Privacy Policy

1. Data Controller and Contact

For purposes of applicable data protection laws, the data controller is Avalanche Software Company LLC, a California limited liability company. You may contact us with any questions, requests, or concerns regarding this Privacy Policy at support@managemyride.io.

2. Information We Collect

2.1 Information You Provide to Us

• Account information. If you create an account to enable cloud sync, we collect your email address and a hashed (one-way encrypted) password. We never store your password in plain text.
• Vehicle information. Vehicle names, year, make, model, odometer readings, mileage logs, maintenance schedules, repair logs, fix-it lists, reminders, photos you choose to attach, and any other data you voluntarily input into the App.
• Promotional codes. If you redeem a promotional code, we store the redeemed code, its expiration date, and its association with your account.
• Support communications. If you contact us by email, we retain a record of that correspondence (including your email address and the contents of your message).

2.2 Information Collected Automatically

• Purchase information (Web App). Subscriptions in the Web App are processed by Stripe, Inc. You enter your payment details directly with Stripe; we receive your subscription status and a Stripe customer/subscription identifier, but we do not receive or store your full card number or other financial-account details. Stripe's handling of your payment information is governed by Stripe's privacy policy.
• Purchase information (iOS App). Apple processes all in-app purchases and subscriptions in the iOS App through the App Store and StoreKit. We receive confirmation that a purchase or subscription is active and the associated product identifier, but we do not receive or store your credit card number, full payment method, or other financial-account details.
• Vehicle and recall lookups. When you add or update a vehicle, the App queries the National Highway Traffic Safety Administration (“NHTSA”) public APIs using only the year, make, and model of your vehicle to retrieve safety recall information and trim data. No personally identifying information is sent to NHTSA. Recall results are cached locally on your device and are not stored on our servers.
• Push notifications (Web App). If you enable “Push on this device” in the Web App, your browser creates a push subscription — an endpoint URL and cryptographic keys provided by your browser's push service (for example, Google, Apple, or Mozilla) — which we store on our servers so we can send you maintenance and recall notifications. Our servers send those notifications through that push service. You can turn push off at any time in Settings or in your browser, which removes the stored subscription.
• Background app refresh (iOS App). If you grant permission, the iOS App periodically wakes in the background to check for upcoming maintenance reminders and recall updates. These checks use vehicle data already stored on your device and trigger on-device local notifications; no personal data is transmitted as part of iOS background refresh.
• Server logs. When the App communicates with our servers, our infrastructure providers (Railway for our API and database, and Vercel for hosting the Web App) automatically record standard server log information including IP address, request timestamp, user agent, and request path. These logs are retained for a limited period for security, abuse prevention, and operational purposes (see “Data Retention” below).
• Usage and activity data. To operate and improve the App, we record limited, non-identifying usage information on our own servers — such as which features and pages you use, in-app actions you take, and the time you were last active. We use this for first-party product analytics to understand how the App is used. It is not used for advertising and is not shared for any third party's own purposes.

2.3 Information We Do Not Collect

• Precise or background geolocation
• Contacts, calendar, or phone-number data
• Photos, camera, microphone, or biometric data (other than photos you voluntarily attach to a record)
• Health, fitness, or HomeKit data
• Credit card numbers, bank account details, or other financial-account information (handled entirely by Apple)
• Social security numbers, driver's license numbers, or government identification numbers

3. How We Use Your Information

• To provide, operate, maintain, and improve the App and Services
• To synchronize your vehicle data across devices when you enable cloud sync
• To authenticate your account and prevent unauthorized access
• To process and validate promotional code redemptions
• To deliver password reset emails and respond to support inquiries
• To generate on-device local notifications for maintenance and date-based reminders, with your permission
• To detect, investigate, and prevent fraudulent, unauthorized, or illegal activity
• To comply with applicable legal obligations and enforce our Terms of Service

3.1 Siri and Shortcuts (iOS App only)

This applies only to the iOS App. If you use Siri voice commands or the iOS Shortcuts app to interact with the iOS App, your voice requests are processed by Apple's Siri framework on your device or on Apple's servers, and the App receives only the parsed intent (for example, “log mileage”). Vehicle data needed to fulfill the request is read locally on your device. We do not receive, store, or have access to Siri voice recordings, transcriptions, or interaction logs.

4. Legal Bases for Processing (EEA / UK Users)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under the General Data Protection Regulation (“GDPR”) and the UK GDPR to process your personal data:

• Performance of a contract. To provide the App and Services you request, including account authentication, cloud sync, and subscription management.
• Legitimate interests. To secure our Services, prevent fraud and abuse, and improve the App.
• Consent. Where required, for push notifications and background app refresh. You may withdraw consent at any time through iOS Settings.
• Compliance with legal obligations. To comply with applicable laws, court orders, and regulatory requirements.

5. Data Storage and Security

5.1 Where Data Is Stored

• Web App. The Web App uses an account, and your vehicle data is stored on our backend servers — operated by Railway, Inc. (“Railway”) in a PostgreSQL database — so it is available whenever you sign in. Data is transmitted over TLS-encrypted (HTTPS) connections.
• iOS App — local storage (default). In the iOS App, vehicle data is stored locally on your device by default. If you do not create an account or enable cloud sync, that data does not leave your device.
• iOS App — cloud sync (optional). If you create an account and enable cloud sync in the iOS App, your vehicle data is transmitted over TLS-encrypted connections to the same Railway-operated backend and stored in a PostgreSQL database. Railway provides hosting and database services as our processor and is contractually obligated to protect your data. Railway data centers are primarily located in the United States.

5.2 Login and On-Device Security

Web App. When you sign in to the Web App, your session is kept in a secure, HttpOnly cookie that your browser stores and that page scripts cannot read, sent only over encrypted (HTTPS) connections, with an additional anti-CSRF safeguard on authenticated requests.

iOS App. Authentication tokens are stored in the iOS Keychain, Apple's hardware-backed encrypted credential store. Vehicle data shared with the home-screen widget is stored in a sandboxed App Group container accessible only to the iOS App and its widget extension. In both the Web App and the iOS App, passwords are hashed (bcrypt) before storage; we never store or log plain-text passwords.

5.3 Security Measures

We use commercially reasonable administrative, technical, and physical safeguards designed to protect personal data, including TLS encryption in transit, rate limiting, secure password hashing, and access controls on backend systems. However, no method of electronic transmission or storage is completely secure. You are responsible for keeping your account credentials confidential.

5.4 Breach Notification

In the event of a data breach affecting your personal data, we will notify you and, where required, applicable regulators in accordance with applicable law.

6. How We Share Information

We do not sell or rent your personal information. We share information only as described below:

• Service providers and processors. We share information with vendors who process data on our behalf, including Railway (cloud hosting and PostgreSQL), Resend (transactional email), and Apple (subscription processing). These providers are bound by contract to use information only to perform services for us.
• Legal compliance. We may disclose information if we believe in good faith that disclosure is required by law, court order, subpoena, or other legal process, or to protect the rights, property, or safety of Avalanche Software Company LLC, our users, or the public.
• Business transfers. If we are involved in a merger, acquisition, financing, or sale of all or part of our assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have.
• With your consent. We may share information for any other purpose with your consent.

7. Third-Party Services

Stripe (Web App)

Stripe, Inc. processes payments for Web App subscriptions. You provide your payment details directly to Stripe; we receive your subscription status and a Stripe identifier, not your full card number. Stripe's privacy policy is available at stripe.com/privacy.

Vercel (Web App)

Vercel Inc. hosts the Web App and provides privacy-friendly usage analytics that measure aggregate page views and performance. Vercel Analytics does not use advertising cookies and does not track you across other websites. Vercel's privacy policy is available at vercel.com/legal/privacy-policy.

Apple (iOS App)

Apple processes all in-app purchases, subscription billing, App Store distribution, Sign in with Apple (where applicable), and Siri/Shortcuts interactions. Apple's privacy practices are described at apple.com/legal/privacy.

National Highway Traffic Safety Administration (NHTSA)

We query NHTSA's public vehicle and recall APIs to provide make/model data and safety recall information. Only vehicle year, make, and model are sent — no personal information. NHTSA's privacy policy is available at nhtsa.gov/privacy-policy. The App is not affiliated with, sponsored by, or endorsed by NHTSA.

Railway

Railway, Inc. provides hosting and database services for our cloud-sync backend. Their privacy policy is available at railway.com/legal/privacy.

Resend

Password reset emails and other transactional emails are delivered through Resend (resend.com). Only your email address and the contents of the message are shared with Resend for delivery. Resend's privacy policy is available at resend.com/legal/privacy-policy.

Sentry

The App uses Sentry (sentry.io) to collect crash reports and error diagnostics so we can find and fix bugs. Crash reports contain technical information about the state of the App at the time of a crash (such as stack traces, device model, and operating system version). They do not include your vehicle data, account information, or any content you enter into the App, and we have configured Sentry not to collect personally identifying information or IP addresses. Sentry's privacy policy is available at sentry.io/privacy.

8. Tracking and Analytics

The App does not display advertising and does not track you across apps or websites owned by other companies, and we do not sell or share your information for cross-context behavioral advertising.

Web App. We use Vercel Analytics to understand aggregate usage and performance (such as page views and load times). It is privacy-focused, does not use advertising cookies, and does not follow you to other websites. The Web App also uses a strictly necessary cookie to keep you signed in (see Section 5.2).

iOS App. We do not access your device's Advertising Identifier (IDFA), and the iOS App does not request permission under Apple's App Tracking Transparency framework because no tracking occurs.

9. Cookies and Similar Technologies

The Web App uses a small number of cookies and similar browser-storage technologies. We do not use advertising cookies, and we do not use cookies to track you across other websites.

• Strictly necessary cookies. When you sign in to the Web App, we set a secure, HttpOnly session cookie (and an associated anti-CSRF safeguard) that keeps you logged in. These are essential to operate the App; without them you cannot stay signed in. They are not used for advertising or tracking.
• Local storage. The Web App stores small amounts of data in your browser's local storage to remember your preferences and recognize you as a returning user (for example, to show “Sign In” instead of “Get Started”). This data stays in your browser and is not a cross-site tracking cookie.
• Analytics. Vercel Analytics measures aggregate, privacy-friendly usage (such as page views and load times) without advertising cookies and without following you to other sites, as described in Section 8.

You can control or delete cookies and local storage through your browser settings. Because the session cookie is strictly necessary, disabling it will prevent you from signing in to the Web App. The iOS App does not use web cookies.

10. Data Retention

• Local data. Vehicle data stored on your device persists until you delete it or uninstall the App.
• Account and synced data. Account information and cloud-synced vehicle data are retained for as long as your account remains active. If you delete your account, we will delete your account and associated synced data within thirty (30) days, except where retention is required by law or for legitimate operational purposes (such as fraud prevention or financial recordkeeping).
• Server logs. Standard server logs (including IP addresses) are retained for up to ninety (90) days for security and operational purposes.
• Support communications. Email correspondence with our support team is retained for up to two (2) years.

11. Your Rights

Subject to applicable law, you may have the following rights regarding your personal information:

• Access. Request a copy of the personal information we hold about you.
• Correction. Request correction of inaccurate or incomplete information.
• Deletion. Request deletion of your personal information, including account deletion.
• Portability. You can export your vehicle data at any time in JSON format from within the App.
• Withdraw consent. Where processing is based on consent, you may withdraw consent at any time.
• Object or restrict processing. Where applicable, you may object to or request restriction of certain processing activities.

To exercise these rights, contact us at support@managemyride.io. We will respond within the timeframe required by applicable law. We will not discriminate against you for exercising your rights.

12. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”), provides you with the following rights:

• Right to know. You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, the business or commercial purpose for collecting it, and the categories of third parties with whom we shared it.
• Right to delete. You have the right to request deletion of personal information we have collected from you, subject to certain exceptions.
• Right to correct. You have the right to request correction of inaccurate personal information.
• Right to opt out of sale or sharing. We do not sell personal information for monetary consideration, and we do not “share” personal information for cross-context behavioral advertising as defined by the CPRA.
• Right to limit use of sensitive personal information. We do not collect sensitive personal information as defined by the CPRA.
• Right to non-discrimination. We will not discriminate against you for exercising any of your CCPA rights.

To exercise these rights, contact us at support@managemyride.io. We may need to verify your identity before processing your request. You may also designate an authorized agent to make a request on your behalf, subject to verification.

Categories collected (in the past 12 months): identifiers (email, account ID); commercial information (subscription status, promo redemptions); internet or other electronic activity (App usage data); inferences (none).

12.1 California “Shine the Light” Law

California Civil Code § 1798.83 (“Shine the Light”) gives California residents the right to request, once per calendar year, information about personal information (if any) that we shared with third parties for those third parties’ own direct marketing purposes during the immediately preceding calendar year.

We do not share personal information with third parties for their direct marketing purposes. If you are a California resident and would like to make a Shine the Light request, email support@managemyride.io with “California Shine the Light Privacy Request” in the subject line. We will respond within 30 days.

13. European Privacy Rights (EEA, United Kingdom & Switzerland)

If you are located in the European Economic Area (“EEA”), the United Kingdom, or Switzerland, you have rights under the EU General Data Protection Regulation (“GDPR”) and the UK GDPR. The data controller is Avalanche Software Company LLC (see Section 1), and the legal bases on which we process your personal data are described in Section 4.

In addition to the rights described in Section 11 (Your Rights), you have the right to:

• Access the personal data we hold about you and obtain a copy of it.
• Rectification of inaccurate or incomplete personal data.
• Erasure (the “right to be forgotten”) of your personal data in certain circumstances.
• Restriction of processing in certain circumstances.
• Data portability — to receive your personal data in a structured, commonly used, machine-readable format (you can export your vehicle data from within the App).
• Object to processing carried out on the basis of our legitimate interests.
• Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of processing before withdrawal.
• Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects — we do not engage in such automated decision-making.

To exercise any of these rights, contact us at support@managemyride.io. We will respond within the time limits required by the GDPR and UK GDPR (generally within one month).

International transfers. Your personal data is processed and stored in the United States. Where we transfer personal data out of the EEA, the United Kingdom, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum, as described in Section 14.

Right to lodge a complaint. You have the right to lodge a complaint with your local data protection supervisory authority — in the United Kingdom, the Information Commissioner's Office (ICO) — if you believe our processing of your personal data infringes applicable law. We would appreciate the chance to address your concerns directly before you do so.

14. International Data Transfers

We are based in the United States, and the personal information we collect is processed and stored in the United States. If you access the App from outside the United States, you consent to the transfer of your information to the United States, which may have data protection laws different from those of your country. Where required by law, we use appropriate safeguards (such as Standard Contractual Clauses) for cross-border transfers of personal data.

15. Children's Privacy

The App is intended for adults and is not directed to anyone under the age of 18. We do not knowingly collect personal information from anyone under 18 and, consistent with the Children's Online Privacy Protection Act (“COPPA”), we never knowingly collect personal information from children under 13. If we learn that we have collected personal information from a person under 18, we will promptly delete it. If you believe a person under 18 has provided personal information to us, please contact us at support@managemyride.io.

16. Do Not Track Signals

Our Services do not respond to “Do Not Track” browser signals, as no industry consensus exists on how to interpret them. As described in Section 8 (Tracking), the App does not track you across apps or websites in the first place.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you through the App, by email (if we have your email address), or by updating the “Last Updated” date at the top of this page. Your continued use of the App after the updated Privacy Policy becomes effective constitutes your acceptance of the changes.

18. Contact Us

If you have questions, comments, or requests regarding this Privacy Policy or our privacy practices, please contact us at:

Avalanche Software Company LLC
455 Market St Ste 1940 #468884
San Francisco, CA 94105
Email: support@managemyride.io