Privacy Policy

Effective: June 10, 2025 · Version 1.0

This policy provides an overview of our data practices. For legal advice specific to your situation, consult a qualified attorney.

1. Who we are (Data Controller)

Vroom (“we”, “us”, “our”) is the data controller for personal data processed through this service, available at https://thevroomcar.com and the Vroom mobile application.

Contact us about privacy at: privacy@thevroomcar.com

2. What data we collect and why

We collect only what is necessary to provide the service. The table below lists the categories of data, the purpose, and the legal basis under GDPR Article 6.

Data | Purpose | Legal basis
Name (optional), email address, hashed password | Account creation and authentication | Contract (Art. 6(1)(b))
Vehicle details (make, model, year, nickname, plate) | Core service: vehicle diary | Contract (Art. 6(1)(b))
Expense records (amount, date, category, odometer) | Core service: expense tracking | Contract (Art. 6(1)(b))
Preferences (currency, distance unit, fuel unit) | Personalising the display of your data | Contract (Art. 6(1)(b))
Consent timestamp and version (gdpr_consent_at, gdpr_consent_version) | Compliance audit record | Legal obligation (Art. 6(1)(c))

We do not collect payment card details, government identifiers, or sensitive categories of personal data (Art. 9 GDPR).

3. Analytics and cookies

We use Vercel Analytics and Vercel Speed Insights to understand aggregate usage patterns. These tools are privacy-friendly by design: they do not use cookies, do not track users across sites, and do not store personal identifiers. Data is derived from hashed request metadata and is retained by Vercel per their own privacy policy.

We use a single session cookie (accessToken) to authenticate you after login. This is strictly necessary for the service to function and does not require a cookie consent banner under ePrivacy rules.

4. Data retention

Your data is retained for as long as your account is active. If you delete your account, all associated data (vehicles, expenses, session tokens) is permanently and immediately erased from our systems. We do not maintain soft-deleted records or backups past our database provider's standard backup window (approximately 7 days).

Consent audit records are retained for 5 years from the date of collection to meet our legal obligations, even after account deletion.

5. Who we share data with

We use the following sub-processors to deliver the service:

  • Supabase — PostgreSQL database hosting. Data stored in the EU.
  • Render — API server hosting.
  • Vercel — Web frontend hosting and analytics.

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

6. Your rights under GDPR

If you are in the EU or EEA, you have the following rights:

  • Right of access (Art. 15) — Request a copy of all data we hold about you. Use the “Export my data” button in Settings → Data & Privacy.
  • Right to data portability (Art. 20) — Download your data as a machine-readable JSON file. Use the same export button.
  • Right to erasure (Art. 17) — Delete your account and all associated data instantly. Use “Delete my account” in Settings → Data & Privacy.
  • Right to rectification (Art. 16) — Correct inaccurate data via the settings page.
  • Right to restrict processing (Art. 18) and Right to object (Art. 21) — Contact us at privacy@thevroomcar.com.
  • Right to lodge a complaint — You may contact your local data protection authority. A list of EU DPAs is available at edpb.europa.eu.

7. Security

Passwords are stored as bcrypt hashes and are never stored in plaintext. All connections use TLS. Authentication tokens are JWTs that expire after 7 days. Email verification tokens are single-use and are SHA-256 hashed before storage, so a copy of the database does not contain a usable verification link.
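The verification-token handling described above, shown as an added illustration in Python (this is example code written for this page, not Vroom's own implementation). It assumes an in-memory dictionary standing in for the database table, a 24-hour token lifetime, and the function names issue_token and verify_token; none of these appear in the policy. The point it demonstrates is that only the SHA-256 digest of a token is ever stored, that a token is consumed on first use, and that an expired or unknown token is rejected.

```python
import hashlib
import secrets
import time
from typing import Dict, List, Optional

# Constructed in-memory store standing in for the database table.
# Keys are hex SHA-256 digests; the raw token is never written here.
_tokens: Dict[str, dict] = {}

TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumed lifetime; the policy does not state one


def _digest(token: str) -> str:
    """SHA-256 of the token as sent to the user; this is what gets stored."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a fresh verification token for user_id and return the raw token.

    The raw token goes into the verification email; only its digest is stored.
    Because the token carries 256 bits of randomness, a leaked table of
    digests cannot be turned back into usable links.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _tokens[_digest(token)] = {
        "user": user_id,
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Consume a token. Returns the user id on success, None otherwise.

    Rejects tokens that are unknown, already used, or past their expiry.
    The record is marked used before the user id is returned, so a second
    presentation of the same link fails (single use).
    """
    now = time.time() if now is None else now
    record = _tokens.get(_digest(token))
    if record is None or record["used"] or now > record["expires_at"]:
        return None
    record["used"] = True
    return record["user"]


def stored_digests() -> List[str]:
    """What a database dump would reveal: digests only, never raw tokens."""
    return list(_tokens)


if __name__ == "__main__":
    t = issue_token("user-1")
    print("stored:", stored_digests())          # 64-hex-char digests only
    print("first use:", verify_token(t))        # user-1
    print("second use:", verify_token(t))       # None
```

Lookup by digest rather than by raw token is what makes the stored table harmless if it leaks; the same pattern applies to password-reset links, which the policy does not mention but which are usually handled identically.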

8. Changes to this policy

If we make material changes, we will notify you by email or by a prominent notice in the application before the change takes effect. The current version and effective date are shown at the top of this page.

9. Contact

For any privacy-related requests or questions, email us at privacy@thevroomcar.com. We aim to respond within one month, the deadline set by GDPR Art. 12(3).
