# Privacy Policy
> **DRAFT — pending review by qualified IT counsel and (for EU) by a Data Protection consultant before public launch.**
**Effective:** _to be set on launch date_
**Controller:** _Estonia OÜ name and address to be inserted_
## 1. What we collect
| Category | Examples | Source |
|---|---|---|
| Identity | name, email, phone | you |
| Account | role, language, timezone, region | you |
| Profile | bio, photo, specializations, languages | you |
| Verification | KYC documents, license certificates | you / KYC provider |
| Vehicle context | make, model, year, OBD codes (no raw VIN) | you |
| Usage | pages, clicks, requests, sessions | automatic |
| Device | IP, browser, device IDs (where consented) | automatic |
| Payment | masked card details, billing country | Stripe |
| Communications | messages, session metadata, recordings (where consented) | you |
| AI inputs | photos, video, voice transcripts (when using AI features) | you |
We do **not** sell or rent personal data. We do **not** use personal data for behavioral advertising.
## 2. Legal bases (GDPR Art. 6)
- **Contract** — to provide the Service you signed up for
- **Legal obligation** — tax, sanctions, anti-fraud, recordkeeping
- **Legitimate interest** — fraud prevention, platform security, product improvement (analytics)
- **Consent** — marketing communications, optional cookies, recording, sensitive features
## 3. How we use it
- Operate, secure, and improve the Service
- Match clients with electricians
- Process payments and payouts
- Provide AI features (only on your action)
- Enforce our Terms and AUP, comply with law
- Notify you about service updates and (with consent) marketing
## 4. AI processing
When you use AI features, your inputs are sent to our AI subprocessors:
- **Anthropic, PBC** (Claude) — text, photos, video frames
- **ElevenLabs Inc.** — voice (when using voice agent)
These providers process inputs solely to return AI output and do not train models on your data (per their zero-retention business agreements). EU data is processed under Standard Contractual Clauses.
## 5. Sharing
We share personal data with:
- **Service providers (subprocessors)** — listed at `obd2.online/legal/subprocessors`. Includes AWS (hosting), Stripe (payments), Anthropic, ElevenLabs, Twilio (SMS), AWS SES (email), Cloudflare (CDN), Sentry (error logs)
- **Other users** — your public profile and (post-session) reviews
- **Authorities** — when required by valid legal process or to prevent serious harm
- **Acquirers** — in a merger, sale, or restructuring
## 6. International transfers
We host EU user data in the EU (`eu-central-1`, Frankfurt). Some subprocessors operate outside the EU. Transfers rely on Standard Contractual Clauses (EU Commission Decision 2021/914) and supplementary measures.
## 7. Retention
- Account: while active and 6 months after closure (longer for tax / dispute records as required by law — generally 7 years)
- Recordings (with consent): 90 days, then auto-deleted unless flagged for dispute
- Moderation logs: 2 years
- Anonymized analytics: indefinitely
## 8. Your rights
Subject to local law you have rights to:
- **Access** the data we hold about you
- **Rectify** inaccurate data
- **Erase** ("right to be forgotten") — exercised in product or by emailing `privacy@obd2.online`
- **Restrict** or **object** to processing
- **Portability** — export in machine-readable format
- **Withdraw consent** at any time
- **Lodge a complaint** with your supervisory authority (e.g. Estonian AKI for our HQ)
For California / U.S. state law residents (CPRA, VCDPA, CPA, CTDPA, UCPA, etc.):
- We do not sell your personal information
- We honor Global Privacy Control (GPC) browser signals
- You may exercise rights via `privacy@obd2.online` or the in-product **Privacy** page
We respond within 30 days (45 for U.S. state law where applicable, with one extension where allowed).
## 9. Cookies
See our [Cookie Policy](./cookies.en.md). Strictly necessary cookies are set without consent; analytics and preference cookies are opt-in.
## 10. Children
The Service is not for users under 18. We do not knowingly process data of children under 16 (under 13 in the U.S.). If you believe a child has provided us data, contact `privacy@obd2.online` and we will delete it.
## 11. Security
We use industry-standard controls: encryption in transit (TLS) and at rest (KMS), least-privilege IAM, audit logging, MFA for admin access, regular reviews. No system is perfectly secure. Suspected breach? Email `security@obd2.online`.
## 12. AI transparency (EU AI Act Art. 50)
Our voice agent and vision diagnostics are AI systems that interact with humans. We disclose this clearly at the start of every interaction. You can always escalate to a human electrician.
## 13. Changes
We will notify material changes by email and in-product at least 30 days before they take effect.
## 14. Contact
- **Data protection:** `privacy@obd2.online`
- **Postal:** _Estonia OÜ address to be inserted_
- **EU representative (Art. 27 GDPR):** _to be appointed if/when we become subject_
- **Supervisory authority:** Estonian Data Protection Inspectorate (AKI), `info@aki.ee`