CarCareTruth — Privacy Policy

Operator: SierraNova Labs LLC, a California limited liability company Site: carcaretruth.com (the "Platform" or "Site") Version: 2026-05-12 Effective date: May 12, 2026

The short version (in plain English)

The full policy is below. The short version is:

We don't sell your data. Not to advertisers, not to data brokers, not to anyone.
We don't run third-party ad tracking. No retargeting pixels, no ad-network cookies, no behavioral profiling.
We don't collect precise location, biometric data, financial data, or anything about children.
We collect what we need to run the site. Your account info, what you post, basic technical signals (IP, browser), and — if you choose to enter them at signup — your mailing address and phone number.
You can see, correct, export, or delete your data anytime. Email privacy@carcaretruth.com or use /privacy/request when signed in.
Affiliate links pay the bills. When you click an Amazon link, the purchase happens on Amazon — we don't see your card or order. Amazon doesn't see your CarCareTruth identity.
CSAM is reported to NCMEC, as federal law requires.
We are adults-only (18+).

The rest of this document is the legally precise version of those bullets.

Introduction and scope
Data inventory — what we collect
How we use your information
Data retention
Cookies, local storage, and similar technologies
Third-party processors, service providers, and statutory recipients
How we share your information
Security
Your California privacy rights (CCPA / CPRA)
Your rights under the GDPR (EU and EEA)
Your rights under the UK GDPR
Other jurisdictions
International data transfers
EU Digital Services Act compliance
EU / UK Article 27 representative
Data-subject access requests — process
Children's privacy (18+ adults-only service)
Affiliate and sponsored content — material connection
Email preferences and CAN-SPAM
Operator-set restrictions and kill switches
Changes to this privacy policy
Contact and supervisory authority

1. Introduction and scope

CarCareTruth.com is operated by SierraNova Labs LLC ("CarCareTruth," "we," "us," or "our"), a California limited liability company. We publish auto-detailing and autocare product reviews and host user-submitted content such as posts, comments, ratings, and photos. This Privacy Policy explains what personal information we collect when you use the Site, how we use it, how long we keep it, and the choices and rights you have over it.

A note on current launch state. Several account-related features described in this Policy — public signups, posting, commenting, photo uploads, the cookie consent banner, and opt-in marketing email — are still in pre-launch and may be temporarily disabled by operator-set kill switches (see §20). This Policy describes how the features handle personal information when they are active; when a feature is disabled, we collect nothing through that feature. Visitors who only read product reviews (without an account) generate only the server-log signals described in §2.4.

Who this Policy applies to. This Policy applies to everyone who visits CarCareTruth.com — whether you are reading reviews without an account, registered as a member, or interacting with our community features. It also applies if you contact us by email, submit a data-subject access request, or send a DMCA notice.

Adults only. CarCareTruth is intended for adults aged 18 and over. We do not knowingly collect personal information from anyone under 18. During signup we ask you to confirm with a checkbox that you are at least 18. We do not store your date of birth or year of birth. If we learn that an account belongs to someone under 18, we will close it and delete the associated personal information.

Our role. For the purposes of the EU GDPR (Regulation (EU) 2016/679) and the UK GDPR, SierraNova Labs LLC is the controller of personal data collected through the Site. For the California Consumer Privacy Act, we are the business that determines the purposes and means of processing your personal information.

Governing law. This Privacy Policy is governed by the laws of the State of California, without regard to its conflict-of-laws rules, except where mandatory local law gives you stronger rights — in which case the local rule applies.

Where to reach us. Privacy questions and data-subject requests go to privacy@carcaretruth.com. General questions go to support@carcaretruth.com. Legal notices and formal correspondence go to legal@sierranovalabs.com. Postal mail goes to SierraNova Labs LLC, 8605 Santa Monica Blvd, PMB 637961, West Hollywood, CA 90069-4109. Our public phone line is (559) 777-9019.

This Privacy Policy is part of our Terms of Service at /terms. If anything in the Terms conflicts with this Policy on a privacy matter, this Policy controls. Cross-references to Terms of Service section numbers reflect the version current as of the effective date of this Policy.

2. Data inventory — what we collect

The tables below list every category of personal information we collect, where it comes from, why we collect it, and how long we keep it. We do not collect anything that is not on this list.

2.1 Public profile (you give this to us)

These fields appear on your public profile and are visible to other visitors.

Field	Source	Purpose	Retention
Email address	Signup form	Account login, password reset, transactional email, account-related notices	Until you delete your account
Password (one-way hash only)	Signup form	Authentication. We never store or see your plaintext password.	Until you delete your account or change your password
Username / display name	Signup form	A single name you pick at signup — public handle and how your name appears on posts. The lowercased form is the unique URL slug; the original casing is what's displayed.	Until you change it or delete your account
Bio (optional)	Profile settings	Public profile content	Until you change or remove it, or delete your account
Free-text location (optional)	Profile settings	Public profile content. Free-text only — we do not collect GPS or precise location.	Until you change or remove it, or delete your account
Free-text "rides" (optional)	Profile settings	A short public list of the vehicles you maintain (e.g., "2019 GTI, 2014 Tacoma")	Until you change or remove it, or delete your account
Avatar image (optional)	Profile settings	Public profile display	Until you remove it or delete your account
Banner image (optional)	Profile settings	Public profile display	Until you remove it or delete your account
Website URL (optional)	Profile settings	Public profile link	Until you change or remove it, or delete your account
Direct-message permission setting	Profile settings	Controls who can message you on the platform	Until you change it or delete your account

2.2 Private profile — signup details we keep but never show publicly

These fields live in a separate, access-controlled record (the "private profile") enforced at the database layer. Other users cannot read them, and they are not exposed on any public page. Only your own account and authorized SierraNova Labs administrators can read this data.

Field	Required at signup?	Source	Purpose	Retention
Country	Required	Signup form	Apply the correct privacy law to your account; route legal disclosures; service-side fraud and abuse signals	Until account deletion
Region (state / province)	Required	Signup form	Same as country	Until account deletion
City	Required	Signup form	Same as country	Until account deletion
Street address	Optional	Signup form	Postal correspondence about your account if any; not used for marketing	Until you remove it or delete your account
Postal code	Optional	Signup form	Same as street address	Until you remove it or delete your account
Phone number (E.164 format)	Optional	Signup form	Account-recovery and security alerts only; not used for marketing	Until you remove it or delete your account
SMS opt-in flag	Optional checkbox	Signup form	Records your permission to receive SMS (not used today; reserved for future security/account-recovery SMS only)	Until you change it or delete your account
Marketing-email opt-in flag and timestamp of acceptance	Signup form / `/account/email-preferences`	Records your CAN-SPAM/GDPR consent for any commercial email	Until you change it or delete your account
Salted one-way hash of the IP you signed up from	Captured automatically at signup	Ban-evasion and multi-account abuse detection	Account lifetime
User-Agent string from your signup browser	Captured automatically at signup	Same as above; also helps when investigating a later account compromise	Account lifetime

Required vs. optional. Fields shown as required (email, password, username, country/region/city, 18+ confirmation, Terms acceptance) must be provided to create an account — without them we cannot perform the account-services contract with you. Fields shown as optional can be left blank at signup and added or removed later from your settings; declining to provide them has no effect on your ability to use the Site.

2.3 Garage, Storage Cabinet, and Accessory Kit (you give these to us)

Field	Source	Purpose	Retention
Garage vehicle profiles (make, model, year, optional trim, nickname, primary-vehicle flag, optional notes)	You add them	Lets you record the vehicles you maintain so we can show relevant products and you can reference them in posts	Until you remove the vehicle or delete your account
Storage Cabinet entries (consumables you own)	You add them	Personal product list / rebuy reminders	Until you remove the entry or delete your account
Accessory Kit entries (durables you own + wishlist items)	You add them	Personal product list and purchase-intent tracking	Until you remove the entry or delete your account
Free-text notes you add to a saved product (with a visibility setting: private to you, or visible on your profile)	You add them	Personal notes / public reviews of products you own	Until you remove the note or delete your account

2.4 Content you publish (you give this to us)

Field	Source	Purpose	Retention
Posts, comments, replies	You post them	Core community feature	Until you delete the item or your account; see §4 for soft-delete and anonymization rules
Reactions, votes, follows, blocks (including any optional free-text block reason you supply)	Your actions	Engagement and social-graph features	Until reversed by you, or until you delete your account
Bookmarks / saved posts	Your actions	Lets you keep a list of posts to return to	Until you remove the bookmark or delete your account
Group memberships	Your action	Group access and discussion participation	Until you leave the group or delete your account
Product ratings	You submit them	Aggregate community ratings on product pages	Until you remove the rating or delete your account; already-displayed aggregate scores may persist in anonymized form
FAQ submissions (where offered)	You submit them	Lets us answer common questions in public FAQs	Until removed or anonymized
Reports of other users' content	You submit them	Moderation and safety; abuse-prevention record	Retained as part of the moderation record (see §4)
Appeals of moderation actions	You submit them	Appeals process and accountability record	Retained as part of the moderation record (see §4)
Trophies you earn and the events that triggered them	Automatic based on your activity	Gamification / public profile badges	Until you delete your account
Reputation-score events (the per-event log that determines your platform trust tier)	Automatic based on your activity	Anti-abuse and trust-tier features	Until you delete your account
Uploaded photos	You upload them	Display alongside your posts/profile. Every uploaded image is held in a private, non-public staging area and scanned by a third-party content-safety service before it is made visible to anyone else; see §3 and §8.4.	Until you delete the post or your account; CSAM-flagged content is retained as required by 18 U.S.C. § 2258B

2.5 Technical information (collected automatically when you use the Site)

Field	Source	Purpose	Retention
IP address — edge access logs	Your connection to our servers	Security, rate limiting, abuse detection, debugging	Short — set by our hosting provider; see §6
IP address — authentication audit log	Supabase GoTrue audit records (sign-ins, password changes, MFA events)	Account-security forensics, ban-evasion detection	Account lifetime; deleted with the account record
IP-reputation and signup-IP counters	Stored in our database, keyed by a salted hash of your IP — never the raw IP	Signup-rate limiting, multi-account detection, ban-evasion prevention. We store a one-way hash, not the raw IP.	Until anonymized as part of routine cleanup or account-lifetime, whichever is sooner
Browser / device type (User-Agent)	Standard HTTP header	Compatibility, debugging, abuse detection. The signup-time User-Agent is also stored in your private profile (see §2.2) for account lifetime.	Edge log retention (typically under 24 hours), except where stated otherwise
Coarse geolocation (country, region)	Two sources: (a) what you enter in your signup form, stored in your private profile (see §2.2); (b) for unauthenticated visitors and edge-side checks, inferred at the edge from your IP by our hosting provider	Security, fraud and abuse investigation, routing of legal disclosures (e.g., DSA), applying the correct privacy law	Account lifetime for the user-entered values; edge log retention for the IP-inferred values
Session cookies and authentication tokens	Set by us when you sign in	Keep you signed in across pages	Session lifetime; cleared on sign-out
Last sign-in timestamp	Authentication system	Account security display, dormant-account detection	Until you delete your account
Affiliate-click events: which product / retailer listing you clicked, which on-site surface and referrer path the click came from, a one-way hash of your User-Agent used for same-day deduplication, the timestamp, and your account ID if signed in	Recorded when you click an outbound affiliate link	Attribute commissions from Amazon Associates and similar programs; reconcile retailer reports	2 years; the user-account link is removed on account deletion
Waitlist email (for features not yet launched), plus the referrer URL, source, and User-Agent of the submission	Your submission of a waitlist signup form	Notify you when the specific feature launches; not used for marketing of any other feature	Until the feature launches and you are notified, you unsubscribe, or you delete your account

We never sell IP addresses and do not use them for advertising. We do not use device fingerprinting beyond what a standard browser sends in normal HTTP headers, and we do not assign you a unique cross-site device identifier.

2.6 Sponsored-content metadata (administrative)

Field	Source	Purpose	Retention
`is_sponsored` flag on products and posts	Set by SierraNova Labs admin	Lets the Site display a clear "Sponsored" label, as required by FTC endorsement rules	For the lifetime of the product/post
Internal sponsorship records (brand name, term, scope)	Set by SierraNova Labs admin	Internal accounting and disclosure auditing. Stored separately from public, user-facing tables.	Up to 7 years (financial-records retention)

This category does not contain personal information about you; it is the administrative metadata that powers our sponsorship disclosures.

2.7 Data-subject access requests (DSARs)

When you submit a privacy request, we keep a record of it: your email address, the type of request, when it was received, what we did about it, when it was completed, the deadline by which we must respond, and — for requests submitted through the in-app form — the IP address and User-Agent of the submission (kept as the GDPR Art. 12(6) audit trail in case we later need to demonstrate why we did or did not grant a request). We are required to keep these records for audit purposes under both the California Consumer Privacy Act and the GDPR. We retain them for 2 years, then delete them.

2.8 What we do NOT collect

To make this explicit: we do not collect any of the following.

Precise geolocation. No GPS, no device location services.
Device fingerprinting beyond the User-Agent and IP that any web server sees.
Browsing history outside CarCareTruth.com. We do not track what you do on other sites.
Contact lists, address books, or social graphs from other platforms. We do not ask for, import, or scrape them.
Biometric, genetic, or health information.
Date of birth or year of birth. We use a single 18+ confirmation checkbox at signup and store the resulting boolean only.
Third-party social-login identities. We do not currently offer "Sign in with Google" or other third-party identity providers; signup is by email and password.
Financial information. When you click an affiliate link to Amazon (or another retailer), the purchase happens entirely on their site. We never see your card number, billing address, or order details.
Children's personal data. The Site is restricted to users 18 and over.
Search-query logs. We do not currently log on-site search queries. If we begin doing so, this Policy will be updated.

3. How we use your information

We use your personal information only for the purposes listed in this section. Each row shows the activity, the CCPA business purpose that applies to California residents, and the GDPR legal basis that applies to users in the EU, EEA, and UK.

What we do	CCPA business purpose (Cal. Civ. Code §1798.140)	GDPR legal basis (Art. 6)
Run the Site and provide the features you sign up for (account creation, posting, Garage, Storage Cabinet, Accessory Kit, ratings)	Providing the service you requested	Contract — Art. 6(1)(b)
Send transactional email (verify your email, reset your password, confirm account changes, security notices)	Providing the service	Contract — Art. 6(1)(b)
Send notifications you have opted into (replies, follows, mentions, opt-in digest emails)	Providing the service	Consent — Art. 6(1)(a) for opt-in; Contract — Art. 6(1)(b) for security/account-state notices
Confirm you are 18+ at signup (single confirmation checkbox)	Security; operating an adults-only service	Legitimate interest — Art. 6(1)(f)
Moderate content, enforce our Terms, investigate reports, act on appeals, retain records to defend our enforcement decisions, and apply automated restrictions (rate-limiting, probation periods, temporary suspensions) that are reversible by human moderator review and appealable	Detecting security incidents and protecting against malicious activity; establishment, exercise, and defense of legal claims	Legitimate interest — Art. 6(1)(f); also Art. 17(3)(e) when an erasure request is received
Hold uploaded images in a private staging area and scan them with a third-party content-safety service for child sexual abuse material, sexual content, violence, hate, and self-harm before they are made visible to anyone else; report confirmed CSAM matches to NCMEC. The current processor is listed in §6.	Compliance with law	Legal obligation — Art. 6(1)(c) for the NCMEC report (18 U.S.C. § 2258A); Legitimate interest — Art. 6(1)(f) for the pre-publication scan
Rate-limit, detect bots, prevent fraud and ban evasion (using IP-hash and account-activity signals)	Detecting security incidents and protecting against fraudulent or illegal activity	Legitimate interest — Art. 6(1)(f)
Attribute affiliate clicks to revenue (so we are paid by Amazon Associates and similar programs)	Business operations	Legitimate interest — Art. 6(1)(f). No personal data is sent to affiliate networks beyond what a normal outbound link discloses.
Display sponsored content with the required "Sponsored" label	Compliance with law	Legal obligation — Art. 6(1)(c): FTC Endorsement Guides
Respond to data-subject access requests, legal process, and government requests	Compliance with law	Legal obligation — Art. 6(1)(c)
Maintain financial and tax records	Compliance with law	Legal obligation — Art. 6(1)(c)

Where we rely on legitimate interests, we have run the required balancing test and concluded that operating a safe, ad-free, affiliate-funded service does not outweigh your privacy rights. You can request a summary of that test for any specific purpose at privacy@carcaretruth.com.

We do not sell your personal information as "sell" is defined by the CCPA, CPRA, and comparable state laws. We do not share your personal information for cross-context behavioral advertising as "share" is defined by the CPRA. We do not run third-party ad networks at this time. If that ever changes, we will update this Policy and obtain any consent that the law requires before the change takes effect.

Automated decisions. The only automated decisions we make about your account are (a) pre-publication content scanning of images for illegal content (every confirmed match is reviewed by a human before any further action) and (b) automated rate-limit / probation restrictions applied by our moderation system based on prior reports and sanction history. Automated restrictions are reversible by human moderator review and can be appealed (see §14). They do not produce legal effects within the meaning of GDPR Art. 22, and editorial product scores are not personalized — they are computed for every visitor from the same rubric inputs.

4. Data retention

We keep your personal information only as long as we need it for the purpose we collected it, or as long as the law requires. The rules below apply across the data inventory in §2.

4.1 While your account is active

We keep your account data, Garage, Storage Cabinet, Accessory Kit, posts, and other content for as long as your account is open. You can edit or delete most of this yourself at any time from your settings.

4.2 When you delete your account

You can delete your account by emailing privacy@carcaretruth.com (a self-service "delete account" page is in development). Once we verify the request, we apply the following schedule:

Immediately: your username is anonymized and freed so the account can no longer be signed into.
Within 30 days: the personal fields on your profile (email address in the auth system, display name, bio, free-text location, free-text rides, avatar, banner image, website URL, DM-permission setting, communications preferences, and every row in your private profile in §2.2) are deleted. Your Garage, Storage Cabinet, and Accessory Kit entries are deleted.
Within 30 days: your posts, comments, and other content are anonymized — the content remains visible in conversation threads (so other users' replies still make sense), but your name and profile link are removed and replaced with a generic "Deleted user" label. If you want the content removed and not just anonymized, say so in your deletion request; we will honor content removal except where we are legally required to keep it.
Within our database processor's backup-retention window (a short rolling window, with point-in-time recovery where enabled): routine database backups containing your data age out and are purged. See §4.6.

4.3 Specific retention windows by category

Category	How long we keep it
Email, username, password hash, profile fields (display name, bio, location, rides, avatar, banner, website, DM permission, 18+ confirmation)	Until account deletion (see §4.2)
Private-profile address and phone fields (country/region/city, street, postal code, phone, SMS opt-in, marketing opt-in + timestamp)	Until you remove the field or delete your account
Signup-time IP hash and User-Agent (kept on the private-profile row)	Account lifetime
Garage / Storage Cabinet / Accessory Kit entries (including per-product notes)	Until you remove them or delete your account
Posts, comments, photos, ratings, FAQ submissions	Until you delete the item, your account is deleted (see §4.2), or moderation removes it
Reactions, votes, follows, bookmarks, group memberships, last sign-in timestamp	Until reversed by you or your account is deleted
Trophies and reputation-score events	Until your account is deleted
Affiliate-click events	2 years; the user-account link is removed on account deletion
Waitlist email + referrer/source/User-Agent	Until feature launch + notification, or you unsubscribe, or account deletion
IP address — edge access logs	Short rolling window set by our hosting provider
IP address — Supabase authentication audit log	Account lifetime; deleted with the account
IP-reputation / signup-IP counters	Reviewed periodically for continued necessity; pruned as a function of account lifecycle and risk signal staleness
Server logs (User-Agent, request metadata)	Short rolling window set by our hosting provider
Coarse geolocation — user-entered country / region / city	Until you remove the value or delete your account
Coarse geolocation — IP-inferred (edge header)	Edge log retention
Moderation records (reports filed, appeals, sanctions, probation status, moderator action log, administrator-action audit records)	Retained for as long as needed to keep the community safe and to defend our enforcement decisions, reviewed for continued necessity at least every 24 months. After account deletion these records no longer identify you by name. Basis: CCPA § 1798.105(d)(2) and (d)(7); GDPR Art. 17(3)(e).
Data-subject access request records (including the submission IP and User-Agent)	2 years (CCPA + GDPR audit requirement), then deleted
Financial and tax records (where applicable)	Up to 7 years (California and IRS standard retention)
Sponsorship contracts and disclosure records	Up to 7 years (financial-records retention)
Cookie consent record	Until you change your choice, or 12 months, whichever is sooner
Other §2 fields not enumerated above	The lifetime of the account record they attach to

4.4 CSAM content — required retention

If we identify content as child sexual abuse material, we are required by 18 U.S.C. § 2258A to report it to the National Center for Missing & Exploited Children (NCMEC), and under 18 U.S.C. § 2258B to preserve the content and related records for at least 90 days (and longer if law enforcement requests it). This obligation overrides a deletion request and the GDPR Article 17 right to erasure (Article 17(3)(b) — compliance with a legal obligation). The rest of your account is still deletable on the normal schedule.

4.5 Disputes, claims, and litigation holds

If we receive a credible legal claim, subpoena, preservation letter, or litigation hold that requires us to keep specific records longer than the schedule above, we will keep just those records for as long as the obligation requires, and delete them when it ends. While a litigation hold is in place, the affected records are exempt from DSAR deletion under CCPA § 1798.105(d)(5) and GDPR Art. 17(3)(e); we will tell you which records are held and delete them when the hold lifts.

4.6 Backups

Our database backups are encrypted and used only to restore the Site if something goes wrong. Backup retention is a short rolling window, with point-in-time recovery where enabled. When data is deleted from the live database, it ages out of backups within the configured retention window as part of normal backup rotation. We do not restore deleted user data from backups except as part of a full disaster-recovery event.

5. Cookies, local storage, and similar technologies

We use cookies and similar browser-storage (localStorage, sessionStorage) only where needed to operate the Site or — for non-essential categories — where you have given consent. We do not use third-party advertising cookies, cross-site tracking pixels, or device-fingerprinting libraries. "Cookie" below covers cookies, localStorage, sessionStorage, and equivalent client-side storage; the same consent rules apply regardless of mechanism.

5.1 Categories

1. Strictly necessary. Always on; required for core functionality.

Item	Storage	Purpose	Lifetime
Supabase auth-token cookies (chunked) and the PKCE code-verifier cookie	Cookie (Supabase `@supabase/ssr`)	Keeps you signed in	Session / refresh-token lifetime
Framework-level CSRF protection cookie	Cookie (`SameSite=Lax`, `Secure`)	Defends server-side mutations against cross-site request forgery	Session
Cookie-consent record	localStorage	Records your consent choices	12 months
Draft-post recovery (group and profile composers)	localStorage	Recovers a draft if your browser crashes mid-compose	7 days

Without these we cannot keep you signed in, defend against CSRF, or remember your consent answer. No consent is required for this category under GDPR Art. 5(3) / ePrivacy or the CCPA.

2. Functional. On by default; clearable from your browser at any time.

Item	Storage	Purpose	Lifetime
Recent-searches list	localStorage	Search autocomplete	30 days
Theme preference	localStorage	Light/dark UI preference	Until changed
Recently-viewed products	localStorage	"Recently viewed" rail	30 days
Dismissed-banner flags	localStorage	Hides dismissed banners	90 days

These do not leave your browser and are not transmitted to any third party.

3. Analytics.

Plausible Analytics (cookieless). Loaded on every page, always on. Plausible sets no cookies, does not retain IP addresses (IP is used only as one input to a daily-rotating session hash and then discarded), and does not assign cross-session identifiers. Because nothing is stored on your device and no persistent identifier is created, consent is not required under GDPR Art. 5(3) / ePrivacy — consistent with the EDPB's position on truly cookieless aggregate analytics. You can still suppress it via DNT or by blocking plausible.io at the network level.
PostHog product analytics (planned future processor — not yet integrated). If we add PostHog, it will be gated on consent in the EU and UK and on a DNT signal anywhere, and will be configured with session replay off, form-content autocapture off, and IP discarded at ingest. Until we publish an update to this Policy adding PostHog, no PostHog code runs on the Site.

4. Advertising — none. No third-party advertising cookies, retargeting pixels, conversion tags, or behavioral-advertising SDKs; no real-time bidding. If we ever introduce advertising, we will update this Policy, add a Consent Management Platform, and refresh EU/UK consent before any advertising script loads.

5.2 The cookie consent banner

When you visit from the EU/EEA or UK (detected via our edge network's country signal, with the banner shown by default if that signal is missing or unrecognized), we show a consent banner on first visit. The banner offers "Accept all" and "Reject non-essential" with equal prominence — no pre-ticked checkboxes, no nudge patterns, consistent with EDPB Guidelines 03/2022 §86. Until you choose, no non-essential cookies are set and no non-essential scripts are loaded.

Your choice is stored in your browser's localStorage and — if you are signed in — mirrored to your account so the same choice applies across every device you sign in on. The record is refreshed if it gets older than 12 months. You can revisit and change your choice at any time via "Cookie preferences" in the footer.

5.3 Do Not Track and Global Privacy Control

DNT. A browser Do Not Track signal is treated as withdrawal of Analytics consent. PostHog (if and when active) will not initialize.
GPC. Global Privacy Control is a browser signal recognized by the California Privacy Protection Agency and by the regulators of several other US states (including Colorado, Connecticut, and Texas) as a universal opt-out of sale and targeted advertising. We honor GPC across all jurisdictions, irrespective of your state of residence. We receive the signal, log it on the session and (where you are signed in) against your account, and treat it as a confirmed opt-out of "sale" and "share" under CCPA/CPRA. Because — as the next sections explain — we do not sell or share, no downstream processing changes; but the signal is recorded against your session and account, and would automatically suppress any future sale-or-share processing without further action from you.

6. Third-party processors, service providers, and statutory recipients

We rely on a small number of vetted third-party processors. Each acts only on our documented instructions, under a written Data Processing Agreement (DPA) where the law requires one.

A few terms used below:

EU / EEA — the European Union plus Iceland, Liechtenstein, Norway.
UK — United Kingdom.
SCCs — European Commission Standard Contractual Clauses (Implementing Decision (EU) 2021/914), Module 2 (controller-to-processor).
IDTA — UK International Data Transfer Addendum issued under s.119A of the Data Protection Act 2018.
DPF — EU-U.S. Data Privacy Framework and its UK Extension, applicable only where the specific processor is on the active DPF participant list at dataprivacyframework.gov at the time of transfer.

6.1 Processors

Processor	Role	Data shared	Location	Transfer mechanism	Privacy policy
Supabase Inc.	Managed PostgreSQL, GoTrue auth, and Storage.	All Account, Activity, Technical-and-Usage Data, and Uploaded Content described in §2.	United States.	EU SCCs Module 2 and UK IDTA in DPA; DPF where Supabase Inc. is on the active participant list.	https://supabase.com/privacy
Vercel Inc.	Hosting, edge network, request routing, and Vercel Analytics (privacy-preserving traffic baseline).	Request logs (IP, user-agent, referrer, path, timestamp), edge geolocation header, deployment logs. Vercel Analytics configured for fully-anonymous aggregate counts.	United States.	EU SCCs Module 2 and UK IDTA in DPA; DPF where applicable.	https://vercel.com/legal/privacy-policy
Resend (Resend Inc.)	Transactional email (signup, password reset, security alerts, DSAR responses; opt-in digests when enabled). Resend's own infrastructure and sub-processors. A current sub-processor list is available on request — see below.	Recipient address, sender address, subject, body, delivery telemetry.	United States.	EU SCCs Module 2 and UK IDTA in Resend DPA; DPF only if Resend is on the active participant list at the time of transfer.	https://resend.com/legal/privacy-policy
Microsoft Azure Content Safety (Microsoft Corporation)	Pre-publication scan of every user-submitted image for child sexual abuse material, sexual content, violence, hate, and self-harm.	Image bytes for the duration of the scan only; Microsoft contractually represents that it does not retain image content beyond the API call. No account identifiers shared.	United States (Azure US regions).	EU SCCs Module 2 and UK IDTA via the Microsoft Products and Services DPA; Microsoft Corporation is additionally DPF-certified.	https://privacy.microsoft.com
Plausible Analytics (Plausible Insights OÜ)	Privacy-friendly, cookieless aggregate site analytics. Always on. No cookies, no retained IP, no cross-session identifiers.	Aggregate non-personal traffic data (page URL, country, browser family, anonymized referrer).	Estonia (controller) / Germany (servers).	EU-internal processing for EU/UK users; for US users, the recipient is an EU processor — no Chapter V transfer concern.	https://plausible.io/privacy
Google Workspace (Google LLC)	Inbound and outbound staff email for `support@`, `dmca@`, `legal@`, `privacy@carcaretruth.com`; storage of the resulting threads; spam and abuse filtering.	Inbound mail (sender address, subject, body, attachments) and outbound replies, including any personal data we include in a response (e.g., DSAR fulfilment material, account-level disclosures).	United States (with global Google infrastructure).	EU SCCs and UK IDTA in the Google Workspace DPA; Google LLC is additionally DPF-certified.	https://policies.google.com/privacy
Rainforest API (server-to-server product-data API)	Retrieves Amazon product data (price, ratings, review counts, listing images) so we can show current information on product pages.	No personal information about you. Our servers send only the product identifier we are querying. The API is not listed for personal-data purposes — it appears here for transparency.	United States.	n/a (no personal data transferred).	https://www.rainforestapi.com/privacy
Large-language-model API providers (currently Anthropic PBC and/or OpenAI, L.L.C.)	Generates AI-assisted editorial drafts and AI-persona content described in §5 and §17 of the Terms (each AI persona post and comment is labelled "AI" inline; see also `/disclaimer`).	Inputs are limited to product SDS text, public product data, CCT-authored prompt scaffolding, and persona briefing documents. No registered-user personal data, account email, IP address, private profile fields, or private content is sent to LLM providers. Outputs (the generated text itself) are stored in our database and visibly labelled.	United States.	Zero-retention API terms in provider DPAs; EU SCCs Module 2 where applicable. Anthropic and OpenAI are additionally DPF-participants where the active participant list includes them.	https://www.anthropic.com/legal/privacy · https://openai.com/policies/privacy-policy
PostHog Inc. (planned future processor — not yet integrated)	If added: product analytics, A/B testing, feature flags, gated on EU/UK consent.	Would receive anonymized event data only; session replay disabled, form-content autocapture disabled, IP discarded at ingest.	United States.	EU SCCs Module 2 and UK IDTA will be in place before activation; DPF where applicable.	https://posthog.com/privacy
Sentry (Functional Software, Inc.) (planned future processor — not yet integrated)	If added: server and client error/performance monitoring, configured with `sendDefaultPii: false`, data scrubbers, and a `beforeSend` filter to scrub emails, passwords, tokens, and free-text.	Would receive stack traces, request method/path, an anonymized user ID, and browser/OS metadata.	United States.	EU SCCs Module 2 and UK IDTA will be in place before activation; DPF where applicable.	https://sentry.io/privacy
Stripe, Pay.gov, or equivalent payment processor (not active at launch)	Payment processing for paid features when launched.	Payer name, billing address, payment instrument tokens (we never receive the full card number), amount, transaction status.	United States (primary).	EU SCCs Module 2 and UK IDTA in processor DPA; DPF where the processor is on the active participant list.	To be added when active.

6.2 Statutory recipients

Recipient	Role	Data shared	Location	Basis
NCMEC CyberTipline	Statutorily designated U.S. reporting body for apparent CSAM under 18 U.S.C. § 2258A. Not a commercial processor; no DPA.	The flagged content and the offending account's identifiers (email, username, IP if available) plus required CyberTipline metadata. Triggered only when apparent CSAM is identified.	United States.	Statutory reporting under 18 U.S.C. § 2258A; not a commercial transfer.

We do not currently use additional CDN or network-security intermediaries beyond the processors listed above. If we add a processor not listed above, this Policy will be updated before any personal data is shared with it.

A current list of executed DPAs and the active DPF participant status of each processor is available on request to privacy@carcaretruth.com. None of the processors listed above is authorized to use the personal data we share for its own marketing, profile-building, or onward sale.

7. How we share your information

We share personal information only as described in this section. The defaults are restrictive.

1. We do not sell personal information. We do not sell — and have not in the preceding 12 months sold — your personal information, as "sell" is defined by CCPA, CPRA, and the comparable statutes of Virginia, Colorado, Connecticut, Utah, Texas, and Oregon. No money or other valuable consideration changes hands in exchange for your data.

2. We do not share for cross-context behavioral advertising. We do not share your personal information, as "share" is defined by CPRA, with any third party for cross-context behavioral advertising. We do not participate in advertising auctions or ad-network sync events. We honor Global Privacy Control as an opt-out of "sale" and "share," even though we do neither.

3. Service providers and processors. We share personal information with the processors listed in §6, strictly to operate the Site, under written contracts containing the provisions required by Cal. Civ. Code § 1798.100(d) and meeting the "service provider" definition in § 1798.140(ag) (or the "contractor" definition in § 1798.140(j) where applicable), GDPR Article 28 "processor" requirements, and the UK GDPR equivalents. They may not use your data for their own purposes, may not retain it beyond what is needed, and must delete or return it on termination.

4. Legal, safety, and law-enforcement disclosures. We may disclose personal information in good faith when required or permitted to:

comply with valid legal process — subpoena, court order, search warrant, 18 U.S.C. § 2703(f) preservation request, or equivalent;
respond to authority requests under the Digital Services Act (Regulation (EU) 2022/2065) or comparable law;
enforce our Terms of Service or this Privacy Policy;
detect, prevent, or address fraud, security incidents, or abuse — including sharing minimal identifying signals (banned-account hashes, abusive IP ranges) with other operators or industry trust-and-safety consortia when reasonably necessary;
protect the rights, property, or safety of SierraNova Labs, our users, or the public — including disclosure without legal process in cases of imminent risk of death or serious bodily injury, as authorized by 18 U.S.C. § 2702(b)(8).

We push back on overbroad requests and, where legally permitted, notify the affected user before complying so they can seek to quash — subject to gag orders or other restrictions.

5. NCMEC reporting. We are required by 18 U.S.C. § 2258A to report apparent CSAM to the NCMEC CyberTipline. When we identify such content we share it, plus the associated account identifiers and metadata, with NCMEC. This is a statutory obligation; it cannot be opted out of, and it overrides GDPR Art. 17 erasure requests via the legal-obligation exception in Art. 17(3)(b).

6. Corporate transactions. In a merger, acquisition, financing, reorganization, bankruptcy, or asset sale, personal information may be transferred to the successor or a prospective acquirer for due-diligence, under confidentiality and use-restriction terms. We will provide notice through the Service and, where required, by email before any such transfer takes effect.

7. Aggregated and de-identified information. We may create, use, and publish aggregated or de-identified data that does not identify any individual (e.g., "X reviews this month"). We use commercially reasonable measures, per CCPA §1798.140(h), including a contractual prohibition on re-identification, to keep it de-identified.

8. Content you make public. Public posts, comments, profile fields, and votes are visible to anyone who can reach the Site, including search engines. This is not "sharing" in the legal sense — it is publication by you. You can edit, delete, or restrict your content at any time, but cached or republished copies on third-party services are outside our control.

Sharing we do not engage in. We do not share personal information with data brokers, do not run audience-matching or look-alike modeling, do not onboard user lists to advertising platforms, and do not embed third-party scripts that exfiltrate personal information to undisclosed processors. If any of this changes, we will update the Policy and refresh consent before the change takes effect.

8. Security

We take the security of your information seriously, but no system on the public internet is impenetrable. This section describes what we have in place, the limits, and what we do if something goes wrong.

8.1 How we protect your data

Encryption in transit. All connections use HTTPS with modern TLS, enforced at the edge on every request.
Encryption at rest. Our database processor encrypts production databases, file storage, and automated backups at rest using industry-standard strong encryption.
Password handling. Passwords are stored only as a one-way cryptographic hash using an industry-standard algorithm. We do not store, log, or have any technical means to recover your plaintext password. Password resets use short-lived signed tokens — we never email your existing password.
Session security. Session tokens rotate on sensitive events (login, password change, email change) and are held in a secure, HttpOnly, SameSite cookie scoped to carcaretruth.com.
CSRF protection. Server-side mutations are protected by framework-level token verification.
Rate limiting and fraud detection. Login, account creation, password reset, posting, and other sensitive endpoints are rate-limited; credential stuffing and abusive automation are detected and blocked.

8.2 Access controls

Row-level security (RLS) on every public-schema table — authorization is enforced at the database layer, so a bug in a single route cannot override the rules governing who may read or write a row. Your private-profile row (§2.2) is protected this way and is not readable by other users.
Least privilege. Privileged credentials capable of bypassing user-level access controls are held server-side only and are never shipped to the browser.
Multi-factor authentication (MFA) is available on every account and strongly recommended; administrators are required to enroll.
Administrative access to sensitive fields is logged and attributable to the administrator who performed the action.

8.3 Backups

Our database processor takes daily encrypted backups on a short rolling retention window, with point-in-time recovery enabled where configured. Backups are restorable only by authorized personnel under our incident-response procedures, and inherit the same encryption-at-rest protections as live data.

8.4 Pre-publication content scanning

Every image a user uploads — avatars, banners, and post media — is held in a private, non-public staging area and scanned by a third-party content-safety service (the current processor is listed in §6) for child sexual abuse material (CSAM) and other prohibited content (sexual content, violence, hate, self-harm) before any other user can see it. Only images that pass the scan are moved to public storage and referenced from posts or profiles; images that fail the scan are quarantined and never become live content.

Confirmed CSAM additionally triggers the legal-reporting workflow in our Terms of Service and 18 U.S.C. §§ 2258A–2258B: an NCMEC CyberTipline report is filed within the statutory timeframe, and the file and related records are preserved in access-restricted storage for at least 90 days (and longer on law-enforcement request) under § 2258B. Only authorized SierraNova Labs personnel and any law-enforcement recipient acting under § 2258B can access the preserved material.

8.5 Honest limits — no security is perfect

No method of internet transmission or electronic storage is 100% secure. We do not promise our security will work in every circumstance, and we cannot eliminate the inherent risk of sending data over the internet. Nothing in this section limits or excludes any liability that cannot be limited or excluded under California Civil Code §1668 or other applicable law — including liability for our own fraud, willful injury, or violation of law. This section describes the inherent risks of internet transmission; it is not a waiver of our duty of care.

8.6 Breach notification

If we discover a security incident that has compromised, or that we reasonably believe is likely to have compromised, your personal information, we will notify you in accordance with applicable law:

California — Cal. Civ. Code § 1798.82. We will notify California residents of any breach of unencrypted personal information (or encrypted personal information where the encryption key or security credential was also acquired) in the most expedient time possible and without unreasonable delay, once we have determined the scope of the incident and restored the reasonable integrity of the data system, consistent with the needs of law enforcement.
EU / EEA — GDPR Arts. 33 and 34. Where the incident is a personal-data breach within the meaning of Art. 4(12), we notify the lead supervisory authority within 72 hours of becoming aware of it unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects (Art. 33). Where the breach is likely to result in a high risk to data subjects, we also notify you, without undue delay, in clear and plain language (Art. 34).
UK. UK GDPR imposes the same Art. 33 and Art. 34 obligations via the Information Commissioner's Office (ICO).
Other jurisdictions. We comply with any other notification obligations that apply.

Where law enforcement is permitted to delay notification (for example, because notice would impede an active investigation), we may delay to the minimum extent permitted and notify you as soon as the delay lifts.

9. Your California privacy rights (CCPA / CPRA)

If you are a California resident, you have the following rights with respect to your personal information. We honor each right under applicable law and will not discriminate against you for exercising it.

9.1 Notice at Collection (Cal. Civ. Code § 1798.100(b))

Category of personal information (Cal. Civ. Code § 1798.140)	What this means at CarCareTruth	Why we collect it	Categories of recipients	Retention
Identifiers	Account email, username, display name, account ID	Authentication, transactional email, post attribution, account recovery	Supabase, Resend, Vercel	Until account deletion; soft-deletes kept 30 days
Customer records (§ 1798.80(e))	Optional profile fields (bio, free-text location, free-text rides, website URL, avatar, banner image) and your private-profile address and contact fields (country/region/city, optional street address, optional postal code, optional phone, optional SMS opt-in flag)	Display public profile; apply correct privacy law; enable optional features	Supabase	Until you remove the field or delete your account
Internet or other electronic network activity	Pages viewed, posts and comments, votes/reactions, follows, bookmarks, group memberships, product tags, trophies and reputation events, affiliate-click events (including referrer path, surface, and a hashed User-Agent)	Operate features, attribute affiliate revenue, prevent abuse, improve the product	Supabase, Vercel, Plausible (aggregate only)	Activity: until account deletion. Affiliate clicks: 2 years, user-link removed on deletion
Geolocation (coarse)	Country / region / city you enter at signup; country inferred from IP at the edge. We do not collect precise or GPS location.	Apply correct privacy law; security; fraud and abuse investigation; routing of legal disclosures	Supabase, Vercel	User-entered: until account deletion. Edge-inferred: edge log retention
Audio, electronic, visual	Images you upload (avatars, banners, post media)	Display your content; pre-publication content-safety scan	Supabase Storage; Microsoft Azure Content Safety (not retained beyond the scan)	Until you remove the content or delete your account
Inferences	Trust-tier and reputation signals computed from your platform activity	Moderation, safety, access control	Supabase, Vercel	Until account deletion
Professional, employment, education, biometric, genetic, racial / ethnic, religious, union-membership, sex-life / orientation, immigration, financial-account information	Not collected.	n/a	n/a	n/a

Sources. Directly from you (registration, profile, posts, votes, follows, affiliate clicks); automatically through your use of the Site (server logs, edge headers, click/view events); and from service providers (authentication, image-safety, email-delivery signals).

Categories of third parties to whom we disclose, sell, or share. For each category listed above, the categories of third parties to whom we disclose personal information for the business purposes in §3 are (i) the service providers and contractors listed in §6.1; (ii) the statutory recipient in §6.2 (NCMEC, when triggered); and (iii) the legal, safety, and corporate-transaction recipients described in §7.

Sold or shared? No. We have not sold or shared (as those terms are defined by Cal. Civ. Code § 1798.140) any personal information in any category above in the preceding twelve (12) months, and we do not currently sell or share it.

9.2 Sensitive Personal Information (Cal. Civ. Code § 1798.140(ae))

CCPA defines a closed category of "sensitive personal information": Social Security number; driver's license, state ID, or passport number; financial-account login or payment-card data; precise geolocation; racial or ethnic origin; citizenship or immigration status (AB 947); religious or philosophical beliefs; union membership; the contents of mail, email, and text messages where we are not the intended recipient; genetic data; biometric information processed to uniquely identify a person; health information; and information concerning sex life or sexual orientation.

What we do not collect. CarCareTruth does not collect or process any sensitive personal information in that closed list. We never take payments (affiliate links transact on the retailer's site under the retailer's terms), never collect precise geolocation, never collect government IDs, and never collect biometric, health, racial/ethnic, religious, union, genetic, or sex-life information.

Credentials and correspondence. We store only a one-way cryptographic hash of your password; we never see plaintext. Inbound email to our privacy/support/DMCA addresses is retained as long as reasonably necessary to handle your request; we are the intended recipient, so it is not "sensitive" under § 1798.140(ae)(1)(C).

Right to limit. Because CarCareTruth uses sensitive personal information only within the purposes enumerated at Cal. Civ. Code § 1798.121(a) and 11 CCR § 7027(l), no Right-to-Limit-eligible processing occurs. You may still submit a request to limit; we will respond by confirming this disclosure.

9.3 Your California rights

Right to Know (§§ 1798.100, 1798.110, 1798.115). You may request that we disclose, for the 12 months preceding your request — and, on specific request, for the period beginning January 1, 2022 (unless providing information beyond the 12-month period would be impossible or require disproportionate effort, per Cal. Civ. Code § 1798.130(a)(2)(B)) — the following:

the categories of personal information we have collected about you;
the categories of sources;
the business or commercial purposes for collecting, selling, or sharing it;
the categories of third parties to whom we have disclosed it;
the specific pieces of personal information we hold about you.

Those categories, sources, purposes, and recipients appear in §9.1 above.

Right to Correct (§ 1798.106). If personal information we maintain about you is inaccurate, you may request that we correct it. Most fields are user-editable in your account settings. For fields you cannot edit yourself, email privacy@carcaretruth.com with the requested correction and a brief explanation. We will use commercially reasonable efforts to verify and correct; where we cannot verify the correction, we will note your dispute in the record.

Right to Delete (§ 1798.105). You may request deletion of personal information we have collected from you. Email privacy@carcaretruth.com (or use the self-service delete-account flow when it ships). We will delete or de-identify the requested information and instruct our service providers to do the same, except where a statutory exception in § 1798.105(d) applies, including:

completing a transaction you requested;
detecting security incidents or fraud (§ 1798.105(d)(2));
complying with a legal obligation (§ 1798.105(d)(8));
exercising or defending legal claims (§ 1798.105(d)(5));
internal uses reasonably aligned with the consumer's relationship with us (§ 1798.105(d)(7)).

We retain moderation records (mod-action log, reports, sanctions, probation status, appeals, administrator-action audit records) under § 1798.105(d)(2) and (d)(7), and we retain anonymized affiliate-click records (with your user identifier removed) under § 1798.105(d)(7) for affiliate-program accounting.

Right to Limit Use and Disclosure of Sensitive Personal Information (§ 1798.121). See §9.2. The right is preserved; a request will be honored and answered with that disclosure.

Right to Opt Out of Sale or Sharing (§ 1798.120). We do not sell personal information, and we do not share personal information for cross-context behavioral advertising; we have not done so in the prior twelve months. Because no sale or sharing occurs, the opt-out is not operative and no "Do Not Sell or Share My Personal Information" link is required. The right is preserved; we will honor any opt-out request by confirming this disclosure in writing.

Right to Non-Discrimination (§ 1798.125). We will not deny you the Site, charge you a different price, provide you a different level of quality, or otherwise treat you adversely because you exercised a privacy right. We do not operate any financial incentive program that conditions service on the collection or retention of personal information.

Right to Data Portability (§ 1798.130(a)(2)). When you exercise the right to access personal information you provided to us, we provide it in a structured, commonly used, and machine-readable format — typically JSON, packaged as a ZIP archive with one file per category, covering your profile (public and private), posts, comments, reactions, follows, bookmarks, group memberships, your Garage / Storage Cabinet / Accessory Kit entries, trophies and reputation events, affiliate clicks, and the notifications we still hold for you.

Right Regarding Automated Decision-Making. CarCareTruth does not use personal information to make solely automated decisions that produce legal or similarly significant effects concerning you. Automated moderation restrictions (rate limits, probation periods) are reversible by human moderator review and can be appealed (see §14). Editorial product scores are not personalized; they are computed for every visitor from the same rubric inputs. If we ever introduce solely automated decision-making within the scope of forthcoming CCPA regulations, we will update this Privacy Policy and offer the access and opt-out rights then required.

California "Shine the Light" (Cal. Civ. Code § 1798.83). We don't disclose personal information to third parties for their own direct marketing. So a Shine the Light request will get a one-line confirmation of that. If you want it in writing, email privacy@carcaretruth.com with subject "California Shine the Light Request"; we respond within 30 days.

Do Not Track and Global Privacy Signals (CalOPPA, Cal. Bus. & Prof. Code § 22575). We treat DNT as a withdrawal of Analytics consent (see §5.3); there is otherwise no cross-context advertising or sale-of-data behavior for DNT to opt out of. We recognize and honor the Global Privacy Control ("GPC") signal as a valid opt-out of "sale" and "sharing" for the browser or device from which it is sent, in line with California Attorney General and California Privacy Protection Agency guidance.

9.4 How to exercise your California rights

Where to send your request. Email privacy@carcaretruth.com with subject "California Privacy Request"; indicate which right(s) you are exercising. You may also use the in-app form at /privacy/request when signed in.

Identity verification. To protect your information, we verify your identity before fulfilling a request to know, correct, delete, or port. For account-holder requests, verification consists of confirming control of the registered email address (a reply from that address, or a one-time link we email to it). For requests to know the specific pieces of personal information we hold about you, we verify to a reasonably high degree of certainty as required by 11 CCR § 999.325(c) — typically by matching three data points we already maintain, or by a signed declaration under penalty of perjury, in addition to email confirmation. For non-account requests or where the registered email is unavailable, we may ask for two or three data points that match information we already maintain. Verification data is used only for verification and deleted after the request closes.

Response timeline. We confirm receipt within 10 business days and provide a substantive response within 45 calendar days of receipt per Cal. Civ. Code § 1798.130(a)(2). Where reasonably necessary we may extend by an additional 45 days (90 days total) and will notify you of the extension and reason within the initial 45-day window.

If we deny your request. If we cannot verify your identity, if a statutory exception applies, or if the request is otherwise denied in whole or in part, we will respond in writing explaining the basis, identifying the statutory exception relied upon, and informing you of your right to lodge a complaint with the California Privacy Protection Agency (cppa.ca.gov) or the California Attorney General (oag.ca.gov/privacy). You may resubmit a corrected or narrowed request at any time.

Authorized agent requests (§ 1798.140(a)). You may designate an authorized agent to submit a CCPA request on your behalf. The agent must provide: (i) the consumer's signed written permission or a valid power of attorney under Cal. Prob. Code §§ 4000–4465; (ii) sufficient information to identify the consumer's account; and (iii) the agent's own contact information. We will verify the consumer's identity directly with the consumer using the process above. Even where a power of attorney is provided, we may, at our option and consistent with 11 CCR § 7063(b), require the consumer to confirm the agent's authority directly.

10. Your rights under the GDPR (EU and EEA residents)

If you live in the European Union or the European Economic Area, the GDPR gives you rights in relation to the personal data we hold about you. CarCareTruth is operated from the United States and is not actively marketed to the EU/EEA, but if you create an account, we honor these rights.

10.1 The rights you have

Right of access (Article 15). Ask us for a copy of your personal data and information about how we use it, how long we keep it, and who we share it with. Supplied as a downloadable file — see "Data portability" below.
Right to rectification (Article 16). Correct personal data that is wrong or incomplete. Most fields (display name, username, bio, email, vehicle info, address fields) you can edit yourself in account settings. For anything you can't change in-app, email privacy@carcaretruth.com.
Right to erasure / "right to be forgotten" (Article 17). Ask us to delete your account and the personal data tied to it. We act on confirmed requests within 30 days. A small set of records is retained on a recognized erasure exception: child-safety reports and related evidence under Art. 17(3)(b) (compliance with the legal obligation in 18 U.S.C. § 2258A–B); moderation logs and enforcement records retained to defend our decisions under Art. 17(3)(e) (establishment, exercise, or defense of legal claims); and anonymized affiliate-click rows after pseudonymization — see §4.
Right to restriction of processing (Article 18). Ask us to pause processing — for example, while you contest the accuracy of something we hold, or while we consider an objection. While restricted, your record is preserved but not used. Acknowledged within 72 hours; effected promptly, and in any event within one month.
Right to data portability (Article 20). Get a copy of the personal data you've given us in a structured, commonly used, machine-readable format (JSON, packaged in a ZIP with one file per category — same scope as the California portability export in §9.3). You can also ask us to transmit it directly to another controller where technically feasible.
Right to object (Article 21). Object at any time to processing carried out on the legal basis of "legitimate interests" — including analytics. You have an absolute right to object to processing for direct marketing; any marketing email we send will include a one-click unsubscribe.
Right not to be subject to automated decision-making (Article 22). We do not make legal or similarly significant decisions about you by purely automated means. Automated systems screen uploaded images for illegal content and may apply rate-limit or probation restrictions based on prior reports and sanction history — but these are reversible by human moderator review and can be appealed (see §14). A human moderator decides every account-level action.
Right to withdraw consent (Article 7(3)). Where we rely on your consent (non-essential cookies, marketing email), you can withdraw it at any time. Withdrawal doesn't affect processing already done, or processing carried out on a different legal basis.
Right to lodge a complaint (Article 77). Complain to your national supervisory authority. The European Data Protection Board maintains the list of EU/EEA DPAs at edpb.europa.eu/about-edpb/about-edpb/members_en. You may also contact us first.

Article 14 — indirect sources. Where we receive personal data about you from a source other than you directly — for example, coarse country inferred by our edge provider from your IP address — we provide the Article 14 disclosures in this Policy itself, which is published publicly and made available no later than at the moment of first contact (page load). This serves as our Article 14(5)(b) measure to protect data subjects' rights where direct provision would be impossible or disproportionate.

10.2 How to exercise these rights

Email privacy@carcaretruth.com with the right you want to exercise, your account email, and (for access, portability, or erasure) enough detail for us to verify you. We respond without undue delay and in any event within one month of receipt (Art. 12(3)); for unusually complex requests we may extend by up to two further months and will tell you within the first month. Exercising these rights is free unless a request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse — and explain why.

10.3 Legal bases for processing (Article 6)

We rely on the following legal bases:

Purpose	Legal basis under Article 6
Account creation, authentication, transactional email, displaying your posts/comments/profile	Contract — Art. 6(1)(b)
Fraud prevention, abuse detection, security monitoring, rate-limiting, automated probation restrictions	Legitimate interests — Art. 6(1)(f)
Product analytics and aggregate usage measurement	Legitimate interests — Art. 6(1)(f), with a right to object; non-essential analytics cookies in the EU/UK additionally rely on consent — Art. 6(1)(a)
Content moderation, appeals, and enforcement	Legitimate interests — Art. 6(1)(f); illegal-content takedowns also rely on legal obligation — Art. 6(1)(c)
Non-essential cookies, marketing email, optional opt-in features	Consent — Art. 6(1)(a), withdrawable at any time
Tax records, lawful subpoenas/court orders, NCMEC reporting under 18 U.S.C. § 2258A, government requests	Legal obligation — Art. 6(1)(c)
Affiliate-link click attribution	Legitimate interests — Art. 6(1)(f); user-account link removed on account deletion

10.4 Data Protection Officer

CarCareTruth is not required to designate a Data Protection Officer under GDPR Article 37: we are a US-based controller, EU/EEA processing is incidental, and our core activities do not involve large-scale systematic monitoring or large-scale processing of special-category data. Our pre-publication content-safety scan is ancillary content-moderation processing under EDPB Guidelines on DPOs (WP 243 rev.01); it does not by itself constitute "regular and systematic monitoring of data subjects on a large scale." We have nevertheless designated a privacy contact at privacy@carcaretruth.com.

11. Your rights under the UK GDPR (United Kingdom residents)

If you live in the United Kingdom, the UK GDPR and the Data Protection Act 2018 give you the same rights described in §10 — access, rectification, erasure, restriction, portability, objection, the right not to be subject to automated decision-making, and the right to withdraw consent. Exercise them the same way: email privacy@carcaretruth.com.

The UK supervisory authority is the Information Commissioner's Office (ICO). You can lodge a complaint at ico.org.uk or by phone at 0303 123 1113.

12. Other jurisdictions

We honor data-protection rights wherever you live, even when our service is not actively targeted at your country. Email privacy@carcaretruth.com to exercise any right below; we respond within 30 days at most.

Canada (PIPEDA). The Personal Information Protection and Electronic Documents Act gives you the right to access the personal information we hold and to correct anything inaccurate. Complaints: Office of the Privacy Commissioner of Canada at priv.gc.ca.
Brazil (LGPD). The Lei Geral de Proteção de Dados Pessoais gives you rights broadly comparable to the GDPR — access, correction, deletion, portability, information about sharing, revocation of consent. Complaints: Autoridade Nacional de Proteção de Dados (ANPD).
US state privacy laws. Several US states have adopted comprehensive consumer-privacy statutes — including California, Colorado, Connecticut, Delaware, Indiana, Iowa, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia. Specific rights and thresholds vary by state, but we honor the equivalent rights (access, deletion, correction, portability, opt-out of "sale" or "targeted advertising," and non-discrimination) for residents of any state with such a law. We do not sell your personal information, and we do not engage in cross-context behavioral or targeted advertising. California residents: see §9. Residents of states whose laws require an internal appeal process (including Texas Tex. Bus. & Com. Code § 541.054 and Oregon ORS § 646A.578) may submit an appeal of a denied request by replying to our response email; we will rule on the appeal within 45 days and, where the appeal is denied, identify the state attorney general's contact channel.

13. International data transfers

CarCareTruth is operated from the United States, and our third-party processors (Supabase, Vercel, Resend, Microsoft Azure Content Safety, Plausible, Google Workspace) store and process data on US servers, except Plausible, which is EU-resident (Estonia controller / Germany servers). If you access the service from outside the US, your personal data will be transferred to and processed in the US.

For EU, EEA, and UK users, we make transfers on the following legal bases:

Standard Contractual Clauses (SCCs). We rely on the SCCs approved by the European Commission (Implementing Decision (EU) 2021/914), Module 2 (controller-to-processor), in our DPAs with each non-EU processor. Where a processor is not on the active DPF participant list, the SCCs alone provide the legal basis for the transfer.
EU-US Data Privacy Framework (DPF). Where, and only where, the processor is on the active DPF participant list at the time of transfer (https://www.dataprivacyframework.gov/list), we additionally rely on the framework (Commission adequacy decision of 10 July 2023).
UK IDTA and UK Extension to the DPF. For UK users, we rely on the UK International Data Transfer Addendum (issued under s.119A of the Data Protection Act 2018) in combination with the SCCs, and on the UK Extension to the DPF where the processor has certified to it.
Art. 49(1)(b) derogation. Where you create an account and we must transfer your data to the US to provide the service you requested, the transfer is additionally necessary for the performance of the contract between you and us within the meaning of GDPR Art. 49(1)(b) and UK GDPR Art. 49(1)(b).
Transfer Impact Assessment and supplementary measures. Consistent with Schrems II (Case C-311/18) and EDPB Recommendations 01/2020, we have documented a Transfer Impact Assessment for each non-EU processor. Supplementary measures include: modern TLS in transit; industry-standard strong encryption at rest; contractual restrictions on government-access disclosure; processor personnel access logged and limited to what is necessary; and a documented obligation on the processor to notify us of any government access request, where law permits.

You can request a copy of the SCCs, IDTA, or Transfer Impact Assessment for a specific processor by email.

14. EU Digital Services Act compliance

Where the EU Digital Services Act (Regulation (EU) 2022/2065, the "DSA") applies to our service, we comply with the following baseline obligations:

Single point of contact (Articles 11, 12). For users and EU Member-State authorities, our single point of contact under the DSA is support@carcaretruth.com (English preferred). Authority requests are acknowledged within 5 business days.
Notice-and-action mechanism (Article 16). Report illegal content or Community Guidelines violations using the in-app report button on any post, comment, or profile, or by emailing support@carcaretruth.com. Reports are acknowledged on submission and triaged by a human moderator.
Statement of reasons (Article 17). When we restrict, remove, demote, or otherwise act on content, we provide a per-decision statement of reasons identifying the policy, date/time, and your appeal options — in-app and, where appropriate, by email.
Internal complaint-handling (Article 20). Every moderation decision can be appealed in-app; appeals are reviewed by a different moderator and outcomes issued in writing.
Out-of-court dispute settlement (Article 21). If you remain dissatisfied after internal appeal, you may refer the dispute to a certified out-of-court body under Article 21. This does not deprive you of the right to go to court.
Transparency reporting (Article 15). We will publish an annual transparency report covering moderation actions, reports, appeals, and authority requests. The first report will be published no later than 12 months after launch of the community features.
Reporter notifications (Article 16(5)). EU/EEA reporters receive a per-decision notification when a report is resolved, with the action, reasoning, and appeal pathway.

Full operational detail is in our Terms of Service and Community Guidelines.

15. EU / UK Article 27 representative

GDPR Article 27 and UK GDPR Article 27 require non-EU/UK-established controllers that process EU/UK residents' personal data in connection with offering goods or services to them — or monitoring their behavior — to designate a representative in the EU and the UK respectively.

CarCareTruth is operated from the United States. We are not actively marketed to the EU or UK, we do not offer services in EU/UK languages, our prices are in US dollars, and EU/UK access is incidental. On that basis, we have provisionally determined that we are not currently required to designate an Article 27 representative in the EU or the UK; we have documented that analysis and will provide it to a supervisory authority on request. Our privacy contact (privacy@carcaretruth.com) and DSA single point of contact (support@carcaretruth.com) serve the same practical purpose for inquiries and authority correspondence.

We will reassess and appoint EU and UK representatives if any of the following becomes true: (a) our EU or UK monthly active user base exceeds 1,000; (b) we add EU-language marketing, EU-currency pricing, or EU-region-specific features; or (c) a supervisory authority instructs us to appoint one. If we appoint a representative, we will publish their name, address, and contact email in this section.

16. Data-subject access requests — process

This section explains how to exercise your rights over the personal information we hold about you, regardless of which privacy law applies to you.

16.1 How to submit

Email privacy@carcaretruth.com with the subject line "DSAR — [right being exercised]" — for example, DSAR — Access, DSAR — Deletion, DSAR — Correction, DSAR — Portability, DSAR — Restriction, or DSAR — Objection. You may also use the in-app form at /privacy/request when signed in. If you do not have an account or cannot sign in, email privacy@carcaretruth.com and we will verify your identity manually. If you have an account, please send the request from the email address associated with it where possible — it speeds up verification.

When you submit through the in-app form, we record the IP address and User-Agent of the submission as part of the audit trail (see §2.7 and GDPR Art. 12(6)).

16.2 Verification

To prevent fraudulent disclosure of someone else's data, we will ask you to confirm your identity before we act. Verification is proportionate to the sensitivity of the request: low-risk requests (for example, deletion from the verified account email) normally need only email confirmation; higher-risk requests (full data export, identity-linked corrections) may require additional account details or a one-time challenge to your registered email; sensitive requests may require two-factor verification.

16.3 Authorized agents

You may use an authorized agent. The agent must provide written authorization signed by you, and we may contact you directly to confirm the agent's authority and your intent. For deletion requests submitted by agents, we will require direct confirmation from you before we delete.

16.4 Response time

Acknowledgement: within 10 business days of receipt, with request ID, a description of our verification process, and the expected timeline for substantive response, per 11 CCR § 999.313(a).
CCPA: substantive response within 45 calendar days of receipt (Cal. Civ. Code § 1798.130(a)(2)), extendable by an additional 45 days with notice and a stated reason.
GDPR / UK GDPR: substantive response without undue delay and in any event within one month of receipt (Art. 12(3)), extendable by up to two further months for complex or numerous requests, with notice in the first month.
Other jurisdictions: within the period set by your applicable law, and within 30 days where no specific period is set.

16.5 Format

Where we provide a copy of your personal information, we deliver it in a portable, machine-readable format — typically a JSON export, optionally with CSV companions — sent to your verified email address as an attachment or a signed download link. The export covers your public profile, your private profile, posts, comments, reactions, follows, bookmarks, group memberships, your Garage / Storage Cabinet / Accessory Kit entries, trophies and reputation events, affiliate clicks, and the notifications we still hold for you.

16.6 Fees

Requests are free of charge in the normal case. If a request is manifestly unfounded or excessive — in particular, repetitive — we may either charge a reasonable administrative fee that reflects our costs, or refuse the request, with reasons.

16.7 Denials and right to complain

If we deny a request in whole or in part, we will tell you which parts we denied, explain the specific legal basis (for example, a statutory retention obligation under 18 U.S.C. § 2258B, or a legitimate interest such as moderation history needed for platform safety), and inform you of your right to appeal or complain to the supervisory authority listed in §22.

17. Children's privacy (18+ adults-only service)

CarCareTruth is intended for adults aged 18 and older only. The platform is not designed for, marketed to, or directed at children. Two thresholds apply: a federal one (COPPA, under 13) and our own policy (the platform is adults-only, 18+).

We do not knowingly collect personal information from anyone under 18, and we do not knowingly collect personal information from anyone under 13. Registration requires confirmation that you are at least 18.

If we have actual knowledge (as that term is used in 15 U.S.C. § 6502(b)(1)(A)(ii)) that an account belongs to someone under 18, we will suspend the account and delete the personal information associated with it.

17.1 COPPA (15 U.S.C. §§ 6501–6506)

CarCareTruth is not directed to children under 13 within the meaning of COPPA, and COPPA's operator obligations therefore do not apply to the Service. As an additional safeguard, if we receive actual knowledge that we hold personal information from a child under 13, we delete it promptly and do not condition any feature of the Service on the child's participation.

17.2 California Age-Appropriate Design Code (AB 2273)

The California Age-Appropriate Design Code Act (AB 2273) applies to online services "likely to be accessed by children." CarCareTruth is an adults-only service; users under 18 are not permitted and accounts identified as under 18 are removed. On that basis we have determined the Act does not apply to the Platform. AB 2273's enforceability is currently subject to litigation in NetChoice v. Bonta; we monitor its status. Regardless of the Act's enforceability, we apply the heightened defaults — minimal data collection, no profiling, no dark patterns to obtain consent — consistent with the Act's principles.

17.3 Parents and guardians

If you are a parent or legal guardian and you believe a child under 18 has provided personal information to CarCareTruth, contact us immediately at privacy@carcaretruth.com with subject "Under-18 Account — Parental Notice" and the username or registered email of the account. We will investigate, suspend the account, delete the personal information, and confirm in writing once complete.

18. Affiliate and sponsored content — material connection

CarCareTruth earns revenue principally through the Amazon Associates affiliate program and, in the future, through clearly labeled sponsored content. What that means for your personal information:

Affiliate links are click-attribution, not data sales. When you click an Amazon affiliate link, your browser navigates to amazon.com with our affiliate tag attached. Amazon — not CarCareTruth — sets and reads cookies on amazon.com and attributes any resulting commission to us from its own records. We do not transmit your personal information to Amazon as part of the affiliate relationship, and Amazon does not transmit your personal information back to us.
User-posted product chips route through our product pages. When another user's post links to a product, the link routes through the CarCareTruth product page rather than directly to Amazon. No identifier about you (the viewer) is included in the outbound URL — Amazon receives only our affiliate tag and an anonymous surface-code identifier used for our own commission attribution.
No "sale" or "sharing" of personal information. The affiliate relationship is not a "sale" or "sharing" as defined under the CCPA/CPRA, GDPR, or comparable laws. We do not receive payment for transferring your personal information to any third party.
Sponsored content is editorial, not data placement. When we publish sponsored reviews or posts, the sponsorship is clearly labeled, editorial methodology is unchanged, and no personal information about you is conveyed to the sponsor.
Amazon's privacy notice governs your activity on amazon.com. Once you click through, your interaction with that site is between you and Amazon.

19. Email preferences and CAN-SPAM

Every commercial email we send carries a clear unsubscribe link in the footer, as required by the federal CAN-SPAM Act (15 U.S.C. §§ 7701–7713) and equivalent laws elsewhere. You can update your email preferences or unsubscribe from any non-transactional email at any time:

via the unsubscribe link in any commercial email footer, or
by visiting /account/email-preferences when signed in, or
by replying to any message with "unsubscribe" in the subject line.

We process unsubscribe requests within 10 business days, as required by 15 U.S.C. § 7704(a)(4). The footer of every commercial email also carries our valid physical postal address: SierraNova Labs LLC, 8605 Santa Monica Blvd, PMB 637961, West Hollywood, CA 90069-4109 (15 U.S.C. § 7704(a)(5)).

Transactional and account-state emails (security alerts, password resets, account closures, DSAR responses, NCMEC-required notifications) are not subject to opt-out and will continue to be sent regardless of your marketing preferences.

20. Operator-set restrictions and kill switches

From time to time we may disable, restrict, or rate-limit specific features (for example, signups, posting, commenting, photo uploads, reactions) for safety, legal, or stability reasons. We keep an internal record of which features are disabled and when. When a feature is disabled, we collect no personal information through it; when it is re-enabled, the collection described in this Policy resumes.

Material, durable removals are also surfaced in the version history described in §21.

21. Changes to this privacy policy

We will update this Privacy Policy when our data practices change, when the law changes, or when we add features that touch personal information. We also review this Policy at least once every 12 months, as required by Cal. Civ. Code § 1798.130(a)(5).

A material change is any change that meaningfully expands what we collect, how we use it, who we share it with, how long we keep it, or your rights with respect to it.

Material changes. We give at least 30 days' advance notice before the change takes effect, by both (a) emailing the address on your account and (b) displaying a persistent in-app banner linking to the updated policy and a summary of what changed.
Non-material changes — typos, clarifications, contact-detail updates, formatting — may publish without advance notice. The "Version" and effective date at the top of the page change; the prior version remains in version history.

Acceptance and decline. Continued use on or after the effective date constitutes acceptance, and we record the version you most recently acknowledged on your account. You have the right to refuse a material change. Before the effective date, you may:

export your data under the DSAR process above, or
delete your account by emailing privacy@carcaretruth.com, or
decline the change — your account is then placed in the 30-day read-only grace period described in the Terms of Service, during which you can still export and download your data before the account closes.

Export and deletion are free throughout the notice window.

Version history. Every version of this Policy carries a version string and an effective date at the top of the page. Prior versions are preserved and available on request to privacy@carcaretruth.com.

22. Contact and supervisory authority

You can reach us about anything in this Privacy Policy below. We acknowledge substantive privacy inquiries within 5 business days; data-subject access requests follow the §16.4 timeline.

Purpose	Contact
Privacy questions, general privacy contact	privacy@carcaretruth.com
Data-subject access requests (CCPA / GDPR / UK GDPR / other)	privacy@carcaretruth.com with subject `DSAR — [right]`, or the in-app form at `/privacy/request` when signed in
Copyright / DMCA takedown notices	dmca@carcaretruth.com
General customer support	support@carcaretruth.com
Legal notices, subpoenas, law-enforcement requests	legal@sierranovalabs.com
EU Digital Services Act single point of contact (Art. 11 / Art. 12)	support@carcaretruth.com
Telephone	(559) 777-9019

Mailing address:

SierraNova Labs LLC 8605 Santa Monica Blvd, PMB 637961 West Hollywood, CA 90069-4109 United States

Right to complain to a supervisory authority

If you believe we have not handled your personal information in accordance with applicable law, you have the right to complain to the supervisory authority for your jurisdiction. We encourage you to contact us first at privacy@carcaretruth.com, but that is your choice, not a precondition.

California (CCPA / CPRA). California Attorney General — https://oag.ca.gov/privacy — and the California Privacy Protection Agency at https://cppa.ca.gov.
EU / EEA (GDPR). Your national Data Protection Authority. Directory at the European Data Protection Board: https://edpb.europa.eu/about-edpb/about-edpb/members_en.
UK (UK GDPR). Information Commissioner's Office (ICO) — https://ico.org.uk — tel. 0303 123 1113.
Canada (PIPEDA). Office of the Privacy Commissioner of Canada — https://www.priv.gc.ca.

For other jurisdictions, the supervisory authority designated by your local law applies; we will cooperate with valid inquiries on receipt of lawful process at legal@sierranovalabs.com.