Privacy Policy

1. Who We Are

CityGrip Ltd, trading as TowManVan ("TowManVan", "we", "us", "our") is the data controller for the personal data collected through the TowManVan website (towmanvan.co.uk) and mobile application (the "Platform").

As data controller, TowManVan determines the purposes and means of processing your personal data. Our primary contact for data protection enquiries is:

• Email: privacy@towmanvan.co.uk
• General contact: hello@towmanvan.co.uk

This Privacy Policy explains what personal data we collect about you when you use the Platform, why we collect it, how long we keep it, who we share it with, and what rights you have over it.

This policy applies to all users of the Platform, including customers placing Bookings and visitors browsing the website. It is separate from our Operator Privacy Notice which governs data processed in relation to self-employed Operators on the Platform.

2. Personal Data We Collect

2.1 Account Registration Data

When you register for a TowManVan account, we collect:

• Full name
• Email address
• Phone number
• Password (stored as a cryptographic hash - we never see your password in plain text)

2.2 Booking and Service Data

When you place a Booking, we collect:

• Your location at the time of the Booking (GPS coordinates, postcode, and any address details you provide)
• Vehicle registration number and vehicle type
• Service type requested (car recovery, jump start, or man-and-van)
• Booking date, time, and status
• In-app communications with our support team
• Photos or additional information you upload in connection with a Booking

2.3 Payment Data

Payment card details are processed directly by our PCI-DSS-compliant third-party payment processor. TowManVan does not store your full card number or CVV. We retain tokenised payment references and transaction records (amount, date, Booking reference) for billing, refund, and fraud prevention purposes.

2.4 Device and Technical Data

When you use the App or visit the website, we automatically collect:

• IP address
• Device type, model, and operating system version
• App version
• Browser type and version (website)
• Pages visited, time spent, and click patterns (via Google Analytics 4)
• Crash reports and diagnostic data

2.5 Communications Data

If you contact us by email, in-app chat, or phone, we keep a record of that communication including the content, date, and your contact details. This helps us resolve queries and monitor service quality.

2.6 Data We Do Not Collect

TowManVan does not knowingly collect special category personal data (as defined by UK GDPR Article 9) such as health data, racial or ethnic origin, religious beliefs, or biometric data, unless you voluntarily disclose such information in the course of a support interaction (for example, explaining a medical reason for a vehicle breakdown scenario).

3. How We Use Your Data

We use your personal data for the following purposes:

We will never sell your personal data to third parties for marketing purposes. We do not use your data for automated profiling or decision-making that produces legal or significantly similar effects.

4. Legal Bases for Processing

Under UK GDPR, TowManVan relies on the following legal bases depending on the type of processing:

• Contract performance (Article 6(1)(b)). Processing that is necessary to perform the contract with you - creating your account, placing your Booking, dispatching an Operator, processing payment, and resolving issues arising from a Service.
• Legal obligation (Article 6(1)(c)). Processing required to fulfil our obligations under UK law - including transaction records for HMRC, responding to law enforcement requests under a valid court order, and complying with the Money Laundering Regulations where applicable.
• Legitimate interests (Article 6(1)(f)). Processing that is in our or a third party's legitimate interests, where those interests are not overridden by your rights - including fraud prevention, platform security, aggregated analytics, and essential service communications. We conduct a balancing test before relying on this basis.
• Consent (Article 6(1)(a)). For activities where we ask for your opt-in agreement - specifically, marketing communications and the use of non-essential analytics cookies. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

5. Data Sharing and Recipients

TowManVan does not sell your personal data. We share your data only in the circumstances described below.

5.1 Operators (Independent Data Controllers)

When a Booking is confirmed, we share your first name, phone number, pickup location (GPS coordinates or address), and vehicle details with the Operator assigned to your Booking. This is the minimum information necessary for the Operator to find you and complete the Service.

Each Operator receives and processes this data as an independent data controller in their own right, not as a data processor acting on TowManVan's behalf. Once your data is transmitted to an Operator, that Operator is independently responsible for its lawful handling, storage, security, and deletion in accordance with UK GDPR and the Data Protection Act 2018. TowManVan accepts no responsibility or liability - whether in contract, tort, or under data protection law - for the way in which any Operator processes your personal data after it has been transmitted.

Operators are required by their terms of engagement with TowManVan to use your personal data only to fulfil the Booking and to maintain appropriate security measures. Any complaint concerning an Operator's handling of your personal data\ should be directed to that Operator directly and, if unresolved, to the Information Commissioner's Office (ICO) at ico.org.uk.

5.2 Payment Processor

Payment is processed by a PCI-DSS-certified third-party payment processor. Your card details are transmitted directly and securely to the processor. TowManVan receives only tokenised transaction data.

5.3 Google Analytics 4 (Google LLC)

We use Google Analytics 4 to understand aggregate usage patterns on our website and App (pages visited, session duration, device types). Google Analytics collects anonymised or pseudonymised data via cookies. Google LLC processes this data on our behalf under a data processing agreement. You can opt out of analytics cookies via our Cookie Policy or by installing the Google Analytics opt-out browser add-on.

5.4 IT and Hosting Providers

We use reputable third-party cloud infrastructure providers to host the Platform and store data. These providers act as data processors under contractual data processing agreements from which you benefit as a data subject.

5.5 Legal and Regulatory Disclosure

We may disclose personal data where required: to comply with a legal obligation; to exercise or defend legal claims; to protect the safety of a person; or to prevent serious crime, where permitted by applicable law.

5.6 Business Transfers

If TowManVan is involved in a merger, acquisition, or sale of its assets, customer data may be transferred as part of that transaction. We will notify affected users and ensure the receiving entity complies with this Privacy Policy and applicable data protection law.

6. International Data Transfers

TowManVan is based in the United Kingdom and processes data primarily within the UK. Where data is transferred outside the UK - for example, to Google LLC in the United States in connection with Google Analytics - we ensure appropriate safeguards are in place in accordance with Chapter V of UK GDPR.

Transfers to the United States are currently covered by the UK Extension to the EU-US Data Privacy Framework (UK-US Data Bridge), which provides an adequacy mechanism for transfers to US organisations registered under the Framework. Google LLC is registered under the Framework. Where the Framework or other safeguards do not apply, we use UK International Data Transfer Agreements (IDTAs) or equivalent standard contractual clauses approved by the ICO.

7. How Long We Keep Your Data

When the relevant retention period expires, we securely delete or anonymise your data. If you request erasure before a retention period expires, we will comply except where we are required by law to retain the data or where it is necessary to defend a legal claim.

8. Your Rights Under UK GDPR

As a data subject, you have the following rights in relation to your personal data held by TowManVan. These rights are subject to certain conditions and exemptions set out in the UK GDPR and the Data Protection Act 2018.

• Right of access (Article 15). You have the right to obtain a copy of the personal data we hold about you (a "Subject Access Request" or SAR). We will respond within 30 calendar days of receiving a valid request. There is no charge for the first request in any 12-month period.
• Right to rectification (Article 16). If your personal data is inaccurate or incomplete, you have the right to ask us to correct it. You can update most of your account information directly within the App.
• Right to erasure (Article 17). You have the right to ask us to delete your personal data in certain circumstances - for example, where the data is no longer necessary, where you withdraw consent (for consent-based processing), or where you object to legitimate interest processing and we have no overriding grounds to continue. We may retain certain data where required by law.
• Right to restriction of processing (Article 18). In certain circumstances, you may ask us to restrict processing of your data while we investigate an accuracy challenge or during a pending objection.
• Right to data portability (Article 20). Where processing is based on your consent or on contract performance, and is carried out by automated means, you may request that we provide your data in a commonly used, machine-readable format, and transmit it to another controller where technically feasible.
• Right to object (Article 21). You have the right to object to processing based on our legitimate interests at any time. We will stop the processing unless we demonstrate compelling legitimate grounds that override your interests or the processing is necessary for the establishment, exercise, or defence of legal claims.
• Right to withdraw consent (Article 7(3)). Where processing is based on your consent, you may withdraw it at any time via the App settings or by contacting us. Withdrawal does not affect the lawfulness of any processing carried out before withdrawal.

To exercise any of your rights, please email us at privacy@towmanvan.co.uk or write to our registered address, including proof of identity (for example, your registered email address and confirmed name). We will respond within 30 calendar days.

9. Security

TowManVan takes the security of your personal data seriously and implements appropriate technical and organisational measures to protect it against accidental loss, unauthorised disclosure, access, or destruction, in accordance with UK GDPR Article 32.

Our measures include:

• Encryption of data in transit using TLS (HTTPS);
• Passwords stored as cryptographic hashes (we never store plain-text passwords);
• Payment data tokenised by our PCI-DSS-compliant processor - we do not store full card details;
• Role-based access controls - data is accessible only to staff or contractors with a business need;
• Regular security testing and vulnerability assessments;
• Contractual data protection obligations imposed on all third-party processors.

Despite these measures, no data transmission over the internet or storage system can be guaranteed to be completely secure. If you suspect that your account has been compromised, contact us immediately at hello@towmanvan.co.uk.

Data breach notification. If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach and, where appropriate, notify you directly without undue delay, as required by UK GDPR Article 33–34.

10. Children's Privacy

The Platform is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected personal data from a child under 18 without verifiable parental or guardian consent, we will delete that data as soon as practicable.

If you believe we may have inadvertently collected data from or about a child, please contact us at privacy@towmanvan.co.uk.

11. Cookies

TowManVan uses cookies and similar tracking technologies on the website. For full details of the cookies we use, their purposes, and how to manage your cookie preferences, please see our Cookie Policy.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, applicable law, or regulatory guidance from the ICO. We will update the "Last updated" date at the top of this page when we make changes.

For material changes - such as new data sharing arrangements, new processing purposes, or significant changes to your rights - we will notify you by email or in-app notification at least 30 days before the change takes effect.

We encourage you to review this policy periodically. The current version is always available at towmanvan.co.uk/legal/privacy.

13. Contact Us and Right to Complain

For any questions, concerns, or requests relating to your personal data, or to exercise any of your rights, please contact us:

• Data enquiries: privacy@towmanvan.co.uk
• General enquiries: hello@towmanvan.co.uk

If you are not satisfied with our response, or you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection supervisory authority:

• Website: ico.org.uk
• Telephone: 0303 123 1113
• Post: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

We would appreciate the opportunity to address your concerns directly before you contact the ICO, so please do reach out to us first.

CityGrip Ltd (trading as TowManVan) - Data Controller. Incorporated in England and Wales. This policy is effective as of 1 April 2026.