minimization principle and based on sub-processing agreements (Art. 28 GDPR) or legal obligations:
a) Internal staff
Sales team, administrative team (invoicing, accounting) and customer support team — solely to the extent necessary for the performance of their duties (need-to-know principle).
b) Sub-processors (data processors)
• Web hosting: servers hosted within the European Union by a provider contractually bound to adequate security measures.
• Google LLC (USA): Google Analytics 4 (via Google Tag Manager) for anonymous site traffic analysis (only with your consent). International transfer under the EU-US Data Privacy Framework. See section «International Transfers».
• Email service provider: for sending operational communications and, where you have consented, newsletters.
• Payment processors: if applicable, for secure electronic payment processing in compliance with PCI-DSS standards.
c) Vehicle suppliers (import)
Auto1 platforms, auction houses and other European wholesalers — only the data strictly necessary for sourcing and acquiring the desired vehicle (order data, never sensitive personal data).
d) Legal and regulatory authorities
When required by law: Tax and Customs Authority (AT), police forces, courts, Institute for Mobility and Transport (IMT), National Data Protection Commission (CNPD).
All sub-processors are required to process personal data exclusively according to our documented instructions, ensure confidentiality, and implement adequate technical and organizational protection measures.
International data transfers
As a general rule, your personal data is processed within the European Economic Area (EEA).
Exceptionally, transfers to countries outside the EEA may occur in the following situations:
• Google LLC (United States of America): Google Analytics 4 processes analytics data on servers located in the USA. This transfer is carried out under the EU-US Data Privacy Framework, approved by the European Commission's Adequacy Decision of 10 July 2023 (Implementing Decision (EU) 2023/1795), which recognizes that the USA provides an adequate level of protection for data transferred under this framework.
• Other transfers: Should it become necessary to transfer data to other countries outside the EEA, we will ensure the existence of adequate safeguards, namely through Standard Contractual Clauses (SCC) approved by the European Commission (Implementing Decision (EU) 2021/914) or other legal mechanisms provided for in Articles 46 to 49 GDPR.
You may request additional information about the safeguards applicable to international transfers by contacting our DPO: dpo@claracars.pt.
Your rights as a data subject
Under the GDPR and applicable Portuguese legislation, you have the right to exercise the following rights regarding your personal data at any time:
• Right of access (Art. 15 GDPR): You have the right to obtain confirmation that your data is being processed and, if so, to access it and obtain a copy, as well as information about purposes, data categories, recipients, retention periods, and data sources.
• Right to rectification (Art. 16 GDPR): You have the right to request, without undue delay, the rectification of inaccurate personal data concerning you, or to complete incomplete data.
• Right to erasure — «right to be forgotten» (Art. 17 GDPR): You have the right to obtain erasure of your personal data when, among other situations, the data is no longer necessary for the purpose for which it was collected, you withdraw consent (where consent is the legal basis), or you object to processing without overriding legitimate grounds. This right may be limited by legal retention obligations (namely tax obligations).
• Right to restriction of processing (Art. 18 GDPR): You have the right to obtain suspension of processing in certain circumstances, namely when you contest data accuracy (during the verification period) or when you object to processing (while assessing whether legitimate interests prevail).
• Right to data portability (Art. 20 GDPR): You have the right to receive personal data you provided to us in a structured, commonly used and machine-readable format (e.g., CSV, JSON), and to transmit it to another controller, where processing is based on consent or contract performance and is carried out by automated means.
• Right to object (Art. 21 GDPR): You have the right to object, at any time, to the processing of your data for direct marketing purposes, including related profiling. In the case of direct marketing, objection is an absolute right — we will immediately cease processing for that purpose.
• Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent, you may withdraw it at any time, without affecting the lawfulness of processing carried out based on consent previously given.
• Right not to be subject to automated decisions (Art. 22 GDPR): You have the right not to be subject to any decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. See section «Automated Decision-Making and Profiling».
How to exercise your rights:
Send a request by email to dpo@claracars.pt or info@claracars.pt with the subject «Exercise of Rights — Data Protection», clearly indicating the right you wish to exercise and your identification details. We may request identity verification (copy of identification document) to ensure data is not disclosed to unauthorized third parties.
Response time: We will respond to your request within a maximum of 30 days (one month) from receipt, pursuant to Article 12(3) GDPR. In cases of particular complexity or high volume of requests, this period may be extended by a further two months, with notification of the extension and reasons. The exercise of these rights is, in principle, free of charge.
Complaints — Portuguese Data Protection Authority (CNPD)
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the competent supervisory authority if you consider that the processing of your personal data violates the GDPR or national data protection legislation.
In Portugal, the supervisory authority is:
Comissão Nacional de Proteção de Dados (CNPD)
Address: Av. D. Carlos I, 134, 1.º, 1200-651 Lisboa
Website: https://www.cnpd.pt
Email: geral@cnpd.pt
Phone: +351 213 928 400
We recommend that before lodging a complaint with the CNPD, you contact us directly (dpo@claracars.pt) so we may attempt to resolve your concern promptly and satisfactorily.
Personal data security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, pursuant to Article 32 GDPR.
Technical measures:
• Data encryption in transit (HTTPS/TLS protocol) across the entire site.
• Logical access controls with strong authentication on internal systems.
• Servers hosted in security-certified data centers within the European Union.
• Regular automated backups with encrypted storage.
• Access monitoring and security alerts.
• Regular software updates and security patches.
Organizational measures:
• Staff training and awareness on personal data protection matters.
• Confidentiality agreements with all employees and service providers who access personal data.
• Access restrictions based on the need-to-know principle.
• Internal data security incident response procedures (CNPD notification within 72 hours, pursuant to Art. 33 GDPR).
• Periodic review of security policies and procedures.
Important note: No security system is absolutely impenetrable. Although we continuously strive to protect your data, we cannot guarantee absolute security of information transmitted electronically or stored in our systems.
Children's data
Our services are not intended for persons under 16 years of age. We do not knowingly collect personal data from children under 16 without verifiable consent from their legal representatives (holders of parental responsibility), pursuant to Article 8 GDPR and Article 16 of Law No. 58/2019.
If we become aware that personal data of a child under 16 has been inadvertently collected without proper parental consent, we will promptly delete it. If you become aware of such a situation, please contact us immediately at dpo@claracars.pt.
Automated decision-making and profiling
We do not use solely automated decision-making processes, including profiling, that produce legal effects on the data subject or similarly significantly affect them, within the meaning of Article 22 GDPR.
Vehicle valuations presented on our website are generated based on market analysis algorithms, but constitute mere indicative estimates and do not produce any binding legal effect. Any commercial proposal is always subject to human confirmation and acceptance by both parties.
Changes to this policy
This Privacy Policy may be updated periodically to reflect changes in our data processing practices, applicable legislation, or guidance from supervisory authorities.
In the event of substantial changes, we will endeavor to notify you through a prominent notice on our website or, where we have your email address and it is legally required, by email.
The updated version will always be available on this page, with indication of the date of the last revision. Continued use of our website after publication of changes constitutes acceptance thereof.
We recommend that you periodically consult this page to stay informed about our data protection practices.
Last updated: June 2026.
Contact and Data Protection Officer
TransparentCaprice Lda
NIF: 517840642
Porto, Portugal
General email: info@claracars.pt
Phone: +351 XXX XXX XXX
Data Protection Officer (DPO):
Email: dpo@claracars.pt
For any questions regarding the processing of your personal data or the exercise of your rights, please contact us preferably through the DPO email indicated above.
