PRIVACY POLICY
FOR ENTERPRISE SERVICES

This privacy policy (the “Privacy Policy”) explains how carVertical (also "we," "us," or "our") collects, uses, and protects personal data when your organization (the “Client”) uses our Enterprise vehicle report services (the “Enterprise Services”) provided on the website www.carvertical.com or any other platform operated by us.

This Privacy Policy should be read together with our Privacy policy for users of the website/app services, which provides additional details on data processing activities common to all users of the www.carvertical.com (or its mobile application).

Please take a moment to read this important information.

1. Who Controls Personal Data?

1.1. The company that controls the personal data collected for the Enterprise Services is UAB cV Group (carVertical), legal entity code 303134915, with its address at Aukštaičių str. 7, LT-11341 Vilnius, Lithuania.

1.2. Because our Enterprise Services are intended for business use (B2B), we collect personal data in the course of maintaining the business relationship between us and the Client. The Client is responsible for any personal data arising from its team's use of the Enterprise Services, including the personal data of its representatives.

2. Why Is Personal Data Processed?

2.1. We process the personal data to enable and support your organization’s use of the Enterprise Services, which includes:

1. 1.2.1.1. Managing the Client’s business account, handling the Client authentication, enabling use of the Enterprise Services, and processing the payment.

2. 2.2.1.2. Ensuring the security and confidentiality of the Enterprise Services, and improving the platform and services.

3. 3.2.1.3. Meeting all legal obligations (such as anti-fraud laws), sending relevant updates and communications, and providing technical support and customer service.

4. 4.2.1.4. Sending B2B direct marketing communications.

3. What Personal Data We Collect?

3.1. We collect the following personal data, necessary to manage the Enterprise Services for the Client:

1. 1.3.1.1. Business Account and Usage Data: Full name, work email, job title of the Client representative; other registration details; information needed to verify the Client; user ID, login details, and other service operation data.

2. 2.3.1.2. Billing and Contract Data: Contract details, payment details, and other financial data, which may include personal data of the Client representative.

3. 3.3.1.3. Technical Data: IP address, device and browser details, operating system, and usage timestamps, used to diagnose issues, ensure security, and assess performance.

3.2. Our Enterprise Services provide vehicle history reports using vehicle-related data, which is technical and historical information derived from the VIN (e.g., mileage, damages, etc.). More detailed information on the handling of this data is available in our dedicated Privacy Notice on the Processing of Vehicle Data.

4. On What Legal Basis Do We Process Personal Data?

4.1. We process personal data because it is necessary for our business needs (legitimate interest), which include implementing the B2B contract (e.g., managing the account, processing billing, and providing access to the Enterprise Services), ensuring the security and operation of the Enterprise Services, promoting similar services, and growing the business.

4.2. We may process some data to meet our legal obligations (e.g., storing financial information for tax and accounting purposes or complying with anti-fraud laws).

4.3. Where required by law for electronic communications (e.g., B2B marketing for non-similar products), we obtain necessary consent.

5. How Long Will We Retain Personal Data?

5.1. Data related to account and service usage will be retained for up to 5 years following the termination of the agreement.

5.2. We will retain payment and financial information for as long as required by applicable accounting and tax laws, which is typically up to 10 years.

5.3. We keep data related to disputes for up to 10 years after the issue is resolved, and requests from data subjects for 2 years after we’ve responded.

5.4. B2B marketing communications data based on consent will be kept until consent is withdrawn.

6. How We Collect Personal Data?

6.1. We collect personal data directly from the person (e.g., during business account setup or when providing your organization verification information).

6.2. In some cases, data may be provided by the Client or a third party or automatically gathered through the Enterprise Services platform or other tracking tools we use.

7. How is Personal Data Shared and Transferred?

7.1. We may share personal data with partners who help us manage and operate our Enterprise Services. This includes service providers such as:

1. 1.7.1.1. Hosting service providers. Our main providers: Amazon Web Services, Inc. and Mongo DB for cloud hosting services (Mongo DB data may be transferred to the USA under Standard Contractual Clauses).

2. 2.7.1.2. Payment service providers. Our main providers: Neopay Ltd / PayPal (Europe) S.à r.l. et Cie, S.C.A. / Krajowy Integrator Płatności S.A. (Tpay) / Adyen N.V. for payment processing services.

3. 3.7.1.3. Cloud storage and communication tools provider: Google LLC (data may be transferred to the USA under Standard Contractual Clauses).

4. 4.7.1.4. Providers of team collaboration, productivity, and communication tools. Our main providers: Atlassian Corporation Plc (Jira and Confluence) (data may be transferred to the USA under Standard Contractual Clauses) and Slack Technologies LLC (data may be transferred to the USA under Standard Contractual Clauses).

5. 5.7.1.5. Document management and CRM systems providers. Our main providers: Avokaado OÜ (document management) and HubSpot, Inc. (CRM) (data may be transferred to the USA under Standard Contractual Clauses).

6. 6.7.1.6. Data integration and analysis service providers. Our main providers: Salesforce Inc. (data may be transferred to the USA under Standard Contractual Clauses), Fivetran, Inc. (data may be transferred to the USA under Standard Contractual Clauses), Confluent Inc. (data may be transferred to the USA under Standard Contractual Clauses) and Atlan Pte. Ltd (data may be transferred to the USA under Standard Contractual Clauses)

7. 7.7.1.7. Platform operation service providers. Our main providers: Functional Software Inc. (Sentry) (data may be transferred to the USA under Standard Contractual Clauses), Posthog, Inc. (data may be transferred to the USA under Standard Contractual Clauses), Datadog, Inc. (data may be transferred to the USA under Standard Contractual Clauses), Vercel, Inc. (data may be transferred to the USA under Standard Contractual Clauses)

8. 8.7.1.8. Customer support software service provider: Freshworks Inc. (Freshdesk) (data may be transferred to the USA under Standard Contractual Clauses).

9. 9.7.1.9. Customer and marketing engagement service providers. Our main providers: Klaviyo, Inc. (data may be transferred to the USA under Standard Contractual Clauses) and AC PM LLC (Postmark) (data may be transferred to the USA under Standard Contractual Clauses)

10. 10.7.1.10. Other vendors and our legal, financial, compliance and business advisors.

7.2. We may share personal data with other related companies - carVertical OÜ.

7.3. In the case of a business transfer, like a merger or sale, personal data may be transferred to the new owner. We may also share data with law enforcement or government authorities if legally required.

7.4. When it is necessary, we may transfer personal data outside of the EU/EEA. If we do, we'll ensure these data remains protected by using approved methods like Standard Contractual Clauses (SCCs) or other legal safeguards.

8. Your Rights

8.1. You have following rights:

1. 1.8.1.1. Right of Access: Request confirmation that we process your data and obtain a copy.

2. 2.8.1.2. Right to Rectification: Ask us to correct any inaccurate or incomplete data.

3. 3.8.1.3. Right to Restriction: Request limited processing, e.g., while we review a correction.

4. 4.8.1.4. Right to Erasure: Ask us to delete your data when it’s no longer needed or processed unlawfully.

5. 5.8.1.5. Right to Portability: Receive your data in a common electronic format or have it transferred to another provider.

6. 6.8.1.6. Right to Object / Withdraw Consent: Object to processing based on legitimate interests or withdraw consent at any time.

7. 7.8.1.7. Right to Complaint: File a complaint with your data protection authority if you’re concerned about our practices.

8.2. You may exercise these rights in accordance with the conditions and limitations set out in the GDPR. To do so, please contact us at info@carvertical.com or dpo@carvertical.com. We may need to verify your identity for security reasons before we can fulfill your request.

8.3. We will respond to your request within one month of receipt and will either take the requested action or explain why we cannot do so. If the request is complex or we receive multiple requests, we may extend this period by up to two months, and you will be informed of any extension within the initial one-month timeframe.

9. Automated Decision-Making, Including Profiling

9.1. We do not make decisions based solely on automated processing, including profiling, that would produce legal effects concerning you or similarly significantly affect you.

10. How Do We Use Cookies?

10.1. When you visit our website www.carvertical.com, we use cookies as described in our Cookies Policy. These cookies help enhance your browsing experience and ensure the site functions properly.

11. Changes to This Privacy Policy

11.1. We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new Privacy Policy on our website or by other appropriate means.

12. Contact Us

12.1. If you have any questions about this Privacy Policy or our data processing practices, please contact us at info@carvertical.com.

Last Updated: December 16, 2025