What personal data we collect, why, how long we keep it, who we share it with, and the rights you have under UK GDPR.
cheap car tow is a booking and price-publication service. The recovery itself is performed by an independent PAS 43 compliant operator dispatched at the published rate. See terms for the operator-panel arrangement.
Cheap Car Tow Ltd is the data controller for personal data collected through the website and the booking line. Companies House number TBC. ICO fee number TBC.
Data protection contact: hello@cheapcartow.co.uk with the subject prefix "DPO" or "DSAR" for subject access. Postal address: the registered office published on the contact page.
Booking data: name, phone, vehicle registration, vehicle class, pickup location, destination, and notes. Lawful basis: contract performance (UK GDPR Article 6(1)(b)). Without this data we cannot dispatch the operator.
Payment data: card details handled by the payment processor; we do not store full card numbers on our systems. Lawful basis: contract performance and legal obligation (VAT records).
Communications: emails, support tickets and call recordings (where call recording is enabled). Lawful basis: legitimate interests in service quality and dispute resolution; legal obligation for billing-related communications.
Analytics: standard web analytics if you consent to analytics cookies. Lawful basis: consent (UK GDPR Article 6(1)(a)).
The PAS 43 compliant operator dispatched to your recovery: location, vehicle class and registration, destination, and your contact number for arrival communication. The operator is a separate controller for the operator-side records.
Payment processor: card details to authorise the payment.
Email provider: the recovery sheet and booking confirmations are sent through a UK-based email infrastructure.
Insurer: where the recovery is insurer-instructed the recovery sheet and invoice are sent to the instructing insurer.
Police, HMRC, ICO or other regulator: where required by law or to resolve a complaint.
Billing records: six years from the end of the financial year of the booking. This is the HMRC retention requirement for VAT records.
Recovery sheet and operational records: three years from the date of the recovery.
Marketing data: until you withdraw consent.
Job applications: six months from the closing date of the role.
After retention, records are deleted from active systems and from backups on the next backup cycle.
Subject access (Article 15): you can ask for a copy of your data.
Rectification (Article 16): you can ask us to correct inaccurate data.
Erasure (Article 17): you can ask us to delete data we hold, subject to the legal retention overrides.
Restriction (Article 18): you can ask us to restrict processing pending review.
Portability (Article 20): you can ask us to send a machine-readable copy of your data to you or another controller.
Objection (Article 21): you can object to processing based on legitimate interests.
Automated decision-making (Article 22): we do not make automated decisions with legal or similarly significant effects.
By default we host the active service on UK and EEA infrastructure. Where a sub-processor is outside the UK/EEA we use a standard contractual clause and an additional safeguards assessment.
The list of active sub-processors is available on request; the data protection contact replies inside ten business days.
Booking data is encrypted in transit (TLS 1.2 or better) and at rest. Access to booking data is limited to dispatch and customer-support staff with role-based controls. Sub-processors are reviewed annually.
Where a personal data breach occurs that meets the UK GDPR notification threshold we notify the ICO inside 72 hours and the affected individuals inside the same window where their rights are at high risk.
UK GDPR Article 6 requires a lawful basis for each processing activity. The bases for the activities we run are set out in detail below.
Each lawful basis is recorded in the data processing register held by the data protection contact and is reviewed annually against the ICO lawful-basis guidance.
When you book a recovery the booking record is shared with the PAS 43 compliant operator dispatched to your booking. The data shared is the minimum needed to fulfil the recovery: location, vehicle class and registration, destination, contact phone number, and access notes.
The operator is a separate data controller for the operator-side records (their recovery sheet, their internal job log, their accounting records). The shared data flows under a written data-sharing agreement that requires the operator to: hold the data only for the duration of the booking and the legal retention period thereafter; use it only for the recovery and any post-recovery insurance correspondence; apply security controls equivalent to ours; and notify us inside 24 hours of any personal-data breach on their side.
We do not share the data with non-dispatched operators (operators on the panel who were not chosen for this booking). We do not share the data with marketing agencies, telematics providers, or any third party not directly involved in fulfilling the recovery.
UK GDPR Article 35 requires a Data Protection Impact Assessment (DPIA) for processing that is likely to result in a high risk to individuals. Our DPIA register currently covers: vulnerability-flag processing on the customer record (Article 9 special category data), call recording on the dispatch line (large-scale processing of identifying voice data), and any new sub-processor added to the data flow.
Each DPIA follows the ICO methodology: describe the processing, assess necessity and proportionality, identify risks to individuals, identify mitigations, document the residual risk. Where the residual risk is high after mitigations, we consult the ICO before processing.
DPIAs are reviewed annually or when the processing materially changes. The DPIA documents are not public (they contain commercial-sensitive technical detail) but a redacted summary is available on request to the data protection contact for any individual who is materially affected by the processing.
If you are not satisfied with how we have handled your personal data, complain first to us at the data protection contact email; we reply inside one calendar month.
If still not satisfied, complain to the Information Commissioner's Office at ICO complaints or by post at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
First published 2026-05-17. The privacy policy is reviewed every 12 months or sooner if the cited primary source changes. Material changes (new lawful basis, new escalation route, new scope) are added below with a date and a one-line reason. Editorial corrections (typo, broken link) are not logged here; the live page is the source of truth.
If anything in this privacy policy reads as inaccurate, out of date, or unclear, email the editorial team at hello@cheapcartow.co.uk with the page URL and a description of the issue. The editorial team replies inside three business days; a material correction is published with a dated note in this section. External escalation routes (ICO, Trading Standards, Financial Ombudsman Service) apply where the relevant complaint is in scope for the regulator.
Cheap Car Tow Ltd, ICO fee number TBC. Contact via the email published on the contact page.
Contract performance under UK GDPR Article 6(1)(b). We cannot deliver the recovery without the data.
Yes; the operator needs the location, the vehicle class and registration, the destination and a contact number to attend. The operator is a separate controller for the operator-side records.
Six years for billing-related records (HMRC requirement); three years for non-billing operational records. After retention the records are deleted.
Yes. Email a subject access request (SAR) to the data protection contact at hello@cheapcartow.co.uk. We reply within one calendar month per UK GDPR.
Essential cookies only by default; analytics and marketing cookies require your consent. See the cookie policy for the full inventory and the consent mechanism.
Published price, PAS 43 compliant operator, 24/7 dispatch.