Privacy Policy
Effective Date: October 8, 2025
Last Updated: October 8, 2025
Key Points Summary
- What we collect: Account information, vehicle inventory data, usage data, and payment information
- Why we collect it: To provide and improve our vehicle inventory management service, process payments, and communicate with you
- Your rights: Access, correct, delete, or export your data at any time
- Data security: We use industry-standard encryption and security measures
- Contact us: [email protected] for any privacy-related questions
1. Introduction and General Information
1.1 About This Policy
This Privacy Policy describes how Motorbase ("we," "us," or "our") collects, uses, shares, and protects personal information when you use our vehicle inventory management platform (the "Service"). This policy applies to our website, web application, mobile applications, API, and all related services.
1.2 Legal Basis and Compliance
We are committed to protecting your privacy and complying with applicable data protection laws and regulations, including:
- The General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA)
- The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) for California residents
- Other applicable data protection and privacy laws worldwide
1.3 Our Role in Data Processing
Depending on how you use our Service, we act in different capacities:
- Data Controller: For your account information, billing data, usage analytics, and communications, we determine the purposes and means of processing your personal data.
- Data Processor: For the vehicle inventory data and customer information you upload to the Service, you (the customer) are the Data Controller, and we process this data on your behalf according to your instructions and our agreement.
1.4 Acceptance of This Policy
By accessing or using the Service, you acknowledge that you have read, understood, and agree to this Privacy Policy. If you do not agree, please discontinue use of the Service immediately.
2. Information We Collect
2.1 Information You Provide Directly
Account and Registration Information:
- Full name
- Email address
- Password (encrypted and stored securely)
- Organization name and details
- Job title and role
- Phone number (if provided)
- Profile picture (if uploaded)
Billing and Payment Information:
- Billing name and address
- Credit card information (processed and stored securely by our payment processor, not stored on our servers)
- Tax identification numbers (when required)
- Payment history and transaction records
Vehicle Inventory Data (Customer Data):
- Vehicle information (make, model, year, VIN, color, type, version)
- Vehicle images and documentation
- Pricing and availability information
- Custom fields and metadata you create
- Any other data you upload, create, or store in the Service
Communications and Support:
- Messages, emails, and communications you send to our support team
- Feedback, survey responses, and feature requests
- Information provided during customer service interactions
2.2 Information Collected Automatically
Usage Data:
- Features and pages accessed
- Actions performed within the Service
- Time spent on pages and features
- Search queries and filters used
- Frequency and duration of sessions
- Click patterns and navigation paths
Technical and Device Information:
- IP address
- Browser type and version
- Device type, operating system, and version
- Screen resolution and device identifiers
- Time zone and language preferences
- Referring URLs and exit pages
API Usage Data:
- API endpoints accessed
- API call frequency and volume
- Authentication tokens and API keys (encrypted)
- Request and response data (for troubleshooting and security)
Location Data:
- Approximate geographic location derived from IP address
- Precise location data (only if you explicitly grant permission through your device settings)
2.3 Information from Third-Party Sources
We may receive information about you from third-party sources, including:
- Authentication Services: If you sign in using a third-party service (e.g., Google, Microsoft), we receive basic profile information such as your name, email, and profile picture as permitted by that service.
- Analytics and Marketing Tools: We use third-party analytics services (e.g., Google Analytics, Mixpanel) that may provide aggregated or de-identified data about user behavior and demographics.
- Payment Processors: Our payment processors (e.g., Stripe) provide us with payment confirmation and billing information.
- Public Sources: We may supplement our data with publicly available information from business directories or social media platforms to better understand our business customers.
3. How and Why We Use Your Information
We process your personal information for the following purposes, based on the legal grounds specified below:
| Purpose | Data Used | Legal Basis (GDPR) |
|---|---|---|
| Provide and deliver the Service | Account data, usage data, vehicle inventory data | Performance of Contract |
| Process payments and billing | Payment information, billing address | Performance of Contract, Legal Obligation |
| Provide customer support | Account data, communications, usage data | Performance of Contract |
| Improve and optimize the Service | Usage data, technical data, feedback | Legitimate Interests |
| Send service communications | Email address, account data | Performance of Contract, Legal Obligation |
| Send marketing communications | Email address, name | Consent, Legitimate Interests (existing customers) |
| Detect and prevent fraud and abuse | Usage data, IP address, device data | Legitimate Interests, Legal Obligation |
| Ensure security and compliance | All data types as necessary | Legal Obligation, Legitimate Interests |
| Comply with legal obligations | All data types as required by law | Legal Obligation |
| Analytics and research | Aggregated, anonymized usage data | Legitimate Interests |
3.1 Marketing Communications
With your consent or based on our legitimate interests (for existing customers), we may send you marketing emails about new features, product updates, special offers, and other information we think may interest you. You can opt out of marketing communications at any time by:
- Clicking the "unsubscribe" link in any marketing email
- Adjusting your email preferences in your account settings
- Contacting us at [email protected]
Note: Even if you opt out of marketing communications, we will still send you essential service-related emails (e.g., account notifications, billing statements, security alerts).
4. How We Share and Disclose Information
We do not sell your personal information. We may share your information in the following circumstances:
4.1 Third-Party Service Providers
We share data with trusted third-party vendors who help us provide and improve the Service. These service providers are contractually obligated to protect your data and use it only for the purposes we specify:
- Cloud Hosting and Infrastructure: We use cloud service providers (e.g., AWS, Cloudflare) to host and deliver the Service.
- Payment Processing: Payment information is processed by secure payment processors (e.g., Stripe) who are PCI-DSS compliant.
- Analytics and Performance Monitoring: We use analytics tools (e.g., Google Analytics, ClickHouse) to understand usage patterns and improve the Service.
- Customer Support Tools: We use customer support platforms to manage and respond to your inquiries.
- Email and Communication Services: We use email service providers (e.g., Plunk) to send transactional and marketing emails.
- Authentication Services: We use third-party authentication providers to enable secure sign-in options.
- Storage and CDN: We use cloud storage services (e.g., Cloudflare R2) to store and deliver vehicle images and files.
4.2 Business Transfers and Corporate Events
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of assets, or transition of service to another provider, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any such change in ownership or control of your personal information.
4.3 Legal Obligations and Protection
We may disclose your information if required to do so by law or if we believe in good faith that such action is necessary to:
- Comply with legal obligations, court orders, subpoenas, or government requests
- Enforce our Terms of Use or other agreements
- Protect and defend our rights, property, or safety
- Protect the rights, property, or safety of our users or the public
- Prevent or investigate fraud, security breaches, or illegal activity
- Respond to emergencies that threaten the life, health, or safety of any person
4.4 With Your Consent
We may share your information with third parties when you explicitly consent to such sharing, such as when you integrate third-party applications with your account or participate in partner programs.
4.5 Aggregated and De-Identified Data
We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you. This data may be used for industry research, analytics, marketing, or other business purposes without restriction.
4.6 Within Your Organization
If you use the Service as part of an organization account, other authorized users within your organization may have access to the data you create, upload, or manage within that shared account.
5. Cookies and Tracking Technologies
5.1 What Are Cookies?
Cookies are small text files stored on your device when you visit a website. They help websites remember your preferences, authenticate your login, and provide analytics about how you use the site. We also use similar technologies such as web beacons, pixels, and local storage.
5.2 Types of Cookies We Use
Essential Cookies (Strictly Necessary):
These cookies are required for the Service to function properly. They enable core functionality such as security, authentication, and accessibility. You cannot opt out of these cookies.
- Session management and authentication
- Security and fraud prevention
- Load balancing and performance
Functional Cookies:
These cookies enable enhanced functionality and personalization, such as remembering your preferences, language settings, and recent searches.
Analytical/Performance Cookies:
These cookies help us understand how users interact with the Service by collecting and reporting information anonymously. They help us improve the Service and user experience.
- Google Analytics (or similar analytics platforms)
- Usage statistics and performance monitoring
- A/B testing and feature optimization
Advertising/Targeting Cookies (if applicable):
These cookies may be used to deliver relevant advertisements and track the effectiveness of our marketing campaigns. They may be set by us or our advertising partners.
5.3 Your Cookie Choices
You have several options to manage cookies:
- Cookie Consent Banner: When you first visit our website, you'll see a cookie consent banner where you can accept or customize your cookie preferences.
- Browser Settings: Most browsers allow you to refuse or delete cookies. Check your browser's help section for instructions. Note that disabling essential cookies may affect the functionality of the Service.
- Opt-Out Tools: You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.
- Do Not Track: Some browsers support "Do Not Track" (DNT) signals. Currently, there is no universal standard for how DNT signals should be interpreted, but we respect your browser settings where technically feasible.
6. Data Security and International Data Transfers
6.1 How We Protect Your Data
We take data security seriously and implement industry-standard technical and organizational measures to protect your personal information from unauthorized access, disclosure, alteration, or destruction. Our security measures include:
- Encryption: Data in transit is encrypted using TLS/SSL protocols. Data at rest is encrypted using AES-256 or equivalent encryption standards.
- Access Controls: Strict access controls and authentication mechanisms ensure that only authorized personnel can access personal data on a need-to-know basis.
- Multi-Factor Authentication (MFA): We require MFA for administrative access to our systems and encourage users to enable MFA on their accounts.
- Regular Security Audits: We conduct regular security assessments, vulnerability scans, and penetration testing to identify and address potential risks.
- Secure Development Practices: We follow secure coding standards and perform code reviews to minimize security vulnerabilities.
- Data Backup and Recovery: We maintain secure, encrypted backups and have disaster recovery procedures in place to ensure business continuity.
- Employee Training: Our team receives regular training on data protection and security best practices.
- Incident Response: We have an incident response plan to quickly detect, respond to, and mitigate security breaches.
However, no system is completely secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and notifying us immediately of any unauthorized access.
6.2 Data Breach Notification
In the event of a data breach that affects your personal information, we will notify you without undue delay and in accordance with applicable law (typically within 72 hours of discovering the breach). Our notification will include:
- The nature of the breach and the data affected
- The likely consequences of the breach
- The measures we have taken or propose to take to address the breach
- Recommended actions you can take to protect yourself
- Contact information for further inquiries
6.3 International Data Transfers
Motorbase operates globally, and your information may be stored and processed in countries outside of your home country, including the United States and other jurisdictions where our service providers operate. These countries may have data protection laws that differ from those in your country.
When we transfer personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries that do not provide an adequate level of data protection, we implement appropriate safeguards, including:
- Standard Contractual Clauses (SCCs): We use the European Commission-approved Standard Contractual Clauses to ensure adequate protection for data transfers.
- Data Processing Agreements (DPAs): We enter into DPAs with our service providers that include data protection obligations and rights.
- Certifications: We work with service providers that maintain relevant certifications and comply with recognized data protection frameworks.
For more information about our international data transfer safeguards, please contact us at [email protected].
7. Your Rights and Choices
Depending on your location and applicable law, you may have the following rights regarding your personal information:
7.1 Right to Access
You have the right to request access to the personal information we hold about you. You can view and download much of your data directly from your account settings. For additional information, contact us at [email protected].
7.2 Right to Rectification
You have the right to correct or update inaccurate or incomplete personal information. You can update most of your information directly in your account settings. For assistance, contact our support team.
7.3 Right to Erasure ("Right to be Forgotten")
You have the right to request deletion of your personal information under certain circumstances, including:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw your consent (where consent was the legal basis for processing)
- You object to the processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Legal obligations require deletion
Note: We may retain certain information as required by law or for legitimate business purposes (e.g., to resolve disputes, enforce agreements, or maintain tax and accounting records).
To delete your account and associated data, you can use the account deletion option in your settings or contact [email protected].
7.4 Right to Restriction of Processing
You have the right to request that we restrict the processing of your personal information in certain circumstances, such as:
- You contest the accuracy of the data (during verification)
- The processing is unlawful, but you prefer restriction over deletion
- We no longer need the data, but you need it for legal claims
- You have objected to processing (pending verification of legitimate grounds)
7.5 Right to Data Portability
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON, CSV) and to transmit that data to another service provider. You can export your data using the export tools in your account settings or by contacting [email protected].
7.6 Right to Object
You have the right to object to processing of your personal information based on our legitimate interests or for direct marketing purposes. To opt out of marketing communications, use the unsubscribe link in our emails or adjust your preferences in your account settings.
7.7 Right to Withdraw Consent
Where we process your data based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
7.8 Right to Lodge a Complaint
If you believe we have not handled your personal information in accordance with applicable law, you have the right to lodge a complaint with your local data protection authority:
- EEA residents: Contact your national data protection authority (list available at https://edpb.europa.eu)
- UK residents: Information Commissioner's Office (ICO) at https://ico.org.uk
- California residents: California Attorney General at https://oag.ca.gov
7.9 California Privacy Rights (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to know what personal information is collected, used, shared, or sold
- Right to delete personal information (subject to certain exceptions)
- Right to opt out of the "sale" or "sharing" of personal information (Note: We do not sell personal information)
- Right to correct inaccurate personal information
- Right to limit the use and disclosure of sensitive personal information
- Right to non-discrimination for exercising your privacy rights
To exercise these rights, please contact us at [email protected] or use the data management tools in your account settings.
7.10 How to Exercise Your Rights
To exercise any of the rights described above, you can:
- Use the account settings and data management tools within the Service
- Email us at: [email protected]
- Submit a request through our privacy request form (if available on our website)
We will respond to your request within the timeframe required by applicable law (typically 30 days for GDPR requests, 45 days for CCPA requests). We may need to verify your identity before processing your request to ensure the security of your information.
8. Data Retention and Deletion
8.1 How Long We Keep Your Data
We retain your personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Our retention criteria include:
- Account Data: Retained for as long as your account is active, plus up to 90 days after account deletion (to allow for account recovery and prevent abuse).
- Billing and Payment Records: Retained for 7 years after the last transaction to comply with tax, accounting, and legal requirements.
- Vehicle Inventory Data (Customer Data): Retained for 30 days after account termination to allow for data retrieval, then securely deleted. Backup copies are retained for up to an additional 90 days.
- Support Communications: Retained for 3 years to improve customer service and resolve disputes.
- Usage and Analytics Data: Aggregated, anonymized data may be retained indefinitely for research and analysis.
- Marketing Data: Retained until you opt out or withdraw consent, then deleted within 30 days.
- Legal and Compliance Data: Retained as long as necessary to comply with legal obligations, resolve disputes, or enforce agreements.
8.2 Data Deletion Process
When personal information is no longer needed or upon your deletion request, we:
- Securely delete or anonymize the data from our production systems
- Remove data from backup systems within 90 days
- Use industry-standard data deletion techniques to ensure data cannot be recovered
- Retain only aggregated, anonymized data that cannot identify you
Note: We may retain certain data if required by law or for legitimate purposes such as fraud prevention, dispute resolution, or enforcing our agreements.
9. Children's Privacy
The Service is not directed to, and we do not knowingly collect personal information from, children under the age of 16 (or under 13 in the United States). If we learn that we have collected personal information from a child under the applicable age without parental consent, we will take steps to delete that information as soon as possible.
If you are a parent or guardian and believe that your child has provided us with personal information without your consent, please contact us immediately at [email protected], and we will take appropriate action.
Our Service is designed for business use by automotive dealerships, rental companies, and fleet managers. Users must be at least 18 years old (or the age of majority in their jurisdiction) to create an account and use the Service.
10. Contact Information and Policy Updates
10.1 Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Motorbase Privacy Team
Email: [email protected]
Support: [email protected]
Website: www.motorbase.com
Mailing Address:
Motorbase Legal Department
[Your Company Address]
[City, State, ZIP]
[Country]
10.2 Data Protection Officer (DPO)
If you are in the EEA or UK and have questions about how we handle your personal data, you may contact our Data Protection Officer:
Email: [email protected]
10.3 Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Service features. When we make material changes, we will notify you by:
- Posting the updated policy on this page with a new "Last Updated" date
- Sending an email notification to the address associated with your account
- Displaying a prominent notice within the Service or on our website
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of the Service after the updated policy takes effect constitutes your acceptance of the changes.
For significant changes that materially affect your rights, we may request your explicit consent before the changes take effect.
10.4 Previous Versions
If you would like to review previous versions of this Privacy Policy, please contact us at [email protected], and we will provide them upon request.
11. Additional Information
11.1 Third-Party Links
The Service may contain links to third-party websites, applications, or services that are not operated or controlled by us. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party sites you visit.
11.2 Automated Decision-Making
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you, except where necessary for entering into or performing a contract with you, authorized by law, or based on your explicit consent.
11.3 Your Responsibility for Customer Data
If you use the Service to process personal data of your customers, employees, or other individuals (as a Data Controller), you are responsible for:
- Obtaining necessary consents and providing required privacy notices
- Complying with applicable data protection laws
- Ensuring the accuracy and lawfulness of the data you upload
- Respecting the privacy rights of individuals whose data you process
We act as a Data Processor for such data and process it only in accordance with your instructions and our Data Processing Agreement (DPA).
This Privacy Policy is effective as of the date indicated above. We are committed to protecting your privacy and handling your personal information with care and transparency.
For questions or concerns, please contact us at [email protected]