Privacy Policy

This policy explains what data AutoEdge (the "App") collects, how it is used, who it is shared with, and what choices you have. AutoEdge is a vehicle-evaluation tool for buyers, sellers, mechanics, and small-volume auction shoppers. We are committed to collecting only what is needed to make the App work.

01Who we are

AutoEdge is developed by James Byland. Questions about this policy or how the App handles your data: james@bylandindustries.com.

02What we collect

2.1 Account data — Google Sign-In

If you sign in with Google we receive the following from Google's OpenID Connect id_token:

• Your Google account identifier (Google's stable "sub" claim)
• Your email address
• Your display name and profile picture URL
• Your locale

We use this data to identify you across devices, populate the "Signed in as" line in Settings, and link your vehicle evaluations, service log entries, and preferences to your account.

2.2 Account data — Email & password

If you sign up with email and password instead of Google we collect and store:

• Your email address (normalized to lowercase). This is your account identifier and the address we send password-reset emails to.
• A salted PBKDF2-SHA256 hash of your password (100,000 iterations, 16-byte random salt). Your password itself is never stored, never logged, and never leaves the request handler in cleartext — the hash is computed on receipt and only the hash is persisted.
• Short-lived password-reset tokens, retained only as SHA-256 hashes with a one-hour expiry. The raw token only ever exists inside the link in your reset email; after the link is used (or after one hour, whichever comes first) the hash is discarded.

After you sign in we issue a session token (an HMAC-SHA256-signed JWT) used to authenticate your subsequent requests. The token expires automatically after 30 days and is wiped from device storage on sign-out.

2.3 App content you create

• Vehicle evaluations (year, make, model, VIN, mileage, condition notes, damages, photos, and the pricing the App computes)
• Service log entries (date, mileage, category, notes, cost)
• Settings (target profit margin, ZIP code, market search radius, service-log opt-in, default labor rate)

2.4 Subscription state

• Your current tier (free, trial, monthly, annual, or lifetime)
• The Google Play purchase token corresponding to your subscription (so we can verify access across devices and process renewals). We do not receive your payment-card details — those stay with Google Play.
• The number of vehicle evaluations you have started in the current calendar month (used only to enforce the free-tier limit)

2.5 Usage logs

Our hosting provider (Cloudflare) records standard HTTP request logs (timestamp, request method, URL path, response status, IP address). We do not export these logs into our own datastore; they are retained on Cloudflare's schedule for diagnostic use only and are not used for advertising or analytics.

2.6 What we do NOT collect

• Precise device location, unless you tap the "Use my location" button on the ZIP input — and in that case we use the resolved ZIP only and discard the underlying coordinates immediately.
• Contacts, photos outside the App's own gallery, calendar, SMS, microphone audio, or browsing history.
• Advertising identifiers. AutoEdge does not contain advertising and does not call any advertising SDK.
• Camera images. The App uses your camera to scan VIN barcodes and read printed VIN text; all image processing happens on your device using Google ML Kit. Camera images are never uploaded.

03How we use your data

• To authenticate you with our backend so your data follows you across devices.
• To compute vehicle valuations, repair estimates, and market comps.
• To deliver the features of your subscription tier (free, trial, or Pro).
• To prevent abuse of the free tier (the per-month evaluation counter).
• To respond to your support requests when you email us.

04Where data goes

We do not sell or rent your personal data, and we do not share it for advertising. We share only what is necessary to power a specific feature you have used.

05Where it's stored

Account data, vehicle evaluations, service log entries, and settings are stored in Cloudflare D1 (an SQLite database) in Cloudflare's globally-replicated network. Subscription state lives there too. We retain this data as long as your account exists. When you delete your account (see section 7) we remove it within 24 hours.

For email/password accounts, your password is stored only as a salted PBKDF2-SHA256 hash — we cannot recover or display it and a database breach would not expose the original password. Password-reset tokens are stored only as one-way SHA-256 hashes that auto-expire one hour after issuance.

A copy of your most recent vehicle history and service log is also cached locally on your device (in Android AsyncStorage) so the App works without a connection. The cache is wiped on sign-out.

06How long we keep it

Data in Cloudflare D1 is retained until you delete your account or individual entries. Anonymous request logs are retained on Cloudflare's schedule and cannot be associated with you after account deletion. Data you send to Auto.dev, eBay, or NHTSA is governed by their respective retention policies; we do not control what they keep.

07Deleting your data

You can delete your account at any time:

• From inside the App: Settings → Account → Delete account. Confirmation is required. Deletion is immediate and irreversible.
• Without installing the App: see the account deletion request page for the web flow.

Cancelling a Google Play subscription does not delete your data — your account simply drops back to the free tier. Use "Delete account" above for full removal.

08Your rights

Depending on your jurisdiction (GDPR, CCPA, etc.) you may have the right to:

• Access the personal data we hold about you (email us; we respond within 30 days)
• Correct inaccurate personal data (most fields are user-editable directly in the App)
• Delete your personal data (see section 7)
• Object to or restrict processing
• Data portability — we can export your vehicle history and service log entries as JSON or CSV on request

09Security

All requests between the App and our backend travel over HTTPS. If you sign in with Google, your id_token is verified server-side against Google's published JWK set on every authenticated request — Google Sign-In never shares your Google password with us. If you sign in with email and password, your password is hashed with PBKDF2-SHA256 (100,000 iterations plus a 16-byte random salt) before it ever leaves the request handler; we store only the resulting hash and never log, transmit, or retain the plaintext password. Authenticated sessions are tracked via short-lived signed tokens (Google id_tokens for Google sign-in; HMAC-SHA256 JWTs we issue ourselves for email sign-in), and password-reset tokens are stored as one-way SHA-256 hashes with a one-hour TTL.

10Children's privacy

AutoEdge is not directed at children under 13. We do not knowingly collect personal data from children under 13. If you believe a child has signed in, please contact us and we will delete the account.

11Changes to this policy

If we change this policy materially we will update the Effective date at the top and surface a notice inside the App at next launch. Continued use after a material change constitutes acceptance.

12Contact

Questions, requests, or complaints: james@bylandindustries.com.