Privacy Policy

Last updated date: May 20, 2025

This Privacy Policy describes how Car Play Connect ("we," "us," or "our") collects, uses, and protects your personal information when you use our SSH client application and website at carkeyconnect.app (collectively, the "Service").

Car Play Connect is built with privacy at its core. We use secure Smartcar API integrations, meaning we do not store your manufacturer login credentials, and limit access to your vehicle location history or remote commands.

1. Information We Collect

1.1 Information You Provide Directly

Payment Information

  • When you purchase a paid subscription, our payment processors (such as Paddle, Apple App Store, and Google Play Store) collect your:
    • Billing name and address
    • Payment method details
    • Transaction history
  • We do NOT store your credit card information on our servers.

Support Communications

  • When you contact [email protected], we collect:
    • Your email address
    • Message content
    • Any technical information you choose to share

1.2 Information Collected Automatically

Device and Usage Information

  • Application version
  • Operating system type and version
  • Device type and model
  • Unique device identifiers (for license management)
  • IP address (for authentication and security purposes)
  • App usage statistics (crash reports, feature usage, session duration)
  • Browser type (when using our website)

Technical Logs

  • Authentication attempts
  • License activation events
  • Error logs and crash reports
  • Performance metrics (memory usage, load times)

1.3 Encrypted Data Stored Locally on Your Device

The following data is stored ONLY on your device, encrypted with your personal encryption key:

  • Vehicle connection profiles (VIN, Smartcar IDs)
  • Cached vehicle telematics (battery, tire pressure)
  • OAuth refresh tokens (securely managed)
  • Vehicle activity history and preferences
  • Custom themes and settings

Important: Due to our strict data access policies, we CANNOT recover your historical telematics data if you completely revoke vehicle authorization from your manufacturer account.

2. How We Use Your Information

We use your information for the following purposes:

  • To Provide the Service
    • Authenticate your account
    • Synchronize encrypted data across your devices
    • Process license activations and renewals
    • Enable secure data sharing (when you choose to share)
  • To Improve the Service
    • Analyze usage patterns to improve features
    • Identify and fix bugs
    • Develop new features
    • Optimize performance
  • To Communicate With You
    • Send service announcements and security alerts
    • Respond to support requests
    • Send marketing communications (only if you opt in)
    • Notify you of updates and new features
  • For Security and Fraud Prevention
    • Detect and prevent unauthorized access
    • Investigate potential violations of our Terms of Service
    • Comply with legal obligations

3. How We Store and Protect Your Data

3.1 Encryption

  • End-to-End Encryption
    • All sensitive data is encrypted on your device before transmission
    • AES-256-GCM encryption for data at rest
    • Each user’s unique encryption key is derived from their master password
    • Only you can decrypt your data
  • Data in Transit
    • All connections use TLS 1.3 or higher
    • Certificate pinning helps prevent man-in-the-middle attacks
  • Data at Rest
    • Server-side data is encrypted using industry-standard encryption
    • Encryption keys are stored separately from encrypted data
    • Passwords are stored using cryptographic hashing (Argon2id)

3.2 Access Controls

  • Strict access controls limit employee access to user data
  • All access is logged and monitored
  • Production systems are isolated from development environments
  • Regular security audits and penetration testing

3.3 Infrastructure Security

  • Data is hosted on secure, certified cloud infrastructure
  • Regular backups are encrypted
  • DDoS protection and network security monitoring
  • Automated security patching

4. Information We Cannot Access

Due to our reliance on secure Smartcar API integration, we CANNOT access:

  • Your manufacturer account password (handled by Smartcar)
  • Your vehicle login credentials
  • Raw telematics tokens beyond active sessions
  • Continuous real-time vehicle movement (outside active polling)
  • Control commands (unless explicitly requested for audit)
  • Any private data you store locally

This means:

  • ✓ We cannot log into your manufacturer app
  • ✓ We cannot share your raw login info with third parties
  • ✓ We cannot be compelled to provide your password to authorities
  • ✗ We cannot recover your data if you permanently revoke vehicle authorization

5. Data Retention

Active Accounts

  • We retain your account data for as long as your account is active
  • Encrypted sync data is retained until you delete it or close your account

Closed Accounts

  • When you delete your account, we delete your data within 30 days
  • Some data may be retained for legal or security purposes (transaction records, support tickets)
  • Backup copies are deleted within 90 days

Legal Requirements

  • We may retain certain data to comply with legal obligations
  • Transaction records are kept for tax and accounting purposes (7 years)

6. Your Rights and Choices

6.1 Access and Control

You have the right to:

  • Access your personal information
  • Correct inaccurate information
  • Delete your account and data
  • Export your data
  • Object to certain processing activities

6.2 How to Exercise Your Rights

  • Within the app: Use Settings > Account > Privacy to manage your data
  • Email us: Send requests to [email protected]
  • Delete account: Settings > Account > Delete Account

6.3 Marketing Communications

  • You can opt out of marketing emails by clicking "unsubscribe"
  • You cannot opt out of essential service communications (security alerts, billing notices)

7. Third-Party Services

7.1 Payment Processors

We use the following payment processors:

  • Paddle.com (for web purchases)
  • Apple App Store (for iOS purchases)
  • Google Play Store (for Android purchases)

These services have their own privacy policies, which apply to the information they collect from you.

7.2 Analytics

We use privacy-focused analytics to understand how our app is used:

  • Aggregate usage statistics (no personal identification)
  • Crash reporting (anonymized)
  • You can opt out in Settings > Privacy > Analytics

7.3 Cloud Infrastructure

Our services are hosted on secure cloud infrastructure providers who act as data processors under our instructions.

8. International Data Transfers

  • Our primary servers are located in the United States
  • If you access Car Play Connect from outside the US, your data may be transferred internationally
  • We use standard contractual clauses and other legal mechanisms to protect international transfers
  • Your encrypted data remains protected regardless of location

9. Children's Privacy

  • Car Play Connect is not intended for users under 16 years of age
  • We do not knowingly collect information from children
  • If we learn we have collected data from a child, we will delete it promptly
  • Parents who believe their child has provided information should contact us

10. Changes to This Policy

  • We may update this Privacy Policy from time to time.
  • We will notify you of significant changes via email or in-app notification.
  • Continued use of the Service after changes constitutes acceptance.
  • Previous versions are available upon request.

11. Contact Us

For privacy-related questions or requests:

  • Email: [email protected]
  • Mailing Address:
    Car Play Connect
    Lot C1-6 Apartment, D9 Street
    An Loi Dong Ward, Room B-00.11-2, Floor G
    Ho Chi Minh City
    Vietnam
  • Response Time: We aim to respond within 48 hours

Additional Information for EU Users (GDPR)

Legal Basis for Processing

We process your data based on:

  • Contract performance: To provide the Service
  • Legitimate interests: To improve and secure the Service
  • Consent: For marketing communications (where required)
  • Legal obligations: To comply with applicable laws

Data Protection Officer

For GDPR-related inquiries, contact: [email protected]

Supervisory Authority

You have the right to lodge a complaint with your local data protection authority.
Additional Information for California Users (CCPA)

Your California Privacy Rights

California residents have additional rights under the CCPA:

  • Right to Know: What personal information we collect and how we use it
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: We do not sell personal information
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights

To exercise these rights: Email [email protected] with "CCPA Request" in the subject line

Information We Collect (CCPA Categories)

  • Identifiers (email, device ID)
  • Commercial information (purchase history)
  • Internet activity (usage data)
  • Device information