1. What we collect
- Account data: email, shop name, and any details you add to your profile.
- Inspection data: vehicle details, photos you upload, and AI-generated reports.
- Billing data: handled by Stripe — we never see your full card number. We store the last 4 digits and your customer ID only.
- Usage data: basic logs (pages visited, API calls) for security and debugging.
2. How we use your data
- To run AI analysis on the photos you upload and deliver reports to you.
- To send you transactional emails (inspection complete, failure alerts, billing).
- To improve the Service. De-identified, aggregated inspection data may be used to retrain or evaluate our AI models.
- To detect and prevent abuse or fraud.
3. Who we share data with
We share the minimum data required with these subprocessors:
- Anthropic — photos and prompts are sent to Claude for AI analysis. Anthropic does not train its models on API data.
- Supabase — database and storage.
- Vercel — hosting.
- Stripe — payments.
- Resend — transactional email delivery.
- Inngest — background job orchestration.
We do not sell your data. We do not share it with advertisers.
4. Data retention
- Uploaded photos: automatically deleted after 90 days.
- Reports and inspection metadata: retained for the life of your account so you can reference them.
- Account & billing records: retained for 7 years after account closure to comply with tax and financial-record laws.
5. Your rights
Regardless of where you live, you can:
- Access: download your inspection reports from your dashboard at any time.
- Delete: request full account deletion by emailing privacy@paintguard.app. We will delete your data within 30 days (minus records we must keep for legal/tax reasons).
- Correct: update your profile from your account settings, or email us.
- Object/restrict: GDPR and CCPA residents may object to or restrict certain processing — email us.
6. Security
We use TLS for all data in transit and encryption at rest on Supabase. Access to production data is restricted to engineers who need it for support. We run row-level security on all customer-owned tables.
No system is perfectly secure. If we discover a breach affecting your data, we will notify you within 72 hours as required by law.
7. International transfers
Our infrastructure is primarily in the United States. By using the Service, you consent to transfer of your data to the US and other countries where our subprocessors operate, under standard contractual clauses where applicable.
8. Children
The Service is not intended for users under 18 and we do not knowingly collect data from children.
9. Changes
We may update this Policy from time to time. Material changes will be emailed to you at least 14 days before taking effect.