Privacy

The controller of your personal data is Pedro Pujol Garrido, an individual based in Spain. You can reach us at help@garashe.com. Garashe is a digital vehicle portfolio tracking service operated by the controller as an information society service provider under Spanish law (LSSI-CE).

Account data

When you register and use your account, we process:

• Email and password (passwords are stored hashed, never in plain text).

• Username, avatar, banner, short bio, favorite brands, and privacy settings you control.

• Preferred language, market country, currency, units, and price alert threshold.

If you register with Google (OAuth), we receive from Google: your email, name, profile photo, and an internal identifier. What Google shares with us is also subject to Google's privacy policy.

Vehicle data

When you add a car to your garage, we record:

• VIN when you provide it, make, model, year, mileage, purchase price, date, and vehicle condition.

• Photos you upload.

• VIN verification data if you choose to validate it.

The VIN is decoded to identify make, model, and year. Decoding runs against external sources: first, the public NHTSA database (U.S. agency, free); and as a fallback, Vincario (paid service, based in the European Union). The VIN on its own is not, generally, personal data under Spanish law, but combined with your account, photos, or location it may become so, and we treat it with the same diligence as the rest of your data.

Messages you send us

When you write to us through the help form (/help), we collect your name, your email, and the content of your message. The content of the message, along with your name and email, is sent to Anthropic (an AI provider) to be automatically classified by priority (urgent, important, normal, or spam). The classification result and the reasoning generated by the AI are stored in our database alongside the original message. See section 7 (Artificial intelligence processing) for more detail.

Technical and usage data

• Your IP address when you interact with the service. We use it to apply rate limits on sensitive actions such as VIN decoding or message sending, and we keep it next to help form messages as technical evidence in case of abuse.

• Strictly necessary cookies (see section 10).

• Aggregate usage data collected by Vercel Analytics and Vercel Speed Insights without tracking cookies or personal identifiers (see section 8).

• The date and version of the consent you gave at registration.

What we don't do

We don't use advertising or tracking cookies. We don't sell your data to third parties. We don't share it with social networks for ads. We don't send commercial emails or newsletters: the only emails you'll receive from us are operational (welcome, password recovery, price alerts you opt into, and human replies to your correspondence with help@garashe.com).

We process your data on the following legal grounds under the GDPR (Art. 6):

• Performance of a contract(Art. 6(1)(b)): to provide the service you contracted by registering.
• Consent(Art. 6(1)(a)): for specific actions such as accepting this policy and the terms during registration.
• Legitimate interest(Art. 6(1)(f)): to ensure the security of the service, prevent abuse and fraud, and classify messages received through /help by priority.
• Legal obligation(Art. 6(1)(c)): when a law requires us to retain or hand over information (for example, in response to a court order).

Account and vehicle dataWhile your account is active, we keep your data to provide the service. When you ask us to delete your account:

• Your account enters a 30-day grace period. During those 30 days, your profile is no longer publicly visible, but the data still exists in our database.

• If within those 30 days you email help@garashe.com asking to undo the deletion, we can restore your account.

• After the 30 days, we execute the definitive physical deletion: your profile, vehicles, historical valuations, photos, preferences, and authentication account are erased irreversibly.

Help form messagesMessages you send us through /help are retained for a maximum of 24 months from receipt, together with their automatic classification and the AI's reasoning. You can request early deletion of your messages by writing to help@garashe.com with a reasonable reference (for example, the email address you sent them from).

Backups and technical logsRoutine backups by our providers may retain your data for a few additional days until the next purge cycle; they are not used except for incident recovery. IP records in rate limits are kept for a maximum of 90 days.

Legal obligationsWe keep separately, and for as long as legally required, the minimum data necessary to comply with legal obligations.

As the data subject, you have the rights recognized by the GDPR (Arts. 15 to 22):

• Access and portability(Arts. 15 and 20): you can download all your data in JSON format from Settings → Privacy & data → Download my data.
• Rectification(Art. 16): you can modify your profile, settings, and vehicle data within the application itself. For changes the interface does not allow, contact us.
• Erasure / right to be forgotten(Art. 17): you can delete your account from Settings → Privacy & data → Delete my account. The 30-day grace period described above will apply.
• Restriction of processing(Art. 18): you can ask us to pause the processing of certain data.
• Objection(Art. 21): you can object to processing based on legitimate interest, including the automatic classification of your support messages.
• Automated decisions and human review(Art. 22): the automatic classification of messages you send through /help may affect the priority with which we respond, and even whether they are reviewed at all (for messages classified as spam). You have the right to request human review, to express your point of view, and to challenge it. To exercise this, write to help@garashe.com referencing the original submission. Market valuations of vehicles are also automated calculations, but they are informational and do not produce legal effects concerning you (see section 6).

To exercise any of these rights, you can use the tools built into the application or email help@garashe.com. We will respond within one month of the request.

For many vehicles, Garashe displays an estimated market value. It's important to understand what this figure is and isn't:

• It is an algorithmic estimate calculated from public sale listings of vehicles comparable to yours.

• The market data source is AutoScout24, collected automatically via a scraping provider (Apify) and refreshed periodically with intermediate caching to limit queries.

• The algorithm applies statistical filters (outlier removal via IQR, mileage adjustment, cascading geographic search) to produce a confidence range, not a single price.

• It is not an official appraisal. It does not replace the professional judgment of an appraiser, valuer, seller, or dealer. You should not base purchase, sale, insurance, or financing decisions solely on this number.

• We are not liable for economic consequences arising from the use of these valuations as the sole reference for a transaction.

If you'd like to understand how it's calculated in more detail, email help@garashe.com.

We use artificial intelligence models provided by Anthropic (Anthropic, PBC, United States) for three specific tasks. Queries travel to Anthropic's API under a commercial agreement: inputs are not used to train their models and are retained for up to 30 days for abuse detection purposes, in accordance with the service's current terms.

• Classification of help form messages. When you write to /help, we send your name, your email, and the content of your message to Anthropic's model to assign an automatic priority (urgent, important, normal, or spam). The result and the reasoning generated by the AI are stored in our database alongside the original message. Legal basis: legitimate interest (Art. 6(1)(f) GDPR) in managing support efficiently. Your right to human review is described in section 5.
• Weekly digest for the controller. Once a week, an automated process sends Anthropic the help form messages received over the past seven days (including names, emails, and contents) to generate a digest that the controller receives. This means that data from several users may be processed in the same query for internal administration purposes. Legal basis: legitimate interest in reviewing service activity.
• Historical information on vehicle models. When you view a car or generation page, we may send Anthropic the make, model, and year (public vehicle information) to generate a brief historical summary. No personal data is sent in this operation.

We do not use AI services from OpenAI or any other provider in production. If we incorporate other providers or flows in the future, we will update this policy.

To provide the service, we work with the following data processors. All are bound by data processing agreements (Art. 28 GDPR), and when they process data outside the European Economic Area, they do so under the European Commission's Standard Contractual Clauses (SCCs):

• Supabase. Supabase Inc., U.S., with data hosted on European infrastructure — authentication, relational database, and image storage.
• Vercel. Vercel Inc., U.S., under SCCs — frontend hosting, content delivery, Vercel Analytics (aggregate analytics without tracking cookies), and Vercel Speed Insights (performance metrics).
• Resend. Resend, Inc., U.S., under SCCs — delivery of all transactional emails: registration, password recovery, email confirmation, price alerts you opt into, and forwarding of help form messages to the administrative inbox. Resend is configured as Supabase Auth's SMTP provider, so it also covers the emails generated by the authentication layer.
• Zoho Mail. Zoho Corporation, India / U.S., under SCCs — human inbox at help@garashe.com where help form messages land and from which the controller replies manually.
• Anthropic. Anthropic, PBC, U.S., under SCCs — AI models used for the tasks described in section 7.
• Apify. Apify Technologies s.r.o., Czech Republic, EU — runs automated collection of public listings from AutoScout24 on our behalf. It does not access your personal data, but we declare its role as a processor due to the queries it executes on behalf of Garashe.
• Vincario. Lithuania, EU — optional VIN decoding when you add a vehicle, to identify make, model, and year.

If we add or replace providers in the future, we will update this list.

To enrich the service, we consult several public sources that do not process your personal data, but rather information that is publicly available. We mention them for transparency:

• AutoScout24 — public vehicle sale listings, used as the basis for market valuations (section 6).

• NHTSA (National Highway Traffic Safety Administration, U.S.) — public VIN decoding.

• API Ninjas and Car2DB — public catalogs of vehicle models and technical specifications.

• Frankfurter API — exchange rates published by the European Central Bank.

None of these sources receives personal data from our users.

Garashe uses only strictly necessary cookies for the operation of the service:

• NEXT_LOCALE: remembers the language you've chosen.

• Supabase session cookies (sb-*): keep you logged in.

Vercel Analytics and Vercel Speed Insights, which we use to understand aggregate use and performance of the service, do not use tracking cookies and do not allow you to be personally identified.

We do not use advertising, social-network, or third-party tracking cookies. For this reason, we do not display a cookie banner: the Spanish Data Protection Agency allows operating without a banner when all cookies are strictly necessary to provide the service the user has requested.

If at any point we add non-essential cookies or technologies (tracking analytics, advertising pixels, etc.), we will first implement a compliant consent management system. You can consult the dedicated cookie page at /cookies for more detail.

We apply reasonable technical and organizational measures to protect your data:

• Communications encrypted via HTTPS throughout the service.

• Passwords stored using modern hashing functions (not in plain text).

• Database access restricted via row-level security rules.

• Administrative access limited to the controller.

• Rate limits by IP address on sensitive endpoints to prevent abuse.

No security measure is perfect. If you detect a problem or vulnerability, please contact us at help@garashe.com.

Garashe is not directed at persons under 16 years of age, in accordance with Spanish legislation on the digital consent of minors. If you are under 16, you should not register or provide personal data through the service. If we become aware that an account has been created for a minor below that age without the consent of their legal guardians, we will proceed to delete it.

If we modify this policy in a substantive way, we will notify you by email at the address you registered with and, when appropriate, ask you to accept it again. Minor changes (wording, clarifications, provider list updates) will be published directly on this page by updating the "last updated" date.

This policy is governed by Spanish and European Union law: the General Data Protection Regulation (GDPR), Spanish Organic Law 3/2018 on Personal Data Protection and the guarantee of digital rights (LOPDGDD), and Spanish Law 34/2002 on Information Society Services and Electronic Commerce (LSSI-CE).

In case of any discrepancy between this English version and the Spanish version of this Privacy Policy, the Spanish version shall prevail.