Privacy and Data Protection Policy

1. Introduction and Scope

CarFlipper.ai ("Service") is operated by Fontos Consulting LTDA. ("Company," "we," "us," or "our") and respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, process, and protect information when you use the CarFlipper.ai service ("Service").

Regulatory Compliance: This policy complies with Brazilian Lei Geral de Proteção de Dados (LGPD), European GDPR, US state privacy laws including the California Consumer Privacy Act (CCPA), Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), and applicable international data protection regulations.

Service Overview: Our Service provides automated automotive deal discovery through AI-powered analysis of publicly available car listings from US and Canadian sources, delivered via Telegram bot integration.

2. Data Controller Information and Contact Details

• Data Controller: Fontos Consulting LTDA.
• Privacy Inquiries: privacy@carflipper.ai
• Customer Support: support@carflipper.ai

3. Categories of Personal Information We Collect

Information You Provide Directly:

• Account Information: Email address, preferred notification settings, user preferences
• Payment Information: Billing details processed through our secure payment platform (we do not store full payment card information)
• Communication Data: Support inquiries, feedback, and correspondence
• Telegram User Data: Telegram username, user ID, and basic profile information accessible through bot interactions

Information Collected Automatically:

• Usage Data: Service interaction patterns, feature usage, search queries, and preferences
• Technical Information: IP addresses, device information, browser type, access times
• Bot Interaction Data: Commands used, response patterns, service configuration choices
• Session Information: Login timestamps, session duration, geographic location data

Marketing and Analytics Data:

• Website Analytics: Google Analytics, Facebook Pixel, Yahoo marketing pixels for website optimization
• Marketing Attribution: Campaign effectiveness, referral sources, user acquisition metrics
• Cookie Data: Session management cookies, preference settings, authentication tokens

4. Legal Basis for Processing and Purposes of Use

LGPD Legal Bases:

• Consent: For marketing communications, analytics, and optional features
• Contract Execution: For service delivery, payment processing, and account management
• Legitimate Interest: For service improvement, fraud prevention, and customer support
• Legal Compliance: For tax obligations, regulatory reporting, and law enforcement requests

GDPR Legal Bases (for EU users):

• Consent (Article 6(1)(a)): Marketing, analytics, and optional data processing
• Contract Performance (Article 6(1)(b)): Service delivery and payment processing
• Legitimate Interests (Article 6(1)(f)): Service improvement, security, and fraud prevention
• Legal Obligation (Article 6(1)(c)): Regulatory compliance and legal requirements

Processing Purposes:

• Service Delivery: Providing automotive deal notifications and personalized recommendations
• AI Processing: Using Claude AI and ChatGPT for content analysis, filtering, and recommendation generation
• Payment Processing: Managing subscriptions, token purchases, and billing through our secure payment platform
• Customer Support: Responding to inquiries, troubleshooting, and service assistance
• Service Improvement: Analyzing usage patterns to enhance features and functionality
• Marketing and Analytics: Understanding user behavior and promoting relevant services
• Legal Compliance: Meeting tax, regulatory, and law enforcement obligations

5. AI Processing and Automated Decision-Making

AI Systems Used: Our Service employs Claude AI (Anthropic) and ChatGPT (OpenAI) for:

• Content Analysis: Processing automotive listing information for relevance and quality
• Deal Scoring: Algorithmic evaluation of listing value and user relevance
• Auto-Context Expansion: Enhancing listing information with additional relevant details
• Recommendation Generation: Personalizing deal suggestions based on user preferences

Automated Decision-Making Rights:

• Request human review of AI-driven recommendations
• Understand the logic behind automated processing affecting their service experience
• Opt out of certain AI-powered features while maintaining core service access
• Access information about how AI systems process their data

AI Transparency: AI processing involves analyzing user preferences, search history, and interaction patterns to improve recommendation accuracy. Users can request detailed explanations of AI decision-making processes affecting their service experience.

6. Data Sharing and Third-Party Processors

Payment Processing:

• Payment Processor: Processes all payment transactions within the CarFlipper app. Data shared includes billing information and transaction details, handled according to industry security standards.

Service Infrastructure:

• Cloud Hosting Providers: Technical service data and user information stored on secure cloud infrastructure
• Telegram Platform: Bot interaction data processed through Telegram's platform in accordance with their privacy policies

AI Processing Partners:

• Anthropic (Claude AI): User queries and automotive data processed for analysis and recommendations
• OpenAI (ChatGPT): Similar processing for content enhancement and user assistance

Marketing and Analytics:

• Google Analytics: Website usage analytics for service improvement
• Facebook Pixel: Marketing attribution and campaign optimization
• Yahoo Analytics: Additional marketing performance analysis

No Data Sales: We do not sell personal information to third parties for their direct marketing purposes.

7. International Data Transfers

Transfer Locations: Personal data may be transferred to and processed in:

• United States: For AI processing (Anthropic, OpenAI) and payment processing
• European Union: For cloud infrastructure and service delivery
• Other Countries: As necessary for service operation and third-party processing

Transfer Safeguards:

• Standard Contractual Clauses: ANPD-approved SCCs for transfers from Brazil (mandatory implementation by August 2025)
• Data Processing Agreements: Comprehensive agreements with all international processors
• Privacy Shield Successors: Appropriate frameworks for US data transfers where available
• Adequate Protection: Ensuring recipient countries provide adequate data protection levels

User Rights Regarding Transfers: Users can request information about international transfers affecting their data and the safeguards protecting their information in foreign jurisdictions.

8. Data Retention and Deletion

Retention Periods:

• Account Data: Retained while account is active plus 30 days after closure
• Payment Information: 7 years for tax and financial record keeping (Brazil/international requirements)
• Usage Analytics: 24 months for service improvement analysis
• Marketing Data: Until consent is withdrawn or maximum 3 years
• Legal Compliance Data: As required by applicable laws and regulations

Automatic Deletion:

• We implement automated deletion processes to remove data after retention periods expire. Users receive notification before automatic deletion where required by law.
• We collect and retain only data necessary for specified purposes and regularly review retention practices to minimize storage duration.

9. Comprehensive User Rights Framework

Universal Rights (Available to All Users):

• Right to be Informed: Clear information about data processing at collection
• Right of Access: Obtain copies of personal data and processing information
• Right to Rectification: Correct inaccurate or incomplete information
• Right to Deletion: Request erasure of personal data ("right to be forgotten")
• Right to Data Portability: Export data in machine-readable format
• Right to Object: Oppose processing for direct marketing and legitimate interests

Brazilian Users (LGPD Rights):

• Right to Confirmation: Confirm existence of data processing
• Right to Information: Detailed information about processing activities
• Right to Anonymization: Request anonymization of unnecessary data
• Right to Withdraw Consent: Easy consent withdrawal mechanism
• Right to Explanation: Understand automated decision-making processes

US State Law Rights (California, Virginia, Colorado, etc.):

• Right to Know: Categories of personal information collected and processed
• Right to Delete: Request deletion of personal information
• Right to Opt-Out: Opt out of sale/sharing and targeted advertising
• Right to Non-Discrimination: Equal service regardless of privacy choices
• Right to Correct: Rectify inaccurate personal information

Canadian Users (PIPEDA Rights):

• Right to Access: Access personal information held by organization
• Right to Challenge: Challenge accuracy and completeness of information
• Right to Withdraw Consent: Withdraw consent subject to contractual restrictions
• Right to Complain: File complaints with Privacy Commissioner

10. Exercising Your Rights

How to Submit Requests:

• Email: privacy@carflipper.ai with "Privacy Request" in subject line

Request Processing:

• Response Time: 15 days (LGPD), 30 days (GDPR), 45 days (CCPA)
• Identity Verification: Reasonable measures to confirm requester identity
• No Fee: Generally free unless requests are excessive or repetitive
• Status Updates: Regular communication about request processing status

Request Fulfillment:

• Data Access: Comprehensive information about data processing
• Data Deletion: Complete erasure subject to legal retention requirements
• Data Portability: Machine-readable format (JSON, CSV, XML)
• Consent Withdrawal: Immediate cessation of consent-based processing

11. Cookies and Tracking Technologies

Cookie Types Used:

• Essential Cookies: Required for basic service functionality and security
• Analytics Cookies: Google Analytics for website performance analysis
• Marketing Cookies: Facebook Pixel, Yahoo marketing pixels for campaign optimization
• Preference Cookies: Remember user settings and preferences

Cookie Consent:

• Granular Control: Users can accept/reject specific cookie categories
• Consent Management: Easy-to-use cookie preference center
• Withdrawal Rights: Simple mechanism to withdraw cookie consent
• Equal Prominence: Accept and reject options given equal emphasis

Opt-Out Mechanisms:

• Global Privacy Control (GPC): Honor browser-based opt-out signals
• Cookie Settings: Accessible preference management on all pages
• Marketing Opt-Out: Direct opt-out links in marketing communications
• Analytics Opt-Out: Google Analytics opt-out browser add-on support

12. Data Security and Breach Procedures

Security Measures:

• Encryption: AES-256 encryption for data at rest, TLS 1.3 for data in transit
• Access Controls: Role-based access permissions and multi-factor authentication
• Regular Audits: Periodic security assessments and penetration testing
• Staff Training: Comprehensive privacy and security training programs

Breach Response:

• Detection: 24/7 monitoring and incident detection systems
• Assessment: Rapid risk evaluation and impact analysis
• Notification: Regulatory notification within 72 hours (GDPR), 3 working days (LGPD)
• User Communication: Prompt notification if breach likely to cause harm
• Remediation: Immediate measures to contain and remedy security incidents

Data Protection Measures:

• Privacy by Design: Built-in privacy protections in system architecture
• Data Minimization: Collect only necessary information for specified purposes
• Regular Deletion: Automated removal of data after retention periods
• Vendor Security: Comprehensive security requirements for all data processors

13. Children's Privacy

While our Service is available to all Telegram users, we do not knowingly collect personal information from children under 13 without parental consent in compliance with COPPA.

If we become aware of collecting information from children under 13, parents may:

• Request access to their child's information
• Request deletion of their child's personal information
• Refuse further collection of their child's information

Enhanced Protections: Users aged 13-16 in EU jurisdictions receive enhanced privacy protections under GDPR requirements.

14. Marketing and Communication Preferences

Marketing Communications:

• Express Consent: Explicit opt-in for marketing communications
• Service Relationship: Transactional messages related to service use
• Legitimate Interest: Service improvement communications where permitted

Communication Controls:

• Subscription Management: Easy unsubscribe links in all marketing emails
• Granular Preferences: Choose specific types of communications to receive
• Immediate Effect: Opt-out requests processed within 10 business days
• Telegram Controls: Use bot commands to manage notification preferences

15. Updates to This Privacy Policy

• Website Notice: Prominent posting of updated policy with effective date
• Email Notification: Direct communication to registered users
• Service Notification: In-app notices for significant changes

Users have 30 days to review changes before they take effect. Continued use after the effective date constitutes acceptance of updated terms.

16. Contact Information and Complaints

Privacy Inquiries:

• Email: privacy@carflipper.ai
• Response Time: 15 business days for general inquiries

Regulatory Complaints:

• Brazil (LGPD): Brazilian National Data Protection Authority (ANPD) - www.gov.br/anpd
• EU (GDPR): Relevant EU supervisory authority in your member state
• California: California Attorney General - oag.ca.gov
• Canada (PIPEDA): Office of the Privacy Commissioner of Canada - priv.gc.ca

We are committed to resolving privacy concerns promptly and encourage users to contact us directly before filing regulatory complaints. We maintain detailed records of complaint resolution efforts to demonstrate compliance with applicable privacy laws.

This Privacy Policy complies with Brazilian LGPD, US state privacy laws, Canadian PIPEDA, EU GDPR, and international data protection standards. Regular updates ensure continued compliance with evolving regulatory requirements.