Privacy Policy

SupercarIQ is designed with a minimal data footprint. Here is exactly what we collect:

• Account credentials — your name, email address, and a hashed password. Required to authenticate you. Stored in our database.
• Session data — an IP address and user agent string, stored temporarily by our authentication layer (Better Auth) to detect session hijacking. This is a security measure, not a tracking mechanism.
• Vehicle search queries — the VIN, plate number, or text you search, along with decoded vehicle data (make, model, year, trim, paint). Stored to power your Garage history. These are vehicle records, not personal information about you.
• Buy/inquiry clicks — when you click "Talk to GTM" or a partner link, we record which vehicle and destination. No personal information beyond your user ID.

We do not collect: browsing history outside this app, location, device identifiers, social profiles, demographics, or any data for advertising purposes. We do not run third-party ad scripts.

Your search queries are vehicle identification data — VINs, license plates, make/model combinations. This information is used to decode vehicles and build your saved Garage. It is never used to profile you as an individual, sold to data brokers, or shared with advertisers. Aggregate, non-identifiable query patterns may be used to improve decode accuracy and model coverage. All query data stored in our database is encrypted at rest using AES-256.

Vehicle search queries are encrypted using AES-256-GCM before any storage or caching. This means that even in the event of unauthorized database access, stored query values are unreadable without the encryption key. Your account password is hashed using bcrypt and is never stored in plaintext. All data in transit is protected by TLS 1.3, which also uses AES-256 under the hood.

We use Better Auth for session management. Sessions are token-based and stored server-side. The IP address and user agent associated with each session are retained only for the life of that session and are used exclusively to detect session hijacking — not for tracking or analytics. Sessions expire automatically and can be revoked by signing out.

Subscription payments are processed by Stripe on behalf of GoTime Motorsports. We never see or store your full card number, CVV, or billing address. Stripe handles all payment data under their own PCI DSS compliance program. You will see "GoTime Motorsports" on your card statement.

We share data only with the service providers required to operate SupercarIQ:

• Vercel — hosting and edge infrastructure
• Neon — PostgreSQL database (AES-256 encrypted at rest)
• Stripe — payment processing (GoTime Motorsports)
• Resend — transactional email (report delivery only)

None of these providers may use your data for their own marketing or advertising. We do not sell, rent, or trade personal information.

Account data is retained as long as your account exists. Vehicle search history is retained to power your Garage. You may request complete deletion of your account and all associated data at any time by contacting us at support@supercariq.com. We will process deletion requests within 30 days. Stripe billing records may be retained as required by financial regulations.

You have the right to:

• Know exactly what data we hold about you (request a copy)
• Correct inaccurate account information
• Delete your account and all associated data
• Export your Garage search history in a portable format
• Opt out of transactional emails (except billing)

Contact us at support@supercariq.com to exercise any of these rights.

SupercarIQ is not directed at users under 13. We do not knowingly collect data from children. If you believe a child has created an account, contact us immediately and we will delete it.

We will post any material changes to this policy on this page with an updated effective date. If changes are significant, we will notify you by email. Continued use of the service after the effective date constitutes acceptance of the updated policy.