carpybara.AI
Sign in

Privacy Policy

Last updated: April 28, 2026

1. Introduction

Carpybara.AI Ltd, a company registered in England and Wales ("carpybara.AI", "we", "us", or "our"), respects your privacy. This policy explains what personal data we collect, why we collect it, and how we protect it when you use carpybara.ai and related services ("the Service"). For the purposes of the UK GDPR and the Data Protection Act 2018, Carpybara.AI Ltd is the data controller for personal data processed through the Service.

2. Data We Collect

Account data: When you register, we collect your name (optional), email address, and authentication credentials. If you sign in via Google, we receive your name, email, and profile picture from Google.

Usage data: We collect anonymous analytics (page views, feature usage) via Vercel Analytics. No cookies are used for tracking; Vercel Analytics is privacy-focused and does not use cookies.

Calculator inputs: Vehicle details you enter (VIN, auction price, engine specs) are processed in your browser and are not stored on our servers unless you explicitly save a vehicle to your account.

Payment data: Payments are processed by Stripe Payments Europe, Ltd. ("Stripe"). We do not collect, store, or have access to your full credit card number, CVV, or other sensitive payment details — these are sent directly to Stripe's PCI-DSS compliant infrastructure. We receive and store a Stripe customer identifier, the last four digits and brand of your card, billing country, and subscription status so we can provision your account, issue invoices, and handle refunds.

AI analysis data: When you use the AI damage analysis feature, vehicle photos from public auction listings are sent to third-party AI providers (Google Gemini, OpenAI) for processing. We do not upload your personal photos.

3. How We Use Your Data

  • To provide, maintain, and improve the Service.
  • To manage your account and deliver subscription features.
  • To send transactional emails (e.g., magic link sign-in, password reset). We do not send marketing emails unless you opt in.
  • To generate anonymous, aggregated statistics about Service usage.

4. Data Sharing

We share personal data only with:

  • Stripe - payment processing, invoicing, fraud prevention, and tax calculation (Stripe Payments Europe, Ltd., acting as a data processor).
  • Google Gemini & OpenAI - AI damage analysis (vehicle photos from public listings only).
  • Vercel - hosting and anonymous analytics.
  • Google Analytics - anonymous usage analytics (only if you accept analytics cookies).
  • MongoDB Atlas - database hosting (encrypted at rest and in transit).

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

5. Cookies & Analytics

We use a single essential cookie (next-auth.session-token) for authentication. We use localStorage for user preferences (theme, language, country, cookie consent choice).

If you accept analytics cookies via our cookie consent banner, we load Google Analytics to understand how visitors use the Service. Google Analytics uses cookies to collect anonymous usage data (pages visited, session duration, device type). No personally identifiable information is sent to Google Analytics. You may opt out at any time by choosing "Essential only" in the cookie banner, or by clearing your browser cookies.

We do not use advertising or tracking cookies. We do not share cookie data with any third party for marketing purposes.

6. Data Retention

Account data is retained for as long as your account is active. If you delete your account, we remove your personal data within 30 days. Anonymous analytics data is retained indefinitely.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you.
  • Request correction or deletion of your data.
  • Object to or restrict certain processing.
  • Export your data in a portable format.

To exercise any of these rights, email us at support@carpybara.ai.

8. Security

We implement industry-standard security measures including TLS encryption in transit, encryption at rest for stored data, and secure authentication flows. However, no method of transmission or storage is 100% secure.

9. Children's Privacy

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the Service. The "Last updated" date at the top reflects the most recent revision.

11. Contact

For privacy-related questions or requests, including requests to exercise your rights under the UK GDPR, contact us at support@carpybara.ai.

Data controller:
Carpybara.AI Ltd
A private limited company registered in England and Wales
Company number: 17185841
Registered office: 66 Paul Street, London EC2A 4NA, England
Email: support@carpybara.ai

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.