PRIVACY POLICY — CarNet & CarNinja

Hebel & Margo BV — Last update: November 21, 2025

1. Who are we and how can you contact us?

  • Data controller: Hebel & Margo BV
  • Address: Kapellekensweg 32, 3391 Meensel-Kiezegem, Belgium
  • Company number: BE 0794.199.079
  • General: info@carnet.be
  • Privacy & GDPR: info@carnet.be
  • Response within 1 month (exceptionally 3 months for complex requests, with motivation, in accordance with GDPR Art. 12).

2. Scope

This policy applies to Carnet.be, CarNinja, and all subdomains, apps, APIs and integrations. By using our services, you agree to this policy.

  • Carnet.be
  • CarNinja
  • Subdomains, apps, APIs and integrations

3. What data do we process and why?

Account & profile data

  • Examples: Name, e-mail, phone, address, company name, hashed password
  • Legal basis: Performance of contract + legitimate interest
  • Purposes: Account management, login, support, fraud prevention

Advertisement data (Carnet)

  • Examples: Vehicle info, mileage, photos/videos, price, reactions
  • Legal basis: Performance of contract + legitimate interest
  • Purposes: Publication & display of ads; use of vehicle photos for marketing (e.g. social media, newsletters, example ads) without identifiable personal data of the seller, with opt-out via email

Vehicle analysis (CarNinja)

  • Examples: Photos (incl. EXIF), technical data, AI input/output, risk profiles (primarily vehicle data; EXIF anonymized)
  • Legal basis: Performance of contract + legitimate interest
  • Purposes: Analysis, recommendations, quality control & model improvement (anonymized)

Payment & invoicing data

  • Examples: Cardholder name, billing address, payment status (Stripe)
  • Legal basis: Performance of contract + legal obligation
  • Purposes: Payments, invoicing, accounting

Technical data

  • Examples: IP address, browser, device, logs, session duration
  • Legal basis: Legitimate interest
  • Purposes: Security, stability, fraud detection

Communication

  • Examples: E-mails, chat, support tickets
  • Legal basis: Performance of contract
  • Purposes: Customer service

Marketing & cookies

  • Examples: Cookie IDs, ad IDs, newsletter status
  • Legal basis: Consent (opt-in)
  • Purposes: Newsletters, retargeting, personalization

4. AI & Profiling (CarNinja)

4.1 No binding automated decisions

Our AI provides advice based on vehicle data; it makes no binding or legal decisions. You always retain full control. No profiling with personal data is performed; EXIF metadata may contain personal data and is anonymized to minimize risks.

4.2 Rights regarding AI

  • Request human intervention
  • Obtain an explanation of the logic
  • Contest the results (via info@carnet.be)

4.3 Storage of photos & metadata

  • Photos: max. 160 days
  • EXIF metadata: max. 120 days, anonymized after processing
  • Model training: only anonymized (no personal data)
  • DPIAs and bias mitigation through regular audits

5. Retention periods

  • Account data: max. 3 years after last login or deletion (reactivation, administration)
  • Advertisement data: until deletion, max. 5 years inactive (proportionality)
  • CarNinja analyses: max. 24 months (model optimization)
  • Photos: max. 160 days (technical processing)
  • EXIF metadata: max. 120 days (fraud prevention & security)
  • Invoices: 7 years (Belgian legislation)
  • Logs & IPs: max. 12 months (security)
  • Marketing consent: until withdrawal + 2 years proof (GDPR compliance)
  • After expiry, data is deleted or anonymized.

6. Sharing with third parties

  • OpenAI / Anthropic — AI analysis (US) — SCCs + TIA
  • Google Cloud / AWS — Hosting (EU/US) — SCCs + BCR
  • Stripe — Payments (US) — SCCs + PCI-DSS
  • Google Analytics / Plausible — Analytics (EU/US) — IP anonymization + SCCs
  • Meta & Google Ads — Retargeting (opt-in) (US) — SCCs + consent
  • We never sell personal data.

7. International transfers

Data outside the EU is protected via EU Standard Contractual Clauses (2021), Transfer Impact Assessments, and additional technical & organizational measures. We monitor GDPR case law (Schrems II/III).

8. Your GDPR rights

  • Access, rectification, deletion, restriction
  • Objection (incl. to marketing & model training)
  • Data portability
  • Withdrawal of consent
  • Complaint to the DPA
  • Contact: info@carnet.be

9. Account deletion

Email info@carnet.be — subject “Account deletion”. Within 30 days: account deleted, personal data removed, remaining data anonymized.

10. Cookies & tracking

  • Functional cookies
  • Analytical cookies
  • Marketing cookies (opt-in)
  • Retargeting via Meta/Google Ads

11. Security

  • TLS 1.3
  • AES-256 encryption
  • bcrypt/Argon2 hashing
  • Least-privilege access control
  • Regular penetration tests
  • DPIA for CarNinja
  • Data breach notification (72 hours)

12. Minors

Our services are not aimed at persons under 18 years. Any such data we detect is immediately deleted.

13. Changes

Important changes are announced via the website and/or email. The current version is always available at carnet.be/privacy.

14. Applicable law

Belgian law. Competent court: arrondissement Leuven.