Car Spot respects Your privacy and is committed to protecting Your Personal Data. This Privacy Policy explains how We collect, use, store, and protect Your information when You use Our Application on iOS and Android. It also explains Your rights under the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and how Our data practices align with Apple's App Privacy and Google Play's Data Safety requirements.
By using the Application, You agree to the terms of this Privacy Policy.
For the purposes of this Privacy Policy, capitalized terms have the meanings defined below, whether they appear in singular or plural form.
When You use the Application, We collect information that is necessary to provide, operate, and improve the Service. Where You have an Account, this information is linked to it. The information falls into the following categories:
Information used to create, identify, and manage Your Account, such as account identifiers, email address, sign-in method (email/password, Google, or Apple), and account-related timestamps. If You sign in via Google or Apple, We receive Your name, email address (which Apple may relay through a private address), and profile picture from the provider.
Purpose: To authenticate You, manage Your Account, and associate Your data with Your use of the Service.
Information You choose to provide to personalize Your Account and experience within the Application, including display name, username, bio, avatar image, and progress indicators (XP, level, rank).
Purpose: To personalize the Service, display relevant information within the Application, and track Your progress.
Content You create, upload, or submit while using the Application, including images, associated metadata, and other content generated through Your use of the Service. This includes spotted cars and their associated details, car identification corrections You submit, collections You create, and shareable links You generate.
Purpose: To provide the core functionality of the Service and allow You to view, manage, and retrieve Your content.
Precise location data (GPS latitude and longitude) collected only while the Application is in use and with Your explicit permission. We also derive an approximate location name (city, region, country) from Your coordinates.
Purpose: To associate content or activity with a geographic location as part of the Service's functionality. Location data is never collected in the background. You may disable location tagging at any time in the Application's settings.
Information about how You interact with the Application, such as actions taken (e.g., scans performed, collections created), frequency of use, activity dates, and engagement over time.
Purpose: To support Application features (such as activity history and streaks), monitor usage patterns, enforce rate limits, and improve functionality and user experience.
Information related to how You organize, group, or manage Your content and preferences within the Application, including settings such as theme, currency, distance units, and region.
Purpose: To enable content organization and customization features.
Information You provide when contacting Us for support or assistance, including messages, support requests, optional screenshots, and technical information associated with Your Device (such as device model, operating system name and version, and app version).
Purpose: To respond to inquiries, troubleshoot issues, and improve the Service.
Information related to in-app purchases and subscriptions processed through Apple's App Store, Google Play, or RevenueCat (our subscription management provider). RevenueCat receives Your anonymous user identifier and purchase events; it does not receive Your email address or other profile information. We do not collect or store payment card details or billing information.
Purpose: To manage access to paid features and track subscription status.
Technical and diagnostic data, such as device information, operating system version, application version, crash reports, and error logs. We use Sentry for error monitoring, which may capture sampled session replays (short screen recordings) to help diagnose errors. Session replays do not capture text input fields, passwords, or sensitive data. Personally identifiable information is not sent to Sentry in production builds.
Purpose: To maintain performance, identify and fix errors, and improve reliability and user experience.
If You use the Application in Guest Mode (without an Account), We process Your photos for AI identification but do not store them or any Personal Data on Our servers. A hashed (pseudonymized) representation of Your IP address is temporarily stored for up to 48 hours for rate limiting and abuse prevention purposes, after which it is automatically deleted. No other Personal Data is persisted for Guest Mode users. Scan results are stored only on Your Device until You create an Account.
Purpose: To provide limited Service functionality and prevent abuse.
If You participate in the creator or referral program, We track referral relationships (who referred whom), associated subscription events, and revenue amounts attributable to referrals, for the purpose of calculating referral attribution and commission payouts. Creator participants' contact information (name, email) is stored for program administration.
Purpose: To operate the referral program and attribute referrals correctly.
When You create shareable links, Your display name, avatar, and the content You choose to share (car spot details, collections) may be visible to anyone who accesses the link. Share links expire after 3 days. Social features such as follows, likes, and public profiles may make certain information visible to other users.
Purpose: To enable sharing and social features within the Service.
We process Your Personal Data under the following legal bases, in accordance with GDPR:
Automated decision-making (GDPR Article 22): The Service uses AI-based systems (including Google Gemini) for car identification. These systems analyze photos You submit and generate automated results including car make, model, year, generation, and specifications. These automated results do not produce legal or similarly significant effects on You, and are provided for informational and entertainment purposes only. You may submit corrections to any AI-generated identification. You have the right to request human review of any automated result by contacting Us at legal@carspot.dev.
We use the following categories of Service Providers to operate the Service. These providers process data on Our behalf and are contractually required to protect Your data:
We do not sell Your Personal Data and do not share it with third parties for their own marketing purposes.
Some of Our Service Providers are based in or process data in the United States and other countries outside the European Union. Where Personal Data is transferred outside the EU/EEA, We ensure appropriate safeguards are in place, such as:
You may contact Us for more information about the specific safeguards applied to any particular transfer.
All user data, including Account information, Location Data, User Content, activity data, and progress-related data is securely stored using Supabase.
The Application stores certain data locally on Your Device to enable offline functionality and improve performance. This includes cached content, preferences, and authentication tokens. Authentication tokens are stored using encrypted storage (Keychain on iOS, encrypted SharedPreferences on Android). Other cached data is stored in standard device storage.
We apply reasonable technical and organizational safeguards to protect Your data, including:
While no system can guarantee absolute security, We continuously work to protect Your information. In the event of a data breach that poses a risk to Your rights and freedoms, We will notify affected users and the relevant supervisory authority within 72 hours as required by GDPR.
If You are located in the European Union or European Economic Area, You have the following rights under GDPR:
You may also contact Us at legal@carspot.dev if You need assistance exercising any of these rights. We will respond to requests within 30 days.
If You are a California resident, You have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
To exercise these rights, You may use the in-app controls described in Section 6, or contact Us at legal@carspot.dev.
Categories of Personal Data collected (per CCPA categories):
We do not knowingly collect or sell the Personal Data of consumers under 16 years of age.
Right to correct: You may request that We correct inaccurate Personal Data that We maintain about You. You can update most information directly within the Application, or contact Us at legal@carspot.dev.
Right to limit use of sensitive personal information: We collect precise geolocation data, which is classified as sensitive personal information under the CCPA. You may direct Us to limit the use of this sensitive personal information to purposes necessary to provide the Service. You can disable location collection at any time in the Application's settings. To submit a request to limit, contact Us at legal@carspot.dev.
Authorized agents: You may designate an authorized agent to submit a request on Your behalf. We may require verification that the agent has been properly authorized.
Response timing: We will acknowledge Your request within 10 business days and respond substantively within 45 calendar days, with the possibility of a 45-day extension if necessary and communicated to You.
We retain Personal Data for the following periods:
When You reset data, the selected information is permanently removed from Our servers. When You delete Your Account, all associated Personal Data is permanently deleted from Our servers. We do not retain user data after Account deletion beyond short-term technical backup requirements (up to 30 days).
Third-party data retention: Data previously sent to third-party Service Providers (such as Sentry crash reports, RevenueCat purchase records, or photos processed by Google Gemini AI) is subject to those providers' own data retention policies and cannot be deleted by Us. Google's Gemini API may retain submitted data for up to 30 days for abuse monitoring purposes.
We may disclose Your Personal Data if required to do so by law or in response to valid requests by public authorities (such as a court or government agency).
If the Company is involved in a merger, acquisition, or asset sale, Your Personal Data may be transferred. We will notify You before Your data becomes subject to a different privacy policy.
The Service is intended for users of all ages. However, if You are under the age of 13 (or the minimum age required by applicable law to enter into a legally binding agreement), You may only use the Service with the consent of a parent or legal guardian.
We do not knowingly collect Personal Data from children where such collection would violate applicable child data protection laws, including the U.S. Children's Online Privacy Protection Act (COPPA) and Article 8 of GDPR. If We become aware that Personal Data has been collected without the required parental or legal guardian consent, We will take reasonable steps to delete such data as soon as practicable.
If You are a parent or guardian and You are aware that Your child has provided Us with Personal Data without Your consent, please contact Us at legal@carspot.dev.
The Application may request access to the following Device features. All permissions are optional and can be granted or revoked at any time through Your Device's settings:
The Application does not access Your microphone, contacts, calendar, or other sensitive Device features.
The Application may contain links to third-party websites or services that are not operated by the Company. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services. We strongly advise You to review their privacy policies.
We may update this Privacy Policy from time to time. For material changes, We will provide notice through the Application or by updating the effective date on this page. Changes will be posted with a revised effective date. Continued use of the Service after changes take effect constitutes acceptance of the updated Privacy Policy.
If You have questions, concerns, or requests regarding this Privacy Policy or Your Personal Data, please contact Us at:
Email: legal@carspot.dev
We aim to respond to all legitimate requests within 30 days. If Your request is particularly complex, We may notify You and extend the response period by up to 60 additional days.