Privacy Policy
Last updated: June 2026
1. Who We Are
UNDER THE HOOD ("we," "us," "our") operates the website and service at this domain. This Privacy Policy explains what information we collect, how we use it, and your choices.
2. Information We Collect
Account data (from Whop): When you sign in via Whop, we receive your Whop user ID, username, email, and membership/tier information. We do NOT receive your full payment card or banking details — those are handled by Whop and its payment processor.
Profile data you create: Vehicles you add to My Garage (year, make, model, trim, mileage), savings entries (which guides you marked complete), bookmarks, recently viewed guides, and any text you send to the Rex AI advisor or estimate decoder.
File uploads: Photos or PDFs you upload to the Estimate Decoder are sent to our AI provider for processing. Original files are NOT permanently stored on our servers — they are processed in-memory and discarded after the response is generated. The text we extract may be logged briefly for abuse prevention.
Anonymous browsing: If you use the Free tier without signing in, we create an anonymous identifier in your browser (a UUID stored in localStorage and an httpOnly cookie) to keep your bookmarks, garage, and savings between visits on the same device. This identifier is not linked to your real identity.
Technical data: Standard server logs (IP address, user-agent, request timestamps) for security, abuse prevention, and debugging. No third-party trackers are used unless explicitly disclosed.
3. How We Use Your Information
- Provide and operate the Service — verify your tier, save your garage, sync your bookmarks.
- Generate AI responses tailored to your question (Rex chat, estimate decoder).
- Enforce daily rate limits per tier to prevent abuse and control costs.
- Send transactional messages (account changes, refunds) via Whop.
- Detect and prevent fraud, abuse, or violations of our Terms.
- Improve our content and product (in aggregated, de-identified form).
We do NOT sell your personal data to third parties. We do NOT use your data for advertising profiling.
4. Third-Party Service Providers
To run the Service we rely on these vendors, who may process limited data on our behalf:
- Whop: account, authentication, billing, subscription management. Receives email, username, payment.
- Anthropic / Claude (via Emergent): AI processing for Rex and the estimate decoder. Receives the question text and any extracted estimate text or images.
- MongoDB Atlas: stores your account, garage, savings, bookmarks.
- Hosting provider (e.g., Vercel): runs the web application; sees request logs.
Each of these providers has its own privacy policy and contractual obligations to protect data.
5. Data Retention
Account data: retained while your account is active and for up to 12 months after deletion (for fraud, refund, and legal-hold purposes), then deleted or anonymized.
AI queries and responses: retained for up to 90 days for safety review and abuse prevention, then deleted or anonymized.
Estimate decoder uploads: original files NOT retained; extracted text held with AI logs (up to 90 days).
Server logs: retained for up to 30 days for security and operational reasons.
6. Your Rights
Depending on your jurisdiction (US, EU, UK, California), you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data (right to be forgotten) — contact us to request.
- Object to certain processing or withdraw consent.
- Export your data (right to portability).
- Not be discriminated against for exercising these rights.
To exercise any of these rights, contact us at the email on our Whop product page. We respond within 30 days.
7. Cookies and Tracking
We use the following cookies/storage:
- uth_session (httpOnly): your authenticated session after Whop sign-in. Required for the service to function.
- uth_anon_id (short-lived): lets us merge your anonymous data into your Whop account on first sign-in.
- uth_pkce, uth_state (short-lived): security cookies used during the sign-in flow to prevent CSRF attacks.
- localStorage — uth_user, uth_tier: anonymous browsing identifiers, used only on the Free tier and only on your device.
We do NOT use third-party advertising cookies, analytics pixels, or social-media trackers without explicit notice.
8. Security
We use HTTPS for all traffic, HMAC-signed httpOnly session cookies, signature-verified webhooks, and industry-standard cloud security practices. No system is 100% secure; you are responsible for protecting your own Whop credentials.
9. Children's Privacy
The Service is intended for users 18 years of age and older. We do not knowingly collect personal information from children under 18. If you believe a child has provided us data, contact us and we will delete it.
10. International Transfers
Our service may be hosted in the United States. By using the Service, you consent to the transfer and processing of your data in the United States, which may have data protection laws different from your country.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the site. Continued use after changes constitutes acceptance.
12. Contact
Privacy questions, data requests, or complaints: contact us via the email on our Whop product page.
By using UNDER THE HOOD you acknowledge that you have read and understood this Privacy Policy.