DATA & SECURITY STATEMENT

CarCare24x7 Inc.

A Canadian Corporation

Effective Date: November 19, 2025

Last Updated: November 19, 2025

Document Version: 1.0

1. INTRODUCTION

WHEREAS, CarCare24x7 Inc., a Canadian corporation ("CarCare24x7," "we," "us," or "our"), is committed to protecting the privacy and ensuring the security of personal information collected, processed, and stored in connection with the provision of our Services; and

WHEREAS, this Data & Security Statement (the "Statement") sets forth the policies, practices, and procedures governing the collection, use, storage, protection, disclosure, and retention of personal information when individuals access or use our mobile applications, including but not limited to Torqon and Torqon Wrench, web platforms, application programming interfaces (APIs), and related services (collectively, the "Services"); and

WHEREAS, by accessing, downloading, installing, or using any of our Services, you acknowledge that you have read, understood, and agree to be bound by the terms and conditions set forth in this Statement; and

WHEREAS, if you do not agree with any provision of this Statement, you must immediately cease all use of the Services and discontinue access thereto;

NOW, THEREFORE, this Statement is issued in compliance with applicable data protection laws and regulations, including but not limited to the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) in the European Union, the California Consumer Privacy Act (CCPA), and other applicable federal, provincial, state, and local privacy laws and regulations.

2. DEFINITIONS

2.1 "Personal Information" means any information relating to an identified or identifiable natural person ("Data Subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Personal Information includes, without limitation, name, email address, telephone number, vehicle identification information, location data, payment information, biometric data, and any other information that identifies, relates to, describes, or is reasonably capable of being associated with a particular individual.

2.2 "Services" means all services, products, platforms, applications, websites, APIs, and related technologies provided, operated, or made available by CarCare24x7, including but not limited to the Torqon mobile application for vehicle owners, the Torqon Wrench mobile application for garage operators and mechanics, web-based dashboards, administrative portals, and any associated software, hardware, or infrastructure.

2.3 "User" means any natural person who accesses, downloads, installs, registers for, or uses any of the Services, including but not limited to vehicle owners, garage operators, mechanics, service technicians, administrative personnel, and any other individual who interacts with the Services in any capacity.

2.4 "Service Provider" means any third-party entity, including but not limited to corporations, partnerships, sole proprietorships, and individuals, that provides services, products, or technologies to CarCare24x7 in connection with the operation, maintenance, or enhancement of the Services, including payment processors, cloud hosting providers, analytics service providers, communication service providers, and software vendors.

2.5 "Processing" means any operation or set of operations performed on Personal Information, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

2.6 "Data Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Information.

2.7 "Data Processor" means a natural or legal person, public authority, agency, or other body which processes Personal Information on behalf of the Data Controller.

3. INFORMATION WE COLLECT

3.1 Information You Provide to Us

CarCare24x7 collects Personal Information that you voluntarily provide to us when you engage in the following activities:

  • Create an account or profile on our platform
  • Book services through our mobile applications
  • Register as a garage or service provider
  • Contact our customer support team
  • Participate in surveys, promotions, or feedback programs
  • Subscribe to our newsletters or marketing communications

This information may include:

  • Personal Identifiers: Full name, email address, phone number, date of birth, and government-issued identification numbers when required for verification
  • Vehicle Information: Vehicle make, model, year, vehicle identification number (VIN), license plate number, mileage, and vehicle service history
  • Financial Information: Payment card numbers, billing addresses, bank account information (for garage partners), and transaction history
  • Profile Information: Profile pictures, preferences, service history, ratings, and reviews
  • Business Information: For garage partners, we collect business name, registration number, business address, tax identification numbers, and business licenses

3.2 Information Collected Automatically

When you use our Services, we automatically collect certain information, including:

  • Device Information: Device type, operating system (iOS, Android), device identifiers, mobile network information, and app version
  • Usage Information: Features used, pages viewed, time spent on the platform, clickstream data, and interaction patterns
  • Location Information: Precise location data (GPS coordinates) when you enable location services, approximate location based on IP address, and location history for service tracking
  • Log Information: IP address, browser type, access times, pages viewed, referring website addresses, and error logs
  • Communication Data: Records of communications through our in-app chat features, customer support interactions, and AI-powered carChat conversations

3.3 Information from Third Parties

We may receive information about you from third-party sources, including:

  • Social media platforms when you choose to log in using social authentication (Google, Facebook)
  • Payment processors (Stripe, PayPal) regarding transaction status and payment methods
  • Google Maps API and Google Places API for location and business information
  • Garage partners who provide service history and vehicle maintenance records
  • Public databases and business directories for garage verification

4. HOW WE USE YOUR INFORMATION

We use the information we collect for the following purposes:

4.1 Service Delivery and Operations

  • Facilitate connections between car owners and certified garages
  • Process and manage service bookings and appointments
  • Enable real-time service tracking and status updates
  • Provide AI-powered carChat for customer support and vehicle diagnostics
  • Manage garage operations through the Torqon Wrench dashboard
  • Process payments and manage financial transactions
  • Send service confirmations, reminders, and updates

4.2 Communication

  • Respond to your inquiries, requests, and support tickets
  • Send transactional messages related to your bookings and services
  • Provide notifications about service status, payment confirmations, and account activity
  • Send emergency alerts and important service updates
  • Facilitate communication between car owners and garage partners

4.3 Service Improvement and Analytics

  • Analyze usage patterns and user behavior to improve our Services
  • Develop new features and functionality
  • Conduct research and analytics to enhance user experience
  • Monitor and optimize platform performance
  • Detect and prevent fraud, abuse, and security threats

4.4 Marketing and Promotions (with Consent)

  • Send promotional offers, discounts, and marketing communications (only with your explicit consent)
  • Personalize marketing content based on your preferences and service history
  • Conduct marketing campaigns and measure campaign effectiveness

4.5 Legal Compliance and Protection

  • Comply with applicable laws, regulations, and legal processes
  • Respond to government requests and court orders
  • Protect our rights, property, and safety, as well as that of our users
  • Enforce our Terms of Service and other agreements
  • Investigate potential violations and prevent fraud

6. INFORMATION SHARING AND DISCLOSURE

We do not sell your personal information. We may share your information in the following circumstances:

6.1 Service Providers

We share information with trusted third-party service providers who perform services on our behalf, including:

  • Payment processing services (Stripe, PayPal)
  • Cloud hosting and infrastructure providers (AWS EC2, AWS S3)
  • Database and data storage services (MongoDB)
  • Communication services (Twilio for SMS, Firebase Cloud Messaging for push notifications, SendGrid/Mailgun for email)
  • Analytics and monitoring services (Google Analytics, Mixpanel, Datadog, New Relic)
  • AI and machine learning service providers (OpenAI for GPT and Vision APIs)
  • Mapping and location services (Google Maps API, Google Places API)
  • Authentication services (Auth0, Firebase Auth)
  • Customer support platforms

These service providers are contractually obligated to protect your information and use it only for the purposes we specify.

6.2 Garage Partners and Service Providers

We share necessary information with garage partners and mechanics to facilitate service delivery, including:

  • Your name and contact information for service coordination
  • Vehicle information (make, model, VIN, license plate) for service identification
  • Service requirements and booking details
  • Location information for service dispatch and tracking
  • Service history relevant to the current booking

6.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity or successor organization.

6.4 Legal Requirements

We may disclose your information if required by law, court order, government regulation, or to:

  • Comply with legal processes and government requests
  • Protect our rights, property, and safety
  • Protect the rights, property, and safety of our users and the public
  • Enforce our Terms of Service and other agreements
  • Investigate potential violations and prevent fraud

6.5 With Your Consent

We may share your information with third parties when you have provided explicit consent for such sharing.

7. THIRD-PARTY SERVICE PROVIDERS AND APIs

Our Services integrate with various third-party services and APIs. The following describes how we use these services and what information may be shared:

7.1 Payment Processing

  • Stripe API: Processes credit card and debit card payments. Stripe handles payment card information in accordance with PCI DSS standards. We do not store full payment card numbers on our servers.
  • PayPal API: Provides alternative payment methods for international users. PayPal processes payments according to their privacy policy.

7.2 Cloud Infrastructure and Storage

  • AWS EC2: Hosts our application servers and backend infrastructure. Data is stored in secure, encrypted data centers.
  • AWS S3: Stores files, images, documents, and backups. All data is encrypted at rest and in transit.
  • MongoDB: Our primary database system stores user accounts, bookings, service records, and application data. Data is encrypted and backed up regularly.

7.3 Communication Services

  • Twilio API: Sends SMS notifications and handles phone number verification. Twilio processes phone numbers and message content.
  • Firebase Cloud Messaging: Delivers push notifications to mobile devices. Device tokens and notification preferences are shared with Firebase.
  • SendGrid / Mailgun: Sends transactional and marketing emails. Email addresses and email content are processed by these services.

7.4 AI and Machine Learning

  • OpenAI GPT API: Powers our AI carChat feature for customer support and vehicle diagnostics. Chat conversations and vehicle information may be processed by OpenAI. We do not share personally identifiable information unless necessary for service delivery.
  • OpenAI Vision API: Analyzes vehicle images for damage assessment and diagnostics. Vehicle images are processed by OpenAI for analysis purposes.

7.5 Location and Mapping Services

  • Google Maps API: Provides mapping, navigation, and geolocation services. Location data and route information are shared with Google.
  • Google Places API: Enables garage discovery and provides business information. Search queries and location data are shared with Google.

7.6 Authentication and Security

  • Auth0 / Firebase Auth: Manages user authentication and authorization. Login credentials and authentication tokens are processed by these services.
  • OAuth 2.0: Enables social login integration (Google, Facebook). When you choose social login, authentication is handled by the respective social media platform.
  • JWT Tokens: We use JSON Web Tokens for secure API access and session management. Tokens are stored securely and expire after a set period.

7.7 Analytics and Monitoring

  • Google Analytics: Tracks user behavior and website/app usage. Anonymized usage data is shared with Google Analytics.
  • Mixpanel: Provides event tracking and user journey analysis. User interactions and events are tracked by Mixpanel.
  • Datadog / New Relic: Monitors application performance and system health. System logs and performance metrics are shared with these services.

Important: These third-party services have their own privacy policies and terms of service. We encourage you to review their policies to understand how they handle your information. We are not responsible for the privacy practices of these third-party services.

8. DATA SECURITY AND TECHNOLOGY INFRASTRUCTURE

We implement comprehensive security measures to protect your personal information:

8.1 Encryption

  • Transport Layer Security (TLS/SSL): All data transmitted between your device and our servers is encrypted using industry-standard TLS 1.2 or higher protocols
  • Data at Rest: All data stored in our databases and cloud storage is encrypted using AES-256 encryption
  • Payment Data: Payment card information is encrypted and tokenized. We do not store full payment card numbers on our servers
  • Database Encryption: MongoDB databases are encrypted at rest, and sensitive fields are encrypted using application-level encryption

8.2 Access Controls

  • Multi-factor authentication (MFA) is required for all administrative access
  • Role-based access controls (RBAC) ensure employees only access data necessary for their job functions
  • Regular access reviews and audits are conducted to ensure appropriate access levels
  • Strong password policies and secure credential management
  • Session management with automatic timeout and secure token handling

8.3 Infrastructure Security

  • Cloud Infrastructure (AWS): Our services are hosted on Amazon Web Services (AWS) EC2 instances with security groups, network ACLs, and VPC isolation
  • Firewall Protection: Network firewalls and security groups protect our servers from unauthorized access
  • DDoS Protection: AWS Shield provides protection against distributed denial-of-service attacks
  • Intrusion Detection: Automated monitoring systems detect and respond to security threats
  • Regular Updates: All systems and dependencies are regularly updated with security patches

8.4 Application Security

  • Secure Development: Our applications (Flutter mobile apps, Node.js backend, React.js web dashboards) are developed following secure coding practices
  • Input Validation: All user inputs are validated and sanitized to prevent injection attacks
  • API Security: RESTful APIs are secured with authentication tokens (JWT) and rate limiting
  • Code Reviews: All code changes undergo security reviews before deployment
  • Dependency Management: Third-party dependencies are regularly scanned for vulnerabilities

8.5 Monitoring and Incident Response

  • 24/7 Monitoring: Our systems are monitored around the clock using Datadog and New Relic for performance and security events
  • Security Audits: Regular security audits and penetration testing are conducted by internal and external security teams
  • Incident Response Plan: We have a documented incident response plan to quickly address and mitigate security incidents
  • Logging: Comprehensive logging of all system activities for security analysis and forensic investigations
  • Backup and Recovery: Regular automated backups are performed, and disaster recovery procedures are tested regularly

8.6 Data Processing Technologies

  • Message Queuing (Kafka): Handles asynchronous processing and background jobs securely
  • Caching (Redis): In-memory caching improves performance while maintaining data security
  • GeoSpatial Queries: MongoDB's built-in GeoSpatial capabilities enable secure location-based queries

Note: While we implement industry-standard security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your information to the best of our ability.

9. DATA RETENTION AND DELETION

We retain your personal information for as long as necessary to provide our Services and fulfill the purposes outlined in this Statement, unless a longer retention period is required or permitted by law.

9.1 Retention Periods

  • Active Accounts: Personal information associated with active accounts is retained while your account remains active
  • Transaction Records: Financial and transaction records are retained for 7 years to comply with accounting and tax regulations
  • Service History: Vehicle service history and maintenance records are retained to provide ongoing service value and improve service quality
  • Marketing Data: Marketing consent and preferences are retained until you withdraw consent or request deletion
  • Legal Requirements: Some information may be retained longer if required by law, court order, or regulatory requirements

9.2 Account Deletion

You may request deletion of your account at any time by contacting us at privacy@carcare24x7.com. Upon receiving a deletion request:

  • We will delete or anonymize your personal information within 30 days, except where retention is required by law
  • Transaction records may be retained for legal compliance purposes but will be anonymized
  • Service history may be retained in anonymized form for analytics and service improvement
  • Some information may remain in backup systems for a limited period but will not be actively used

10. YOUR RIGHTS AND CHOICES

Depending on your location, you may have certain rights regarding your personal information:

10.1 Access and Portability

You have the right to request access to your personal information and receive a copy of your data in a structured, commonly used, and machine-readable format.

10.2 Rectification

You can request correction of inaccurate or incomplete personal information. You can also update your information directly through your account settings.

10.3 Erasure

You have the right to request deletion of your personal information, subject to legal retention requirements. You can delete your account through the app settings or by contacting us.

10.4 Objection and Restriction

You can object to processing of your personal information for certain purposes, such as direct marketing, and request restriction of processing in certain circumstances.

10.5 Withdraw Consent

You can withdraw your consent for data processing at any time, particularly for marketing communications. Withdrawal of consent does not affect the lawfulness of processing based on consent before withdrawal.

10.6 Location Services

You can control location data collection through your device settings. Disabling location services may limit certain features, such as finding nearby garages and real-time service tracking.

10.7 Marketing Communications

You can opt out of marketing communications by:

  • Clicking the "unsubscribe" link in marketing emails
  • Adjusting notification preferences in your account settings
  • Contacting us at privacy@carcare24x7.com

To Exercise Your Rights:

Please contact us at privacy@carcare24x7.com with your request. We will respond to your request within 30 days, or as required by applicable law. We may need to verify your identity before processing your request.

11. COOKIES AND TRACKING TECHNOLOGIES

We use cookies, web beacons, and similar tracking technologies to collect information about your use of our Services.

11.1 Types of Cookies

  • Essential Cookies: Required for the platform to function properly, including authentication, security, and session management. These cannot be disabled.
  • Analytics Cookies: Help us understand how users interact with our platform. We use Google Analytics and Mixpanel for this purpose.
  • Marketing Cookies: Used to deliver relevant advertisements and track campaign effectiveness. These are only used with your consent.
  • Functional Cookies: Remember your preferences and settings to enhance your experience.

11.2 Managing Cookies

You can manage cookie preferences through:

  • Your browser settings (most browsers allow you to refuse or delete cookies)
  • Our cookie consent banner when you first visit our website
  • Your account settings within our mobile applications

Note: Disabling certain cookies may limit functionality and affect your user experience.

12. INTERNATIONAL DATA TRANSFERS

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your country.

When we transfer your information internationally, we ensure appropriate safeguards are in place, including:

  • Standard contractual clauses approved by data protection authorities
  • Ensuring that third-party service providers are certified under appropriate data protection frameworks (e.g., EU-U.S. Privacy Shield Framework, where applicable)
  • Implementing additional security measures to protect your information

By using our Services, you consent to the transfer of your information to countries outside your country of residence, including the United States, where many of our service providers are located.

13. CHILDREN'S PRIVACY

Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete such information promptly.

If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@carcare24x7.com.

14. CHANGES TO THIS STATEMENT

We may update this Data & Security Statement from time to time to reflect changes in our practices, technology, legal requirements, or for other reasons. We will notify you of any material changes by:

  • Posting the updated Statement on this page with a new "Last Updated" date
  • Sending an email notification to the email address associated with your account
  • Displaying a prominent notice within our mobile applications

Your continued use of our Services after such changes constitutes your acceptance of the updated Statement. We encourage you to review this Statement periodically to stay informed about how we protect your information.

15. CONTACT INFORMATION

If you have questions, concerns, or requests regarding this Data & Security Statement or our data practices, please contact us:

CarCare24x7 Inc.

Privacy Team:

Email: privacy@carcare24x7.com

Data Protection Officer:

Email: dpo@carcare24x7.com

We aim to respond to all privacy inquiries within 30 days of receipt.

Regulatory Complaints

If you are not satisfied with our response to your privacy concerns, you may file a complaint with your local data protection authority:

  • Canada: Office of the Privacy Commissioner of Canada (www.priv.gc.ca)
  • European Union: Your local data protection authority
  • United States: Federal Trade Commission (www.ftc.gov)

This Data & Security Statement is effective as of November 19, 2025.

© 2025 CarCare24x7 Inc. All rights reserved.
