Privacy Policy

App: CARTECA

Last updated: 2026-06-13

Controller: Innabit (innabitcontact@gmail.com)

1. Who We Are

CARTECA is a vehicle maintenance tracking application developed and operated by Innabit ("we", "us", "our"). This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the CARTECA mobile application (the "App").

We are the data controller within the meaning of the General Data Protection Regulation (GDPR) and Polish data protection law.

Contact: innabitcontact@gmail.com

2. Data We Collect

2.1 Account Data

When you register or sign in, we collect:

Email address

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) — necessary to create and maintain your account.

2.2 Vehicle & Maintenance Data

Data you enter manually in the App:

Vehicle details (make, model, year, fuel type, mileage)
Parts, service records, and maintenance history
Photos or documents attached to service entries

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) — this is the core service you signed up for.

2.3 Purchase & Subscription Data

When you subscribe to CARTECA Pro:

Subscription status and tier (Free / Pro)
Purchase history and transaction identifiers (processed by RevenueCat)
We do not store payment card details — these are handled entirely by the App Store (Apple) or Google Play.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR); Legal obligation for billing records (Art. 6(1)(c) GDPR).

2.4 Crash Reports & Analytics

We collect technical data to improve app stability:

Crash logs and stack traces (via Google Firebase Crashlytics)
Aggregated usage statistics — screens visited, feature usage frequency (via Google Firebase Analytics)
Device type, OS version, app version

This data is anonymised or pseudonymised and cannot be used to identify you directly. Analytics collection is off by default and only starts if you opt in within the App; you can decline and the App will collect no usage analytics.

Legal basis: Legitimate interests (Art. 6(1)(f) GDPR) — improving app reliability; consent (Art. 6(1)(a) GDPR) for usage analytics.

2.5 Invoice Scanning

If you use the optional invoice-scanning feature, the photo of the invoice you capture is sent to Anthropic's API for one-time text extraction. The image is processed transiently to return the extracted data and is not used to train models.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) — you requested the extraction.

3. How We Use Your Data

Purpose	Data used	Legal basis
Provide the CARTECA service	Account, vehicle, maintenance data	Contract
Sync your data across devices	Account, vehicle, maintenance data	Contract
Process Pro subscription	Purchase data	Contract
Send account emails (e.g. password reset)	Email address	Contract
Fix bugs and crashes	Crash reports	Legitimate interests
Improve features	Aggregated analytics	Legitimate interests
Comply with legal obligations	Billing records	Legal obligation

We do not sell your data to third parties. We do not use your data for targeted advertising.

4. Third-Party Services

We use the following sub-processors. Each operates under its own GDPR-compliant data processing agreements:

Service	Provider	Purpose	Privacy policy
Clerk	Clerk, Inc.	Account sign-in & authentication	https://clerk.com/legal/privacy
Neon	Neon, Inc.	Cloud database (your vehicle & maintenance data)	https://neon.tech/privacy-policy
Vercel	Vercel, Inc.	API hosting	https://vercel.com/legal/privacy-policy
Anthropic	Anthropic PBC	Invoice text extraction (transient)	https://www.anthropic.com/legal/privacy
Firebase Crashlytics	Google LLC	Crash reporting	https://policies.google.com/privacy
Firebase Analytics	Google LLC	Usage analytics (opt-in)	https://policies.google.com/privacy
RevenueCat	RevenueCat, Inc.	Subscription management	https://www.revenuecat.com/privacy

These providers are located in the United States. Data transfers are covered by Standard Contractual Clauses (SCCs) under Art. 46 GDPR.

5. Data Retention

Data type	Retention period
Account data	Until account deletion + 30 days
Vehicle & maintenance data	Until account deletion + 30 days
Purchase records	5 years (tax/legal obligation)
Crash logs	90 days (Firebase default)
Analytics data	14 months (Firebase default)

6. Your Rights (GDPR)

As an EU/EEA resident you have the right to:

Access — request a copy of your personal data
Rectification — correct inaccurate or incomplete data
Erasure ("right to be forgotten") — request deletion of your data
Data portability — receive your data in a machine-readable format
Restriction of processing — limit how we use your data in certain circumstances
Objection — object to processing based on legitimate interests
Withdraw consent — where processing is based on consent, you can withdraw it at any time

To exercise any of these rights, contact us at innabitcontact@gmail.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Polish supervisory authority:

Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warsaw
https://uodo.gov.pl

7. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

Encrypted data transmission (TLS/HTTPS)
Access controls restricting your data to authenticated account owners
No storage of plain-text passwords (authentication handled by Clerk)

8. Children's Privacy

CARTECA is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via the App or by email. Continued use of the App after the update constitutes acceptance.

10. Contact

Data Controller:
Innabit Tymoteusz Sikora
VAT ID: PL5833470933
ul. Nowomiejska 3 lok. II
80-864 Gdańsk, Poland
Email: innabitcontact@gmail.com

For data protection enquiries or to exercise your GDPR rights, please email the address above.