Privacy Policy

Last updated: May 15, 2026 · Effective: launch date

Plain English: We collect only what we need to make Auttiv work for you. We never sell your data. You own your leads and can delete them anytime.

In this document

Who we are
What information we collect
How we use it
Who we share it with
How long we keep it
Your rights (GDPR, CCPA, LGPD, etc.)
International transfers
Security
Cookies & tracking
Changes to this policy
Contact

1. Who we are

Auttiv ("we", "us", "our") is operated by Auttiv Group LLC, a Texas limited liability company. Our website is auttiv.com. For privacy questions: privacy@auttiv.com.

2. What information we collect

From sellers (our customers)

Account info: email, name, password (hashed), phone, city, state, dealership, preferred language, role
Billing: handled by Stripe — we never see your full card number; we store the last 4 digits and expiry only
Lead data you input: the contact info and conversation history of your prospects
Usage data: which features you use, when, from which device — to improve the product

From buyers (visitors to the public marketplace)

Browsing data: approximate location (city-level via IP), pages viewed, time on page
When you submit interest in a car: first name, phone, email, vehicle of interest
Cookies: see Section 9 below

3. How we use it

We use your information to:

Operate the platform (CRM, messaging, marketplace)
Process payments and prevent fraud
Send service emails (account alerts, billing, security)
Improve the product (anonymized usage analytics)
Comply with legal obligations (tax records, TCPA consent, GDPR requests)

We do not:

Sell your data to third parties
Share lead lists with other Auttiv sellers (your leads stay yours)
Use your data to train AI models that benefit other customers
Send marketing emails without your opt-in

4. Who we share it with

We share information only with service providers who help us run the platform, under strict data processing agreements:

Supabase: hosted database and authentication (AWS us-east region)
Stripe: payment processing
Twilio: SMS and voice (when you use those features)
Anthropic / OpenAI: AI features (we send the minimum text needed; no PII is retained for training)
ElevenLabs / Vapi: voice cloning and AI phone receptionist (Pro+ only)
Vercel / Netlify: static site hosting
Sentry / LogRocket: error monitoring (no message content)

We do not transfer data to law enforcement except as required by valid legal process. We will notify you of any such request unless legally prohibited.

5. How long we keep it

Account data: while your account is active + 30 days after deletion request
Lead data: as long as you keep it in your CRM; you can delete any lead anytime
Billing records: 7 years (tax law)
SMS / call logs: 2 years (compliance with TCPA)
AI conversation logs: 90 days, then aggregated/anonymized

6. Your rights

Depending on where you live, you have rights to access, correct, delete, export, and object to processing of your data:

EU / UK (GDPR): Articles 15-22 — access, rectification, erasure, restriction, portability, objection
California (CCPA/CPRA): right to know, delete, correct, opt-out of sale (we don't sell)
Brazil (LGPD): Articles 18-22 — access, correction, anonymization, portability, deletion
Mexico (LFPDPPP): ARCO rights — access, rectification, cancellation, opposition
Canada (PIPEDA), Australia (Privacy Act), India (DPDPA): equivalent rights

To exercise any right: email privacy@auttiv.com. We respond within 30 days (or shorter where law requires).

7. International transfers

Auttiv operates globally. Your data may be processed in the United States, European Union, and other regions where our service providers operate. For EU/UK customers, we use Standard Contractual Clauses (SCCs) approved by the European Commission. For Brazil, we use ANPD-approved transfer mechanisms.

8. Security

See our Security page for full detail. Highlights:

All data encrypted in transit (TLS 1.3) and at rest (AES-256)
Row-Level Security on every database table
SOC 2 Type I (in progress), Type II within 12 months of launch
SSO + MFA available for Enterprise customers
Quarterly third-party penetration tests

9. Cookies & tracking

See Cookies Policy. Quick summary:

Strictly necessary: session cookies for login (cannot disable)
Functional: remember your language and theme (opt-in)
Analytics: aggregated usage stats via Plausible (privacy-respecting, no PII, no cross-site tracking)
No advertising cookies. No tracking pixels. No third-party data brokers.

10. Changes to this policy

If we make material changes, we'll email all active customers at least 30 days before they take effect. Minor changes (clarifications, typo fixes) are noted in the "Last updated" date above.

11. Contact

Data Protection Officer: dpo@auttiv.com
General privacy: privacy@auttiv.com
Legal: legal@auttiv.com
Mailing address: [TO BE FILLED — LLC address]

For EU representative: [GDPR Art. 27 rep to be appointed].