Car Spot respects Your privacy and is committed to protecting Your Personal Data. This Privacy Policy explains how We collect, use, store, and protect Your information when You use Our Application on iOS and Android. It also explains Your rights under the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and other U.S. state privacy laws, and how Our data practices align with Apple's App Privacy and Google Play's Data Safety requirements.
By using the Application, You agree to the terms of this Privacy Policy.
For the purposes of this Privacy Policy, capitalized terms have the meanings defined below, whether they appear in singular or plural form.
When You use the Application, We collect information that is necessary to provide, operate, and improve the Service. Where You have an Account, this information is linked to it. The information falls into the following categories:
Information used to create, identify, and manage Your Account, such as account identifiers, email address, sign-in method (email/password, Google, or Apple), and account-related timestamps. If You sign in via Google or Apple, We receive Your name, email address (which Apple may relay through a private address), and profile picture from the provider.
Purpose: To authenticate You, manage Your Account, and associate Your data with Your use of the Service.
Information You choose to provide to personalize Your Account and experience within the Application, including display name, avatar image, and progress indicators (XP, level, rank).
Purpose: To personalize the Service, display relevant information within the Application, and track Your progress.
Content You create, upload, or submit while using the Application, including images, associated metadata, and other content generated through Your use of the Service. This includes spotted cars and their associated details, car identification corrections You submit, collections You create, and shareable links You generate.
Purpose: To provide the core functionality of the Service and allow You to view, manage, and retrieve Your content.
Precise location data (GPS latitude and longitude) collected only while the Application is in use and with Your explicit permission. We also derive an approximate location name (city, region, country) from Your coordinates.
Purpose: To associate content or activity with a geographic location as part of the Service's functionality. Location data is never collected in the background. You may disable location tagging at any time in the Application's settings.
Information about how You interact with the Application, such as actions taken (e.g., scans performed, collections created), frequency of use, activity dates, and engagement over time.
Purpose: To support Application features (such as activity history and streaks), monitor usage patterns, enforce rate limits, and improve functionality and user experience.
Information related to how You organize, group, or manage Your content and preferences within the Application, including settings such as theme, currency, distance units, and region.
Purpose: To enable content organization and customization features.
Information You provide when contacting Us for support or assistance, including messages, support requests, optional screenshots, and technical information associated with Your Device (such as device model, operating system name and version, and app version).
Purpose: To respond to inquiries, troubleshoot issues, and improve the Service.
Information related to in-app purchases and subscriptions processed through Apple's App Store, Google Play, or RevenueCat (Our subscription management provider). RevenueCat receives Your anonymous user identifier and purchase events; it does not receive Your email address or other profile information. We do not collect or store payment card details or billing information.
Purpose: To manage access to paid features and track subscription status.
Technical and diagnostic data, such as device information, operating system version, application version, crash reports, and error logs. We use Sentry for error monitoring and crash reporting to help Us diagnose and fix problems. Personally identifiable information is not sent to Sentry in production builds.
To reduce processing cost and latency for repeated scans, the result of an AI identification may be cached on Our servers, keyed by a non-reversible cryptographic hash (SHA-256) of the submitted image. This cache stores only the hash and the identification result; it does not store the photo itself and is not linked to Your Account or identity.
Purpose: To maintain performance, identify and fix errors, and improve reliability and user experience.
If You use the Application in Guest Mode (without an Account), We do not create an Account for You and We do not store Your photos or scan history on Our servers; scan results are stored only on Your Device until You create an Account. Limited data is persisted only as described elsewhere in this Policy: short-lived rate-limiting records (see below), and, if You purchase a Subscription in Guest Mode, a pseudonymous identifier from Our subscription provider together with Your entitlement status, stored to deliver the paid features You purchased (see Section 1.8).
To enforce rate limits and prevent abuse, We temporarily store rate-limiting records. The identifier in these records (for signed-in users, Your account identifier; for unauthenticated requests, Your IP address) is stored only as a one-way cryptographic hash (SHA-256) — never in raw form — together with the type of operation performed and a timestamp. These records are retained for up to 48 hours and are then automatically deleted. They are used only for rate limiting and abuse prevention (for example, throttling sensitive endpoints such as data export and administrative operations).
Purpose: To provide limited Service functionality and prevent abuse.
If You participate in the creator or referral program, We track referral relationships (who referred whom), associated subscription events, and revenue amounts attributable to referrals, for the purpose of calculating referral attribution and commission payouts. Creator participants' contact information (name, email) is stored for program administration.
Purpose: To operate the referral program and attribute referrals correctly.
When You create shareable links, Your display name, avatar, and the content You choose to share — car spot details (including the precise GPS location where the car was spotted, if You enabled location) and collections — may be visible to anyone who accesses the link. Share links expire 3 days after creation.
We may, in future versions of the Application, introduce social and multiplayer features — such as public or private profiles, following other users, leaderboards, and liking or viewing other users' spots — that allow certain information You provide (such as Your display name, avatar, statistics, and spots You choose to make visible) to be seen by other users. Where such features are introduced, profile visibility will default to private and additional details will be disclosed in an updated version of this Privacy Policy before the feature becomes available to You.
Purpose: To enable sharing and social features within the Service.
We process Your Personal Data under the following legal bases, in accordance with GDPR:
Automated decision-making (GDPR Article 22): The Service uses AI-based systems (including Google Gemini) for car identification. These systems analyze photos You submit and generate automated results including car make, model, year, generation, and specifications. These automated results do not produce legal or similarly significant effects on You, and are provided for informational and entertainment purposes only. You may submit corrections to any AI-generated identification. You have the right to request human review of any automated result by contacting Us at carspot@novapps.dev.
AI Transparency (EU AI Act, Regulation 2024/1689): In accordance with Article 50 of the EU AI Act, We disclose that the Application uses an AI system to identify vehicles from photos You submit, and to generate accompanying commentary. This AI system is operated by Us as the deployer, using Google's Gemini model as the underlying provider. AI-generated outputs (identifications and commentary) are labelled within the Application. Reference data displayed alongside identifications — including specifications such as horsepower, weight, performance figures, dimensions, and historical information — is sourced from Our curated reference database (the "Catalog", as defined in Our Terms of Service) and is not AI-generated. The AI system is intended for entertainment and informational purposes only and may produce inaccurate results, particularly for rare, modified, or visually ambiguous vehicles. You should not rely on AI-generated identifications for purchases, insurance, valuation, legal, or safety-critical purposes. We do not use AI to make decisions that produce legal or similarly significant effects on You. We comply with Article 4 of the AI Act regarding AI literacy of personnel involved in operating the Service.
We use the following categories of Service Providers to operate the Service. These providers process data on Our behalf and are contractually required to protect Your data:
We do not sell Your Personal Data and do not share it with third parties for their own marketing purposes.
We maintain this list of Service Providers and keep it current. If We engage a new Service Provider, or materially change how an existing one processes Your Personal Data, We will update this Section and provide notice of such material changes in accordance with Section 13 (Changes to This Privacy Policy).
Your core account data, content, and images are stored within the EU/EEA (Supabase, Ireland). However, some of Our other Service Providers (such as Google Gemini, Sentry, and RevenueCat) are based in or process limited data in the United States. Where Personal Data is transferred outside the EU/EEA, We ensure appropriate safeguards are in place, such as:
Where a Service Provider processes Personal Data on Our behalf, that provider is engaged as a processor under a data processing agreement that complies with Article 28 of the GDPR.
You may contact Us for more information about the specific safeguards applied to any particular transfer.
All user data, including Account information, Location Data, User Content, activity data, and progress-related data, is securely stored using Supabase.
The Application stores certain data locally on Your Device to enable offline functionality and improve performance. This includes cached content, preferences, and authentication tokens. Authentication tokens are stored using encrypted storage (Keychain on iOS, encrypted SharedPreferences on Android). Other cached data is stored in standard device storage.
We apply reasonable technical and organizational safeguards to protect Your data, including:
While no system can guarantee absolute security, We continuously work to protect Your information. In the event of a data breach that poses a risk to Your rights and freedoms, We will notify affected users and the relevant supervisory authority within 72 hours as required by GDPR.
If You are located in the European Union or European Economic Area, You have the following rights under the GDPR and applicable national data protection laws (such as the Danish Data Protection Act):
Our lead supervisory authority is the Danish Data Protection Agency (Datatilsynet), as NovApps ApS is established in Denmark. You may contact Datatilsynet at datatilsynet.dk. You also have the right to lodge a complaint with the supervisory authority in Your own EU/EEA country of residence.
You may also contact Us at carspot@novapps.dev if You need assistance exercising any of these rights. We will respond to requests within 30 days.
A number of U.S. states have enacted comprehensive consumer privacy laws, including (among others) California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon, Montana, and additional states whose laws take effect over time. As a small business established in the European Union, We are generally below the applicability thresholds of these laws; nonetheless, We extend the following rights to residents of U.S. states with applicable privacy laws as a matter of good practice. If You are a resident of such a state, You may have the right to:
To exercise any of these rights, You may use the in-app controls described in Section 6, or contact Us at carspot@novapps.dev. You may designate an authorized agent to submit a request on Your behalf; We may require verification that the agent is properly authorized and verification of Your identity before fulfilling a request.
Categories of Personal Data collected (per CCPA categories):
We do not sell Personal Data and do not knowingly sell or share the Personal Data of consumers under 16 years of age.
Right to limit use of sensitive personal information: We collect precise geolocation data, which is classified as sensitive personal information under the CCPA. You may direct Us to limit the use of this sensitive personal information to purposes necessary to provide the Service. You can disable location collection at any time in the Application's settings, or contact Us at carspot@novapps.dev.
Response timing: We will acknowledge Your request within 10 business days and respond substantively within 45 calendar days, with the possibility of a 45-day extension if reasonably necessary and communicated to You.
We retain Personal Data for the following periods:
When You reset data, the selected information is permanently removed from Our servers. When You delete Your Account, all associated Personal Data is permanently deleted from Our servers. We do not retain user data after Account deletion beyond short-term technical backup requirements (up to 30 days).
Third-party data retention: Data previously sent to third-party Service Providers (such as Sentry crash reports, RevenueCat purchase records, or photos processed by Google Gemini API) is subject to those providers' own data retention policies and cannot be deleted by Us. Google's Gemini API does not retain photos or use them for model training, in accordance with its API Terms of Service.
Authorized personnel of the Company may access Your Personal Data on a need-to-know basis to operate, support, secure, and moderate the Service — for example, to respond to support requests or to review and correct car identifications. Such access is limited to what is necessary for these purposes and is subject to confidentiality obligations.
We may disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (such as a court or government agency).
If the Company is involved in a merger, acquisition, or asset sale, Your Personal Data may be transferred. We will notify You before Your data becomes subject to a different privacy policy.
You must be at least 13 years old to use the Service, as set out in Our Terms of Service. Separately, the minimum age at which You can consent to the processing of Your Personal Data without parental authorization varies by country. Under Article 8 of the GDPR this age is 16 by default, but EU/EEA member states may lower it to as low as 13 (for example, it is 13 in Denmark, 15 in France, and 16 in Germany and the Netherlands). If You are under the applicable age in Your country of residence, You may only use the Service with the consent of a parent or legal guardian.
We do not knowingly collect Personal Data from children where such collection would violate applicable child data protection laws, including the U.S. Children's Online Privacy Protection Act (COPPA) and Article 8 of GDPR. If We become aware that Personal Data has been collected without the required parental or legal guardian consent, We will take reasonable steps to delete such data as soon as practicable.
If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data without Your consent, please contact Us at carspot@novapps.dev.
The Application may request access to the following Device features. All permissions are optional and can be granted or revoked at any time through Your Device's settings:
The Application does not access Your microphone, contacts, calendar, or other sensitive Device features.
The Application may contain links to third-party websites or services that are not operated by the Company. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. We strongly advise You to review their privacy policies.
We may update this Privacy Policy from time to time. For material changes, We will provide notice through the Application or by updating the effective date on this page. Changes will be posted with a revised effective date. Continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.
If You have questions, concerns, or requests regarding this Privacy Policy or Your Personal Data, please contact Us at:
Email: carspot@novapps.dev
We aim to respond to all legitimate requests within 30 days. If Your request is particularly complex, We may notify You and extend the response period by up to 60 additional days.