Privacy Policy
At YugoVIN ("we," "us," or "our"), we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our VIN decoding API service.
1. Information We Collect
1.1 Account Information
When you create an account, we collect:
- Email address
- Name (optional)
- Company name (optional)
- Password (stored securely using industry-standard hashing)
1.2 Payment Information
When you subscribe to a paid plan, payment processing is handled by Stripe, Inc. We do not store your full credit card number. We receive and store:
- Last 4 digits of your card
- Card brand (Visa, Mastercard, etc.)
- Billing address
- Payment history and invoices
1.3 API Usage Data
When you use our API, we automatically collect:
- VINs you decode (stored for caching and improving service performance)
- API request timestamps
- Response times and status codes
- IP addresses
- API key identifiers
1.4 Technical Information
We automatically collect certain technical information:
- Browser type and version
- Operating system
- Referring URLs
- Pages viewed and time spent
2. How We Use Your Information
We use the information we collect to:
- Provide our services: Process VIN decode requests, manage your account, and deliver API responses
- Improve performance: Cache decoded VINs to provide faster responses
- Process payments: Bill for subscription services and manage your subscription
- Communicate with you: Send service updates, security alerts, and support responses
- Ensure security: Detect and prevent fraud, abuse, and security threats
- Comply with legal obligations: Meet regulatory requirements and respond to legal requests
- Improve our services: Analyze usage patterns to enhance features and user experience
3. Data Storage and Security
3.1 Data Storage
Your data is stored on secure servers provided by:
- Supabase: Authentication and user data (EU and US data centers)
- Hetzner: API services and cached data (Germany)
- Redis: Temporary caching (in-memory, no persistent storage)
3.2 Security Measures
We implement industry-standard security measures including:
- TLS 1.3 encryption for all data in transit
- AES-256 encryption for sensitive data at rest
- API key hashing using SHA-256
- Regular security audits and penetration testing
- Access controls and audit logging
3.3 Data Retention
We retain your data for the following periods:
- Account data: Until you delete your account, plus 30 days
- API usage logs: 90 days for troubleshooting, then aggregated for analytics
- Cached VIN data: Indefinitely (used to improve response times)
- Payment records: 7 years (legal requirement)
4. Third-Party Services
We use the following third-party services that may process your data:
- Stripe: Payment processing (Privacy Policy)
- Supabase: Authentication and database (Privacy Policy)
- Resend: Transactional emails (Privacy Policy)
- NHTSA: Vehicle data source (US Government agency)
- Cloudflare: CDN and security (Privacy Policy)
5. Your Rights
Depending on your location, you may have the following rights:
5.1 Access and Portability
You can request a copy of your personal data in a machine-readable format.
5.2 Correction
You can update your account information through your dashboard or by contacting us.
5.3 Deletion
You can request deletion of your account and associated data. Some data may be retained for legal compliance or legitimate business purposes (e.g., payment records, cached VIN data).
5.4 Restriction and Objection
You can request that we limit processing of your data or object to certain processing activities.
5.5 Withdraw Consent
Where we rely on consent, you can withdraw it at any time by updating your preferences or contacting us.
6. Cookies and Tracking
We use cookies and similar technologies for:
- Essential cookies: Required for authentication and security
- Analytics cookies: To understand how you use our service (can be disabled)
You can manage cookie preferences through your browser settings.
7. International Data Transfers
Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place, including Standard Contractual Clauses for EU data transfers.
8. Children's Privacy
Our service is not intended for children under 16. We do not knowingly collect personal information from children. If you believe we have collected such information, please contact us.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through our service. Your continued use after changes constitutes acceptance of the updated policy.
10. Contact Us
Privacy Inquiries
For privacy-related questions, data requests, or concerns:
- Email: [email protected]
- Support: [email protected]
We aim to respond to all privacy inquiries within 30 days.
11. Data Protection Officer
If you are an EU resident, you can contact our Data Protection Officer at [email protected] or lodge a complaint with your local supervisory authority.