Information about our privacy policy

This policy was last amended on 14 May 2018 to comply with the new GDPR law which supersedes the DPA, by using our website and our services you consent to this privacy policy.

If we decide to change this policy, we will post those changes on this page, and update the privacy policy modification date above.

We are a “data controller” for the purposes of the Act, as we process personal data on your behalf. With this deadline approaching, we are currently in the process of contacting all of our data subjects to inform them of our terms of business that meet the requirements of GDPR.

If you have any questions regarding this privacy policy you may contact our DPO at

Or contact us directly:

Carlton Motors Ltd 54 Springfield Road, Welling, Kent. DA16 1QW

What information do we collect?

We collect information from you when you place an order, fill out a form or make a payment.

When contacting us on the phone, we record your call for Contract, training and quality control purposes.

When contacting us from this site you may be asked to enter your name, e-mail address or phone number as appropriate. You may, however, visit our site anonymously.

For placing Bookings online

We require you to use a separate site ( We implement a variety of security measures to maintain the safety of your personal information when you place an order:

Our booking site is a secure server. All supplied sensitive/credit information is transmitted via Secure Socket Layer (SSL) technology. This is then encrypted into our payment gateway provider's database, it is only to be accessible by those authorized with special access rights to such systems, and who are required to keep the information confidential.

After a transaction, sensitive private information (social security numbers, financials, etc.) will not be stored on our servers.

For bookings placed by App.

We implement a variety of security measures to maintain the safety of your personal information when you place an order:

Our booking site is a secure server. All supplied sensitive/credit information is transmitted via Secure Socket Layer (SSL) technology. This is then encrypted into our payment gateway provider's database, it is only to be accessible by those authorized with special access rights to such systems, and who are required to keep the information confidential.

After a transaction, sensitive private information (social security numbers, financials, etc.) will not be stored on our servers.

Do we use cookies?

Yes. Cookies are small files that a site or its service provider transfers to your computer's hard drive through your web browser (if you allow). This enables the sites or service providers systems to recognize your browser and capture and remember certain information.

We use cookies to compile aggregate data about site traffic and site interaction so that we can offer better site experiences and tools in the future. We may contract with third-party service providers to assist us in better understanding our site visitors. These service providers are not permitted to use the information collected on our behalf except to help us conduct and improve our business.

What do we use your information for?

Any of the information we collect from you may be used to:

Improve customer service. Your information helps us to more effectively respond to your customer service requests and support needs.

Process transactions.

Send periodic emails. The email address you provide for order processing, may be used to send you information and updates pertaining to your order. These updates may on occasion also include company news, updates, related product or service information, etc.

Lawful basis for processing your personal data

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

If customers do not provide the information required for processing transactions, then we will be unable to provide a service to the customer.

Processing of your personal data

Description of processing

The following is a broad description of the way this organisation/data controller processes personal information. Or see ICO Register of Data Controllers – Registration Number: Z6883971.

We process personal information to enable us to promote our goods and services, to maintain our accounts and records and to support and manage our staff.

We process information relevant to the above reasons/purposes. This may include:

Personal details.

Family, lifestyle and social circumstances.

Financial details

Employment and education details.

Goods or services provided.

We also process sensitive classes of information that may include:

Physical or mental health details.

Racial or ethnic origin.

Religious or other beliefs of a similar nature.

Trade union membership.

We may at times need to share the personal information we process with the individual themselves and also with other organisations. Where this is necessary we are required to comply with all aspects of the General Data Protection Regulation (GDPR).

What follows is a description of the types of organisations we may need to share some of the personal information we process with for one or more reasons

Where necessary or required we share information with:

family, associates and representatives of the person whose

personal data we are processing

employment and recruitment agencies

current, past and prospective employers

educators and examining bodies

central government

credit reference agencies

suppliers and service providers

debt collection and tracing agencies

financial organisations




CCTV is used for maintaining the security of property and premises and for prevention and investigating crime, it may also be used to monitor staff when carrying out work duties. For these reasons the information processed may include visual images, personal appearance and behaviours. This information may be about staff, customers and clients, offenders and suspected offenders, members of the public and those inside, entering or in the immediate vicinity of the area under surveillance. Where necessary or required this information is shared with the data subjects themselves, employees and agents, services providers, police forces, security organisations and persons making an enquiry.

It may sometimes be necessary to transfer personal information overseas. When this is needed information is only shared within the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of the data protection act.


Do we disclose any information to outside parties?

We do not sell, trade, or otherwise transfer to outside parties your personally identifiable information. This does not include trusted third parties who assist us in operating our website, conducting our business, or servicing you, so long as those parties agree to keep this information confidential.

Our third party partners are:

The Cracking Good Design Company. (website design)


Cordic Ltd. Progress House Rowles way Swavesey, Cambridge, CB24 4UG.

We may also release your information when we believe release is appropriate. For example, this may be to comply with the law, enforce our site policies, or protect ours or others rights, property, or safety. However, non-personally identifiable visitor information may be provided to other parties for marketing, advertising, or other uses.

Retention Policy

Carlton does not hold data which we have not gained for contractual obligations after 30 days, depending on the sensitivity of this data, it will be deleted instantly. Ranks of sensitivity will be outlined below, as well as some exceptions where data may be held longer lawfully.

Where personal data is held

Carlton holds personal data in a few different locations, these can include: Our own database servers, email accounts, desktops, employee owned devices, paper files and backup storage.

Procedures in place for deletion

Accounts related data that is processed via our database server are subject to a 1 year non-usage review of the account, followed up by a further 6 month review before the deletion of personal or sensitive data. Also upon request by the authorised account holder data will be deleted from both database servers within 30 days of the request followed up by a privacy notification and confirmation of the deletion except where that holds contractual information which must be held for legal purpose.

Employee and mobile users including sub-processors who process data on behalf of our company are subject to a systematic daily purge when data is only held on an encrypted server managed by Cordic Software..

Exceptions where data may be held longer than our 30-day retention period

Financial data stored on our accounts server or stored as hard copies are held for up to 7 years before disposal due to TAX and VAT legalities.

Ranks of sensitive data – Different retention periods

Security criticality of sensitive or personal data which we process will be described and provided for in section 3.1 below, this policy contains requirements for the deletion of any data we process either personal or sensitive ranked 'low', 'medium' and 'high'.

System data ranking

1 – High – For the requirement of our business and the completion of contractual obligations with our clients it is very important to us that any financial data we store or process for or on behalf of our clients is subject to immediate tokenisation/masking of card details which include CVV/CVV2 information, card number and expiration date. However if data is to be processed as a one off request this data will be deleted after processing with immediate effect unless contractual consent is gained.

2 – Medium – Account data which may include but not limited to personal data and goods or services provided will be subject to regular review of the data stored for the purpose of maintaining account records. This data allows us to complete our contractual agreements and can include but not limited to the client's name, address and contact details. Upon request by the authorised account holder this data can be deleted from our systems within 30 days of the request except where this is required for legal compliance.

3 – Low – Sensitive classes of information that may include physical or mental health issues, racial or ethnic origin, religious or other beliefs of a similar nature and trade union memberships are stored for legalities but are not processed. We do not use profiling nor automated decision making systems as a part of our company policies. Deletion of this data is subject to but not limited to either upon request or legal obligations.

Your rights as a data subject

We have a robust process for dealing with customer queries and subject access request is in place, this includes but not limited to the right to withdraw any processing of your personal data and to remove any personal or sensitive data.

The request can be made via email

or Telephone 020 8303 2222

Your right to request from the controller restriction of processing of personal data can be applied upon request by the authorised account holder.

You have a right to lodge a complaint with a supervisory authority in regards to how your information has been handled. Please contact the Information Commissioner's Office (ICO).

Client account data is stored in SQL tablespaces & data file formats which can be exported into either a Microsoft excel spreadsheet or Adobe PDF which is then encrypted with a password before sending out electronically. Immediate access to account details is available to clients with web access to our online booking platform which allows the client to update or change the account records, this functionality is secured using a Secure Socket Layer (SSL).

Childrens Online Privacy Protection Act Compliance

We are in compliance with the requirements of COPPA (Childrens Online Privacy Protection Act). We do not collect any information from anyone under 13 years of age. Our website, products and services are all directed to people who are at least 13 years old or older.