Privacy Policy

1. INTRODUCTION

Welcome to the Privacy Policy of Sanu Recovery and Breakdown Services ("Company," "we," "us," or "our"). We are committed to protecting your personal data and respecting your privacy.

This Privacy Policy explains how we collect, use, store, protect, and share your personal information when you use our website, platform, and services. It also describes your rights regarding your personal data and how to exercise them.

By using our Platform and services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our services.

2. DATA CONTROLLER INFORMATION

Data Controller: Sanu Recovery and Breakdown Services

Contact Information:

• Email: info@sanurecovery.co.uk
• Phone: 078 3333 93 09
• Business Hours: Monday - Friday, 9 AM - 6 PM (UK time)

For data protection inquiries, you can contact us at the email and phone number above.

3. INFORMATION WE COLLECT

We collect various types of personal data to provide and improve our services. The information we collect falls into the following categories:

3.1 Identity and Contact Data

• Full name
• Phone number(s)
• Email address
• Postal address or billing address (if provided)

3.2 Service-Related Data

• Vehicle registration number
• Vehicle make, model, color, and year
• Vehicle condition and breakdown details
• Pickup location address and GPS coordinates
• Drop-off/destination address
• Preferred service date and time
• Special requirements or instructions
• Service history and preferences

3.3 Payment and Transaction Data

• Transaction history and booking records
• Commission amounts and payment status
• Refund requests and outcomes
• Payment method type (we do not store full card details)
• Billing address

3.4 Technical Data

• IP address and device identifiers
• Browser type and version
• Device type (mobile, desktop, tablet)
• Operating system
• Cookies and similar tracking technologies (see our Cookie Policy)
• Pages visited and time spent on Platform
• Referral source (how you found our Platform)

3.5 Communication Data

• Emails sent and received
• SMS messages for booking confirmations and updates
• Live chat logs or customer support tickets
• Phone call records (we may record calls for quality and training purposes with your consent)
• Feedback, reviews, and survey responses

4. HOW WE USE YOUR DATA

We use your personal data for various purposes to provide, maintain, and improve our services:

4.1 Service Delivery

• Process and fulfill booking requests
• Coordinate with Service Providers on your behalf
• Communicate service details, updates, and confirmations
• Provide customer support and handle inquiries
• Facilitate payment processing
• Send booking confirmations and service updates via email or SMS

4.2 Platform Operation and Improvement

• Maintain and improve Platform functionality
• Analyze usage patterns and performance metrics
• Conduct research and development
• Test new features and services
• Optimize user experience
• Troubleshoot technical issues

4.3 Business Operations

• Manage customer bookings and inquiries
• Process refunds and handle disputes
• Maintain business records and accounting
• Comply with legal and regulatory obligations
• Prevent fraud, abuse, and security threats
• Enforce our Terms and Conditions

4.4 Marketing and Communications (With Your Consent)

• Send promotional offers and service updates
• Conduct customer satisfaction surveys
• Provide personalized recommendations
• Email newsletters about our services

5. LEGAL BASIS FOR PROCESSING

Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following legal bases:

5.1 Contract Performance (Article 6(1)(b))

We process your data to perform our contract with you, including:

• Processing bookings and coordinating services
• Handling payments and refunds
• Delivering the services you requested

5.2 Legal Obligations (Article 6(1)(c))

We process your data to comply with legal requirements, including:

• HMRC tax requirements
• Anti-money laundering regulations
• Companies House filing requirements
• Responding to court orders or legal requests

5.3 Legitimate Interests (Article 6(1)(f))

We process your data based on our legitimate business interests, including:

• Platform security and fraud prevention
• Business analytics and service improvement
• Customer service and support
• Internal administrative purposes

We always balance our interests against your rights and freedoms. You have the right to object to processing based on legitimate interests.

5.4 Consent (Article 6(1)(a))

We obtain your consent for:

• Marketing communications (newsletters, promotional offers)
• Optional analytics cookies (see our Cookie Policy)
• Recording phone calls
• Third-party integrations (where applicable)

You can withdraw your consent at any time without affecting the lawfulness of processing before withdrawal.

6. DATA SHARING AND DISCLOSURE

We share your personal data only in the following circumstances:

6.1 With Service Providers (Third-Party Recovery Companies)

When we coordinate third-party services, we share necessary information with independent Service Providers:

• Your name and contact details
• Vehicle information
• Pickup and drop-off locations
• Service requirements and special instructions

Important: This sharing is essential for service delivery. Service Providers are independent businesses and handle your data under their own privacy policies. We make reasonable efforts to work with reputable providers but cannot control their data practices.

6.2 With Service Partners and Processors

We share data with trusted third-party service providers who assist our operations:

• Payment processors: For transaction handling (payment card data is handled securely by PCI-DSS compliant processors)
• Cloud hosting providers: For data storage and platform infrastructure
• Email and SMS service providers: For communications (e.g., EmailJS, SMS gateways)
• Analytics platforms: For usage analysis (e.g., Google Analytics with IP anonymization)
• Customer support tools: For managing inquiries and tickets

These partners are contractually obligated to protect your data and use it only for specified purposes on our behalf.

6.3 Legal and Regulatory Authorities

We may disclose data when required by law or to:

• Comply with legal obligations, court orders, or regulatory requests
• Enforce our Terms and Conditions
• Protect our rights, property, or safety
• Protect the rights, property, or safety of our users or the public
• Prevent or investigate fraud, security issues, or illegal activity
• Respond to requests from law enforcement or government agencies

6.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your data may be transferred to the new owner. You will be notified of any such change, and the new owner will be required to handle your data in accordance with this Privacy Policy or provide you with a new policy.

6.5 With Your Consent

We may share your data with other third parties when you have given us explicit consent to do so.

7. DATA RETENTION

We retain your personal data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce our agreements.

7.1 Retention Periods

Data Type	Retention Period	Reason
Booking and transaction records	7 years from transaction date	Legal and tax compliance (HMRC requirements)
Communication records (emails, SMS, calls)	3 years from interaction	Customer service and dispute resolution
Marketing consent data	Until consent is withdrawn	To honor your marketing preferences
Technical and analytics data	Up to 26 months	Platform improvement and analytics

7.2 Data Deletion

After retention periods expire, we will:

• Securely delete or destroy your personal data
• Anonymize data so it can no longer identify you
• Retain only what is necessary for legal compliance

You may request earlier deletion of your data, subject to our legal obligations and legitimate business interests (see Section 8).

8. YOUR DATA PROTECTION RIGHTS

Under UK GDPR, you have important rights regarding your personal data. We are committed to facilitating the exercise of these rights.

8.1 Right to Access (Subject Access Request)

You have the right to request a copy of the personal data we hold about you. We will provide this information free of charge within 30 days.

What we will provide:

• Confirmation that we are processing your data
• A copy of your personal data in a commonly used format
• Information about how we use your data
• Information about who we share your data with
• How long we retain your data

8.2 Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data. We will update your information within 30 days and notify any third parties to whom we have disclosed the data.

8.3 Right to Erasure ("Right to be Forgotten")

You have the right to request deletion of your personal data in the following circumstances:

• The data is no longer necessary for the purposes for which it was collected
• You withdraw consent (where processing is based on consent)
• You object to processing based on legitimate interests, and there are no overriding legitimate grounds
• The data has been unlawfully processed
• Legal obligation requires deletion

Limitations: We may be unable to delete your data if we need to retain it for:

• Compliance with legal obligations (e.g., tax records)
• Establishment, exercise, or defense of legal claims
• Fulfilling contractual obligations

8.4 Right to Restriction of Processing

You have the right to request that we limit how we use your data in certain circumstances, such as:

• You contest the accuracy of the data (while we verify accuracy)
• Processing is unlawful, but you don't want the data deleted
• We no longer need the data, but you need it for legal claims
• You have objected to processing (pending verification of our legitimate grounds)

8.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., CSV, JSON) and to transmit it to another service provider where:

• Processing is based on consent or contract performance
• Processing is carried out by automated means

8.6 Right to Object

You have the right to object to processing of your personal data where:

• Processing is based on legitimate interests: You can object, and we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests
• Direct marketing: You can object at any time, and we will stop processing your data for marketing purposes immediately

8.7 Right to Withdraw Consent

Where processing is based on your consent, you have the right to withdraw consent at any time. This does not affect the lawfulness of processing before consent was withdrawn.

8.8 Right to Complain

You have the right to lodge a complaint with the supervisory authority if you believe your data protection rights have been violated:

8.9 How to Exercise Your Rights

To exercise any of these rights, please contact us:

• Email: info@sanurecovery.co.uk
• Phone: 078 3333 93 09

What to include in your request:

• Your full name and contact details
• Description of your request and which right you're exercising
• Proof of identity (for security purposes, e.g., copy of ID or utility bill)
• Booking reference number (if applicable)

Response timeframe: We will respond within 30 days of receiving a valid request. For complex requests, we may extend this by up to 60 additional days, and we will inform you of the extension and reasons.

9. DATA SECURITY

We take the security of your personal data very seriously and implement industry-standard measures to protect it from unauthorized access, loss, alteration, or disclosure.

9.1 Security Measures

We employ the following security measures:

• Encryption in transit: All data transmitted to and from our Platform is encrypted using HTTPS/TLS protocols
• Encryption at rest: Sensitive data stored in our databases is encrypted
• Access controls: Only authorized personnel have access to personal data, on a need-to-know basis
• Authentication: Strong authentication mechanisms protect access to systems and data
• Regular security audits: We conduct periodic security assessments and vulnerability scans
• Software updates: We keep our systems and software up to date with security patches
• Staff training: Our team receives regular training on data protection and security best practices
• Secure development practices: We follow secure coding standards to prevent vulnerabilities

9.2 Data Breach Notification

In the unlikely event of a data breach affecting your personal data:

• We will notify you within 72 hours as required by UK GDPR
• You will be informed of:
  • The nature of the breach and data affected
  • Potential risks and consequences
  • Measures taken to address the breach
  • Steps you can take to protect yourself
• We will report the breach to the ICO if required by law
• We will take immediate action to contain and remediate the breach

9.3 Your Responsibility

While we implement robust security measures, you also have responsibilities:

• Be vigilant: Watch out for phishing emails or suspicious communications claiming to be from us
• Verify requests: If you receive suspicious requests for information, contact us directly to verify
• Keep contact information updated: Ensure we can reach you for important security notifications
• Report suspicious activity: Contact us immediately at info@sanurecovery.co.uk if you suspect fraud or unauthorized use of your information

10. INTERNATIONAL DATA TRANSFERS

Your personal data is primarily processed and stored within the United Kingdom. However, in some cases, your data may be transferred to or processed in countries outside the UK and European Economic Area (EEA).

10.1 When We Transfer Data

We may transfer your data internationally when:

• Using cloud hosting services with servers outside the UK/EEA
• Working with service providers or partners located outside the UK/EEA
• Coordinating with Service Providers who operate internationally

10.2 Safeguards for International Transfers

When we transfer data outside the UK/EEA, we ensure appropriate safeguards are in place:

• Adequacy decisions: Transfers to countries with adequate data protection as recognized by the UK government
• Standard Contractual Clauses (SCCs): Legally binding contracts approved by the ICO/European Commission
• Binding Corporate Rules: For transfers within multinational organizations
• Certifications: Such as EU-US Data Privacy Framework (where applicable)

These safeguards ensure your data receives equivalent protection to that provided under UK GDPR.

10.3 Your Rights Regarding International Transfers

You have the right to:

• Request information about international transfers of your data
• Obtain a copy of the safeguards we have in place
• Object to international transfers in certain circumstances

For more information about international transfers, contact us at info@sanurecovery.co.uk.

11. CHILDREN'S PRIVACY

Our Platform and services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children.

If you are under 18: Please do not use our Platform or provide any personal information to us.

If you are a parent or guardian: If you become aware that your child has provided us with personal data without your consent, please contact us immediately at info@sanurecovery.co.uk.

Our response: If we become aware that we have inadvertently collected personal data from a child under 18, we will take immediate steps to delete that information from our systems.

12. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational, legal, or regulatory reasons.

12.1 How We Notify You

When we make changes to this Privacy Policy:

• Material changes: We will notify you via email and/or a prominent notice on our Platform at least 30 days before the changes take effect
• Minor changes: We will update the "Last Updated" date at the top of this policy
• The updated policy will be posted on our website

12.2 Your Rights Regarding Changes

• You can review the updated policy at any time on our website
• If you do not agree with the changes, you may request deletion of your data and stop using our services
• Your continued use of our Platform after changes take effect constitutes acceptance of the revised policy

12.3 Version History

You can request previous versions of this Privacy Policy by contacting us at info@sanurecovery.co.uk.

13. CONTACT US