Privacy Policy

Effective 2026-04-13

This Privacy Policy explains what personal information Auto-Lift collects, how we use it, who we share it with, and the choices you have. It applies to our web application and related services.

1. Information we collect

We keep data collection deliberately narrow:

  • Account data — your email address, a hashed password (if you don't sign in via a third-party identity provider), and a Supabase user id. This is the minimum required to let you sign in and scope your saved reports and preferences to your account.
  • Usage events — categorical records of in-app actions (ZIP searches, VIN scans, report exports). We explicitly do NOT record the free-text content of your queries or the VIN strings you scan. Each event has an allow-listed name (see our public repository) and a small bag of categorical properties.
  • Error events — when the app crashes or an API call fails, we record the error name, message, stack trace, your user id, and the URL that was being loaded. This lets us fix bugs without needing you to write a support ticket.
  • API call log — each request to our backend records the route, status, duration, your user id, and the Anthropic token usage for AI endpoints. Used for debugging, cost attribution, and abuse detection.
  • Search + report data — the ZIP codes, radii, and capture rates you search, and any reports you save. Saved reports are stored in Supabase and visible only to you (enforced by row-level security).
  • Browser + device signals — your user agent and the route you were on at error time. No fingerprinting, no third-party analytics scripts, no cross-site trackers.

We do NOT collect: your address, phone number, date of birth, real name (unless you enter it), payment card data (processed directly by our payment processor when paid plans launch), or the VIN strings you scan.

Note on demographic overlays: the map can surface aggregate Census ACS 5-Year statistics at the ZIP Code Tabulation Area (ZCTA) level (median income, age, race/ethnicity, poverty rate, etc.) in response to your searches. These are publicly-available aggregate statistics about areas, not about individuals. We do not collect demographic information about you.

2. How we use it

  • Operating the Service (auth, rate limits, saved reports).
  • Debugging errors, measuring performance, and preventing abuse.
  • Communicating with you about your account, security issues, or material product changes.
  • Aggregating anonymous usage statistics for product decisions. No individual user is identified in any aggregate report.

We do NOT sell your data to anyone, for any purpose.

3. Third-party services we rely on

Running this service requires passing some data through third-party infrastructure. Each vendor has its own privacy commitments:

  • Supabase (auth, database, row-level security). Stores your email, password hash, and your saved reports / preferences.
  • Vercel (hosting + serverless functions). Sees request metadata (IP, user agent) but not the contents of your saved reports.
  • Anthropic (Claude) — AI-powered features send the relevant context to Anthropic for inference. Specifically: the VIN photo you capture (VIN scanner); the free-text string you type into the AI search bar, including demographic phrasings like "younger population with families" (natural-language search parser); decoded vehicle fields (specs / parts / maintenance agents). Anthropic's terms prohibit them from training on the data we send through their API. We never send your account email to Anthropic.
  • Google (Places API) — nearby-services lookups send your search coordinates to Google. No account info is included.
  • Open-Meteo, NHTSA, US Census, state DMV portals, EPA — we query these public data sources with coordinates, VINs, or ZIPs. They are public government / open APIs and do not tie requests to your account.

4. Cookies & local storage

We use a small number of essential cookies and localStorage entries, all strictly necessary for the app to function:

  • Supabase auth session — keeps you signed in across page reloads.
  • User preferences — default ZIP / radius / capture rate, your cached dashboard snapshot for instant loads.
  • Cookie banner acknowledgement — so we don't show the disclosure banner on every visit.

We do NOT use third-party analytics cookies, advertising cookies, social-media tracking pixels, or cross-site trackers.

5. Data retention

  • Account + saved reports — kept until you delete your account, then removed within 30 days.
  • Usage events, error events, API call log — 90 days, then automatically purged.
  • Payment records — kept as long as required by tax + accounting law (typically 7 years in the US).

6. Your choices and rights

Depending on your jurisdiction, you may have rights to access, correct, delete, or export your personal data (including rights under GDPR and CCPA). You can:

  • Update your email and preferences from the Account page.
  • Request account deletion by emailing support@auto-lift.io. Self-service deletion is on our roadmap.
  • Request a data export of everything tied to your user id by emailing the same address.
  • Opt out of non-essential emails from your Account page (transactional security + billing notices cannot be turned off).

7. Security

Data in transit is encrypted with TLS. Data at rest is encrypted by Supabase. API access requires a signed Supabase JWT; row-level security enforces per-user boundaries server-side. We operate a vulnerability-disclosure process described in our public SECURITY.md. Reports of security issues should be sent to support@auto-lift.io with "SECURITY" in the subject.

8. Children

The Service is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.

9. International transfers

Our infrastructure is hosted in the United States. If you access the Service from outside the US, your data will be transferred to the US for processing. We use standard contractual clauses or equivalent mechanisms where required.

10. Changes

We may update this Policy. Material changes will be announced in-app and by email. The effective date above will always reflect the latest version.

11. Contact

Privacy questions, access/deletion requests, or any other concerns: support@auto-lift.io.