1) Who we are and what we do
We are CitNOW Group Limited (“CitNOW Group”, “us”, “we”, “our”). We are a global provider to the automotive sector, providing innovative solutions that unite customers and retailers to provide improved customer experiences, using technology as the key enabler. Our solutions and products support sales, aftersales, communications, marketing, and related functions within our Customers businesses.
We are committed to ensuring that we fulfill our legal obligations when processing your personal data under both the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), as well as the European Union General Data Protection Regulation (EU GDPR), where applicable. We are also registered with the UK supervisory authority, the Information Commissioner’s Office (“ICO”), in relation to our processing of Personal Data under registration number Z3117589.
Our services operate under the following brands (non-exhaustive list):
- CitNOW (including Video, Imaging and Conversations)
- Dealerweb
- Dealerdesk
- RTC (REALTime Communications)
2) Purpose of this privacy notice
The purpose of this privacy notice is to explain what Personal Data we collect about you and how we process it. This privacy notice also explains your rights, therefore please read it carefully. If you have any questions, you can contact us using the information provided below under the ‘How to contact us’ section.
Important note about our role
In most cases, CitNOW Group acts as a data processor. This means we process personal data on behalf of our clients (such as dealerships or vehicle manufacturers), who act as the data controller. If your personal data has been uploaded into one of our platforms by a dealership or manufacturer, that organisation remains responsible for your information.
If you wish to exercise your data protection rights in relation to that information, please contact the dealership or manufacturer directly. If you send your request to us, we will forward it to the relevant controller but cannot respond directly without their instruction.
3) Who this privacy notice applies to
This privacy notice applies to you if:
- You visit our websites.
- You use or are onboarded to a CitNOW Group product or platform (as a customer or end user).
- You communicate with us.
- Your data is processed by us on behalf of a client (e.g., dealerships or OEMs).
- You are employed by or act on behalf of a client, partner, or supplier.
Local requirements (UK GDPR, EU GDPR, or national laws) are reflected in this notice and our operational practices.
4) What Personal Data is
‘Personal Data’ means any information from which someone can be identified either directly or indirectly. For example, you can be identified by your name or an online identifier.
‘Special Category Personal Data’ is more sensitive personal data, such as health, race, or biometric data. We do not collect this kind of data on behalf of our Customers or through our provision of our services, including our websites.
5) Personal Data we collect
We may collect the following categories of personal data:
- Directly provided information: name, email, phone, job title, company (e.g., via forms, onboarding, support).
- Automatically collected information: device details, browser, IP address, usage logs.
- Customer-provided data: dealership/OEM staff contact details entered into our platforms.
- End-consumer data: buyer information and vehicle media (video/photos, conversations), processed strictly on behalf of dealerships/OEMs.
- Marketing and prospecting data: contact details from events, directories, public sources, or opt-in forms.
We do not knowingly collect data from children under 16 and actively try to mitigate this through check boxes on our website forms.
6) How we collect your Personal Data
We collect most of the Personal Data directly from you through onboarding of our products and services, use of these products and services, website forms and general business actions. However, we may also collect your Personal Data from third parties such as:
- Reputable companies who provide lead generation contact lists.
- Others to whom you have provided consent.
- Publicly available sources such as social media platforms.
7) Roles: Controller vs Processor
| Website users (e.g., contact forms, newsletter signups) |
Controller |
Consent; Legitimate Interests |
| Users of services (dealership employees using platforms) |
Processor |
Contractual obligation with customer |
| Customer onboarding and support records |
Processor |
Contract; Legitimate Interests |
| End-consumer data (uploaded by dealerships) |
Processor |
Contractual obligation with customer |
| Prospecting, B2B marketing outreach |
Controller |
Legitimate Interests; Consent |
| Supplier, contractor, or partner management |
Controller |
Contract; Legal Obligation |
| Third-party integrations |
Processor |
Contractual obligation; written instruction from Controller |
8) Purposes and retention periods
| Customer |
Name, contact details, login credentials |
To fulfil your order / deliver services |
Contract |
6 years following the date of the transaction |
| Consumer (Dealership customer) |
Name, contact details, vehicle information including VIN |
To deliver our services |
Contract |
Set retention per Product, Service or tier |
| Website visitors |
IP address, device/browser data |
Analytics, site optimisation |
Legitimate Interests; Consent |
2 years |
| Business associate |
Name, job title, work email/phone, employer |
Newsletters, promotional updates |
Legitimate Interests; Consent |
2 years following last meaningful contact |
| Supplier/partner |
Name, contact details, business data |
Contract management, compliance |
Contract; Legal Obligation |
7 years |
In some cases, we may retain data for longer if required by law, to resolve disputes, or to enforce our agreements.
Where Personal Data is processed because it is necessary for the performance of a contract to which you are a party, we will be unable to provide our services without the required information.
9) Sharing your Personal Data
We may share your Personal Data with:
- Other entities within the CitNOW Group.
- Trusted service providers and subprocessors (list available on request).
- Integration partners.
- Legal authorities, where required.
We may share or make personal data accessible to our appointed service providers and authorised sub-processors for the purposes of software development, system maintenance and technical support.
All sub-processors engaged by us are subject to written agreements that include provisions no less protective than those we have in place with our customers. Where any sub-processor is located in a Third Country, we ensure that appropriate data transfer mechanisms are implemented in accordance with Article 46 of the UK/EU GDPR, including the use of adequacy decisions, Standard Contractual Clauses (SCCs), or other approved safeguards as required by law. This ensures your data remains protected to a level essentially equivalent to that required by UK/EU law.
In some cases, we may share data with authorised personnel located outside the UK and European Economic Area, including Moldova, Belarus and Georgia where such access is strictly necessary to support our services.
Any such access is subject to appropriate contractual safeguards and technical and organisational measures, including encrypted connections, access controls, monitoring, and restrictions on local storage or download of data. Personal data remains hosted within the UK or EEA and is accessed remotely only.
Where data is accessed from countries that do not benefit from an adequacy decision, we rely on approved transfer mechanisms and additional safeguards to protect personal data in accordance with applicable data protection laws.
10) Marketing Communications
From time to time, we may use your information to contact you with details about our products and services which we feel may be of interest to you. You have the right at any time to stop us from contacting you for marketing purposes. If you wish to exercise these rights, you can do so by following the ‘unsubscribe’ link on any emails received or contacting us at dpo@citnowgroup.com.
We only send marketing communications in compliance with the Privacy and Electronic Communications Regulations (PECR) in the UK and applicable e-privacy laws in the EU.
11) Artificial Intelligence (AI)
We use AI technologies to drive efficiencies within our CitNOW products to provide our customers with better outcomes. We use AI in line with our internal policies and procedures (including human oversight where applicable). For example, we use AI assisted chatbots to assist our customers.
Your personal data may be processed by providers of AI either directly sourced by us or via third party AI tools embedded in systems providing IT services to us. Any use of AI technologies by us will be in accordance with technical and operational safeguards appropriate for data types.
AI functionalities are only available through selected products and services, and are not a requirement of our Products or Services at this time. In the event of a Product or Service including AI functionality, Customers will be made aware of this before subscribing to this through their contracts.
AI Functionalities shall include transparency statements where applicable in line with the EU AI Act.
12) Your rights and how to complain
You have certain rights under UK GDPR and EU GDPR in relation to the processing of your Personal Data, including:
- Right to be informed – to receive clear and transparent information about how we use your personal data;
- Right of access – to request a copy of the personal data we hold about you;
- Right to rectification – to have inaccurate or incomplete personal data corrected;
- Right to erasure – to request deletion of your personal data when it is no longer needed, or if you withdraw consent where consent was the legal basis.
- Right to object to processing – to object to certain types of processing, for example direct marketing.
- Right to restrict processing – to request that we limit the way we use your data in certain circumstances (e.g. while a complaint is being investigated).
- Right to data portability – to request a copy of your data in a commonly used, machine-readable format so you can reuse it with another service.
- Right not to be subject to automated decision-making – to not be subject to decisions made solely by automated means without human involvement, where these decisions have legal or significant effects.
- Right to withdraw consent – where we rely on your consent to process your data, you can withdraw it at any time.
- Right to lodge a complaint – to raise concerns with a supervisory authority if you are unhappy with how we handle your data.
You may contact us to exercise these rights using the details in Section 13. We may need to verify your identity. We will respond within one month unless the request is complex.
Important note: In most cases we act as a data processor on behalf of our customers (dealerships or manufacturers), who are the data controllers. If your personal data has been uploaded into one of our platforms by a dealership or manufacturer, you should exercise your rights directly with that organisation. If you send your request to us, we will forward it to the relevant controller but cannot respond directly without their instruction.
13) How to contact us and our Data Protection Officer
Data Protection Officer – CitNOW Group
9 Millars Brook
Molly Millars Lane
Wokingham
Berkshire
RG41 2AD
Email: dpo@citnowgroup.com
Phone: +44 (0)118 997 7740
EU Representative: Comp-Lex (EU GDPR Representative)
Lindwurmstr. 10
D-80337 Munich
Germany
Email: jn@comp-lex.de
Phone: +49 (0)89 41614295-2
14) Supervisory Authorities
If you are unhappy with how we handle your data, you can complain to your national authority.
Examples include:
For supervisory authorities in other countries within the EU/EEA, see:
https://edpb.europa.eu/about-edpb/about-edpb/members_en
