Privacy Policy

Last updated: 2026-06-03

Effective date: 2026-06-03

This Privacy Policy describes how Car Manager ("we", "us", "our", or "the App") collects, uses, and shares information about you when you use our mobile and web applications.

1. Who we are

Car Manager is a fleet management application that helps individuals and small businesses track vehicles, fuel and maintenance expenses, shifts, and service providers. The App is operated by Sergii Solonyna, a private entrepreneur (FOP) registered in Ukraine, acting as the data controller ("the Operator").

Contact: [email protected]

2. Information we collect

2.1 Information you provide

  • Account data: name, email address, password (hashed), profile language, country and currency.
  • Vehicles: make, model, year, VIN, license plate, mileage, fuel type, photos you upload.
  • Expenses and shifts: amounts, dates, categories, notes, attachments, mileage readings, work and part items.
  • Team members: when you invite drivers or admins to your organization, we store their email and role.
  • Service providers: addresses, phone numbers, ratings, recommendations.
  • Maintenance records and reminders: dates, intervals, completion notes.
  • Payment information: when you subscribe, billing is handled by Stripe. We do not store full card numbers; we store only the Stripe customer ID, subscription ID and billing metadata.

2.2 Information collected automatically

  • Authentication sessions: cookies (web) and secure-storage tokens (mobile) issued by Better Auth.
  • Device information: app version, OS, model, language, locale.
  • Diagnostic data: crash reports and performance traces via Sentry. These may include stack traces, device model, and a hashed user identifier — they do not include the contents of your vehicles or expenses.
  • Usage logs (optional): when activity logging is enabled, we record high-level actions you take (e.g., "created expense") for debugging and audit. No payload contents are logged.
  • Approximate location: only when you use address autocomplete or the country picker. We do not track your location in the background.
  • Bluetooth: the App can connect to an ELM327 / OBD-II adapter to read your vehicle's diagnostic data. This data stays on the device unless you explicitly save it to an expense or maintenance record.

2.3 Information from third parties

  • Google Sign-In: when you log in with Google, we receive your name, email and Google account ID. We do not receive your contacts, calendar, or files.
  • VIN decoding (NHTSA vPIC, Auto Data, CarMD): when you scan a VIN, we send the VIN to these services to retrieve vehicle specifications. We do not share your personal data with them.
  • Currency rates (ECB): we fetch public exchange rates; no personal data is sent.

3. How we use the information

We use the information to:

  • Operate the App, authenticate you, and keep your data in sync across devices.
  • Generate reports on your expenses, maintenance schedule, and shift history.
  • Send transactional emails (email verification, invitations, billing receipts).
  • Detect, prevent and debug technical issues and abuse.
  • Process subscription payments via Stripe.
  • Comply with legal obligations.

We do not sell your personal data. We do not use your data for advertising.

4. Legal basis (GDPR / UK GDPR)

  • Contract: to provide the service you signed up for.
  • Legitimate interest: to keep the service safe, debug issues, and prevent abuse.
  • Consent: for optional features such as Bluetooth OBD scanning and precise location.
  • Legal obligation: to retain billing records and respond to lawful requests.

5. Sharing your information

We share information only with:

  • Stripe — payment processing.
  • Authentication — handled by self-hosted Better Auth; credentials and session data are stored in our own database, not shared with a third-party authentication service.
  • Sentry — crash and performance diagnostics.
  • Google — only when you choose Google Sign-In or use Google Maps Places autocomplete.
  • Cloud hosting — our database, backend and web application are hosted on cloud infrastructure located in the European Union.
  • Law enforcement — when required by valid legal process.

We do not share data with advertisers, data brokers, or analytics resellers.

6. International transfers

Your data is hosted on servers located in the European Union. Because the Operator is established in Ukraine, your personal data is accessed from Ukraine for the purpose of operating and maintaining the App, under appropriate safeguards (Standard Contractual Clauses).

Certain service providers may process limited data outside the EU: Stripe (payment processing) and Google (Sign-In and Maps Places) may process data in the United States under Standard Contractual Clauses and/or the EU–US Data Privacy Framework; Sentry (diagnostics) may process data outside the EU under equivalent safeguards.

Where data is transferred outside the EU, we rely on the safeguards offered by these providers under the applicable transfer mechanisms.

7. Retention

  • Account data is retained while your account is active. When you request deletion, your account enters a 90-day retention window during which you can cancel; at the end of that window your personal data is anonymised. See Account Deletion for the full procedure. Billing records are retained for 7 years to comply with tax obligations.
  • Sentry diagnostic events are retained for 90 days.
  • Activity logs are retained for 12 months.

8. Your rights

You may at any time:

  • Access the personal data we hold about you — via the Profile screen or by emailing us.
  • Correct inaccurate data — directly in the App.
  • Delete your account — Profile → Delete account. Deletion begins a 90-day retention window (during which you can cancel by signing in again); your personal data is anonymised at the end of that window.
  • Export your data — request via email; we will return a JSON archive within 30 days.
  • Object or restrict processing — by email.
  • Lodge a complaint with your data protection authority. In Ukraine this is the Ukrainian Parliament Commissioner for Human Rights (Уповноважений Верховної Ради України з прав людини); EU residents may complain to their national supervisory authority.

9. Security

  • HTTPS for all network traffic, with TLS certificates issued by Let's Encrypt.
  • Passwords hashed with scrypt (Better Auth default parameters); session tokens stored in iOS Keychain / Android Keystore.
  • Access to the production database is restricted to the Operator over SSH key authentication.
  • Vulnerability reports may be sent to [email protected].

10. Children

The App is not directed at children under 16 (or the higher minimum age required by your local law), and we do not knowingly collect personal data from them. If you believe a child has provided us data, contact us and we will delete it.

11. California & US state privacy rights

If you are a resident of California or another US state with a comprehensive privacy law, you have the right to know what personal information we collect, to access and delete it, and to opt out of its sale or sharing for targeted advertising. We do not sell your personal information, and we do not share it for cross-context behavioural advertising. To exercise any of these rights, email us at [email protected]. We will not discriminate against you for exercising them.

12. Changes

We may update this policy. Material changes will be announced inside the App and by email. The "Last updated" date at the top reflects the current version.

13. Contact

For privacy questions, data requests, or to exercise your rights:

Email: [email protected]

© 2026 Car Manager. All rights reserved.