Privacy Policy

Last updated: September 21, 2025

This Privacy Policy explains how we collect, use, disclose, and protect your information when you use CarAd AI (the "Service"). By using the Service, you agree to this Privacy Policy.

1) Data Controller

SPEKTR
ul. Złota 75a/lok.7, 00-819, Warszawa, Poland
NIP: 5272982014 · REGON: 520735800

Privacy contact: contact@carflowai.com

If we appoint a Data Protection Officer (DPO), their contact details will appear here.

2) Scope

This Policy applies to our website, web/mobile apps, public APIs, and integrations with third-party systems (e.g., DMS/ERP/CRM). It covers personal data we process as controller and, where applicable, as processor on behalf of our business customers.

3) Definitions

  • Account — your user profile for accessing the Service.
  • Personal Data — any information relating to an identified or identifiable natural person.
  • Service Providers / Sub-processors — third parties that process data for us under contract.
  • Usage Data — technical data collected automatically (e.g., IP, device, logs, diagnostics).

4) What we collect

  • Account data: name, email, auth identifiers (Google OAuth via Firebase), organization details (if provided).
  • Billing: plan, invoices, payment status (card data handled by Stripe).
  • Content: images and text you upload for AI processing; outputs we generate for you.
  • Usage & logs: IP address, device/browser, pages/events, time stamps, error logs.
  • Cookies: see Cookies & Consent.
  • Support: messages, attachments, contact preferences.

5) Why we process your data (GDPR Art. 6)

| Category | Purpose | Legal basis | Retention | Key recipients |
| --- | --- | --- | --- | --- |
| Account (name, email, OAuth ID) | Registration, access, security | Art.6(1)(b) contract; Art.6(1)(f) legitimate interests (security) | Active account + up to 90 days archive | Firebase Authentication (Google OAuth) |
| Billing & payments | Subscription, invoicing, fraud prevention | Art.6(1)(b) contract; Art.6(1)(c) legal obligations; Art.6(1)(f) fraud prevention | As required by accounting/tax laws (typically 5–10 years) | Stripe |
| Uploaded images/text | AI image editing & content generation | Art.6(1)(b) contract | Until you delete it or delete your account | Firebase Storage, Eachlabs (AI proxy), AI model providers (see Sub-processors) |
| Usage data & logs | Reliability, security, debugging, anti-abuse | Art.6(1)(f) legitimate interests | 30–180 days | Hosting/monitoring (Firebase/GCP), security tools |
| Analytics cookies | Product analytics | Art.6(1)(a) consent (EU/EEA/UK) | 14–26 months (per vendor) | PostHog, Google Analytics (if enabled) |
| Marketing emails | Updates & offers (opt-in) | Art.6(1)(a) consent / soft opt-in where permitted | Until you unsubscribe | SendGrid (or equivalent) |

We do not intentionally collect special categories of data (GDPR Art. 9). Do not upload sensitive data.

6) How we use data

  • Provide, operate, and secure the Service.
  • Process your uploaded images/text to generate outputs you request.
  • Communicate about account, billing, security, and product updates.
  • Improve performance, usability, and features (aggregated analytics).
  • Comply with legal obligations and enforce terms; prevent fraud and abuse.
  • With consent: send newsletters/marketing; set non-essential cookies.

7) Cookies & Consent (ePrivacy/GDPR)

We use strictly necessary cookies to run the site. We use analytics and marketing cookies only with your consent (default: off in EU/EEA/UK). You can review or change your choices anytime here: Cookie settings.

8) International transfers (SCC & TIA)

Where data is transferred outside the EEA/UK, we use the European Commission's Standard Contractual Clauses (SCC) and, where applicable, the UK IDTA/Addendum. We conduct Transfer Impact Assessments (TIA) and apply supplementary measures (encryption, access controls, minimization). Key recipient regions may include the EU and US.

9) Sharing & sub-processors

We share data with trusted Service Providers who process it on our behalf under Art. 28 GDPR:

  • Google Cloud / Firebase — hosting, databases, storage, authentication
  • Vercel — frontend hosting (if used)
  • Stripe — payments
  • PostHog / Google Analytics — analytics (consent-based)
  • SendGrid (or equivalent) — transactional email
  • Eachlabs — AI inference proxy service (technical intermediary for image generation; does not use data for training or other purposes)
  • AI model providers (e.g., OpenAI / image-processing vendors) — generate outputs you request

We maintain a live Sub-processor list and notify users at least 30 days before materially adding or replacing a sub-processor. You may object to changes or stop using the Service.

10) AI processing & your content

  • You retain rights to the content you upload and the outputs we generate for you, subject to our Terms.
  • We use AI providers only to perform the requested processing (inference). Data is not used to train generalized models unless you explicitly opt in.
  • When processing images through AI models, we may route requests via Eachlabs as a technical intermediary. Eachlabs acts as a sub-processor under our instructions. Their handling of data is governed by their own privacy practices and contractual obligations.
  • License plates and other identifying details in car images may be anonymized according to your settings.
  • Uploaded content is stored in your account and remains available until you delete it or delete your account. We do not enforce automatic deletion after a fixed period.

11) Payments

We use Stripe to process payments. We do not store full card details. See Stripe Privacy Policy.

12) Security

  • TLS encryption in transit; encryption at rest (e.g., AES-256) for stored data.
  • Password hashing using industry-standard algorithms (e.g., bcrypt/argon2) if we store passwords.
  • Role-based access control (RBAC), least-privilege, access logging, regular reviews.
  • Vendor and key management via cloud KMS; backups with limited retention.
  • Incident response aligned with GDPR Arts. 33/34 (notify supervisory authority and affected users where required).

13) Retention & deletion

  • Account data: retained while the account is active; deleted upon account deletion.
  • Uploaded content (images, text, outputs): retained until you delete it or delete your account.
  • Billing data: retained per legal obligations (e.g., tax/accounting laws, typically 5–10 years).
  • Usage logs: typically 30–180 days, unless required longer for security/legal reasons.

Request deletion at contact@carflowai.com. We may retain limited data as required by law.

14) Your rights (GDPR/EEA/UK)

You have the right to access, rectify, erase, restrict, port data, and object to processing based on legitimate interests. Where we rely on consent, you may withdraw it at any time (this does not affect past lawful processing). We respond within one month (can be extended by two months for complex requests).

You may lodge a complaint with your local authority or the Polish regulator: UODO, ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl.

15) CCPA/US state privacy

If you are a California resident, you may have rights to know, access, delete, and opt out of certain sharing. We do not sell personal information as defined by the CCPA. Contact contact@carflowai.com.

16) Children's privacy

The Service is not intended for children under 16 in the EEA/UK and under 13 in the US. We do not knowingly collect data from children. If you believe a child provided data, contact us to delete it.

17) Links

Our Service may link to third-party sites. Their privacy practices are their own; review their policies.

18) Changes to this Policy

We may update this Policy from time to time. We will notify you via email and/or an in-app notice for material changes prior to the change taking effect.

19) Contact

Questions or requests: contact@carflowai.com


Controller: SPEKTR, ul. Złota 75a/lok.7, 00-819, Warszawa, Poland · NIP 5272982014 · REGON 520735800