Last update 01/12/2025
PRIVACY POLICY — CarNet & CarNinja, ENGLISH
Hebel & Margo BV — Last update: 01/12/2025
1. Who are we and how can you contact us?
Data controller: Hebel & Margo BV
Kapellekensweg 32, 3391 Meensel-Kiezegem, Belgium
Company number: BE 0794.199.079
General: info@carnet.be
Privacy & GDPR: info@carnet.be
We respond within 1 month (exceptionally 3 months for complex requests, with motivation, in accordance with GDPR Art. 12).
2. Scope
This privacy policy applies to:
• CarNinja
• All subdomains, apps, APIs and integrations
By using our services, you agree to this policy.
3. What data do we process and why?
3.1 Overview
Category | Examples | Legal basis | Purposes |
Account & profile data | Name, e-mail, phone, address, company name, hashed password | Performance of contract + legitimate interest | Account management, login, support, fraud prevention |
Advertisement data (Carnet) | Vehicle info, mileage, photos/videos, price, reactions | Performance of contract + legitimate interest | Publication & display of ads; use of vehicle photos for marketing (e.g. social media, newsletters, example ads), always without identifiable personal data of the seller, with opt-out via email |
Vehicle analysis (CarNinja) | Photos (incl. EXIF, which may potentially contain personal data such as location/timestamps), technical data, AI input/output, risk profiles (primarily vehicle data; EXIF anonymized) | Performance of contract + legitimate interest | Analysis, recommendations, quality control & model improvement (anonymized) |
Payment & invoicing data | Cardholder name, billing address, payment status (Stripe) | Performance of contract + legal obligation | Payments, invoicing, accounting |
Technical data | IP address, browser, device, logs, session duration | Legitimate interest | Security, stability, fraud detection |
Communication | E-mails, chat, support tickets | Performance of contract | Customer service |
Marketing & cookies | Cookie IDs, ad IDs, newsletter status | Consent (opt-in) | Newsletters, retargeting, personalization |
In the context of facilitating personalized vehicle offers, we may share your personal data (such as name, email, and search preferences) with verified professional sellers (garages) if we detect that you are interested in a specific vehicle model and the garage has it in stock. This is done based on our legitimate interest to optimize the marketplace or with your explicit consent. Conversely, we may share garage details (such as contact info) with you as a private individual if we believe the garage best matches the vehicle you are seeking. Garages are always pre-verified through our KYBC process. You have the right to object to this processing via [opt-out link or email], and we conduct a DPIA for high-risk processing. Data is retained no longer than necessary and used solely for this purpose, in compliance with GDPR Art. 6 and 13-14.
4. AI & Profiling (CarNinja)
4.1 No binding automated decisions
Our AI provides advice based on vehicle data, not binding or legal decisions. You always retain full control. No profiling with personal data is performed, but EXIF metadata may potentially contain personal data and is anonymized to minimize risks.
4.2 Rights regarding AI
You can:
• Request human intervention
• Obtain an explanation of the logic
• Contest the results
Via info@carnet.be.
4.3 Storage of photos & metadata
• Photos: max. 160 days
• EXIF metadata (potentially personal data): max. 120 days, anonymized after processing
• Model training: only anonymized (no personal data)
We conduct DPIAs and mitigate biases through regular audits.
5. Retention Periods
Type of data | Period | Motivation |
Account data | Max. 3 years after last login or deletion | Reactivation, administration |
Advertisement data | Until deletion, max. 5 years inactive | Proportionality |
CarNinja analyses | Max. 24 months | Model optimization |
Photos | Max. 160 days | Technical processing |
EXIF metadata | Max. 120 days | Fraud prevention & security |
Invoices | 7 years | Belgian legislation |
Logs & IPs | Max. 12 months | Security |
Marketing consent | Until withdrawal + 2 years proof | GDPR compliance |
After expiry, data is deleted or anonymized.
6. Sharing with Third Parties
Partner | Purpose | Country | Safeguards |
OpenAI / Anthropic | AI analysis | US | SCCs + TIA |
Google Cloud / AWS | Hosting | EU/US | SCCs + BCR |
Stripe | Payments | US | SCCs + PCI-DSS |
Google Analytics / Plausible | Analytics | EU/US | IP anonymization + SCCs |
Meta & Google Ads | Retargeting (opt-in) | US | SCCs + consent |
We never sell personal data.
7. International Transfers
Data outside the EU is protected via:
• EU Standard Contractual Clauses (2021)
• Transfer Impact Assessments
• Additional technical & organizational measures
We monitor GDPR case law (Schrems II/III).
8. Your GDPR Rights
You have the right to:
• Access
• Rectification
• Deletion
• Restriction
• Objection (incl. to marketing & model training)
• Data portability
• Withdrawal of consent
• Complaint to the DPA
Email info@carnet.be.
9. Account Deletion
Email: info@carnet.be
Subject: “Account deletion”
Within 30 days:
• Account deleted
• Personal data removed
• Remaining data anonymized
10. Cookies & Tracking
We use:
• Functional cookies
• Analytical cookies
• Marketing cookies (opt-in)
• Retargeting via Meta/Google Ads
11. Security
We apply, among others:
• TLS 1.3
• AES-256 encryption
• bcrypt/Argon2 hashing
• Least-privilege access control
• Regular penetration tests
• DPIA for CarNinja
• Data breach notification obligation (72 hours)
12. Minors
Our services are not aimed at persons under 18 years. Detected data is immediately deleted.
13. Changes
Important changes are announced via the website and/or email. The current version is always available at carnet.be/privacy.
14. Applicable Law
Belgian law. Competent court: arrondissement Leuven.
Last update: 01/12/2025 Questions? info@carnet.be