Privacy Policy

Carnate ("we," "us," or "our") is operated by Ken Milstone-Turner in Toronto, Ontario, Canada. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use the Carnate mobile application, website at carnate.app, and all related services (collectively, the "Service").

This policy covers your rights under Canada's PIPEDA, the California Consumer Privacy Act (CCPA), and other applicable US state privacy laws.

By creating an account or using the Service, you consent to the collection, use, and disclosure of your information as described in this Privacy Policy.

1. Privacy Officer

Contact: legal@carnate.app, Toronto, Ontario, Canada

2. Information We Collect

2.1 Information You Provide

• Account information (email, password hash, auth tokens)
• Profile information (username, display name, avatar, bio, location, website)
• User preferences
• Content you create (posts, comments, vehicle lists)
• Vehicle information (VINs, plate numbers)

2.2 Information Collected Automatically

• IP address
• Device information
• App version

2.3 Information Generated by the Service

• Notification records
• Follower/following counts
• VIN decode results
• Plate-to-VIN cache (14-day retention)

2.4 Information We Do NOT Collect

• Precise GPS location
• Contacts
• Financial/payment info
• Biometric data
• Health data

3. How We Use Your Information

• Providing and operating the Service
• Improving the Service
• Safety and security
• Transactional communications

We do not use your information for targeted advertising or sell your personal information.

4. How We Share Your Information

• Publicly visible information (username, posts, etc.)
• Third-party service providers (Supabase, Cloudflare, Apple, Google, NHTSA, PlateToVIN, CarAPI)
• Legal disclosures
• Business transfers

5. Data Retention

• Active accounts: retained while active
• Plate-to-VIN cache: 14 days
• Deleted accounts: personal info deleted within 30 days; de-identified content retained as vehicle history

6. International Data Transfers

Data is processed in the United States and other countries where our infrastructure providers operate.

7. Data Sales and Sharing

We do not sell your personal information. We do not share it for third-party marketing.

8. Data Security

• Passwords are cryptographically hashed
• Row-Level Security on all database tables
• EXIF metadata stripped before upload
• TLS/HTTPS encryption

9. Your Privacy Rights

9.1 PIPEDA (Canada)

Access, correct, withdraw consent, file complaints. Response within 30 days.

9.2 CCPA (California)

Right to Know, Right to Delete, Right to Opt-Out, Right to Non-Discrimination. Response within 45 days.

9.3 Other US State Laws

Virginia, Colorado, Connecticut, Texas, and others. Contact legal@carnate.app.

10. Children's Privacy

Not directed to children under 13. Contact legal@carnate.app if you believe a child has provided personal information.

11. Changes to This Privacy Policy

Material changes communicated with 14 days notice.

12. Complaints

Contact legal@carnate.app. Canada: Office of the Privacy Commissioner. California: California Attorney General.

13. Contact Us

Email: legal@carnate.app

Mailing Address: Toronto, Ontario, Canada