Caravan Guide
Search
Legal

Privacy policy

Last updated: 15 May 2026. This policy describes how Caravan Guide collects and uses personal data when you use this website and related services. The service is operated in the United Kingdom and is intended for users in the UK. For cookies specifically, see our cookie information. For purchases, subscriptions, and liability, see our terms and conditions (same agreement as our terms of use).

1. Data controller

The data controller for personal data processed through this site is Caravan Guide.
Postal address: Caravan Guide.

Contact details are published in the site footer and company settings where available.

2. What data we collect

  • Account and profile: email address, password (stored as a one-way hash we cannot reverse), and any business or contact details you provide at registration or in your account settings.
  • Billing and subscriptions: plan type, subscription status, billing interval, and payment-related identifiers provided by our payment processor. Card details are handled entirely by Stripe; we do not store full card numbers or CVV codes on our servers.
  • Guide usage: when you are signed in, search queries and filter selections may be logged for service operation, fraud detection, and analytics. Your search history is accessible to you from your account.
  • Support tickets: the content of any messages, descriptions, or attachments you submit through the support ticket system or by email to us.
  • Valuation certificates: where you use the certificate feature, we store the caravan details, edition date, guide values, and any reference information associated with each certificate you issue. Certificate records are retained for audit and independent verification purposes.
  • Image and media uploads: where you submit photographs or other media to the platform, we store the file and associated metadata. By submitting images you confirm ownership of the rights in accordance with our terms and conditions. Approved images and their associated rights are retained permanently following payment.
  • API usage: if you hold API access, we log request metadata including timestamps, endpoints called, response codes, and rate-limit counters. We do not log full request or response payloads. API key hashes (never the raw keys) are stored for authentication purposes.
  • Referrals and earnings: if you participate in the referral programme, we record referral link usage, qualifying sign-ups attributed to your link, and any credits or commissions earned. Referral tracking cookies are only set with your consent; see our cookie information.
  • Bot and spam detection: we use Cloudflare Turnstile on public forms (including registration, login, and password reset) to distinguish human users from automated bots. Turnstile processes browser and interaction signals and your IP address. We do not have access to the raw signals Turnstile uses; we receive only a pass or fail result. See Cloudflare’s privacy policy for full details of their processing.
  • Security and abuse prevention: IP addresses and request metadata are used for rate limiting, CSRF protection, audit logs, and detection of unauthorised access attempts.
  • Technical logs: standard server and application logs include IP address, user agent, timestamps, HTTP method, and requested URL. These are used for operational monitoring, debugging, and security investigations.
  • Organisation and park group data: if you administer or are a member of an organisation account, we store the organisation name, associated user accounts, and subscription details for that organisation.
  • Newsletter subscriptions and email marketing: if you sign up to our newsletter (via the signup form on our website, a footer widget, or a pop-up), we collect your email address, your name where you choose to provide it, and your subscription group preferences. We also record your subscription status (e.g. active, unsubscribed), and the timestamps of subscription events. When we send you a marketing email, we embed a small invisible tracking pixel; if your email client loads images, the open event is recorded along with a timestamp. When you click a link in a marketing email, you are routed through a short redirect that records the click event, the destination URL, and a timestamp, before forwarding you immediately to the destination. This engagement data is used solely to measure the effectiveness of our campaigns and to improve future communications. You may unsubscribe at any time by clicking the unsubscribe link included in every marketing email, or by visiting our unsubscribe page.

3. Why we use your data (legal bases)

Under UK GDPR we rely on one or more of the following bases, depending on the activity:

  • Contract: to provide the service you signed up for, manage your subscription, process payments, issue certificates, and deliver account features you have purchased.
  • Legitimate interests: to secure the site; prevent fraud, abuse, and unauthorised access; improve the product; analyse aggregated usage trends; verify image ownership; operate the referral programme; enforce rate limiting and API audit logging; and detect automated bot activity via Turnstile. We balance our interests against your rights before relying on this basis.
  • Legal obligation: where we must retain or disclose data for tax records, accounting obligations, or lawful requests from competent authorities.
  • Consent: for optional referral tracking cookies set via the cookie banner; and for direct marketing communications including our newsletter. You give consent for newsletter emails by completing our signup form. You may withdraw consent at any time by clicking the unsubscribe link in any marketing email or by using our unsubscribe page. Withdrawing consent does not affect the lawfulness of emails sent before withdrawal.

4. Sharing and processors

We use trusted third-party service providers who process data on our behalf and under our instructions. These currently include:

  • Stripe: payment processing, subscription management, invoicing, and tax data. Stripe is also an independent data controller for some of its own activities; see Stripe’s privacy policy.
  • Cloudflare (Turnstile): bot and spam prevention on public-facing forms. Cloudflare processes browser signals and IP address data to produce a bot-detection result. See Cloudflare’s privacy policy.
  • Email delivery providers: to send transactional emails (such as account verification, password reset, and subscription receipts) and marketing emails (such as newsletters and campaign communications). These providers process email addresses and message content on our behalf.
  • Hosting and infrastructure providers: servers and databases that store and process data on our behalf in accordance with appropriate agreements.

Where our pages load fonts or other resources from third-party CDNs (such as Google Fonts), those providers may process technical data such as your IP address under their own terms and privacy policies.

We do not sell personal data to third parties. We do not share personal data for third-party marketing purposes.

5. International transfers

Some of our processors are based outside the UK or operate infrastructure outside the UK. Where such transfers occur, we seek to ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement or Addendum, adequacy decisions, or other mechanisms recognised under UK data protection law.

6. Retention

We retain personal data only for as long as necessary for the purposes described in this policy:

  • Account data is retained for the life of your account and for a reasonable period after closure for legal, tax, and dispute resolution purposes (typically up to 7 years for financial records).
  • Certificate records are retained indefinitely as they may be presented for independent verification at any point after issuance.
  • Approved image rights are retained permanently following assignment, as described in our terms and conditions.
  • API request logs and search logs are retained for a shorter operational period and then purged or anonymised.
  • Technical server logs are typically retained for a short operational period (days to weeks) unless required for an ongoing security investigation.
  • Support ticket records are retained for the duration of your account relationship and a reasonable period thereafter.
  • Newsletter subscriber records (email address, name, group preferences, and subscription status) are retained for as long as you remain subscribed and for a reasonable period after unsubscription to honour suppression lists and prevent re-subscription without fresh consent. Unsubscribed records are kept in a suppressed state rather than deleted, so that we do not accidentally email you again.
  • Email engagement logs (open and click events) are retained for a reasonable operational period to support campaign analytics and are then aggregated or purged.

7. Security

We implement reasonable technical and organisational measures to protect personal data against unauthorised access, accidental loss, or disclosure. These include one-way hashed password storage, HTTPS encryption for all data in transit, CSRF token protection on forms, rate limiting, IP-based abuse detection, and role-based access controls on administrative functions.

No method of transmission over the internet is completely secure. In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify the Information Commissioner’s Office (ICO) and, where required, affected individuals, within the timeframes required by applicable law.

8. Your rights

Under UK data protection law you have the following rights, subject to applicable exemptions:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: ask us to correct inaccurate or incomplete data.
  • Erasure: ask us to delete your data where there is no compelling reason to continue processing it.
  • Restriction: ask us to restrict how we use your data in certain circumstances.
  • Portability: receive your data in a structured, machine-readable format where applicable.
  • Objection: object to processing based on legitimate interests or for direct marketing at any time. You may opt out of marketing emails at any time via the unsubscribe link in each email or our unsubscribe page.
  • Withdraw consent: where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us using the details in section 1 above. We will respond within the timeframe required by law (generally one calendar month) and may need to verify your identity before acting on a request.

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk/make-a-complaint, or by calling 0303 123 1113.

9. Children

This service is not directed at children under the age of 13. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will take prompt steps to delete it.

10. Automated decisions

We use automated systems for rate limiting and abuse detection (including Cloudflare Turnstile bot scoring and API rate counters). These may restrict access to the service automatically where misuse thresholds are exceeded. They do not produce legal or similarly significant effects in the sense of UK GDPR Article 22, but are necessary for platform security and integrity. You may contact us to dispute an automated access restriction.

Valuation outputs produced by the platform are informational guidance tools and are not automated decisions that determine your legal status or rights.

11. Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top of this page reflects the most recent revision. Where changes are material, we will provide reasonable notice by email or a prominent notice on the platform before the changes take effect.

12. Governing law

UK data protection law, including UK GDPR and the Data Protection Act 2018, governs our processing of your personal data. Any other contractual terms between you and us specify the courts and applicable law that govern those terms separately.

Still unsure about our pricing?

See exactly how our valuations are calculated.

How our valuations work

Verified & trusted

Powered by Caravan Guide About our trust badge ↗

Free newsletter

Get the latest caravan market news

Valuations, price trends, and updates from Caravan Guide straight to your inbox.