CarGurus Global Privacy Notice for Employment Candidates

Date
April 1, 2025


Introduction 
Thank you for considering a job at CarGurus! 

This privacy notice (“Notice”) applies to the processing of Personal Information collected in connection with career opportunities and the hiring process at CarGurus, Inc., its brands, and affiliates (collectively, “CarGurus,” “we,” or “our”). This Notice, together with other notices provided at the time of data collection, explain what Personal Information we collect about you, how we use this Personal Information, and your rights regarding this Personal Information. California, Canada, UK, and EU candidates should also refer to the jurisdiction-specific sections of this Notice.

The data controller for the processing of your Personal Information is the CarGurus entity in the country from which you would work if you were offered a job at CarGurus. If you are unsure which country or entity this would be, please write to us using the instructions in the Contact Us section below.


For information about cookies and other tracking technologies on the CarGurus Career Site, please visit the Career Site Cookie Settings.

For information about data practices related to CarGurus’ products, please visit the CarGurus.com Privacy Policy.


Personal information
In the application and hiring process, we collect Personal Information from you directly, from your referral sources and other third parties (such as former employers or background check agencies), and through publicly-accessible sources (such as LinkedIn). 

When we say Personal Information in this Notice, we mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with you. 

Personal Information that we collect or use, to the extent permitted by local law, includes the following, where applicable:


  • Name and Contact Information, such as your home address, phone number, and email address.
  • National Identifiers, such as your national ID/passport, citizenship status, residency and visa or work permit information, social security number or other taxpayer/government identification number.
  • Education, Application, and Background Information, such as information about your employment and education history, degrees, certifications, or licenses, eligibility to work in the country where you are applying for a job, your desired salary, willingness to relocate, job preferences, references, interview details, outcomes of any recruiting exercises you complete, and our evaluations of your performance during the interview process. This includes any other information you make publicly available generally (such as on social media) or that you provide to us (such as information included in your application, resume, cover letter, or in this career portal). This may also include background screening information, which may include information related to any legal disputes or disputes that may arise, such as any criminal convictions.
  • Professional or Employment Information, such as your education and work experience, and whether you are subject to any prior employer obligations.
  • Demographic data or other characteristics of protected classifications, if you disclose such information, such as your date of birth and gender as well as more sensitive personal information (also known as special category data), including information relating to racial and ethnic origin, religious, political or philosophical beliefs, trade union membership, parental status, military status, or information about your health, disabilities, sexual orientation, gender identity, and transgender status. Where the processing of this personal information is not required by law, we will only process it with your consent.
  • Business travel and expense information, such as travel itinerary information and expenses incurred for travel during the interview process.
  • Audio or visual information, such as photos provided in connection with a resume, CCTV footage, as well as other information relating to the security of our premises collected during in-person interview or during other parts of the recruitment process, and video or audio recordings of events and recruitment activities.
  • Internet and electronic network, and device activity and device information, and related identifiers, such as information about your use of our network while you are on our premises, including IP address (which may be used to derive a general location) and device identifiers and attributes.
  • Other information that you may voluntarily choose to include on your resume, in connection with your application, or otherwise, such as survey responses.

Combining Personal Information from Different Sources. We may combine the Personal Information we receive from various sources with Personal Information we collect from and about you and use it as described in this Notice.

How we use your personal information
We use the Personal Information described above in the context of your candidacy for employment at CarGurus. Our business purposes for collecting this information include the following:

To consider you for, and assess your suitability for, employment opportunities with CarGurus. 

For example:
  • To receive, consider, and reply to your application;
  • To verify the information you or others provide, and to check your references;
  • To assess your suitability for the opportunity you applied for, and in certain cases, for other opportunities at CarGurus;
  • To facilitate the interview/recruiting process;
  • To prepare an offer letter, if your application is successful;
  • To determine your eligibility to work in the jurisdiction to which you are applying;
  • If you were referred, to inform your referral source of the status and final outcome of your application; and
  • Where we have identified you as a potential candidate from information that we've collected from public sources, in order to suggest suitable opportunities for you at CarGurus.
  
To stay in touch and engage with you. In considering you for opportunities at CarGurus we may consider you for current and future opportunities. We may contact you from time to time, for example, to invite you to events we organize or sponsor, send you alerts or recommendations about opportunities at CarGurus, or ask you for updates. You can opt out of these communications at any time.

To maintain and improve our recruiting processes, for internal planning and management reporting, and to comply with laws and regulations, for example:
  • To manage and improve our careers portal and our recruiting processes, for instance, to make the application process easier and more efficient;
  • To prepare and perform management reporting and to perform analysis related to recruiting metrics, such as length of the recruiting process;
  • To defend your or our interests in actual or threatened legal proceedings, or regulatory, administrative, or legislative inquiries or investigations;
  • To maintain the safety, integrity, and security of CarGurus, its employees, and others as required or permitted by law, including but not limited to conducting background and security checks;
  • To protect the health and safety of employees and others in our facilities to the extent permitted by applicable law (e.g., to monitor the spread of infectious diseases in the workplace, where appropriate); 
  • To create and submit reports as required by applicable law or regulation; and 
  • To respond to and cooperate with legal or regulatory requests or investigations.

If you accept a conditional offer from us, we process your information for background verification (to the extent permitted by applicable laws). We'll provide further information regarding this processing upon the start of the background verification process.

To manage and administer our HR process. For example, for onboarding, determining compensation, scheduling, IT and information security purposes, fraud prevention, and conducting internal audits and analyses.

To manage our security operations, for example:
  • Detecting security incidents;
  • Debugging and repairing errors, and preventing unauthorized access to our computer and electronic communications systems and preventing malicious software distribution;
  • Monitoring and controlling access to our premises and locations (including through use of CCTV);
  • Safeguarding CarGurus, our locations, services, workforce, users, partners, and others.

To exercise our legal rights, including seeking legal advice from our external lawyers or in connection with litigation with third parties.

To facilitate M&A and other business transactions. For example, for planning, due diligence and implementation of commercial transactions, such as mergers, acquisitions, asset sales or transfers, bankruptcy, or reorganization or other similar business transactions.

At your request, in order to fulfill your instructions.

For other legally permitted purposes (subject to your consent, where legally required).

Aggregate and De-Identified Information. We may aggregate or de-identify personal information such that it no longer reasonably identifies you. We may use and disclose this information for any purpose and in any way in our discretion.


Recorded Interviews 
For a fairer, more objective hiring process, your interview may be recorded and/or transcribed using AI-powered tools. You will receive more detailed information before any recording takes place, and you may opt out of recording. No hiring decisions will be influenced by whether a candidate opts in or out of recording.  

Automated decision-making
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We do not currently anticipate that any decisions will be made about you using automated means, however we will notify you in writing if this position changes.

How we disclose your personal information
We will, from time to time, disclose some of your Personal Information to certain recipients as detailed below:
  • Internally: To employees within CarGurus who participate in the recruitment process, such as HR managers and employee interviewers;
  • Other group companies: To other CarGurus group companies for the legitimate interests of CarGurus, to the extent to which they need access to your Personal Information because they are involved in the recruitment processes and to facilitate group HR management and groupwide human resources planning and administration (including adequate staffing and in connection with management of the CarGurus group structure); 
  • Vendors: To background check companies, security providers, information technology providers, travel management companies, employment businesses (e.g., recruiting contractors or agency workers), and other vendors that assist us in the development, performance and management of our recruitment process; 
  • Recruiters: To the extent you are working with a recruiter in connection with your application for employment and your recruiter is authorized by you to obtain feedback from us regarding your application and interview process;
  • Legal, compliance, and exercising legal rights: (i) When required to do so by law regulation, or court order; (ii) in response to a request for assistance by a law enforcement agency; (iii) to seek legal advice from our external lawyers or in connection with litigation with you or a third party; or (iv) as otherwise necessary to exercise our legal rights or to protect CarGurus or its employees;
  • Business transaction purposes: To a buyer, investor, or potential buyer/investor in connection with a sale or other transfer of all or part of our shares, assets or business; and  
  • Consent: With your consent and as permitted by law, we may disclose your Personal Information to any other parties in any other circumstances.

The entities to which we disclose Personal Information for the purposes described in this Notice may be located in jurisdictions outside of your jurisdiction of residence. In such situations, we will perform appropriate diligence to determine whether the third-party recipient can process and protect such Personal Information in a manner at least as robust as is required under applicable law.

How long we retain your personal information
We’ll retain your Personal Information until we determine it is no longer necessary to satisfy the purposes for which it was collected and our legal obligations. As described above, these purposes include our business operations and complying with reporting, legal, and accounting obligations, including to resolve disputes, to enforce our contractual agreements, and, where applicable, to consider you for other current and future employment opportunities at CarGurus.

In determining how long to retain information, we consider the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorized use or disclosure of Personal Information, the purposes for which we process the Personal Information, and whether we can achieve those purposes in other ways, the applicable legal requirements, and our legitimate interests. 

If you’re successful in your application for a position at CarGurus, we retain the Personal Information you provide during the application process, and information about your application process, as part of your employee records.

If you no longer want us to use your information 
Applying to CarGurus is entirely voluntary on your part, so by submitting your application you are expressly agreeing that we can use your Personal Information in order to decide whether to contact you, discuss employment possibilities with you, and/or offer you employment. If you do submit an application but subsequently decide, before we make any decision, that you do not want us to use your Personal Information, you can let your CarGurus recruiting specialist know, and we will stop using it (we may retain a copy in our files as described in this Notice). However, this means you will no longer be eligible for employment, unless you subsequently apply for another position at CarGurus.

Data security
We are committed to protecting the privacy and security of your Personal Information. We have put in place security measures to protect your Personal Information from being accidentally lost, used or accessed in an unauthorized way, altered, or disclosed, but we cannot guarantee absolute security.  In addition, we have policies in place to limit access to your Personal Information to only those employees, agents and contractors who are authorized to access your Personal Information.

Notice regarding lie detector tests
It is unlawful in Massachusetts to require or administer a lie detector test as a condition of employment or continued employment. An employer who violates this law shall be subject to criminal penalties and civil liability.

Changes to this notice
We may change this Notice from time to time. If we make material changes to the Notice, we’ll prominently post the changes on this page and take any other steps required by applicable law. Please refer to the date at the top of this Notice for the last-updated version. 

Contact us
If you have any questions or concerns about this Notice and the practices described herein, or wish to avail yourself of your data privacy rights, please contact us at privacy@cargurus.com. 

Personal Information Rights for California, Canadian, EU, and UK Residents
Depending on your jurisdiction of residence, you may have certain rights regarding your Personal Information. As provided in applicable law, these rights may include:   
  • Request access to certain of your Personal Information, including the right to obtain confirmation of whether we are processing your Personal Information, obtain a copy of that information, and know certain information about our processing of your Personal Information, such as our processing purposes; 
  • Request correction of certain of the Personal Information that we have about you that is inaccurate;
  • Request deletion or removal of certain of your Personal Information; or
  • Object to or request restriction of certain processing activities.

Where we rely on your consent to process your personal information, you have the right to withdraw consent at any time. This will not affect the lawfulness of processing prior to the withdrawal of your consent.

Exceptions: There are certain exceptions to the above rights. For instance, we may retain your Personal Information if it is reasonably necessary for us or our service providers to provide a service that you have requested, to comply with law, or to detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity or prosecute those responsible for that activity. In addition, we reserve the right not to process requests that are manifestly unfounded or excessive, as provided in applicable law, or that we are not legally obligated to process.

Exercising your rights: To exercise your rights, please contact us and specify the right(s) you want to exercise and the Personal Information with respect to which you want to exercise such right(s). You can submit your request by emailing us at privacy@cargurus.com.  We may take reasonable steps to verify your identity before responding to a request, and to do so, we may ask you for additional information to verify your identity.


Additional Information for California Candidates
Additional Rights of California Residents.
California law places certain obligations on businesses that “sell” personal information to third parties or “share” personal information with third parties for “cross-context behavioral advertising” as those terms are defined under the California Consumer Privacy Act. We do not “sell” or “share” the Personal Information covered by this Notice and have not done so in the twelve months prior to the effective date of this Notice.

Please note that to the extent we collect sensitive/protected classification information, we do not process such information for purposes subject to the “right to limit” under California law.  Accordingly, we only use and disclose such sensitive information about California applicants as reasonably necessary and proportionate: (i) to perform our services requested by you; (ii) to help ensure security and integrity, including to prevent, detect, and investigate security incidents; (iii) to detect, prevent and respond to malicious, fraudulent, deceptive, or illegal conduct; (iv) to verify or maintain the quality and safety of our services; and (v) for compliance with our legal obligations.

No Discrimination. We will not discriminate against you for exercising your rights concerning your Personal Information.


Additional Information for Canadian Candidates
International Transfers of Personal Information. Where applicable law permits, we may transfer the Personal Information we collect about you to the United States and other jurisdictions that may not be deemed to provide the same level of privacy protection as Canada for the purposes set out in this Notice. The measures that we use to protect Personal Information are subject to the legal requirements of the jurisdictions to which we transfer Personal Information, including lawful requirements to disclose information to law enforcement and government agencies in those countries. 

Additional Information for EU/UK Candidates
Legal Bases for Processing. Where we are required to have a legal basis for processing your Personal Information, these legal bases are:
  • Contract: We may process your Personal Information as necessary to perform a contract with you, such as to enter into an employment agreement with you.
  • Legal obligation: We may process your Personal Information to comply with a legal obligation or request, such as to comply with employment laws.
  • Legitimate interest: We may process your Personal Information for purposes of our or another party’s legitimate interests, such as to maintain the security of our premises, personnel, and property.
  • Consent: We may process your Personal Information consistent with your consent to the extent permitted by applicable law.

Right to Lodge a Complaint. You have the right to lodge a complaint with your local data protection authority if you believe we have processed your Personal Information in violation of applicable data protection law. However, we encourage candidates to raise any complaint with us first so we can do our best to resolve it.  

International Transfers of Personal Information. Subject to applicable law, we may transfer, process, and store your Personal Information outside of your jurisdiction of residence, including in the United States and other jurisdictions where we or our vendors are located. If we transfer, or allow our vendors to transfer, some of your Personal Information to jurisdictions not deemed to be “adequate” by the relevant authorities (such as jurisdictions that are deemed not to provide a level of protection to Personal Information that is equivalent to that of the EEA, UK, or Switzerland), we will transfer such Personal Information in compliance with applicable law and using a legally recognized transfer mechanism, including the European Commission's Standard Contractual Clauses, and equivalent transfer mechanisms in the UK and Switzerland.