Introduction

CarLogs ("we", "us", or "our") is committed to protecting your personal data. This Privacy Policy explains in clear terms how we collect, use, disclose, and protect your personal information when you use the CarLogs app, CarLogs website (https://carlogs.io/), and related services ("Services"). It also outlines your rights and choices under various privacy laws, including the Australia Privacy Act 1988 (and the Australian Privacy Principles, or APPs), the New Zealand Privacy Act 2020, and the privacy laws of the United States (including the California Consumer Privacy Act (CCPA) and other applicable state laws). Our goal is to be transparent and accessible so that you understand how your information is handled.

Scope of this Policy

This Privacy Policy applies to all users of CarLogs worldwide, with special provisions for residents of Australia, New Zealand, and the United States. It covers personal data collected through our mobile application, website, and any other interactions you have with CarLogs. By using our Services, you agree to the practices described in this Policy, subject to the rights and choices outlined for your jurisdiction. If you do not agree with this Policy, please discontinue use of the Services.

Personal data we collect and how we use it

We collect various types of personal data to provide and improve the CarLogs Services. Below, we explain the categories of information we collect, how we collect them, and the purposes for which we use them.

1. Account and contact information

What we collect: When you create a CarLogs account or contact us, we collect personal identifiers such as your name, email address, phone number, and password. If you subscribe to a paid plan, we (through our payment processor) collect payment information such as name, address, payment details, invoices, and payment history.

How we collect: You provide this information directly when registering, updating your profile, or communicating with us.

Why we collect: We use account and contact information to create and manage your account, authenticate you, process payments, communicate with you about service updates or support requests, and send necessary notifications. This information is also used to respond to your inquiries or complaints and to provide customer support.

Lawful basis for processing: Contract and consent.

2. Vehicle and telemetry data

What we collect: If you connect CarLogs to a vehicle or a third-party car system (for example, linking your Tesla account or using a Bluetooth OBD-II device), we collect vehicle-related data. This may include your vehicle’s identification (such as VIN or device ID), telemetry data (such as speed, odometer readings, battery level, engine status), diagnostic codes, and sensor data. 

We also collect route data and driving details such as GPS coordinates of your trips, timestamps, driving duration, distance, acceleration, and other driving behavior metrics.

How we collect: This data is collected automatically from your vehicle’s onboard systems via the CarLogs app when you have connected the app to your car’s data source (such as through an API integration with the car manufacturer or via a Bluetooth connection to an onboard device). Location and route telemetry are recorded by the app during your drives when you grant location access on your mobile device.

Why we collect: We use vehicle and telemetry data to provide core functionality of CarLogs, such as displaying your trip history on a map, giving you insights into your driving patterns, calculating statistics (e.g., distance traveled, fuel or battery efficiency), and alerting you to vehicle maintenance issues or driving events. This data also helps us improve our Services (for example, by analyzing driving data to enhance route accuracy and app performance) and develop new features. In some cases, aggregated telemetry data (stripped of personal identifiers) may be used for research and analytical purposes to improve road safety or optimize our services.

Lawful basis for processing: Contract and consent.

3. Location data

What we collect: Precise geolocation data of your device and vehicle, including real-time GPS coordinates and historical location trails (route maps of your trips). We may also collect general location information (e.g., city or region) based on your IP address for security and fraud prevention.

How we collect: We collect precise GPS location data when you grant the CarLogs app permission to access location services on your mobile device. This can include location access in the background if you enable continuous tracking for trip logging. You can control location sharing via your device settings (see Your Choices below). We may also derive location inferences from your vehicle telemetry data when you use location-based features for trip logging and route recording purposes.

Why we collect: Location data is essential to CarLogs’ functionality. We use it to log your driving routes, display maps and trip histories, provide navigation or route replays, and offer location-based insights (such as identifying frequent routes or places). We also use location info to enhance safety and security – for example, to detect anomalies in location data (which can help identify potential fraud or unauthorized access to your account) or to enable features like geo-fenced alerts if you use them. We do not use your precise location for any purpose unrelated to providing the CarLogs service without your consent.

Lawful basis for processing: Consent.

4. Bluetooth and device data

What we collect: If you enable Bluetooth to connect CarLogs with your vehicle or accessories, we collect certain Bluetooth-related data, such as the presence of paired devices, device names, signal strength, and identifiers (like the MAC address of a device). We also collect technical device data from your phone, such as device model, operating system version, unique device identifiers, and app version, as well as sensor data like device motion (if relevant to detecting driving status).

How we collect: This information is collected automatically by the app when you use Bluetooth features or when the app interacts with your device’s hardware. For example, when the app searches for your car’s Bluetooth signal to auto-start a trip log, it may record the identifier of the found device. General device information and app usage data are collected via the app’s analytics tools, and sensor access (like motion or orientation) is only used if you grant permission.

Why we collect: Bluetooth data allows CarLogs to detect your vehicle or connected sensor to automatically start or stop trip logging and to gather vehicle diagnostics. Device information and identifiers help with optimizing the app for your device model, debugging technical issues (for instance, diagnosing a crash on a specific phone model), and ensuring compatibility. Collecting this data also aids in securing your account (e.g., recognizing a new device login for fraud prevention) and improving the user experience by understanding how the app performs across different hardware.

Lawful basis for processing: Consent.

5. Usage and analytics information

What we collect: We gather data about how you use our app and website. This includes log data (such as the dates and times you access our servers, features or screens you use, and links or buttons you tap), usage patterns, error and crash reports, and other diagnostic data. We may also collect your IP address and infer your general location from it (city or country level) for security and analytic purposes. Additionally, we also collect your email address when you enter it into the waitlist form on our website so we can contact you with updates and notify you when CarLogs becomes available.

How we collect: This data is collected automatically through our Services and third-party analytics tools integrated into the app. For example, we might use Google Analytics or similar services that collect usage events. If you use our website, we may use cookies or similar tracking technologies to gather usage data (see Cookies and Tracking below, if applicable). Email addresses, on the other hand, are collected directly from you when you submit your information through the waitlist form on our website.

Why we collect: We use usage and analytics information to understand user engagement and interaction with CarLogs. This helps us troubleshoot issues, improve the stability and security of our Services, plan new features, and tailor our interface to better suit user needs. For example, we might analyze which features are most popular or detect if the app frequently crashes on a certain screen, then use that information to make improvements. This data is generally analyzed in aggregate form. When we use analytics providers, they act on our behalf under strict data processing agreements and cannot use the data for their own purposes. For waitlist sign-ups, your email address allows us to provide information about your status on the waitlist and keep you informed about when CarLogs becomes available.

Lawful basis for processing: Consent.

6. Other information you provide

What we collect: Any other information you voluntarily provide to us. This might include profile information like a profile photo or nickname, feedback or survey responses, and communications with us (such as emails or chat support conversations). If CarLogs allows you to input notes about trips, attach images to journey entries, or share logs with friends, those user-generated contents are also collected and stored as part of your account.

How we collect: We collect this information directly from you when you provide it. For example, updating profile settings, sending an email to support, filling out a survey, or using optional features in the app to annotate your trips or share information.

Why we collect: We use this information to personalize and enhance your experience (like displaying a profile picture in the app), to address your feedback or support queries, and to improve our Services. User-generated content like trip notes or photos are stored so that you can access and manage them as part of your account. Feedback and survey responses help us understand user satisfaction and areas for improvement.

Lawful basis for processing: Consent.

Summary of how we use personal data

We use the personal data we collect for the following purposes:

• Providing and improving the service: To operate CarLogs and provide all features, including logging trips, displaying data dashboards, generating reports and enabling connectivity with your vehicle. This also includes improving and customizing your experience, such as tweaking the interface or building new features based on common usage patterns.

• Account management: To create and maintain your account, verify your identity when you log in, process subscription payments, and communicate with you about your account or transactions (e.g., payment receipts or account changes).

• Communications: To respond to your inquiries, provide customer support, and send service-related announcements (like changes to terms or important app updates). If you opt in, we may also send newsletters or promotional communications – and you can opt out of these at any time.

• Security and fraud prevention: To protect the integrity of our Services and your data. For example, we use device and usage data to detect suspicious activity, implement anti-fraud measures, and prevent unauthorized access. Unusual access and data patterns might prompt us to verify that it’s really you using the account.

• Compliance with law: To comply with legal obligations, such as responding to lawful requests by authorities or fulfilling regulatory reporting requirements.

• Research and development: To analyze usage trends and driving data in order to develop new features, enhance algorithms (like improving trip detection accuracy), and generally improve CarLogs. Wherever possible, we use aggregated or anonymized data for these purposes so it no longer identifies you personally.

• Automated decision-making: To the extent we use any algorithms or automated systems that analyze personal data to make decisions, we describe these in Automated Decision-Making and Profiling below.

  
  

Automated decision-making and profiling

CarLogs does not make any automated decisions about you that have legal or similarly significant effects without human involvement. However, we do use automated processing in a few ways to enhance your experience:

• Automated trip start/stop: The app may automatically start or stop recording a trip based on certain triggers (like connecting to your car’s Bluetooth or movement detected by your device’s sensors). This automation is a convenience feature based on your settings. It does not adversely affect your rights; it simply automates a function of the service (you can always start/stop recording manually if you prefer).

• Driving insights: We may algorithmically analyze your driving telemetry to provide you with personalized insights. For example, the app may use time or route data to classify your trips automatically on your behalf. These analyses are forms of profiling intended for your information only. They are not shared with any third party (unless you choose to share them) and are not used to make decisions about you outside of the app experience.

• Personalization: Automated systems might adjust the app interface or suggest features based on your usage. For instance, if you frequently drive certain routes, or visit certain locations the app might proactively show you stats about those routes or suggest to save these locations, or if you haven’t used a new feature, it might highlight a tutorial. This kind of profiling is aimed at making CarLogs more useful to you.

  
  

Importantly, any automated processing we do is in service of providing the CarLogs functionality you expect. If you believe that an automated process is affecting you in a significant way, or if you object to an automated feature, you have the right to contact us and request a human review (see Your Rights below). We will listen to your concerns and, if appropriate, adjust the processing or provide an explanation in line with applicable laws.

How we share your personal data

We do not sell your personal data to third parties for profit. We only share your information in the following circumstances, with proper safeguards:

1. Service providers (processors): We use trusted third-party companies to help us operate CarLogs and provide the Services to you. These third parties process data on our behalf and are bound by contracts to protect your information and use it only for the agreed-upon purposes. Our key service providers include:

• Amazon Web Services (AWS): Cloud storage and hosting provider. We store our databases and server infrastructure on AWS. Your personal data (including account info, trip logs, and files) may be stored on AWS servers (which may be located in the United States or other countries - see International data transfers). AWS acts as our hosting cloud provider and does not access your data except to keep it stored and available for our app’s use. 

• Stripe: Payment processing for subscriptions or in-app purchases. If you provide payment details, they are transmitted directly to Stripe. Stripe may receive your name, email, and payment information to process transactions. We do not store your full credit card details on our servers, Stripe handles that securely in compliance with PCI-DSS standards.

• Google: We use various Google services. This includes Google Analytics for usage analytics (which may collect device identifiers, IP address, and usage data), Google Maps services for location features (like map display of your routes or address search), and Firebase Crashlytics for app error reporting and push notifications. When you use mapping features, Google may receive location coordinates to provide map tiles and navigation info. Google processes this data under its own privacy terms as an independent service provider, but only as needed to provide the service to us (we do not allow Google to use our app data for their own advertising purposes, for example).

• Apple: If you use the iOS app, Apple may process certain data such as crash reports via its operating system services, or payment transactions via Apple’s App Store and in-app purchase system. If you use "Sign in with Apple" to create an account, we receive your name and email from Apple with your consent. Apple does not receive your CarLogs telemetry or route data through us, but their platform may collect information about your app usage under your device’s privacy settings (e.g., Apple may log that you downloaded or opened our app).

• Vehicle integrations: If you choose to link CarLogs with a vehicle manufacturer’s account (for example, your Tesla account), we will interact with their systems to retrieve your vehicle data with your permission. This means either the manufacturer’s servers or your vehicle will send us data like your vehicle’s location, battery status, or driving telemetry when you request it through CarLogs. Your use of such integrations is optional and governed by the car manufacturer’s terms. You can revoke the connection at any time , for instance, by unlinking your vehicle in the CarLogs app.

• MapTiler: We use MapTiler (a mapping service) to provide map tiles and geographical data for visualizing your routes. When maps are displayed in the app, MapTiler’s servers receive requests that include map coordinates (to retrieve the correct map imagery) and an API key. MapTiler does not receive your personal account details, and we do not send them your trip history - we only fetch map images to display to you. MapTiler may log basic request data for service monitoring, but this is not tied to your identity from our perspective. Requests for each trip are made independently.

• Cloudflare: Our website and certain API traffic use Cloudflare for security and performance (e.g., protection against DDoS attacks and faster content delivery). As a result, any data transmitted to our online services passes through Cloudflare’s global network. Cloudflare may process data like IP addresses and server requests temporarily for caching and security analysis. Cloudflare is bound by its privacy commitments to only use this information to provide services to us and to delete it in accordance with their retention policies.

• OneSignal: Customer messaging and engagement platform. We use OneSignal’s SDKs and APIs to send push notifications, service e‑mails (e.g., trip‑summary digests, security alerts, product tips) and promotional campaigns. When you enable notifications, we provide OneSignal with:

• Basic contact/identity: your name, e‑mail address, and an internal user ID so we know whom to message.

• Device and app identifiers: the push‑token or device ID issued by Apple/Google, app version, OS, and locale, which OneSignal needs to deliver messages to the right device.

• Engagement events: whether a notification was delivered, opened, or clicked, plus timestamp, IP address, and user‑agent. We use this feedback to measure effectiveness and avoid spamming you.

• You can opt out at any time by disabling specific push notifications and email communications in your device settings or the CarLogs preference panel.

2. Affiliates: If CarLogs is part of a group of related companies, we may share data with our affiliates (such as a parent company or subsidiaries) for internal administrative purposes and to provide our Services to you. Any such affiliate receiving your data will abide by this Privacy Policy. 

3. Business transfers: If we undergo a business transaction such as a merger, acquisition, reorganization, or sale of some or all assets, your personal data may be transferred as part of that deal. We will ensure the new owner is bound to respect your personal data in a manner consistent with this Privacy Policy. We will also notify you (for example, via email or a notice in the app) of any such change in ownership or control of your personal information, along with any choices you may have.

4. Legal compliance and protection: We may disclose personal information to courts, law enforcement, government or public authorities, or other third parties if required to do so by law or if we believe in good faith that such action is necessary to:

• Comply with a legal obligation, process, or request (e.g., to respond to a court order or subpoena).

• Enforce our Terms of Service or other agreements and investigate potential violations.

• Detect, prevent, or address fraud, security, or technical issues (for example, investigating suspicious activity on your account).

• Protect the rights, property, or safety of CarLogs, our users, or the public against harm, as required or permitted by law. We will only disclose the minimum amount of information necessary and will object to overbroad requests when appropriate.

5. With your consent: In situations other than those above, if we need to share your information, we will do so only with your consent. For example, if we ever want to share certain data with a partner for a new feature or research project, we would present you with an opt-in notice and explanation so you can decide.

International data transfers

CarLogs operates globally, and the personal data we collect may be transferred to and stored on servers in countries other than your own. In particular, data may be processed in Australia, New Zealand, the United States, and other locations where our service providers have facilities. When we transfer personal data across borders, we take steps to ensure appropriate safeguards are in place to protect your information in accordance with this Policy and applicable laws.

If you are in Australia or New Zealand, your personal information may be sent to or accessed from countries with different privacy standards (e.g., the United States). In such cases, we will take reasonable steps to ensure that any overseas recipient (like our cloud providers) will handle your information in a manner consistent with the APPs and NZ Privacy Principles. This often involves contractual agreements with those service providers that require similar levels of data protection.

We will only transfer data to third parties in jurisdictions that are deemed to have adequate data protection laws, or where we have put in place alternative measures to protect your privacy, such as the Standard Contractual Clauses (SCCs) for international transfers, confidentiality and security obligations in our contracts, and adherence to recognized frameworks (if applicable).

You acknowledge that personal data processed in another country may be subject to different laws and potentially accessible to law enforcement or national security authorities in those countries. However, our agreements with our service providers protect your data to the extent possible, and we will notify you of any transfer and obtain consent if required by law (for instance, some countries require user consent for transferring data overseas).

Our commitment is that no matter where your data is processed, we will treat it in line with the promises of this Privacy Policy. If you would like more information about cross-border data transfers or the specific safeguards we use, you can contact our Privacy Officer (see Contact Us section below).

Data retention and deletion

We retain personal data only for as long as necessary to fulfill the purposes outlined in this Policy or as required by law. We believe in data minimization and want you to be aware of how long your data is kept. Here are our general retention practices:

• Route and Telemetry data: By default, we store your trip history and telemetry data for you to access in the app through the course of you using our app, so you can review past trips at any time, or until you choose to delete it. You have control over this data:

• In-app deletion: You can delete individual trip logs or your entire trip history from within the app, or by contacting us with a deletion request. When you delete a trip or route, it will be removed from your account view, and we will erase it from our active database. It may remain in our secure backups for a short period (e.g., up to 30 days) until those backups cycle out, after which it is completely removed.

• Account deletion: If you delete your account (or request us to do so), we will delete all personal data associated with your account, including route and telemetry data, after processing your request (typically within 30 days). Again, residual copies might remain in backups temporarily but will be purged according to our backup retention schedule.

• Account information: Personal details like your name, email, contact info, and any subscription details are kept for as long as you have an active account. Once you delete your account, we generally remove these from our active systems within 30 days. However, we may retain certain information for a longer period if necessary:

• Legal or financial recordkeeping: We might need to keep records of financial transactions (payments, invoices) for accounting and tax purposes, typically for 7 years (as required by law in some jurisdictions). This means your name, email, and transaction history might be kept in a secure archive separate from the main user database solely for these compliance reasons.

• Dispute resolution: If you've ever had an issue or dispute with us, we may retain correspondence or records related to that dispute until it is resolved, and then for an appropriate period after (to ensure we have documentation in case of any legal matters).

• Diagnostics and analytics: Crash logs and analytics data are generally retained only as long as they are useful for us to identify issues and trends. For example, raw crash reports might be kept for 1-2 years to track recurring issues. Aggregated analytics (which do not directly identify you) might be kept longer for historical analysis. Where possible, we either dissociate this data from user accounts or anonymize it over time.

• Backup storage: We periodically backup our databases to ensure resilience of the service. These backups are securely stored and encrypted. They are retained for a limited time (commonly 30-90 days) and then overwritten or deleted when no longer needed. If data is deleted from our live systems, it will be deleted from backups in the normal rotation.

• Retention for legal obligations: If we are under a legal obligation to retain certain data (for example, in response to a law enforcement request or data relevant to a legal case), we will retain that data for as long as required by the obligation. Similarly, if the law mandates a minimum retention period for certain information, we will keep it at least that long (and not longer than necessary).

  
  

After the applicable retention period ends, we will securely delete or anonymize your personal data. When we anonymize data, we remove or alter information that could identify you so it can no longer be linked to you and is no longer personal information. We may use anonymized data (for example, trip classification of a common route, with all personal details removed) for research or analysis without further notice to you since it no longer contains personal data.

Regardless of the above default retention practices, you always have the right to request deletion of your personal data sooner (see Your Rights below for how to exercise this). We will honor such requests in accordance with applicable law. Keep in mind that deleting certain data (like your route history) may mean you lose access to that information permanently, so please backup any data you wish to keep before requesting deletion of your account.

Your rights and choices

We respect your rights over your personal data. Depending on where you live, you have certain legal rights regarding your information. CarLogs aims to extend key privacy rights to all users, regardless of jurisdiction, as part of our commitment to privacy.

These rights include:

• Access: You have the right to request a copy of the personal data we hold about you. This includes information like your account details, contact information, and data we’ve collected such as your trip logs. We will provide this in a commonly used format. For example, we can export your driving routes and telemetry data in a CSV or JSON file upon request. (Under some laws, this is called the “Right to Know” or "Data Access" request.)

• Correction (Rectification): If any personal data we have about you is inaccurate or incomplete, you have the right to have it corrected. For example, if your name is misspelled in our records, or a trip is logged with an incorrect date due to a bug, you can ask us to fix it. In many cases, you can correct most basic information yourself via the CarLogs application. For things you cannot change yourself, contact us and we will make the correction if possible, or add a note if not (some historical telemetry might not be editable, but we can append a correction, reversal or explanation).

• Deletion (Erasure): You have the right to request deletion of your personal data. This is sometimes called the “Right to Erasure” or “Right to be Forgotten.” You can delete certain data on your own (such as removing a trip log or deleting your entire account via the app’s account settings if that feature exists). For any data you cannot delete yourself, you can send us a deletion request. We will then erase your personal data from our systems, unless we have a lawful reason to keep it (as described in the Data Retention section, e.g., for legal compliance). We will also direct our service providers to delete the data they hold on our behalf, to the extent required.

• Objection to Processing: In certain jurisdictions, you may have the right to object to specific types of processing of your data. You might object to your data being used for research purposes or for direct marketing. If you object, we will consider your request and stop or limit the processing unless we have a compelling legitimate ground to continue (or if it's legally exempted). For direct marketing, note that we only send marketing emails if you’ve opted in, and you can opt out anytime (see Your Choices below).

• Withdrawal of Consent: Where we rely on your consent to process data, you have the right to withdraw that consent at any time. The most common example is location sharing – you give consent by granting the app permission. You can withdraw it by turning off that permission in your phone settings. Withdrawing consent won’t affect processing already done, but it will stop future processing of the aspect you withdraw consent from. Another example is if you consented to receive newsletters, you can unsubscribe, which withdraws that consent.

• Data Portability: You have the right to receive certain data in a portable format. This typically applies to information you provided to us or that was generated by your use of the service, which we process by automated means. In CarLogs, this could include your driving records, routes, and associated telemetry. Upon request, we can compile your data (for example, all your trips and stats) into a commonly used machine-readable format (like CSV, JSON, or XML) so that you can store it or use it elsewhere. We will provide this free of charge up to once (or a few times) per year as legally required.

• California Privacy Rights: If you are a California resident, you have specific rights under the CCPA (as amended by CPRA):

  • Right to Know: You can ask us to disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting, and the categories of third parties with whom we share it. (This is fulfilled by the Access right above and the information in this Policy.)

  • Right to Delete: (Covered above as Deletion right.)

  • Right to Correct: (Covered above as Correction right.)

  • Right to Opt-Out of Sale or Sharing: CarLogs does not sell or share your personal information as those terms are defined under California law (we don’t provide your data to third parties for monetary value or for targeted advertising uses). Therefore, there is no need for you to opt out of sale/sharing. We also do not use or disclose sensitive personal information (like precise geolocation or vehicle data) for purposes other than providing you the service, so the CPRA “Limit Use of Sensitive PI” right is not applicable except for core service uses.

  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights. That means we won’t deny you our Services, charge you a different price, or provide a lesser quality of service just because you made a privacy rights request. (However, note that deleting certain data might affect how features work, but that’s a consequence of the service not having the data, not a punitive action. We will inform you of any such impacts if relevant.)

  • Authorized Agent: You may designate an authorized agent to make requests on your behalf. We will take steps to verify the legitimacy of any request made by an agent to ensure security (for example, we might ask you to confirm that you did give them permission).

• Other U.S. state laws: If you reside in a state with its own privacy law (such as Virginia, Colorado, Connecticut, Utah, etc. in 2023 and beyond), you generally have similar rights to those described above (access, correction, deletion, data portability, and the right to opt out of certain processing like targeted advertising or profiling). CarLogs’ practices of not selling data and not engaging in targeted advertising without consent means many of those opt-out rights might not be directly needed. Nevertheless, if you have any privacy request under any state law, we will treat it with equal diligence. Some states also grant a right to appeal if you disagree with our decision on your privacy request - if we ever deny a request, we will let you know how you can appeal that decision.

• Australia and New Zealand: Under the Australian Privacy Act and NZ Privacy Act, you have the right to access the personal information we hold about you and to request corrections of any inaccuracies. We will provide access except in limited circumstances where we might be permitted to refuse (for example, if giving you access would unreasonably affect someone else’s privacy or if it relates to legal proceedings). We will also take reasonable steps to correct any information you show to be wrong. While these laws don’t explicitly give a right to deletion or data portability in the same way as some other jurisdictions, we honor deletion and portability requests as a matter of good practice (unless restricted by law). If for some reason we cannot comply with a request under Australian/NZ law, we will provide you with the reasons.

• Response time: We will respond to your privacy rights requests as soon as we can, generally within the timeframe your law requires. For example:

  • California/US law: within 45 days (and we can extend once by another 45 days if necessary, but we’ll let you know if so).

  • Australia/NZ: we aim for within 20 working days for access or correction requests.

  • If it’s a simple request like opting out of emails, we’ll act on it promptly (usually within a few days). If we need more time or if we cannot fulfill your request, we will inform you in writing.

• Verification: For certain requests (access, deletion, etc.), we will need to verify your identity to make sure we are providing data to the right person or deleting the correct account. We may ask you to verify information that we already have (for example, responding from your account email, or providing a recent trip detail that only you would know) to ensure the request is legitimate. We appreciate your cooperation on this, as it’s for your privacy protection.

• No Fee Usually Required: We will not charge you a fee for exercising your rights. However, if a request is repetitive, manifestly unfounded, or excessive, we might charge a reasonable fee or refuse to act on it (as allowed by law). If that happens, we will explain why.

  
  

To exercise any of these rights or if you have questions about your rights, you can contact us using the information in the Contact Us section at the end of this Policy. We will guide you through the process. For some requests (like data access or deletion), we may provide self-service options if available (for instance, an in-app data export or delete function), or handle it directly via our support team.

Your choices and consent management

We want to make sure you are in control of your data. Here are ways you can manage your preferences and consents regarding CarLogs:

• Privacy settings in the app: CarLogs provides a settings menu where you can adjust certain privacy-related preferences. For example, you may find toggles to enable/disable features like trip auto-start, background location tracking, or crash report sharing. You can also disconnect integrated services (like unlinking your vehicle account) from the settings.  By adjusting these settings, you directly control what data is collected or shared by specific features.

• Location services: You have full control over location tracking. If you do not want CarLogs to collect precise GPS data continuously, you can set the app’s location permission to “While Using the App” (so it only logs when the app is open) or “Never” (which disables location-based functions entirely). On most devices, these controls are found in your phone’s Settings > Privacy > Location Services. Keep in mind that if you disable or restrict location access, core features like automatic trip logging and route maps will be limited or unavailable.

• Bluetooth and sensors: Similarly, you can control whether CarLogs has access to your device’s Bluetooth and motion sensors. If you disable Bluetooth permission, CarLogs might not detect your car automatically, but you can still log trips manually. If you disable motion/activity recognition, CarLogs may not be able to tell when you start driving, which could affect features like auto-start. These settings are also managed in your phone’s privacy settings and in-app permissions.

• Notifications: We may send push notifications for things like trip start/stop alerts, weekly summaries, or important account notices. You can manage these notifications in two ways: through the app’s own notification settings (if available) and via your device’s notification settings for CarLogs (for example, you can turn off all CarLogs notifications in your phone settings). If you disable notifications, you might not receive alerts about ongoing trip recording or other timely info, but you can always see that info by opening the app.

• Marketing communications: If you’ve opted in to receive newsletters or promotional emails (for example, tips for using CarLogs or new feature announcements), you can opt out at any time. Every marketing email will have an “unsubscribe” link at the bottom – clicking that will stop further promotional emails. You can also manage your email preferences in the app or website account settings (if provided), or simply contact us to be removed from marketing lists. Note that we will still send you important service emails, like subscription confirmations, security alerts, or policy updates, as these are not promotional but part of our contractual or legal obligations.

• Analytics and tracking choices: We do not serve third-party ads in the app, so we don’t have ad tracking to turn off. The analytics we collect are for internal purposes as described. However, we understand if you have privacy concerns. While we don’t have an in-app switch to completely disable analytics (because that data helps maintain the service), you can request an opt-out. If you contact us to opt out of analytics, we can implement measures such as excluding your data from our analytics tools or using settings that minimize data collection for your account. Additionally, if your device has a “Limit Ad Tracking” or similar setting, it generally signals apps not to use certain identifiers; CarLogs respects such signals within the scope of our no-ads approach (meaning we don’t create ad profiles regardless).

• Do Not Track (for website use): Our primary service is a mobile app, not a web service, so “Do Not Track” signals from web browsers are not deeply applicable. On our website, we currently do not use any tracking cookies beyond essential analytics, and we do not respond to DNT signals because there is no profiling or cross-site tracking to stop. If this changes in the future, we will update our practices and honor standardized signals like the Global Privacy Control (GPC) as required by law (for example, in California).

• Consent for new features: Whenever we introduce a new feature that collects additional personal data or wants to use your data in a new way, we will ask for your consent before you use that feature. For example, if in the future CarLogs offers an integration with a health app to track walking and cycling commutes along with driving, we would clearly explain what data sharing is involved and let you opt in or out to the new feature.

• Third-party opt-outs: In cases where our service providers offer their own opt-out or privacy choices, we want you to be aware of them. For example, Google provides a browser opt-out add-on for Google Analytics (for web usage) and options to control personalized ads in your Google account (though we don’t use Google ads in CarLogs). If we ever used an analytics or crash service that allowed user opt-out, we would integrate that option. Currently, our third-party processors use your data only to help run our service, not for their independent marketing.

  
  

We strive to make all privacy options user-friendly and easy to find. If you are unsure how to exercise a particular choice, please refer to our FAQs or reach out to our support team for guidance. We will be happy to assist you in configuring the app to your comfort level regarding privacy.

Data security measures

We take the security of your personal data very seriously. CarLogs implements a variety of technical and organizational measures to protect your information from unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption: We use encryption to protect data in transit and at rest. When data is sent between your device and our servers, it’s encrypted using HTTPS (TLS). This applies to all personal data, including location data and login credentials. Sensitive information like passwords is stored in hashed or encrypted form in our database. For example, your password is never stored in plain text - only a secure cryptographic hash of it is kept.

• Access controls: Access to our systems and databases is restricted to authorized personnel with a legitimate need. We employ role-based access control so that, for instance, a support agent can see your account email to assist you, but cannot access your password or raw telemetry data without further authorization. Administrative access to servers is protected by strong authentication (including multi-factor authentication) and is limited to a small number of our team.

• Secure development practices: Our development and operations follow industry best practices. We regularly update software libraries and apply security patches. We also use code reviews and security testing (including occasional third-party security audits or penetration testing) to catch vulnerabilities. The CarLogs app is submitted through app store reviews which include certain security checks as well.

• Network security: We utilize firewalls and monitoring to protect our infrastructure. Services like Cloudflare help us in mitigating malicious traffic. Our servers are configured to minimize open ports and we continuously monitor for suspicious activities or unauthorized access attempts.

• Data minimization: We strive to collect only the data that we need. By holding less data, we reduce the risk exposure in case of any security issue as well as reduce processing and storage costs. For example, if we don’t need a piece of information (like your location when you are not moving in a vehicle), we won’t collect or store it. We also pseudonymize data where feasible – separating personal identifiers from the telemetry content, so that analyzing trip classification patterns can be done on anonymized data.

• Training and policies: We train our employees about the importance of data privacy and security. We have internal policies and procedures for handling data securely. For example, employees are instructed not to download personal data to unsecured devices, and we require the use of encryption on employee laptops. Regular training helps our team stay vigilant about phishing and other security threats.

• Incident response: Despite best efforts, if an incident were to occur, we have a plan (see Data Breach Notification below) to respond swiftly and effectively to minimize any harm.

  
  

While we cannot promise that a security breach will never happen (no service can), we can promise that we work hard to protect your data and that we will act promptly and transparently if an issue arises.

Data breach notification and incident handling

In the event of a data breach that involves your personal data, CarLogs is prepared with a response plan to address and mitigate the incident. Our procedures include:

• Internal incident response: Upon discovering or suspecting a security incident, we immediately activate our incident response protocol. A dedicated team will investigate the scope and nature of the breach, contain it (for example, by isolating affected systems or revoking unauthorized access), and work to remediate the root cause (such as patching a vulnerability). We log all incidents and our responses to them for accountability and review.

• Assessment of impact: We will quickly assess what personal data (if any) was involved in the breach, whose data was affected, and the risk level to users. This helps determine our next steps, including who needs to be informed and what measures users might need to take.

• Notification to users: If a data breach is likely to result in a risk of harm to you (for example, risk of identity theft, financial loss, or any significant inconvenience), we will notify you as soon as possible. Notification will be made through appropriate channels, such as email, in-app alerts, and/or our website. We will provide you with:

  • A summary of what happened (to the extent we know at the time).

  • The data involved (e.g., “email addresses and hashed passwords, but no financial information” or whatever is applicable).

  • What we have done or are doing to respond to the breach.

  • Any steps you should take to protect yourself (for example, reset your password, watch out for phishing attempts, etc.).

  • Contact details for further information (so you can ask questions or get more assistance).

• Notification to authorities: We will comply with all laws regarding breach notification:

  • In Australia, if the breach is likely to result in serious harm, we will notify the Office of the Australian Information Commissioner (OAIC) and follow the process under the Notifiable Data Breaches scheme.

  • In New Zealand, we will notify the Office of the Privacy Commissioner if the breach has caused or is likely to cause serious harm (as required under the Privacy Act 2020).

  • In the United States, we will follow state-specific data breach laws. This typically means notifying affected individuals without unreasonable delay and, in some cases, notifying state attorneys general or other regulators, especially if a large number of individuals are affected. We are aware of our obligations in states like California and others concerning data breach response.

  • We may also notify other relevant regulatory bodies if appropriate (for instance, if CarLogs were subject to any industry-specific regulations).

• Ongoing communication: Sometimes, investigations take time. If we cannot answer all questions initially, we may send follow-up notices when more information is available. We want you to be fully informed.

• Post-incident measures: After handling the immediate aftermath, we review the incident to understand how to prevent a similar event in the future. This could involve strengthening security measures, providing additional training to staff, or updating our policies. We document these changes and ensure they are implemented. Our goal is continuous improvement of our security posture.

  
  

Your trust is extremely important to us, and part of earning that trust is being forthright if something goes wrong. We are dedicated to handling any such event with transparency and care for your protection.

Third-party links and integrations

The CarLogs app and website may contain links to third-party websites or services, as well as integrations that involve third-party systems. Examples include:

• External websites: If our website links to an article, a partner’s site, or an external resource (like a blog or social media page), clicking those links will take you outside of CarLogs. We are not responsible for the privacy practices of those external sites. We recommend you review the privacy policy of any website you visit.

• In-app integrations: CarLogs might allow you to integrate or share data with third parties. For instance, you might have the option to export your trip data to a third-party service, or log in through a third-party platform (e.g. Apple login). Such interactions may share some data with the partner at your direction.

• Vehicle manufacturer apps: If you link to a car manufacturer’s software, servers or vehicles, you are using their platform through our app. While we facilitate the connection, any data these manufacturers provide or receive beyond our requests is handled under their privacy notice and policies.

  
  

This Privacy Policy does not cover how those third-party services collect or use your data. We only cover what we do with data. So, whenever you leave our app or website or engage with a third-party integration, be mindful of their privacy policies and terms. We try to make it clear when you are doing this - for example, we might show a prompt like “Opening external site...” or require you to confirm before connecting with a vehicle manufacturer account.

Children’s privacy

CarLogs is not intended for use by children under the age of 16. Our Services are designed for adult drivers or users of driving age in their respective jurisdictions. We do not knowingly collect personal data from anyone under 16 years old. If you are under 16, please do not use our app or send us any personal information.

If we become aware that we have unknowingly collected personal data from a child under 16 (or the relevant minimum age in certain countries, which can be up to 18), we will take steps to delete that information promptly. Parents or guardians: if you discover that your child under 16 has created an account or provided us with personal data without your consent, please contact us immediately so we can take appropriate action, including deleting the data and closing the child’s account.

For California residents under 18, while our service isn’t aimed at minors, if any content was posted publicly, California law allows removal of that content upon request.

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, and other considerations. When we make a significant change, we will notify you by appropriate means, for example, by sending an email to the address associated with your account, or by placing a prominent notice within the app - before the changes take effect, unless the changes are minor or not material, in which case we might just update the effective date at the top.

We include an “Effective Date” at the top of this Policy to indicate when the latest changes went into effect. For major updates, we may also include a brief summary of what’s new either in the notification or in an ‘Update Note’ within the policy itself so you can easily see what’s changed.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. If you continue to use CarLogs after any changes to the Privacy Policy become effective, it constitutes your acceptance of the updated terms (to the extent permitted by law). If you do not agree to the changes, you should stop using the Services and can request deletion of your data.

Contact us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us. We have appointed a Privacy Officer, who is responsible for overseeing questions in relation to this Policy and our data practices.

Contact Details for Privacy Inquiries:
Email: privacy@carlogs.io

We will do our best to respond to all legitimate requests or questions within a reasonable timeframe. For example, if you email us with a general question, we aim to reply within a few business days. If you are contacting us to exercise a privacy right or to lodge a complaint, we will respond acknowledging receipt as soon as possible and generally provide a resolution or answer within 30 days or the timeframe required by law.

Complaint resolution: If you have a complaint about how we handle your personal information, we encourage you to contact us first at the email above. Please provide details of your complaint and any relevant information (like what happened, dates, who you dealt with, etc.). We take privacy complaints seriously. The Privacy Officer (or their team) will investigate your complaint, and we may reach out to you for more information to ensure we understand the issue fully. We will then inform you of the outcome of our investigation and any steps taken to address your concerns.

If you are not satisfied with our response, you have the right to escalate your privacy complaint to a data protection authority or privacy regulator in your jurisdiction:

• Australia: You can contact the Office of the Australian Information Commissioner (OAIC) if you believe we have violated the Australian Privacy Principles and have not resolved your complaint. 

• Website: oaic.gov.au 

• Phone: 1300 363 992.

• New Zealand: You can contact the Office of the Privacy Commissioner (OPC) in NZ. The OPC can guide you on making a complaint and may investigate the issue.

• Website: privacy.org.nz 

• Phone: 0800 803 909.

• United States: There isn’t a single national privacy regulator for general consumer data, but you can reach out to your state’s Attorney General’s office. For example, California residents can contact the California Attorney General. Additionally, the Federal Trade Commission (FTC) accepts reports of unfair or deceptive business practices (which could include privacy issues). If your complaint pertains to a specific law (like CCPA), state authorities will be the ones to address it.

• Other Regions: If you are in a jurisdiction not explicitly listed, consult your local data protection authority (if one exists) or consumer protection authority.

Our Privacy Officer’s role is to monitor our compliance with privacy laws and this Policy, provide advice on privacy matters, and act as a point of contact for users and regulators regarding privacy. If you have any questions about anything in this Policy or about your personal data at CarLogs, do not hesitate to reach out to our Privacy Officer via the contact information above.