GDPR Compliance

Last updated: 1 June 2026

Our Commitment

Caribou Flow is committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This page outlines how we meet our obligations and how you can exercise your rights.

Data Controller

Caribou Flow is the data controller for personal information collected through this website and our car hire services.

Contact:
Caribou Flow
47 Whiteladies Road
Clifton, Bristol BS8 2LS
United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process personal data under the following lawful bases:

Contract Performance

When you book a vehicle, we process your data to fulfil our contractual obligations. This includes your name, contact details, driving licence information, and payment details.

Legal Obligation

Certain processing is required by law, including identity verification for vehicle hire and retention of financial records for tax purposes.

Legitimate Interests

We process some data based on legitimate business interests, such as fraud prevention and service improvement. We balance these interests against your rights and freedoms.

Consent

For marketing communications, we rely on your explicit consent. You can withdraw consent at any time.

Your Rights Under GDPR

Right of Access (Article 15)

You can request a copy of all personal data we hold about you. We will respond within one month.

Right to Rectification (Article 16)

If any data we hold is inaccurate or incomplete, you can request correction.

Right to Erasure (Article 17)

You can request deletion of your personal data where there is no compelling reason for continued processing. Note that legal obligations may require us to retain certain data.

Right to Restrict Processing (Article 18)

You can request that we limit how we use your data in certain circumstances.

Right to Data Portability (Article 20)

You can request your data in a structured, commonly used format to transfer to another service.

Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing purposes.

Rights Related to Automated Decision-Making (Article 22)

We do not use automated decision-making that produces legal effects concerning you.

Exercising Your Rights

To exercise any of these rights, contact us at [email protected] with the subject line "Data Rights Request". We will:

  • Verify your identity before processing any request
  • Respond within one month (extendable by two months for complex requests)
  • Provide our response free of charge (unless requests are manifestly unfounded or excessive)

Data Protection Measures

We implement appropriate technical and organisational measures:

  • SSL/TLS encryption for data in transit
  • Encrypted storage for sensitive data
  • Access controls limiting data access to authorised personnel
  • Regular security assessments
  • Staff training on data protection
  • Incident response procedures

International Transfers

We primarily store and process data within the United Kingdom. Where data is transferred outside the UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses.

Data Breaches

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours and inform affected individuals without undue delay.

Complaints

If you are not satisfied with how we handle your data or respond to your requests, you have the right to lodge a complaint with the Information Commissioner's Office:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Website: ico.org.uk