Privacy Policy — GaragePilot
Version 1.1 — Effective: February 18, 2026
Document Information
Scope of this version: Global (with provisions for US, Canada, EU/EEA, UK, Australia, East Asia, and Latin America)
Official URL for this Policy: GaragePilot.io/legal
1. Data Controller and Contact
Data Controller: Gadsden Tecnologia LTDA. (CNPJ 48.706.913/0001-54)
Headquarters: São José/SC, Brazil
Data Protection Officer (DPO): Ian Storni
Contact (privacy/data/support): suport@gadsden.cc
2. What Data We Collect
2.1. Data You Provide
- Account registration: name, email, phone (if provided), account type (End User/Service Provider).
- Vehicles and context: license plate, VIN (if provided), make/model/year, mileage, history, notes, maintenance records.
- Attached files: photos, PDFs, receipts, documents related to the vehicle/service.
- Communications: messages sent to support.
2.2. Data Collected Automatically (Web and Apps)
- Technical records: date/time, IP address, session identifiers, usage events, crash logs, and performance metrics.
- Device data (apps): device model, operating system, app version, language/region, technical identifiers, and network information necessary for operation and security.
2.3. Payment Data
- Web (Stripe): transaction data, status, billing history, and identifiers (card details are typically retained by the payment processor).
- App Store/Google Play: payment data is primarily handled by Apple/Google; Gadsden receives technical confirmations (e.g., subscription/entitlement status).
3. How We Use Your Data (Purposes)
- Provide the service: account, authentication, report generation, history, and features.
- Security: fraud prevention, abuse detection, auditing, and integrity.
- Support: responding to requests and resolving incidents.
- Product improvement: usage analytics and metrics, preferably with anonymized/aggregated data.
- Legal compliance: fulfilling legal and judicial obligations and orders.
4. Legal Bases for Processing
We process data under applicable legal bases, including:
- Performance of a contract (delivering what you signed up for);
- Legal/regulatory obligation;
- Legitimate interest (e.g., security, fraud prevention, careful improvement);
- Consent, where required (e.g., promotional communications and non-essential technologies, if adopted).
For EU/EEA/UK users: processing is based on GDPR Article 6 grounds. For US users: we comply with applicable state privacy laws including the CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), and similar statutes. For Canadian users: processing follows PIPEDA principles. For Australian users: the Australian Privacy Principles (APPs) apply.
5. Cookies and Similar Technologies (Bubble and Session)
5.1. Web: The Platform uses essential cookies (and/or equivalent mechanisms) for authentication and session integrity, as part of Bubble's operation.
5.2. Without these essential cookies, features such as login and staying logged in may not function properly.
5.3. If analytics/marketing cookies are used, the Platform will present a consent mechanism and category details.
6. With Whom We Share Data
We share data only when necessary, with:
- Infrastructure and hosting: Bubble and associated infrastructure (including AWS).
- Payments and subscriptions: Stripe (web), Apple/Google (app stores), RevenueCat and/or equivalent entitlement/billing services, Google Pay/Apple Pay where applicable.
- Content and media: image/asset delivery and optimization providers (e.g., imgix) and hosting services (e.g., Vercel).
- DevOps and code: repositories and development tools (e.g., GitHub).
- AI and processing: model providers and platforms (e.g., OpenAI, Anthropic, Google AI Studio/Google Cloud) for Output generation and related features.
- Vehicle data and validations: BigDataCorp, NHTSA, NMVTIS, DataOne Software, VinAudit, MarketCheck, CarMD, and other lookup/decoding/validation providers, where applicable.
- Authorities: pursuant to legal obligation, court order, or to protect rights and prevent fraud.
7. Vendor List (Operational Reference)
Vendors currently used and/or planned (examples): Bubble, AWS, NHTSA, NMVTIS, Stripe, RevenueCat, Google Pay, Apple Pay, Vercel, imgix, GitHub, OpenAI, Anthropic, Google Cloud, Google Play Store/Google, Google AI Studio, BigDataCorp, Apple App Store/Apple, DataOne Software, VinAudit, MarketCheck, CarMD.
Extended non-exhaustive list to minimize update frequency:
- Public databases and government services: SERPRO, SENATRAN (Brazil), FIPE (Brazil), state DMV agencies (US), DVLA (UK), and equivalent bodies internationally;
- Observability and security: error/crash monitoring, logs, anti-fraud, abuse detection, and transactional email services;
- Analytics: product metrics and event platforms;
- CDN/storage: CDN providers, managed storage, and databases, as the architecture evolves.
8. International Data Transfers
Depending on infrastructure and providers, data may be stored or processed outside your country of residence. In such cases, we adopt reasonable protection measures and contractual safeguards.
For EU/EEA/UK users: transfers outside the EEA rely on adequacy decisions or Standard Contractual Clauses (SCCs) where applicable. For Australian users: we take reasonable steps to ensure overseas recipients handle data in accordance with the APPs.
9. Security
We implement technical and organizational measures to protect data against unauthorized access, loss, and breach. However, no system is infallible.
10. Retention and Deletion
- We retain data for as long as necessary to provide the service, comply with legal obligations, and support auditing, security, and the regular exercise of rights.
- You may request deletion where applicable, subject to mandatory retention periods and legal requirements.
11. Your Rights (Data Subject Rights)
Depending on your jurisdiction, you may request: confirmation of processing, access, correction, anonymization/blocking/deletion, portability, information about data sharing, and withdrawal of consent, where applicable.
EU/EEA/UK (GDPR): You have the right to access, rectification, erasure, restriction, portability, and to object to processing. You may also lodge a complaint with your local supervisory authority.
US (CCPA/CPRA and state laws): California residents may request disclosure, deletion, and opt out of the sale/sharing of personal information. Similar rights exist under Virginia, Colorado, Connecticut, and other state privacy laws.
Canada (PIPEDA): You have the right to access and correct your personal information.
Australia (Privacy Act): You may access and correct your personal information under the Australian Privacy Principles.
Channel: suport@gadsden.cc (we may request identity verification).
12. Third-Party Data Entered by Service Providers
If you are a Service Provider and enter client data, you represent that you have the necessary legal basis and authorizations. You are responsible for informing your clients and handling data requests under your management, where applicable.
13. Children and Minors
The Platform is not intended for minors without a legal guardian. The minimum age is 13 (or 16 in certain EU/EEA jurisdictions). If we identify unauthorized minor use, we may suspend the account and request regulation.
14. Updates to This Policy
We may update this Policy. Material changes will be communicated via the app/website, with a new effective date.
15. International Expansion
In case of expansion to other countries, local addenda may apply (language, equivalent rights, legal bases, and support workflows).