Privacy Policy

Effective Date: March 19, 2026 · Last Updated: March 19, 2026 · Jurisdiction: California, USA

Bryan St. Clair ("Company," "we," "us," or "our") operates Vehicle Recon Tracker ("Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service. This policy is designed to comply with the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and other applicable privacy laws.

1. Information We Collect

1.1 Information You Provide

When you create an account or use the Service, we collect the following categories of personal information:

Category	Examples	Purpose
Identifiers	Full name, email address, position/title	Account creation, authentication, communication
Professional Information	Job position, dealership affiliation	Role-based access, dealership association
Account Credentials	Email (as username), password (hashed)	Authentication and account security
User-Generated Content	Vehicle notes, support messages, contact form submissions, in-app messages to other users, vehicle photographs	Service functionality, support, team communication, vehicle documentation
Uploaded Media	Vehicle photographs (JPEG, PNG, GIF, WebP), image metadata (file size, type)	Vehicle documentation and reconditioning workflow

1.2 Information Collected Automatically

When you use the Service, we automatically collect:

Category	Examples	Purpose
Internet Activity	IP address, browser user agent, login/logout timestamps	Security, activity logging, fraud prevention
Usage Data	Actions performed (vehicle edits, status changes, notes added)	Audit trail, reporting, accountability
Session Data	Session identifiers, CSRF tokens	Security, session management
Analytics Data	Pages visited, time on site, referral source (public pages only, via Google Analytics)	Website usage analysis, service improvement

1.3 Mobile Device Access

When using the mobile application, we may request access to the following device features:

Permission	Purpose	Required?
Camera	To take photographs of vehicles for upload to vehicle records	Optional — only when using "Take Photo" feature
Photo Gallery / Media	To select existing photographs from your device for upload	Optional — only when using "Choose from Gallery" feature
Internet	To communicate with the server for all app functionality	Required

We do not access your camera or photo library in the background. These permissions are only used when you explicitly initiate a photo upload. Photos selected for upload are compressed on your device before transmission and are not stored on your device by the app after upload.

2. How We Use Your Information

We use the information we collect for the following business purposes:

To provide, maintain, and improve the Service
To authenticate your identity and manage your account
To enforce role-based access controls and permissions
To send email notifications you have opted into (vehicle alerts, registration alerts, approval notifications, Pending Approval alerts, support responses)
To maintain audit logs for security and accountability
To generate reports and analytics for dealership administrators
To detect, prevent, and respond to security incidents and unauthorized access
To respond to support requests submitted through the application

3. How We Share Your Information

We do not sell, rent, or trade your personal information to third parties. We may share your information in the following limited circumstances:

Within Your Dealership: Your name, email, position, role, and activity may be visible to administrators at your dealership as part of the Service's user management and reporting features.
Multi-Store Access: If you are granted access to multiple dealerships, administrators at those dealerships may see your account information.
Vendor Communications: If an administrator sends a vendor email that includes vehicle notes you authored, your name may appear in those notes.
Legal Requirements: We may disclose your information if required by law, regulation, legal process, or governmental request.
Protection of Rights: We may disclose information to protect the rights, property, or safety of the Company, our users, or others.

4. Your California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

4.1 Right to Know

You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which your information was collected, the business purpose for collecting your information, and the categories of third parties with whom we share your information.

4.2 Right to Delete

You have the right to request that we delete the personal information we have collected about you, subject to certain exceptions provided by law. Note that deletion of your account data may be handled by your dealership administrator through the Service's user management features.

4.3 Right to Correct

You have the right to request that we correct inaccurate personal information that we maintain about you. You may update your name, position, and email (if permitted by your role) directly through your Profile page in the Service.

4.4 Right to Opt-Out of Sale/Sharing

We do not sell or share your personal information for cross-context behavioral advertising purposes. Therefore, there is no need to opt out.

4.5 Right to Limit Use of Sensitive Personal Information

We do not collect or process sensitive personal information as defined by the CPRA beyond what is necessary to provide the Service.

4.6 Right to Non-Discrimination

We will not discriminate against you for exercising any of your privacy rights. You will not receive different pricing, quality, or service levels for exercising your rights.

4.7 How to Exercise Your Rights

To exercise any of these rights, you may:

Update your information directly through the Service's Profile page
Contact your dealership administrator to request account changes or deletion
Submit a request through the application's support contact form

We will verify your identity before processing any request. We aim to respond to verifiable consumer requests within 45 days of receipt.

5. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. Specific retention periods include:

Account Data: Retained until the account is deleted by an administrator.
Activity Logs: Login/logout records, vehicle action logs, and failed login attempts are retained according to the log retention policy configured for your dealership. If no retention period is set, logs are retained indefinitely for security and audit purposes. Administrators can configure retention periods from 1 to 3,650 days per dealership.
IP Ban Data: IP addresses involved in repeated failed login attempts are temporarily stored for brute force protection. Records are cleared upon successful login or manual removal by an administrator.
Vehicle Data: Vehicle records, notes, and status history are retained until explicitly deleted by an authorized user.
Vehicle Photos: Uploaded photographs and auto-generated thumbnails are stored on our servers until deleted by an authorized user or when the associated vehicle record is deleted. Original files and thumbnails are permanently removed from storage upon deletion.
Messages: In-app messages between users are automatically deleted based on the message retention policy configured for your dealership (default: 90 days). Set to 0 for indefinite retention.
Session Data: Session data expires after the configured session lifetime (default: 1 hour of inactivity).
Exported Data: When the CSV Export Add-on is enabled, authorized administrators may export activity logs, user lists, vehicle notes, and message archives. Once exported, the recipient is solely responsible for the retention, security, and disposal of that data.
Testimonials: Submitted testimonials are retained indefinitely unless deleted by an administrator. Testimonial submissions include the submitter's name, email, dealership name, testimonial text, and IP address. Only first name, last initial, and dealership name are displayed publicly on approved testimonials.

6. Data Security

We implement appropriate technical and organizational security measures to protect your personal information, including:

Passwords are hashed using bcrypt with a cost factor of 12
HTTPS encryption enforced in production environments
CSRF token protection on all forms
Session security with HTTP-only cookies and SameSite=Strict policy
Role-based access controls enforced server-side on every request
Password lock feature allowing administrators to restrict account changes
Failed login attempt tracking with IP address logging
Automatic IP-based brute force protection with configurable ban duration
Email domain ban list to prevent registration from unauthorized domains
Secure password reset via time-limited tokens

While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

7. Cookies & Tracking

The Service uses the following types of cookies and tracking technologies:

Session Cookies: Strictly necessary for authentication and security. Automatically deleted when you sign out or when your session expires.
Google Analytics (GA4): We use Google Analytics on public-facing pages (marketing page, login, terms of service, and privacy policy) to understand how visitors interact with our site. Google Analytics may set cookies to collect anonymized usage data including pages visited, time on site, and referral source. This data is processed by Google in accordance with Google's Privacy Policy.

We do not use:

Advertising cookies or retargeting technologies
Cross-site tracking on authenticated (logged-in) pages

Google Analytics is not loaded on authenticated pages within the application (dashboard, vehicle management, reports, etc.) — only on public-facing pages.

8. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.

9. Do Not Track Signals

The Service does not track users across third-party websites and therefore does not respond to Do Not Track (DNT) signals. As stated above, we do not use any third-party tracking technologies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes by updating the "Last Updated" date at the top of this policy. Your continued use of the Service after any changes constitutes acceptance of the updated policy.

11. California "Shine the Light" Law

Under California Civil Code Section 1798.83, California residents may request information regarding the disclosure of personal information to third parties for direct marketing purposes. As stated in this policy, we do not disclose personal information to third parties for their direct marketing purposes.

12. Contact Us

If you have questions about this Privacy Policy, wish to exercise your California privacy rights, or have concerns about how your information is handled, you may:

Submit a request through the application's support contact form
Contact your dealership administrator