Privacy Policy

Last updated: April 25, 2026

CarVital AI ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at carvital.ai, our mobile applications on the Apple App Store and Google Play, and any related services (collectively, the "Service").

1. Information We Collect

We collect the following types of information:

  • Account Information: Name, email address, and profile picture when you create an account or sign in with Google.
  • Vehicle Information: Car make, model, year, color, mileage, modifications, and notes that you provide when adding cars to your garage.
  • Diagnostic Data: Responses to diagnostic questions and AI-generated health reports for your vehicles.
  • Usage Data: How you interact with our platform, including features used, pages visited, and actions taken. This is collected via Mixpanel analytics and a small internal events table.
  • Payment Information: Subscription and billing data processed securely through Stripe (web), Apple App Store, or Google Play. We do not store your credit card details on our servers.
  • Community Content: Posts, comments, likes, and images you share in the community section.
  • Profile & Social Data: Username, display name, bio, avatar, friends list, and friendship requests.
  • Direct Messages: Text and image messages you send to other users via the in-app messaging feature. Messages are stored on our servers so they can be delivered and viewed by both participants.
  • Voice Call Data (Walkie Talkie): When you use the walkie talkie feature, your microphone audio is streamed in real time to the other participant via WebRTC. We do not record the audio. We do store short-lived signaling messages (call setup data such as session descriptions and ICE candidates) and presence rows so the call can be established. These rows are deleted when the call ends.
  • Routine & Maintenance Logs: Routine checklist items you tick off and maintenance entries you record for your cars.
  • Reminder Preferences: Timezone and time-of-day settings you choose for maintenance reminder emails.
  • Device & Technical Data: Browser or device type, operating system, screen size, IP address, approximate location (derived from IP), referrer URL, and timestamps of your requests. This is logged automatically by our hosting and security infrastructure.
  • Crash Reports & Session Replays: When the app crashes or hits an error, our error monitoring tool (Sentry) captures stack traces, the URL you were on, and a short replay of the user-interface events leading up to the error. Replays mask text inputs and images by default; we never deliberately capture passwords, payment fields, or message content.

1a. Public vs Private Information

Some information is public by default and some is private. You control most of this from Settings → Privacy:

  • Public by default: Your username, display name, avatar, bio, community posts, comments, and (unless you disable it) the cars in your garage when viewed via your public profile page.
  • Private by default: Your email address, mileage, diagnostic results, maintenance logs, routine checklist, direct messages, voice calls, payment information, reminder settings, and crash reports.
  • You can opt out of: Appearing on the Discover sidebar, appearing in "People to Meet" suggestions, and displaying your cars on your public profile.

2. How We Use Your Information

  • To provide and personalize AI-powered car diagnostics and recommendations
  • To generate model-specific car profiles and maintenance schedules
  • To process your subscription and manage your account
  • To send you maintenance reminders and important updates via email
  • To improve our platform and develop new features based on aggregated usage patterns
  • To enable community features, friendships, direct messaging, and walkie-talkie voice calls between users
  • To deliver direct messages, image attachments, and voice audio to their intended recipients
  • To suggest people you might want to follow or message
  • To detect, investigate, and prevent abuse, fraud, spam, and security incidents
  • To diagnose and fix bugs via crash reports and session replays
  • To provide customer support
  • To comply with legal obligations

We do not sell your personal information, and we do not use your data to train AI models — neither ours nor any third party's.

3. Third-Party Services

We use trusted third-party services to operate our platform. Each is bound by its own privacy policy:

  • Supabase: Database hosting, user authentication, file storage (avatars, community images, DM images), and realtime delivery for messages and posts.
  • OpenAI: AI processing for diagnostics, car profiles, chat, and maintenance recommendations. Your car data and questions are sent to OpenAI for analysis. OpenAI's API terms state that submitted data is not used to train their models.
  • Stripe: Payment processing for web subscriptions. Stripe handles all card data under their own privacy policy and PCI-DSS compliance.
  • Apple App Store / Google Play: Payment processing for in-app subscriptions purchased through our mobile apps. These transactions are handled entirely by Apple or Google under their own terms.
  • Mixpanel: Analytics to understand how users interact with our platform. We track feature usage and aggregate engagement, not personal browsing habits.
  • Resend: Email delivery for welcome emails, maintenance reminders, and account notifications.
  • Sentry: Error tracking, performance monitoring, and session replay (used to debug crashes). Replays mask text and images by default.
  • Metered: TURN relay servers for the walkie-talkie feature. When peer-to-peer audio cannot connect directly, your audio packets are relayed (not recorded) through Metered. Your IP address is visible to Metered for the duration of the call.
  • Google Public STUN servers: Used to discover your public IP/port for WebRTC calls. No audio passes through these servers.
  • Vercel: Application hosting and deployment.

3a. Mobile App Permissions

Our mobile apps request the following operating-system permissions only when you use the relevant feature:

  • Microphone: Required for the walkie-talkie voice feature. Audio is streamed live to the other participant and is not recorded or stored.
  • Photo Library / Camera: Required when you choose to upload an avatar, attach an image to a community post, or send an image in a direct message. We only access the specific photos you select.
  • Notifications (optional): If granted, used to alert you to maintenance reminders, friend requests, new messages, or someone joining your walkie room. You can disable notifications in your device settings at any time.
  • Network access: Required for the app to function. We do not request, use, or collect precise GPS location, contacts, calendar, health data, or background location.
  • No background recording: The microphone and camera are only active while you are using the relevant feature in the foreground. We do not access either when the app is backgrounded or your device is locked.
  • App Store & Google Play: When you download or update CarVital from the Apple App Store or Google Play, those platforms collect their own usage and crash data per their respective privacy policies. We receive aggregated install and crash metrics from them but do not receive personal device identifiers tied to individual users.

4. Data Security

We implement appropriate technical and organizational measures to protect your personal information. All data is transmitted over encrypted connections (HTTPS/TLS), passwords are hashed by Supabase Auth, row-level security policies restrict access to your own data, and administrative access to production systems is limited to authorized personnel. However, no method of transmission over the Internet or storage system is 100% secure, and we cannot guarantee absolute security.

5. Data Retention

  • Account & profile data: Retained for as long as your account is active.
  • Cars, diagnostics, routine logs: Retained for as long as your account is active, then permanently deleted within 30 days of account deletion.
  • Direct messages: Retained until you or the other participant deletes them, or your account is deleted.
  • Walkie-talkie signaling rows: Deleted automatically at the end of each call (typically within seconds).
  • Crash reports & session replays: Retained for up to 90 days, then automatically purged by Sentry.
  • Analytics events: Retained for up to 12 months in aggregated form.
  • Billing records: Retained as required by tax and accounting law (typically 7 years).

6. Your Rights

Subject to applicable law (including the Malaysian PDPA, the EU GDPR, and the California CCPA), you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data and account
  • Withdraw consent for data processing at any time
  • Export your data in a portable format
  • Object to or restrict certain processing
  • Lodge a complaint with your local data protection authority

You can delete your account directly from Settings → Account → Delete Account in the app, which permanently removes your profile, cars, diagnostics, posts, comments, and messages within 30 days. For data export, correction, or any other privacy request, contact us at support@carvital.ai and we will respond within 30 days.

7. Children's Privacy

Our Service is not directed to children under the age of 13 (or 16 in jurisdictions where that is the applicable minimum age, including the European Union). We do not knowingly collect personal information from children under that age. If you believe a child has provided us with personal information, please contact us at support@carvital.ai and we will delete it.

8. Cookies & Local Storage

We use essential cookies for authentication and session management. We do not use advertising or third-party tracking cookies. We also use a small amount of browser local storage to remember UI state such as completed routine items and dismissed in-app notices. You can clear this from your browser settings at any time.

8a. Direct Messages

  • Direct messages are not end-to-end encrypted. They are stored in our database so they can be delivered, displayed, and retrieved across your devices.
  • CarVital AI staff do not routinely read user messages, but we may access them when required to investigate abuse reports, enforce our Terms, or comply with legal obligations.
  • Image attachments sent in DMs are stored in a private Supabase Storage bucket and are only accessible to the sender and recipient.
  • Deleting your account removes your messages from our active database within 30 days.

8b. Community & Public Profiles

  • Anything you post to the community feed (text, images, comments, likes) is visible to all signed-in users and may appear on your public profile at /u/your-username.
  • Your public profile shows your username, display name, avatar, bio, post history, friend count, and — unless you opt out — the cars in your garage.
  • Public profile pages may be indexed by search engines.
  • You can disable Discover listing, "People to Meet" suggestions, and public car display from Settings → Privacy at any time.

8c. Voice Calls (Walkie Talkie)

  • Walkie-talkie calls use peer-to-peer WebRTC. Audio is streamed live and is never recorded by us, and we do not have the technical ability to play back past calls.
  • To establish a call, we exchange short signaling messages (session descriptions and network candidates) through our database. These are deleted at the end of each call.
  • When peer-to-peer connectivity fails (typically about one in five calls due to restrictive networks), audio is relayed through our TURN provider (Metered). The relay forwards encrypted packets in real time and does not store them.
  • Your IP address is exposed to the other participant during the call and to Metered when relaying. This is inherent to how WebRTC works.
  • Calls are Pro-only. Both parties must be Pro subscribers to talk.

8d. International Data Transfers

We are based in Malaysia, but several of our service providers (Supabase, OpenAI, Stripe, Mixpanel, Resend, Sentry, Vercel) operate from the United States, the European Union, or Singapore. By using the Service you understand and consent to your information being transferred to and processed in these jurisdictions, which may have data-protection laws that differ from your own. We rely on the providers' standard contractual clauses and equivalent safeguards where required.

8e. Mobile App Stores

When you install our app from the Apple App Store or Google Play, the store collects information about your installation (device identifier, install date, crash reports it generates) under its own privacy policy. We may receive aggregated, anonymized install and engagement metrics from these stores. If you subscribe through the app, payment is processed by Apple or Google, not by us, and the store's refund and billing policy applies to that transaction.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice on our platform, by in-app message, or by email. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

10. Contact Us

CarVital AI is operated from Kuala Lumpur, Malaysia. If you have any questions about this Privacy Policy or wish to exercise any of your rights, please contact us at support@carvital.ai.

© 2026 CarVital AI. All rights reserved.