Privacy Policy
We are committed to protecting the privacy and security of your personal information. We collect, use, and process your data lawfully, transparently, and only for legitimate purposes related to operating Carspel. We do not sell your personal information and share it only as necessary to provide our services, while supporting your rights to access, correct, or delete your data.
Agreement when you use Carspel. By installing Carspel from an app store, creating an account, or continuing to use our mobile apps or related web services, you confirm that you have read this Privacy Policy and agree to the general privacy practices described here. If you do not agree, do not install or use Carspel. Where mandatory local law provides you additional rights or requires different disclosures, those rights apply to you as described in the regional sections below; nothing in this global Policy is intended to limit non-waivable protections.
This Privacy Policy describes how Carspel (“Carspel,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information. Carspel is developed by FundaMedia. Where laws such as the EU and UK GDPR or California privacy laws apply, supplemental disclosures appear below.
This Policy is not legal advice. Please review it alongside your product roadmap (billing, analytics toggles, optional AI/redaction workflows). Update disclosures whenever vendors or processing materially change.
1. Who is responsible?
For privacy inquiries and requests described in this Policy:
- Email: hello@carspel.ca
- Website: www.carspel.ca
If we designate an EU/UK representative or US postal address for privacy notices in the future, we will publish it here.
2. Scope
This Policy applies when you:
- download or use Carspel mobile apps or interactive web surfaces branded Carspel;
- visit our marketing pages or interact with emails referencing this Policy;
- contact support or participate in surveys we initiate.
Third-party websites or stores (for example Google Play) have their own policies for checkout flows they operate. Where purchases occur via Google Play billing or similar platforms, payment validation may be handled by the store, subject to its policies.
3. Categories of information we collect
Depending on how you use Carspel, we may collect or receive:
3.1 Account and identity information
- Identifiers such as email address, authentication identifiers issued by our backend (for example Supabase Auth), household identifiers, and device/session identifiers necessary for secure sessions.
- Profile fields you choose to provide (such as display name or avatar selections).
3.2 Vehicle and operational records
- Vehicle descriptors you enter (nickname, make/model where applicable, VIN where used for recalls or reporting).
- Fuel and energy logs, service logs, mileage/trip entries, reminders, receipts or notes you attach.
- Household membership relationships where multi-user garages are enabled.
3.3 Photos, videos, audio, documents
- User-provided photos or scans (including receipts), videos, voice notes, or PDF-style exports generated inside the product.
- Optional barcode/OCR workflows may process imagery you initiate; portions may occur on-device, while uploads are transmitted securely when saved to our backend storage.
3.4 Derived safety / recall context
- Where features rely on regulators’ APIs (for example safety recalls referenced against your vehicle information), we process VIN or campaign identifiers necessary to operate those features.
3.5 Payments and subscriptions
- If subscriptions are purchased via Google Play or another platform, we typically receive entitlement signals (plan tier, renewal dates, identifiers tied to your account and store receipts), not full payment card numbers entered in the store checkout.
- If web card billing via Stripe or similar becomes available, payment instruments will be handled primarily by the payment processor subject to its privacy notice; we receive transaction metadata needed for subscription status.
3.6 Communications and diagnostics
- Messages you send us (support tickets, emails).
- Error reports and limited performance telemetry where configured (for example via Sentry), typically including stack traces, device/app metadata, coarse timestamps, and identifiers necessary for diagnostics.
- Logs necessary for fraud prevention, abuse detection, security monitoring, or legal compliance.
3.7 Marketing website usage data
- Technical logs standard for HTTPS hosting (IP address, user agent, timestamps, coarse geography inferred by CDN / hosting providers).
- Browser storage values you consent to or configure locally (see our Cookie Policy).
3.8 Optional cloud-assisted receipt/document workflows
Where Carspel offers optional sanitization/redaction or analysis that sends user-selected documents through managed cloud infrastructure (for example documented Cloud Run workflows referencing Google Gemini), those documents are processed transiently for the stated purpose (such as detecting sensitive regions before display/storage). Such processing occurs only when you explicitly invoke the feature where implemented.
4. Sources
- Directly from you when you register, enter logs, upload media, purchase subscriptions, or email us.
- Automatically through app telemetry necessary for reliability and security.
- Third-party integrations you enable (maps tiles/API responses; recall/regulatory lookups).
- Affiliated households when another authorized household member invites you or shares garage data consistent with product permissions.
5. Why we use information (purposes)
- Provide core functionality (authentication, syncing households, storing logs and attachments).
- Maintain safety and integrity (security monitoring, spam/abuse mitigation).
- Improve reliability (crash analytics and sampling-based performance diagnostics).
- Communicate service notices, respond to requests, and honor regulatory inquiries.
- Process subscriptions or trials consistent with billing integrations.
- Comply with legal obligations.
6. Legal bases (EEA/UK/Switzerland)
Where GDPR-like laws apply, we rely on appropriate lawful bases such as:
- Contract — delivering Carspel features you signed up for.
- Legitimate interests — securing accounts, debugging aggregated reliability issues, preventing fraud, improving features proportionately where not overridden by your rights.
- Consent — where required for optional analytics or optional AI-assisted workflows.
- Legal obligation — responding to lawful requests.
You may withdraw consent where processing is consent-based without affecting prior lawful processing.
7. How we share information
We disclose personal information only as described below:
- Infrastructure / processors. We use vendors such as Supabase (authentication, database, object storage over HTTPS), Sentry (diagnostics where configured), Google services underlying maps where enabled, hosting/CDN providers for web assets, and—when invoked—managed cloud APIs for optional document workflows.
- Household collaborators. Data visible inside shared garages follows permission rules enforced by application logic and backend policies.
- Corporate transactions. A merger or acquisition may involve transferring personal information subject to safeguards.
- Legal & safety. We may disclose information to comply with law, enforce terms, or protect users.
We do not sell personal information for money as traditionally understood under California law, and we do not “share” personal information for cross-context behavioral advertising unless we explicitly notify you and offer applicable controls.
8. International transfers
We operate primarily from Canada with processors that may store or process data in the United States or other regions. Where GDPR/UK GDPR applies, we implement appropriate safeguards such as Standard Contractual Clauses or other mechanisms recognized by regulators, supplemented by technical and organizational measures.
9. Retention
We retain personal information only as long as necessary for the purposes above, including legal, accounting, or reporting requirements. Vehicle logs or attachments remain until you delete them or delete your account subject to backup/cache latency and lawful holds. Diagnostics retention follows vendor/project configuration (review your Sentry organization retention).
10. Security
We implement administrative, technical, and organizational safeguards appropriate to risk—including TLS for data in transit and least-privilege access patterns enforced via backend policies where engineered (for example Row Level Security concepts highlighted in internal engineering docs). No online service is perfectly secure; please protect your credentials.
11. Your privacy rights
Deleting your account and associated data
To delete your Carspel account and the data tied to it:
- In the app: Sign in → open Users → choose Leave household → select Delete my Carspel account and confirm. This is available in the Carspel Android app and at app.carspel.ca when you are signed in.
- By email: If you cannot sign in or need help, contact hello@carspel.ca from the email address on your account.
Deletion removes your account profile and associated data we control, subject to brief backup or cache latency, lawful retention requirements, and other exceptions noted in this Policy. For step-by-step instructions (including deleting specific data without closing your account), see our data deletion request page.
11.1 EEA, UK, Switzerland
You may request:
- access to personal information;
- rectification or deletion;
- restriction or objection where applicable;
- data portability for information processed by automated means based on contract or consent;
- withdrawal of consent;
- information about transfers and safeguards;
You may also lodge a complaint with your supervisory authority.
Contact hello@carspel.ca. We respond within timelines required by applicable law (typically within one month for GDPR requests, subject to extensions).
11.2 California residents (CPRA)
California residents may exercise rights under the California Consumer Privacy Act as amended (“CCPA/CPRA”), including:
- Right to know/access specific pieces and categories of personal information collected.
- Right to delete personal information subject to exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of sale/sharing for certain targeted advertising contexts if applicable.
- Right to limit use/disclosure of sensitive personal information where applicable.
- Right not to receive discriminatory treatment for exercising privacy rights.
Submit requests via hello@carspel.ca. We verify requests commensurate with risk (typically confirming control of your email/account). Authorized agents may submit requests with appropriate proof.
11.3 CPRA metrics
If legally required to publish annual metrics covering consumer requests, we will host them here or link from this section.
12. Children
Carspel is intended for adults managing household vehicles. We do not knowingly collect personal information from children under 13 (or higher age where required). If you believe a child provided information, contact us so we can delete it.
13. Automated decision-making
We do not perform automated decisions producing legal or similarly significant effects under GDPR Article 22 unless we introduce such features with separate transparency.
14. Changes
We may update this Policy by posting a revised version with a new effective date. Material changes may require additional notice where mandated.