Privacy Policy

Crovalt Shop OS — Crovalt, LLC

Crovalt, LLC ("Crovalt," "we," "us," or "our") is committed to protecting the privacy of our users and the customers they serve. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use the Crovalt Shop OS platform (the "Service").

By accessing or using the Service, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with the practices described herein, please do not use the Service.

1. Information We Collect

1.1. Account Information

When you register for the Service, we collect information necessary to create and manage your account, including:

• Business name and address
• Contact name, email address, and phone number
• Login credentials (passwords are encrypted and never stored in plain text)
• Billing and payment information (processed by Stripe; see Section 5)

1.2. Customer Information

In the course of using the Service to manage your shop operations, you may enter information about your customers, including:

• Customer names, phone numbers, email addresses, and mailing addresses
• Communication preferences and history
• Service history and appointment records

1.3. Vehicle Data

The Service collects and stores vehicle-related data entered by users or obtained through integrated diagnostic tools, including:

• Vehicle identification numbers (VINs)
• Year, make, model, and trim
• Mileage and service history
• OBD-II diagnostic trouble codes (DTCs) and sensor data
• Maintenance schedules and repair records

1.4. Repair and Diagnostic Data

As part of shop operations and AI Diagnostics functionality, the Service collects:

• Repair orders, work descriptions, and technician notes
• Parts used, labor times, and repair outcomes
• AI diagnostic queries, suggestions presented, and selections made
• Diagnostic confidence scores and feedback data

1.5. Usage Data

We automatically collect certain information about how you interact with the Service, including:

• Log data (IP address, browser type, device information, access times)
• Feature usage patterns and navigation paths
• Error logs and performance data

1.6. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to maintain session state, remember preferences, and analyze usage patterns. See Section 9 for more details on our cookie practices.

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1. Service Delivery

• Providing, operating, and maintaining the Service
• Processing transactions and managing subscriptions
• Facilitating shop operations including scheduling, invoicing, and repair tracking
• Delivering AI Diagnostic suggestions and recommendations

2.2. Service Improvement

• Analyzing usage patterns to improve features and user experience
• Identifying and resolving technical issues and bugs
• Developing new features and functionality

2.3. AI Training and Network Intelligence

• Training and improving AI diagnostic models using anonymized, aggregated data only
• Generating network intelligence insights (repair outcome trends, parts reliability data, labor time benchmarks) using anonymized data
• We never use identifiable customer information, shop identity, or pricing data to train AI models. All data used for AI training is stripped of personally identifiable information and aggregated so that no individual shop or customer can be identified. See our Data Policy for full details.

2.4. Communications

• Sending transactional emails (account confirmations, billing receipts, service updates)
• Providing product announcements and feature updates (you may opt out at any time)
• Responding to support requests and inquiries

2.5. Legal and Compliance

• Complying with applicable laws and regulations
• Enforcing our Terms of Service
• Protecting against fraud, abuse, and unauthorized access

3. How We Share Your Information

3.1. We Do Not Sell Personal Information

Crovalt does not sell, rent, or trade your personal information or your customers' personal information to third parties for their marketing purposes.

3.2. No Cross-Shop PII Sharing

We never share personally identifiable information (PII) across shops.Each shop's customer data, business information, and identifiable records are strictly isolated. No shop using the Service can access another shop's identifiable data.

3.3. Service Providers

We share information with trusted third-party service providers who assist in operating the Service, subject to strict confidentiality obligations. These include:

• Supabase — Cloud database hosting and storage (see Section 4)
• Stripe — Payment processing (see Section 5)
• Anthropic — AI diagnostic analysis (processes vehicle DTCs, symptoms, and repair data)
• Telnyx — SMS communications (processes customer phone numbers and message content)
• Resend — Email delivery (processes customer email addresses and message content)
• Voyage AI — Embedding generation for diagnostic intelligence (processes anonymized repair descriptions)
• Intuit QuickBooks — Accounting integration (optional; processes invoice, payment, and customer data on behalf of shops that connect their QuickBooks account)
• Vercel — Application hosting and CDN (processes HTTP requests)

3.4. Anonymized and Aggregated Data

We may share anonymized, aggregated data that cannot reasonably be used to identify any individual or business. This includes network intelligence data such as repair outcome trends and parts reliability metrics. See our Data Policy for details on what is and is not shared.

3.5. Legal Requirements

We may disclose information if required by law, regulation, legal process, or governmental request, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

3.6. Business Transfers

In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control.

4. Data Storage and Security

4.1. Storage Infrastructure

Your data is stored using Supabase, a secure cloud database platform. Supabase provides enterprise-grade security including encryption at rest and in transit, role-based access controls, and regular security audits.

4.2. Security Measures

We implement industry-standard security measures to protect your data, including:

• Encryption of data in transit (TLS/SSL) and at rest (AES-256)
• Role-based access controls and authentication
• Regular security assessments and vulnerability testing
• Secure development practices and code review
• Incident response procedures

4.3. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users and applicable regulatory authorities in accordance with applicable law.

5. Stripe Payment Data Handling

5.1. Payment Processing

All payment transactions are processed through Stripe, Inc. Crovalt does not directly store, process, or retain full credit card numbers or sensitive payment credentials on our servers.

5.2. Stripe's Role

When you provide payment information, it is transmitted directly to Stripe via their secure, PCI-DSS compliant infrastructure. Stripe's handling of your payment data is governed by their privacy policy, available at stripe.com/privacy.

5.3. Information We Retain

We retain limited billing information for account management purposes, including: the last four digits of your payment method, card type, expiration date, billing address, and transaction history.

6. Data Retention

6.1. Active Accounts

We retain your data for as long as your account is active and as needed to provide the Service.

6.2. After Cancellation

Following account cancellation or termination, Crovalt will retain your data for ninety (90) days to allow for account reactivation or data export. After this 90-day period, your data will be permanently deleted from our active systems.

6.3. Backup Retention

Residual copies of data in backup systems will be overwritten in accordance with our standard backup rotation schedule, typically within thirty (30) days following deletion from active systems.

6.4. Exceptions

Certain data may be retained beyond these periods if required by law, regulation, or legitimate business interest (such as resolving disputes or enforcing our agreements). Anonymized, aggregated data may be retained indefinitely.

7. California Consumer Privacy Act (CCPA) Compliance

If you are a California resident, you have the following rights under the CCPA:

7.1. Right to Know

You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business purpose for collecting it, and the categories of third parties with whom it is shared.

7.2. Right to Delete

You have the right to request the deletion of your personal information that we have collected, subject to certain exceptions permitted by law.

7.3. Right to Opt-Out of Sale

Crovalt does not sell personal information. Therefore, there is no need to opt out of the sale of personal information. If our practices change, we will update this policy and provide an opt-out mechanism.

7.4. Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. You will not receive different pricing or quality of service for exercising your rights.

7.5. Exercising Your Rights

To exercise your CCPA rights, contact us at privacy@crovalt.com. We will verify your identity before processing any request and respond within forty-five (45) days.

7.6. Authorized Agents

You may designate an authorized agent to make requests on your behalf. We may require proof of authorization and identity verification.

8. Right to Deletion

8.1. Requesting Deletion

You may request the deletion of your personal information at any time by contacting us at privacy@crovalt.com or through the account settings in the Service.

8.2. Scope of Deletion

Upon a verified deletion request, we will delete your personal information from our active systems, except where retention is required by law or necessary to complete a transaction, detect security incidents, or exercise legal rights.

8.3. Processing Time

Deletion requests will be processed within thirty (30) days of verification. We will confirm deletion in writing upon completion.

8.4. Third-Party Notification

We will direct our service providers to delete your personal information upon receiving a verified request, to the extent applicable.

9. Cookies and Tracking Technologies

9.1. Types of Cookies We Use

• Essential Cookies: Required for the Service to function properly, including session management and authentication. These cannot be disabled.
• Functional Cookies: Remember your preferences and settings to improve your experience.
• Analytics Cookies: Help us understand how users interact with the Service so we can improve features and performance.

9.2. Managing Cookies

You can manage cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the Service.

9.3. Do Not Track

The Service currently does not respond to "Do Not Track" signals from web browsers.

10. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child under 18 has provided us with personal information, we will take steps to delete such information.

11. International Data Transfers

If you access the Service from outside the United States, your information may be transferred to and processed in the United States. By using the Service, you consent to this transfer.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date. Your continued use of the Service after changes are posted constitutes acceptance of the revised policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us at:

Crovalt, LLC

Austin, TX 78701

Email: privacy@crovalt.com

Website: www.crovalt.com

For CCPA-specific requests:
Email: privacy@crovalt.com
Subject line: "CCPA Request"