1. Who We Are
Vehium is a garage management platform built and operated by its founders, based in Cyprus. This Privacy Policy explains what data we collect, why, how we protect it, and your rights.
This policy applies to all users of the Vehium platform, including workshop owners, mechanics, employees, and end customers whose data is managed through the platform, across all Vehium products: the website (vehium.com), web application (app.vehium.com), desktop application, and mobile applications.
- Data protection contact: info@vehium.com
2. Data We Collect
2.1 Account & Employee Data
| Data Field | Purpose | Legal Basis |
|---|---|---|
| First Name, Last Name | User identification within the workshop | Contract performance |
| Email Address | Authentication, password resets, notifications | Contract performance |
| Phone Number, Home Number | Account verification, contact | Contract performance |
| Username | Login authentication | Contract performance |
| Password (hashed) | Account security. Stored as a one-way hash, never in plain text | Contract performance |
| Profile Photos | User identification within the platform | Consent |
| Locale, Theme Preference | User experience personalization | Legitimate interest |
2.2 Business Data (Workshop Registration)
| Data Field | Purpose | Legal Basis |
|---|---|---|
| Company Name, Company Email, Phone | Business identification, customer-facing invoices | Contract performance |
| VAT / Tax Number | Tax compliance and invoice generation | Legal obligation |
| Business Address (Street, City, State, Post Code, Country) | Invoicing, business records | Contract performance |
| Logos, Favicon, Gallery Images | Workshop branding and public listing | Consent |
| Work Hours, Business Description | Public discoverability listing | Consent |
2.3 Customer Data (End Customers of Workshops)
Mechanics and workshop owners use Vehium to track their customers. The following data may be stored:
| Data Field | Purpose | Legal Basis |
|---|---|---|
| First Name, Last Name | Customer identification and record management | Contract performance / Legitimate interest |
| Email Address | Customer communication, optional customer account | Contract performance |
| Phone Number | Workshop-to-customer contact | Contract performance / Legitimate interest |
| Address (Street, City, State, Post Code, Country) | Customer records, invoicing | Contract performance / Legitimate interest |
2.4 Vehicle Data
| Data Field | Purpose | Legal Basis |
|---|---|---|
| Vehicle Identification Number (VIN) | Unique vehicle identification, service history tracking | Contract performance |
| Brand / Manufacturer | Vehicle categorization and parts compatibility | Contract performance |
| Model | Accurate service records and parts identification | Contract performance |
| Year of Manufacture | Vehicle age tracking, parts compatibility | Contract performance |
| License Plate | Vehicle identification | Contract performance |
| Engine Type (Petrol, Diesel, Electric, Hybrid) | Service recommendations and parts compatibility | Contract performance |
| Vehicle Photos | Visual documentation of vehicle condition | Consent |
2.5 Service & Inspection Records
| Data Field | Purpose | Legal Basis |
|---|---|---|
| Odometer Reading (km/miles) | Service tracking, next service recommendations | Contract performance |
| Service Date, Description, Status | Service history and workflow management | Contract performance |
| Inspection Items & Status | Detailed record of what was checked/changed | Contract performance |
| Service Photos | Visual documentation of work performed | Consent |
2.6 Invoice & Payment Data
| Data Field | Purpose | Legal Basis |
|---|---|---|
| Invoice Number, Date, Notes | Billing records and financial documentation | Contract performance / Legal obligation |
| Line Items (description, unit price, quantity, VAT rate) | Itemized billing for services rendered | Contract performance |
| Stripe Customer ID, Subscription ID | Subscription billing management via Stripe. We never store your credit card details | Contract performance |
2.7 Technical Data
| Data Field | Purpose | Legal Basis |
|---|---|---|
| IP Address | Security, fraud prevention, access logging | Legitimate interest |
| Device & Browser Info | Compatibility, troubleshooting | Legitimate interest |
| Application Logs | Error detection, platform stability (retained 30 days) | Legitimate interest |
2.8 Mobile Application Data
Our mobile applications (iOS and Android) collect additional technical data necessary to deliver push notifications and improve app stability. This data does not include advertising identifiers (IDFA / GAID) and is not used for tracking across apps or websites owned by other companies.
| Data Field | Purpose | Legal Basis |
|---|---|---|
| Push Notification Token (FCM) | Deliver service reminders, appointment confirmations, and transactional notifications via Firebase Cloud Messaging | Contract performance |
| Firebase Installation ID (Device ID) | Internal identifier used by Firebase to associate the device with notifications and analytics. Not linked to advertising. | Legitimate interest |
| App Usage Events (screen views, sessions, app opens) | Understand which features are used, improve product quality. Aggregated and anonymized. | Legitimate interest |
| Crash Reports & Performance Data | Detect and fix app crashes, monitor app performance and stability | Legitimate interest |
| Device Type, OS Version, App Version | Compatibility, troubleshooting, crash diagnostics | Legitimate interest |
Push notifications can be disabled at any time from your device's system settings. Disabling notifications does not affect other app functionality.
3. Data Processing Roles
- Vehium as Data Processor: We process Customer Data (names, phones, emails, addresses, vehicle info) on behalf of workshop owners to deliver our platform. We do not use Customer Data for our own independent purposes.
- Workshop Owners / Mechanics as Data Controllers: You decide what Customer Data to collect and for what purpose. You are responsible for obtaining consent from your customers and complying with local data protection laws.
- Vehium as Data Controller: For data we collect directly (account registration, billing, website usage) we are the data controller.
4. Who We Share Data With
We do not sell personal information. We share data only with the following service providers:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Stripe | Subscription billing and payment processing | Email, company name. Credit card data is handled exclusively by Stripe. We never store, process, or see card details. | USA / EU (PCI DSS compliant) |
| Namecheap PrivateEmail | Transactional email delivery (password resets, confirmations, notifications) | Recipient email address, email content | USA |
| Hetzner Cloud | Encrypted database backups | Encrypted backup data | EU (Germany / Finland) |
| Google Firebase Cloud Messaging (Google LLC) | Push notification delivery to iOS and Android mobile apps | Push notification token, device identifier (Firebase Installation ID), notification payload (title, body, action data) | USA / Global (SCCs apply) |
| Google Firebase Analytics (Google LLC) | Aggregated, anonymized mobile app usage analytics, crash reporting, and performance monitoring. Not used for advertising. | App usage events, device type, OS version, app version, Firebase Installation ID, crash diagnostics, performance metrics | USA / Global (SCCs apply) |
Google's Firebase services are governed by the Firebase Privacy and Security policy and Google Privacy Policy. We do not use Firebase for advertising, audience building, or sale of personal data.
We do not share data with advertisers, data brokers, or social media platforms.
5. Data Storage & Security
- Primary storage: All data is stored on private dedicated infrastructure located in Cyprus (EU).
- Backups: Encrypted daily backups stored on Hetzner Cloud within the EU (Germany/Finland).
- Encryption: All data encrypted in transit (TLS 1.2+) and at rest.
- Passwords: Stored using one-way cryptographic hashing. Minimum 12 characters with uppercase, lowercase, digits, and special characters required.
- Authentication: Short-lived JWT tokens (15-minute expiry) with secure refresh token rotation. Tokens are blacklisted on logout.
- Rate limiting: Authentication endpoints are rate-limited to prevent brute-force attacks.
- Multi-tenant isolation: Each workshop's data is fully isolated. Workshops cannot access each other's data.
- Access control: Role-based access control (Admin, Manager, Worker, Client) restricts data access based on role.
- Email confirmation: Required before account activation.
6. Data Retention
| Data Category | Retention Period | After Deletion |
|---|---|---|
| Account & employee data | Duration of active account + 30-day grace period | Permanently deleted (hard delete of all tenant data) |
| Customer records | Soft-deleted on request; permanently removed with account | Hard-deleted with tenant |
| Vehicle & service records | Soft-deleted on request; permanently removed with account | Hard-deleted with tenant |
| Invoice & billing records | Up to 7 years (tax/legal requirement) | Permanently deleted |
| Uploaded photos | Deleted when parent record is removed or on request | Permanently removed from storage |
| Application logs | 30 days rolling | Automatically purged |
| Unverified customer accounts | Automatically cleaned up | Permanently deleted |
| Backups | 30 days rolling | Automatically purged |
7. Your Rights
Depending on your location, you have the following rights regarding your personal data:
- Access: Request a copy of all personal data we hold about you.
- Correction: Request correction of inaccurate or incomplete data.
- Deletion: Request deletion of your personal data.
- Portability: Receive your data in a structured, machine-readable format (JSON or CSV).
- Restriction: Request that we limit how we process your data.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent, withdraw it at any time.
For workshop users: Contact us at info@vehium.com.
For end customers: Contact the workshop that manages your data first. If you need further help, contact us at info@vehium.com.
We do not make decisions based solely on automated processing that produce legal effects concerning you.
8. For EU, EEA & UK Residents (GDPR)
If you are located in the European Union, European Economic Area, or United Kingdom, the following additional disclosures apply under the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018.
Lawful Basis for Processing (GDPR Article 6)
- Article 6(1)(b), Contract performance: Processing your data (name, email, phone, username, company details) is necessary to provide the Vehium platform services.
- Article 6(1)(f), Legitimate interests: We process technical data (IP address, device info, logs) for security, fraud prevention, and error detection.
- Article 6(1)(c), Legal obligation: We retain invoice records and VAT numbers as required by tax regulations.
- Article 6(1)(a), Consent: For optional data such as photos, gallery images, and public discoverability settings. You may withdraw consent at any time.
Your GDPR Rights (Articles 15–22)
- Right of Access (Art. 15): Request a copy of your personal data. We will provide it within 30 days.
- Right to Rectification (Art. 16): Request correction of inaccurate data.
- Right to Erasure (Art. 17): Request deletion of your data when no longer necessary.
- Right to Restriction (Art. 18): Limit how your data is processed.
- Right to Data Portability (Art. 20): Receive your data in JSON or CSV format.
- Right to Object (Art. 21): Object to processing based on legitimate interests.
International Data Transfers
Your primary data is stored on infrastructure located in Cyprus (EU). Backups are stored on Hetzner Cloud within the EU (Germany/Finland). These transfers remain within the EU/EEA and do not require additional safeguards.
For services located outside the EU (Stripe, USA; Namecheap PrivateEmail, USA; Google Firebase Cloud Messaging and Firebase Analytics, USA / Global), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure adequate data protection. Google additionally maintains its own SCCs and supplementary measures for international Firebase data transfers.
How to Exercise Your GDPR Rights
- Email info@vehium.com with the subject "GDPR Request".
- We will verify your identity and respond within 30 days (extendable by 60 days for complex requests, with notice).
- No fee for exercising your rights, unless requests are manifestly unfounded or excessive.
Supervisory Authority
You have the right to lodge a complaint with your local Data Protection Authority if you believe your rights have been violated. For Cyprus, this is the Commissioner for Personal Data Protection (dataprotection.gov.cy).
9. For California & US Residents
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide additional rights. Many other US states have similar laws (Virginia, Colorado, Connecticut, Texas, Oregon, and others).
Categories of Personal Information We Collect (CCPA)
| Category | Examples | Collected |
|---|---|---|
| A. Identifiers | First name, last name, username, email, phone, home number, address, IP address, mobile device identifier (Firebase Installation ID), push notification token | Yes |
| B. Personal Information (Cal. Civ. Code 1798.80) | Name, address, phone, company name, VAT number | Yes |
| D. Commercial Information | Subscription records (via Stripe), invoices, service order history | Yes |
| F. Internet/Network Activity | Application logs, API access logs, error reports, mobile app usage events (screen views, sessions), crash and performance diagnostics | Yes |
| G. Geolocation | Approximate location from IP address | Yes |
| H. Sensory Data | Photos (vehicle, service, profile, gallery, user-uploaded only) | Yes |
Your CCPA / US State Privacy Rights
- Right to Know: Request what personal information we collect, the sources, purposes, and who we share it with.
- Right to Delete: Request deletion of your personal information.
- Right to Correct: Request correction of inaccurate information.
- Right to Opt-Out of Sale/Sharing: We do NOT sell personal information. We do NOT share personal information for cross-context behavioral advertising.
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights.
How to Exercise Your Rights
- Email info@vehium.com with the subject "CCPA Request" (or "Privacy Request" for other US states).
- We will verify your identity and respond within 45 days (extendable by 45 days with notice).
- You may designate an authorized agent with written authorization.
10. Cookies, Local Storage & Mobile App Analytics
The Vehium marketing website (vehium.com) does not use tracking cookies or analytics cookies. We store your theme preference (light/dark mode) in your browser's local storage. This is not a cookie and is not transmitted to our servers.
The Vehium web platform (app.vehium.com, customer.vehium.com) uses essential technical mechanisms only:
- JWT authentication tokens: Used to keep you logged in. These are required for the platform to function and cannot be disabled.
- Refresh tokens: Used to maintain your session securely.
- User preferences: Language and theme settings stored locally in your browser.
The web platform does not use advertising cookies, third-party tracking pixels, or web analytics services such as Google Analytics for Web.
Mobile applications (iOS & Android): Our mobile apps use Firebase Analytics and Firebase Cloud Messaging to provide push notifications and to collect aggregated, anonymized usage statistics (screen views, sessions, crashes, performance). Firebase Analytics in our apps:
- Does not use the iOS Identifier for Advertisers (IDFA) or Android Advertising ID (GAID).
- Does not trigger Apple's App Tracking Transparency (ATT) prompt because we do not track users across other apps and websites.
- Is not shared with Google for advertising or audience-building purposes.
- Can be disabled at the operating-system level via your device's privacy settings, or by uninstalling the app.
11. Your Obligations as a Workshop
If you use Vehium to manage customer data, you act as a data controller and have these responsibilities:
- Obtain consent: Ensure you have lawful basis to collect and store your customers' personal data (first name, last name, phone, email, address) and vehicle data (VIN, brand, model, year, license plate, engine type) on Vehium.
- Inform customers: Tell your customers that their data is stored on the Vehium platform and how it is used.
- Handle requests: Respond to your customers' data access, correction, and deletion requests promptly.
- Keep data accurate: Maintain accurate and up-to-date customer and vehicle records.
- Report incidents: Notify us immediately if you become aware of any data breach affecting data stored on Vehium.
12. Data Breach Response
In the event of a data breach:
- We will investigate and contain the breach within 24 hours of discovery.
- Affected users will be notified within 72 hours, as required by GDPR.
- Relevant supervisory authorities will be notified as required by law.
- We will provide a detailed incident report and implement corrective measures.
13. Children's Privacy
Vehium is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If we discover we have collected data from a child under 16, we will promptly delete it.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before changes take effect. Continued use of the platform after changes constitutes acceptance.
15. Contact Us
For any privacy-related questions, data requests, or concerns:
- Email: info@vehium.com