Purple Cars Privacy Policy


Last update: January 2026


Purple Cars respects your privacy and is committed to protecting your personal data in full compliance with the General Data Protection Regulation (GDPR/RGPD), the Spanish Organic Law 3/2018 (LOPDGDD), and guidance from the Spanish Data Protection Agency (AEPD).


We will never sell your personal data to third parties. We collect and process data transparently, only for legitimate purposes related to providing our car rental services, managing bookings, protecting our assets, and improving our operations.


1. Who is the Data Controller?


Purple Cars (hereinafter "we" or "us") is the data controller.

Contact: legal@purplegroup.es (or hire@purplecars.es for general queries).

We have appointed a Data Protection Officer (DPO) — contact details available upon request.


2. Types of Personal Data We Collect


  • Data you provide: When booking or renting, we collect name, address, email, phone, date of birth, driving licence details, payment information, and any additional info for your reservation.
  • Automatically collected data: Device info (e.g., IP address, browser type, OS), website usage (pages viewed, time spent), collected via cookies and similar technologies.
  • Geolocation data: All vehicles have GPS tracking devices. We collect real-time location data only in limited cases (see section 4).
  • Other: Any data from customer interactions (e.g., complaints, feedback).


We do not knowingly collect data from children under 16. Our services are not directed at minors.


3. Purposes and Legal Basis for Processing


We process your data for:


  • Managing bookings, reservations, and rentals (contract performance — Art. 6.1.b GDPR).
  • Providing customer support and communications (contract performance or legitimate interest).
  • Processing payments and fraud prevention (contract performance + legitimate interest).
  • Complying with legal obligations (e.g., traffic authority requirements, tax laws — Art. 6.1.c GDPR).
  • Improving services and website experience (legitimate interest — Art. 6.1.f GDPR).
  • Protecting our property and enforcing contract terms (legitimate interest — see below).


Geolocation/GPS Data (Special Section)


All rental vehicles are equipped with GPS devices for real-time tracking. We process this data only on the basis of our legitimate interest (Art. 6.1.f GDPR) in protecting our vehicles and enforcing contractual limits. A Legitimate Interests Assessment (LIA) has been conducted, confirming that our interests prevail over your rights when strictly limited to these purposes:


  • Recovering the vehicle in cases of non-payment (including locating it if payments are overdue and contact attempts fail).
  • Theft, attempted theft, or disappearance.
  • Protecting against imminent serious risk or damage.
  • Detecting and responding to unauthorised exit from Andalucía (vehicles are contractually not permitted to leave this region).
  • Locating the vehicle after failed reasonable contact attempts where a serious breach is suspected.


We will NOT use geolocation data for:


  • Routine monitoring of your movements or behaviour during normal rental.
  • Speed enforcement or traffic violation fines.
  • Marketing or commercial purposes.


The Renter must not tamper with, disable, or remove the device — doing so is a serious breach and may trigger recovery actions.


This processing is proportionate, necessary, and transparent (detailed in the rental agreement clause 14.2). You can object to processing based on legitimate interest (see section 7).


4. Sharing Your Data


We share data only when necessary:


  • With service providers (e.g., payment processors, IT/hosting, insurers) acting as processors under strict agreements.
  • With authorities if legally required (e.g., law enforcement for theft recovery).
  • With affiliates for internal operations.


International transfers (if any) use Standard Contractual Clauses or other safeguards to ensure adequate protection.


5. Data Retention


We retain data only as long as necessary:


  • Booking/rental data: Up to 5 years after rental end (for legal claims, tax, insurance purposes).
  • Geolocation data: Usually until vehicle return and resolution of incidents (e.g., payment disputes, theft); maximum 30 days unless legally required longer.
  • Website usage/cookies: As per cookie policy (session or up to 2 years for analytics).


Data is securely deleted or anonymised thereafter.


6. Security


We implement technical, organisational, and physical measures (e.g., encryption, access controls) to protect your data against unauthorised access, loss, or breach.


7. Your Rights Under GDPR


You have the right to:


  • Access your data.
  • Rectify inaccurate data.
  • Erase data (where applicable).
  • Restrict processing.
  • Object to processing based on legitimate interest (including geolocation) — we will stop unless compelling reasons override.
  • Data portability.
  • Withdraw consent (if used).


Requests are free and responded to within 1 month (extendable in complex cases). Contact: legal@purplegroup.es.


If unsatisfied, complain to the AEPD (www.aepd.es).


8. Cookies and Similar Technologies


We use:


  • Strictly necessary cookies (essential for site function).
  • Performance/analytics (e.g., Google Analytics — anonymised).
  • Functional (e.g., remembering preferences).


Manage via browser settings or our cookie banner. For details, see our Cookie Policy [link if separate].


9. Changes to This Policy


We may update this policy. Changes will be posted here with the new "Last updated" date. Review periodically.


10. Contact Us


For questions: legal@purplegroup.es or hire@purplecars.es.

By using our services/website, you acknowledge this policy. For rentals, additional details are in your contract.

Purple Cars GDPR


At Purple Cars, we take the protection of personal data very seriously. We are committed to complying with all applicable data protection laws, including the General Data Protection Regulation (GDPR).


This GDPR policy sets out how we collect, process, and store personal data, as well as the rights that individuals have in relation to their personal data.


Collection and Processing of Personal Data:


We collect personal data from our customers when they make a booking or reservation with us. This may include name, address, email address, phone number, date of birth, driving license number, and payment information.


We may also collect personal data from our customers when they interact with us via our website, social media channels, or customer service channels.


The personal data we collect is used to:


Process and manage bookings and reservations

Provide customer service and support

Improve our products and services

Comply with legal and regulatory requirements

We will only process personal data for the purposes for which it was collected and in accordance with the principles of the GDPR.


Storage and Security of Personal Data:


We take appropriate measures to ensure that personal data is stored securely and protected against unauthorized access, disclosure, or destruction. This includes physical, technical, and administrative safeguards.


Personal data is only retained for as long as necessary to fulfil the purposes for which it was collected, unless a longer retention period is required by law.


Disclosure of Personal Data:


We may share personal data with third-party service providers who process personal data on our behalf, such as payment processors, IT service providers, and marketing agencies.


We may also disclose personal data to law enforcement authorities or regulatory bodies if required by law.


Rights of Individuals:


Individuals have the right to access, correct, or delete their personal data held by us. They also have the right to object to the processing of their personal data or to request that we restrict the processing of their personal data.


We will respond to requests from individuals in relation to their personal data within one month, in accordance with the GDPR.


Contact Us:


If you have any questions or concerns about our GDPR policy or the way we collect, process, or store personal data, please contact us at legal@purplegroup.es


We may update this GDPR policy from time to time to reflect changes in our data protection practices or legal requirements. We encourage you to review this policy regularly for updates.