Legal
Privacy Policy
Effective: March 2, 2026 · Last updated: March 2, 2026
1. Who We Are
Dealer-OS (“Dealer-OS,” “we,” “us,” or “our”) operates the platform available at https://dealer-os.io (the “Platform”). We provide all-in-one dealer management software for independent automotive dealers, including inventory management, sales tracking, lead management, title processing, tax automation, and dealer website tools.
This Privacy Policy explains how we collect, use, disclose, and safeguard information about you when you access or use our Platform. Please read it carefully. If you do not agree with its terms, please stop using the Platform.
For questions or concerns, contact us at privacy@dealer-os.io.
2. Information We Collect
2.1 Information You Provide Directly
- Account information: name, business email address, dealership name, phone number, and role when you register or join a team.
- Dealership business data: dealer license information, address, business hours, tax IDs, and other operational details you enter.
- Inventory data: vehicle details, photos, pricing, VIN numbers, condition notes, and cost records.
- Customer and lead data: names, phone numbers, email addresses, and communication history for prospective and existing customers — entered by dealer staff or submitted by end users via dealer microsites.
- Deal and transaction records: bill-of-sale data, financing information, trade-in values, and tax/fee computations.
- Support communications: any messages you send to our team.
2.2 Information Collected Automatically
- Log data: IP address, browser type and version, operating system, pages visited, timestamps, and referring URLs.
- Usage data: features accessed, actions taken within the Platform, and session duration.
- Device information: device type, screen resolution, and unique device identifiers.
- Cookies and similar technologies: session cookies for authentication (e.g., dealer_os_session) and functional cookies to maintain your preferences. We do not use third-party advertising cookies.
2.3 Information from Third-Party Integrations
When you choose to connect a third-party service to your Dealer-OS account, we receive only the data necessary to provide the integration:
- Google Maps Platform: we use your dealership address to render maps and calculate accurate tax rates for customer locations. No personal location data is stored beyond what you explicitly enter.
- Gmail (optional): if you connect your Gmail account to send emails to leads directly from Dealer-OS, we request access to gmail.send and userinfo.email. See Section 4 for our Google API Limited Use Disclosure.
- Stripe: payment processing for Dealer-OS subscriptions. We do not store full card numbers; Stripe handles all payment data under their own privacy policy.
3. How We Use Your Information
We use the information we collect to:
- Create and manage your Dealer-OS account and team.
- Provide, operate, maintain, and improve the Platform and its features.
- Generate documents such as bills of sale, window stickers, and buyer’s guides using your inventory and deal data.
- Send transactional emails (deal confirmations, password resets, system alerts) via our email service provider.
- Respond to your support requests and communicate with you about your account.
- Monitor and analyze usage patterns to improve platform performance and user experience.
- Detect and prevent fraud, abuse, and security incidents.
- Comply with applicable legal obligations.
- If you opt in, send product updates and feature announcements (you may unsubscribe at any time).
We do not sell your personal data to third parties, use it for advertising profiling, or share it for purposes other than those described in this policy.
4. Google API Limited Use Disclosure
Dealer-OS’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, when you connect your Google account to Dealer-OS:
- We request only the minimum scopes necessary: gmail.send (to send emails to your leads on your behalf) and userinfo.email (to identify which Gmail account is connected).
- We use your Gmail access only to send emails that you explicitly compose and initiate within the Platform. We do not read, index, or store your inbox or any received emails.
- We do not use Google user data to develop, improve, or train generalized AI or machine-learning models.
- We do not transfer your Google user data to third parties except as necessary to provide the email-sending feature (e.g., our infrastructure provider), and only in compliance with Google’s Limited Use policy.
- You may disconnect your Gmail integration at any time from your Dealer-OS account settings. Upon disconnection, any stored OAuth tokens are immediately revoked and deleted.
Questions about our Google API data practices may be directed to privacy@dealer-os.io.
5. Data Sharing
We share your information only in the following limited circumstances:
5.1 Service Providers
We work with trusted sub-processors who process data solely on our behalf and under strict data protection agreements:
| Provider | Purpose | Location |
|---|---|---|
| Google Firebase / Cloud | Database, authentication, hosting, storage | USA |
| Stripe | Payment processing | USA |
| Resend | Transactional email delivery | USA |
| Google Maps Platform | Address geocoding and map display | USA |
| Anthropic | AI-powered vehicle listing generation | USA |
5.2 Legal Requirements
We may disclose your information if required to do so by law or in response to a valid legal request (e.g., subpoena, court order) — but only to the extent required and, where legally permissible, after notifying you.
5.3 Business Transfers
In the event of a merger, acquisition, or sale of substantially all assets, your data may be transferred to the successor entity. We will notify you before any such transfer and before your data becomes subject to a materially different privacy policy.
6. Data Security
We implement industry-standard technical and organizational security measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These include:
- Encryption in transit via TLS 1.2+ for all data exchanged with our Platform.
- Encryption at rest for all data stored in Firebase/Google Cloud infrastructure.
- Role-based access controls ensuring team members can only access data relevant to their role.
- Secure, HTTP-only session cookies with CSRF protection for all authentication flows.
- Firebase Authentication with support for multi-factor authentication.
No method of transmission over the Internet or electronic storage is 100% secure. For a full description of our security practices, see our Security page.
7. Data Retention
We retain your data for as long as your account is active or as needed to provide the Platform. Specifically:
- Account data is retained for the duration of your subscription. Upon account closure, we delete or anonymize your personal data within 90 days, except where longer retention is required by law.
- Transaction and deal records may be retained for up to 7 years to comply with financial record-keeping requirements applicable to automotive dealers.
- OAuth tokens (e.g., Gmail) are deleted immediately upon disconnection of the integration.
- Security and access logs are retained for up to 12 months.
8. Your Privacy Rights
Depending on your location, you may have the following rights regarding your personal information:
- Access: request a copy of the personal data we hold about you.
- Correction: request correction of inaccurate or incomplete data.
- Deletion: request deletion of your personal data (subject to legal retention obligations).
- Portability: receive a machine-readable copy of your data to transfer to another service.
- Objection / Restriction: object to or request restriction of certain processing activities.
- Withdrawal of consent: where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
California Residents (CCPA / CPRA)
California residents have the right to know what personal information we collect, to delete personal information, to opt out of the sale of personal information (we do not sell personal information), and to non-discrimination for exercising these rights. To submit a CCPA request, contact us at privacy@dealer-os.io.
EEA / UK Residents (GDPR / UK GDPR)
Our lawful bases for processing personal data are: (a) performance of a contract when processing is necessary to deliver the Platform; (b) legitimate interests (security, fraud prevention, service improvement); and (c) consent where required. You may exercise your rights or lodge a complaint with your local supervisory authority. Contact us at privacy@dealer-os.io.
9. Cookies and Tracking Technologies
We use the following types of cookies:
- Strictly necessary cookies: required for authentication and session management (e.g., dealer_os_session). These cannot be disabled.
- Functional cookies: remember your preferences (locale, display settings).
We do not use advertising, behavioral tracking, or third-party analytics cookies. You may disable cookies in your browser settings; however, doing so may prevent you from logging in or using the Platform.
10. Children’s Privacy
The Platform is intended solely for use by business professionals and is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us at privacy@dealer-os.io and we will promptly delete it.
11. International Data Transfers
Dealer-OS is operated in the United States. If you access the Platform from outside the US, your information may be transferred to and processed in the US, where data protection laws may differ from those in your country. Where required, we rely on appropriate transfer mechanisms (such as Standard Contractual Clauses) to ensure your data is adequately protected.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by posting a prominent notice on the Platform at least 30 days before the changes take effect. The “Last updated” date at the top of this page indicates when the policy was most recently revised. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.
13. Contact Us
If you have questions, requests, or concerns about this Privacy Policy or our data practices, please contact us: