Privacy Policy
Effective date: March 8, 2026
1. Data Controller & Processor Roles
The operator of VehicleStudio is:
- Company: [COMPANY_LEGAL_NAME]
- Org. nr: [XXXXXX-XXXX]
- Address: [STREET], [POSTAL CODE] [CITY], Sweden
- Email: support@vehiclestudio.app
Our GDPR roles
VehicleStudio serves automotive dealerships and professionals. Under the GDPR, different roles apply depending on the type of data:
| Data Category | GDPR Role | Explanation |
|---|---|---|
| Account, billing, usage data | Controller | We determine the purposes and means of processing your account information. |
| Uploaded vehicle images | Processor | You (the dealer/professional) are the controller of the images you upload. We process them solely on your instructions to deliver the Service. |
Where we act as processor, the processing is governed by our Data Processing Agreement (DPA), which forms part of our Terms of Service and satisfies the requirements of GDPR Art. 28.
Throughout this policy "VehicleStudio", "we", "us" and "our" refer to the entity above. This policy covers data for which we act as controller. For data we process on your behalf, see the DPA.
2. Data We Collect
| Category | Details |
|---|---|
| Account info | Email address, name, dealership name, phone (optional) |
| Uploaded images | Vehicle photos you submit for processing |
| Usage data | Pages visited, features used, processing counts |
| Payment info | Managed by Stripe — we never see or store your card number |
| Technical data | Hashed IP address (for rate limiting), browser type, device info |
3. Legal Basis for Processing
Under the General Data Protection Regulation (GDPR), we must have a lawful basis for processing your personal data. We rely on the following:
| Processing Activity | Legal Basis (GDPR Art. 6) |
|---|---|
| Account creation & authentication | Contract performance (Art. 6(1)(b)) |
| Image processing & storage | Contract performance (Art. 6(1)(b)) — we process as processor on your documented instructions; see DPA |
| Payment processing via Stripe | Contract performance (Art. 6(1)(b)) |
| Transactional emails (verification, receipts) | Contract performance (Art. 6(1)(b)) |
| Rate limiting & abuse prevention (hashed IP) | Legitimate interest (Art. 6(1)(f)) — security of the Service |
| Usage analytics (aggregate, no tracking cookies) | Legitimate interest (Art. 6(1)(f)) — service improvement |
| Invoices & accounting records | Legal obligation (Art. 6(1)(c)) — Swedish Bokföringslagen |
We do not rely on consent as a legal basis for any core processing. Where we process data based on legitimate interest, you have the right to object (see Section 9).
4. How We Use Your Data
- Provide and improve the Service (photo processing, account management).
- Process payments via Stripe.
- Send transactional emails (verification, password reset, receipts).
- Enforce rate limits and prevent abuse (using hashed, not raw, IP addresses).
- Respond to support requests.
- Comply with legal obligations (e.g., Swedish accounting law).
We do not sell your data, use your images for AI training, profile you for advertising, or share personal information with advertisers.
5. Data Storage & Retention
| Data | Retention Period |
|---|---|
| Account data | While your account is active + 30 days after deletion |
| Uploaded & processed images | While your account is active; deleted within 30 days of account deletion |
| Processed image cache | Up to 90 days, then automatically purged |
| Rate limit logs (hashed IP) | 24 hours (rolling window) |
| Payment/invoice records | 7 years (required by Swedish Bokföringslagen) |
Data is stored in Supabase (EU region). See Section 7 for international transfer details.
6. Third-Party Services (Sub-Processors)
We use the following third-party services to operate VehicleStudio:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Authentication, database, file storage | EU (Frankfurt) |
| Stripe | Payment processing | EU/US (Privacy Policy) |
| Vercel | Hosting & edge delivery | Global CDN (EU edge nodes) |
7. International Data Transfers
Our primary data storage is in the EU (Supabase Frankfurt region). Some sub-processors (Stripe, Vercel) may process data in the United States. Where personal data is transferred outside the EU/EEA, it is protected by:
- The EU-U.S. Data Privacy Framework (for certified US companies like Stripe and Vercel), and/or
- Standard Contractual Clauses (SCCs) approved by the European Commission.
You may request details about the safeguards in place by emailing support@vehiclestudio.app.
8. Cookies
We use only strictly necessary cookies required for authentication and session management. These cookies are exempt from consent requirements under the EU ePrivacy Directive because the Service cannot function without them.
| Cookie | Purpose | Duration |
|---|---|---|
| sb-*-auth-token | Supabase authentication session | Session / 1 year |
We do not use analytics, advertising, or tracking cookies.
9. Your Rights Under the GDPR
As a data subject in the EU/EEA, you have the following rights:
- Right of access (Art. 15) — request a copy of your personal data.
- Right to rectification (Art. 16) — correct inaccurate data via your Account page.
- Right to erasure (Art. 17) — delete your account and all associated data.
- Right to restriction (Art. 18) — request we restrict processing of your data while a dispute is resolved.
- Right to data portability (Art. 20) — export your data in a machine-readable JSON format.
- Right to object (Art. 21) — object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3)) — where consent is the basis, you may withdraw at any time (note: we do not currently rely on consent for core processing).
To exercise these rights, use the controls on your Account page (data export, account deletion) or email support@vehiclestudio.app. We will respond within 30 days as required by the GDPR.
10. Supervisory Authority
If you believe we have not handled your personal data correctly, you have the right to lodge a complaint with the Swedish data protection authority:
- Authority: Integritetsskyddsmyndigheten (IMY)
- Website: imy.se
- Email: imy@imy.se
You may also lodge a complaint with the supervisory authority in your country of residence.
11. Children
The Service is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If we learn that we have collected data from a child under 16, we will delete it promptly.
12. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or in-app notice at least 30 days before taking effect. The latest version is always available at vehiclestudio.app/privacy.
13. Contact
For any questions or requests related to this Privacy Policy or your personal data, email support@vehiclestudio.app.