Privacy Policy

Last Updated: April 18, 2026

1. Controller

The controller responsible for data processing on this website is BSI OÜ (Maakivi tn 8-2, Räni alevik, Kambja vald, Tartu maakond, 61708, Estonia). For privacy-related inquiries, contact us at info@carlytics.eu.

2. What Data We Collect

2.1 VIN Check Results (Summary Records)

When you perform a VIN or license plate check, we store the decoded vehicle information (make, model, specifications, recall data, etc.) in a Summary record. This allows you to access your report results. Summary records are not linked to your identity — they contain only the vehicle data, a random report ID, and (for paid reports) payment metadata.

  • Paid reports expire 30 days after purchase.

  • Unpaid/free results expire 30 days after creation.

2.2 Page Views & Analytics

We log page views for internal analytics. Each page view records: the page path, referrer, country (from Vercel headers), and a hashed IP address. IP addresses are hashed with a daily-rotating salt and cannot be reversed to your original IP. Page views are linked to a session ID stored in an httpOnly cookie (_sid) that expires after 24 hours.

2.3 Cookies

We use the following cookies:

  • _sid (httpOnly, 24h) — session identifier for page view analytics. Set automatically.

  • _consent — stores your consent choice. No analytics cookies are loaded until you accept.

  • _admin (httpOnly, 24h, /admin path only) — admin authentication. Only set for administrators.

2.4 Third-Party Analytics (Consent Required)

We load the following third-party services only if you accept analytics cookies via our consent banner:

  • Google Analytics (Google Tag) — web analytics. Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Data may be transferred to the USA under the EU-U.S. Data Privacy Framework. Google Privacy Policy

  • Microsoft Clarity — session replay and heatmap analytics. Provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA. Data may be transferred to the USA under the EU-U.S. Data Privacy Framework. Microsoft Privacy Statement

  • PostHog — product analytics (anonymized usage data, no PII). Provider: PostHog Inc., hosted on the EU instance (eu.posthog.com). Data stays within the EU. PostHog Privacy Policy

  • Vercel Analytics — privacy-focused web analytics. Provider: Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. Only loaded after consent. Vercel Privacy Policy

2.5 Payment Processing

Premium reports are processed by Stripe, Inc. (510 Townsend Street, San Francisco, CA 94103, USA). We never receive or store your full credit card number. Stripe processes payments as our data processor under a Data Processing Agreement. We store only: Stripe payment ID, amount, currency, and timestamp. Stripe Privacy Policy

2.6 Hosting

This website is hosted on Vercel Inc. (340 S Lemon Ave #4133, Walnut, CA 91789, USA). Vercel processes server logs (including IP addresses) as part of operating the infrastructure. Vercel Privacy Policy

2.7 AI-Powered Data Verification

We use Anthropic's Claude API to verify and fact-check decoded vehicle specifications. Only vehicle data (make, model, engine specs) is sent to the API — no personally identifiable information (no IP addresses, names, or email addresses) is transmitted. Provider: Anthropic, PBC, San Francisco, CA, USA. Anthropic Privacy Policy

2.8 Conversion Measurement (Google Ads)

When you complete a purchase, we transmit a hashed identifier of your email address (SHA-256), the transaction value, and (where present) the Google click identifier from the ad you arrived through to Google Ads for the purpose of attributing your purchase to any prior advertising click. The legal basis is performance of contract (Article 6(1)(b) GDPR). No cookie storage is required for this server-side transmission. Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

2.9 Email Delivery

Transactional emails (e.g., report delivery) are sent via Resend. Only your email address is shared with Resend for the purpose of delivering the email. Provider: Resend, Inc., San Francisco, CA, USA. Resend Privacy Policy

3. Legal Basis (GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)) — VIN decode and report generation are necessary to provide the service you requested.

  • Legitimate interest (Art. 6(1)(f)) — page view logging with hashed IPs for site analytics and security.

  • Consent (Art. 6(1)(a)) — Google Analytics, Microsoft Clarity, PostHog, and Vercel Analytics are loaded only after your explicit consent. You can withdraw consent at any time by clearing cookies and rejecting on your next visit.

  • Legal obligation (Art. 6(1)(c)) — payment records are retained as required by tax and accounting regulations.

4. Data Retention

  • Page views: deleted upon request via GDPR endpoint.

  • Free VIN check results: 30 days from creation.

  • Paid reports: 30 days from purchase.

  • Payment metadata: retained as required by law (typically 10 years for tax records in Germany).

  • Session cookies: expire after 24 hours.

5. Your Rights (GDPR Art. 15–21)

You have the right to:

  • Access your data (Art. 15)

  • Rectification of inaccurate data (Art. 16)

  • Erasure ("right to be forgotten") (Art. 17)

  • Restrict processing (Art. 18)

  • Data portability (Art. 20)

  • Object to processing based on legitimate interest (Art. 21)

To exercise these rights, use our self-service GDPR endpoint at /api/gdpr (export or delete your data by session ID), or contact us at info@carlytics.eu.

You also have the right to lodge a complaint with a supervisory authority. In Germany, the competent authority depends on the federal state of the controller.

6. Data Transfers Outside the EU

Some of our processors are based in the USA (Stripe, Vercel, Google, Microsoft, Anthropic, Resend). These transfers are safeguarded by the EU-U.S. Data Privacy Framework and/or Standard Contractual Clauses (SCCs) as applicable. PostHog data is processed on the EU instance and does not leave the EU.

7. Data Security

We implement appropriate technical and organizational measures including: HTTPS encryption, Content Security Policy headers, rate limiting on all endpoints, hashed IP storage, httpOnly cookies, and server-side secret validation.

8. Children's Privacy

Our service is not directed to children under 16. We do not knowingly collect information from children under 16.

9. Changes to This Policy

We may update this policy from time to time. Changes will be posted on this page with an updated "Last Updated" date.

10. Contact

For privacy-related questions, contact us at:

Email: info@carlytics.eu
BSI OÜ, Maakivi tn 8-2, Räni alevik, Kambja vald, Tartu maakond, 61708, Estonia

Privacy Policy | Carlytics