Return on Investment LTD Privacy Policy
Introduction
Welcome to Return on Investment Ltd’s privacy policy.
Return on Investment Ltd (“ROI”, “we”, “us”, “our”) respects your privacy and is committed to protecting your personal data. This privacy policy explains:
- what personal data we collect;
- how we use, store and share it;
- your privacy rights; and
- how the law protects you.
This policy is presented in a layered format so you can easily navigate to each section. Additional privacy notices may be provided where we collect data in specific contexts (e.g., website forms or event registrations). These supplement, and do not replace, this policy.
This website is not intended for children and we do not knowingly collect data relating to children.
1. Important Information and Who We Are
Purpose of this privacy policy
Return on Investment Ltd is the data controller for:
- Client Contacts (employees/representatives of our clients and prospective clients);
- Suppliers;
- Website Users;
- Individuals who contact us directly.
When we process personal data about Customers on behalf of our clients (e.g., automotive manufacturers or leasing companies), we act as a data processor. In those situations, the relevant client is the data controller and determines the purposes of the processing.
Data Protection Officer (DPO)
- Email: dpo@roiltd.co.uk
- Postal address: Return on Investment Ltd, Pepper House, Market Street, Nantwich, CW5 5DQ
- Telephone: 01270 610400 (ask for the DPO)
Complaints (Right to Lodge a Complaint)
You may lodge a complaint at any time with the UK Information Commissioner’s Office (ICO) at www.ico.org.uk.
We ask that you contact us first so we can seek to resolve the issue. An electronic complaints form is available on our website. We will acknowledge complaints within 30 days and respond without undue delay.
2. The Data We Collect About You
We may collect, use, store and transfer the following types of personal data. The data collected will depend on your relationship with us.
Identity Data
e.g., first name, last name, title, job role.
(Proof of ID such as passport/driving licence may be collected only where required for specific contractual or regulatory purposes, such as supplier due diligence.)
Contact Data
e.g., business address, business email address, telephone numbers.
Vehicle Data (Customers)
e.g., vehicle registration number (VRN), vehicle identification number (VIN), date of purchase.
Financial and Transaction Data
e.g., payment details, billing address, credit check results (suppliers only), records of payments to/from us or our clients.
Technical Data
e.g., IP address, browser type, device information, time zone, login data, interaction logs.
Profile and Usage Data
e.g., account login credentials (where applicable), preferences, survey responses, engagement with emails we send on behalf of clients, usage of our products/services or those of our clients.
Marketing and Communications Data
e.g., your preferences in receiving marketing communications.
CCTV Images
Captured at entry/exit points and data processing areas. Typically retained for no more than 31 days, unless required for security, incident investigation or legal reasons.
Special Category Data
We do not routinely collect special category data.
However, where we support client events, we may collect limited health information such as dietary requirements or accessibility needs.
Such data is only processed:
- with your explicit consent; or
- where required for substantial public interest (e.g., health and safety obligations).
It is subject to enhanced access controls and deleted after the event unless continued retention is expressly required or agreed.
Failure to provide data
If you fail to provide data required by law or under a contract, we may have to cancel the service provided to you.
3. How Is Your Personal Data Collected? (Source of Data)
We use different methods to collect data from and about you, including through:
Direct interactions
You provide data by contacting us via website forms, telephone, email, post or in person.
Automated technologies
When you interact with our website, we collect Technical and Usage Data through cookies and log files.
(See our Cookie Policy for details.)
Clients (when we act as processor)
Clients may provide Customer data for us to process on their behalf.
Clients are responsible for ensuring they have a lawful basis to share this data with us.
Third parties and publicly available sources
Examples include analytics providers (e.g., Google), payment processors, data aggregators, Companies House, business directories and public websites/social media.
CCTV systems
Images are collected at our premises for safety and security purposes.
4. How We Use Your Personal Data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances: where we need to perform a contract, comply with a legal obligation, or where it is necessary for our legitimate interests and these are not overridden by your rights. The specific purposes and legal bases for processing are detailed in the tables below:
| Purpose/Activity | Lawful basis for processing including basis of |
| --- | --- |
| To register you/the client you represent as a new client | Performance of a contract; compliance with a legal |
| To process service requests, manage payments and recover | Performance of a contract; legitimate interests (debt |
| To manage our relationship with you (policy updates, | Performance of a contract; legal obligation; legitimate |
| To administer and protect our business and website | Legitimate interests (IT security, business operations); |
| To use analytics to improve our website, services and | Legitimate interests |
| To make recommendations to you about services relevant to your organisation | Legitimate interests (business development) |
Customers of Our Clients (Processor)
When acting as a processor, we process data according to our client’s instructions.
| Purpose / Activity | Lawful Basis (determined by client) |
| --- | --- |
| To send marketing communications on behalf of a client | Legitimate |
| To notify you about changes to terms or privacy policy | Legal obligation |
| To support prize draws, surveys or competitions | Performance of a contract; legitimate interests (customer insights) |
| To deliver relevant content/advertising and measure engagement | Legitimate interests (informing client marketing strategies) |
| To support analytics, market research and satisfaction surveys | Legitimate interests |
| To organise client events (may include Special Category Data) | Consent; legitimate interests (client services) |
| To book test drives or respond to customer requests | Legitimate interests (client fulfilment |
Suppliers
| Purpose / Activity | Lawful Basis |
| --- | --- |
| To register you as a supplier and assess creditworthiness | Performance of a contract; legitimate interests |
| To perform the supplier contract and manage payments | Performance of a contract |
| To notify you of changes to our terms/policies | Performance of a contract; legal obligation |
Users of our website
| Purpose / Activity | Lawful Basis |
| --- | --- |
| To respond to enquiries submitted via our website | Legitimate interests |
| To administer and protect our website | Legitimate interests; legal obligation |
| To use analytics to improve user experience | Legitimate interests |
Marketing
Marketing by ROI (Controller)
You may receive marketing from us if:
- you requested information from us; or
- you purchased services from us; and
- you have not opted out of marketing.
Marketing by Our Clients (Processor)
Customers may receive marketing from us on behalf of our clients where:
- permitted under PECR for B2B communications, or
- consent has been obtained by the client.
Consent Withdrawal
Where processing is based on consent, you can withdraw it at any time.
Third-Party Marketing
We will obtain your explicit consent before sharing your personal data with any unrelated third party for marketing purposes.
Cookies
You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our website may become inaccessible or not function properly. For more information about the cookies we use, please see our Cookie Policy.
Change of purpose
We only use personal data for the purposes for which it was collected, unless compatible with the original purpose. If we need to use your data for an unrelated purpose, we will notify you.
5. Disclosures of Your Personal Data
We may share your data with:
- Clients (if you are a Customer);
- Service providers acting as processors (e.g., IT, hosting, analytics);
- Professional advisers (lawyers, bankers, auditors, insurers);
- Regulators and authorities (where required by law);
- Third parties involved in merger, acquisition or restructuring activity.
All third parties must process your data securely and only on our instructions. When we act as a processor, disclosures are determined by our client.
6. International Transfers
Some of our service providers are located outside the UK/EEA. Where this occurs, we ensure appropriate safeguards, such as:
- Adequacy Regulations/Decisions; or
- UK International Data Transfer Agreement (IDTA) / UK Addendum to EU SCCs.
7. Data Security
We implement appropriate organisational and technical measures to protect your data from loss, misuse, unauthorised access or disclosure. Access is limited to those with a business need and subject to confidentiality obligations.
We have procedures to respond to suspected data breaches.
8. Automated Decision-Making and Profiling
We do not use your data for solely automated decisions that produce legal or similarly significant effects.
We may perform limited profiling (e.g., engagement analytics or marketing segmentation). This does not have significant effects on you.
If we introduce automated decision-making in the future, we will update this policy and explain your rights.
9. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, including legal, regulatory, tax and accounting requirements.
Examples (non-exhaustive):
- Client records: retained for 6 years after the relationship ends (legal requirement).
- CCTV images: typically retained for 31 days, unless required for an investigation.
- Event-related Special Category Data: deleted immediately after the event unless continued retention is required or you have consented.
10. Your Legal Rights
You have rights under data protection law, including the right to:
- access your personal data;
- correct inaccurate data;
- request erasure;
- object to processing (including direct marketing);
- restrict processing;
- request data portability;
- withdraw consent at any time (where applicable).
We may request proof of identity before responding to your request. We aim to respond within one month.
11. Glossary
Client – an organisation (for example, an automotive manufacturer, dealer group or leasing company) that engages ROI to provide services.
Client Contact – an employee or representative of a Client or prospective Client.
Customer – an individual who purchases, uses or is interested in products or services provided by a Client (for example, a fleet buyer, company vehicle user or prospective customer).
Personal Data – any information that identifies, relates to, or can reasonably be linked to an individual (such as name, business email, telephone number, identification numbers, IP address).
Special Category Data – more sensitive categories of personal data that require additional protection under UK GDPR, such as health information (e.g., accessibility needs or dietary requirements for events).
Consent – a freely given, specific, informed and unambiguous indication of your wishes, usually expressed by a clear affirmative action (for example, ticking a box), agreeing to the processing of your personal data.
Data Controller – the organisation that determines the purposes and means of processing personal data. ROI is the controller for Client Contacts, Suppliers, and Website Users. Clients are typically the controller for Customer data we process on their behalf.
Data Processor – an organisation that processes personal data on behalf of a Data Controller and in accordance with its instructions. ROI acts as a processor when processing Customer data for Clients.
Legitimate Interests – our interest in operating our business effectively and securely. We consider and balance any potential impact on your rights before relying on this basis.
Performance of a Contract – processing necessary to perform a contract with you, or to take steps at your request before entering into a contract.
Legal Obligation – processing necessary to comply with UK law.
External Third Parties – organisations that assist us in delivering our services, including:
- IT and system administration providers;
- Professional advisers (e.g., lawyers, auditors, insurers);
- HMRC, regulators and other authorities;
- Cloud hosting and infrastructure providers.
Last Updated: 28th November 2025