Privacy Policy

1. Overview

AutoRevs provides a cloud-based Dealer Management System (DMS), advertisement automation tools, website builder, and CRM software to pre-owned car dealerships in India. In the course of providing these Services, we collect and process personal data about dealership owners, employees, customers, and website visitors.

This Privacy Policy complies with:

• The Information Technology Act, 2000 and the IT (Amendment) Act, 2008 (India)
• The Digital Personal Data Protection Act, 2023 (DPDPA) (India)
• Meta's Platform Policy and Developer Terms (applicable where our Services integrate with Meta products)
• The General Data Protection Regulation (GDPR) where applicable to EU data subjects

2. Data We Collect

2.1 Information You Provide Directly

• Account registration: Full name, business name, email address, mobile number, dealership address, GSTIN, PAN number
• Profile information: Dealership logo, branch locations, team member details
• Vehicle inventory: Vehicle details, photos, pricing, RC/insurance documents uploaded to the platform
• Customer records: Lead names, phone numbers, emails, enquiry details entered into the CRM
• Payment information: Billing address, GST details. Card/UPI details are processed by Razorpay and are never stored on AutoRevs servers.
• Communications: Messages sent via contact forms, support chats, emails, or WhatsApp to AutoRevs

2.2 Information Collected Automatically

• Usage data: Pages visited, features used, actions taken within the platform, session duration, click patterns
• Device data: IP address, browser type, operating system, device model, screen resolution
• Log data: Server logs, error logs, API call logs with timestamps
• Location data: Approximate geolocation derived from IP address; precise location only if you grant permission on mobile
• Cookies and similar technologies: As described in Section 6

2.3 Information from Third-Party Integrations

When you connect third-party platforms to AutoRevs, we may receive data from those platforms:

• Meta (Facebook/Instagram): Ad account IDs, Page IDs, ad performance metrics, audience insights, lead form submissions — subject to Meta's permissions model and your granted access scopes
• Google: Google Ads account data, Google Analytics metrics, Google My Business data
• OLX / CarDekho / Cars24: Listing performance data, enquiry data via API
• WhatsApp Business API: Message metadata, lead contact numbers (no message content is stored without explicit consent)

3. How We Use Your Data

We use the data we collect for the following purposes:

3.1 Service Delivery

• To create and manage your AutoRevs account
• To provide, operate, and improve the DMS, CRM, advertising, and website builder features
• To process payments and generate GST invoices
• To sync inventory data across connected advertising platforms
• To send transactional communications (e.g., subscription confirmations, payment receipts, OTPs)

3.2 Analytics and Product Improvement

• To understand how users interact with the platform and improve feature design
• To diagnose bugs, errors, and performance issues
• To conduct internal research and develop new features

3.3 Marketing Communications

• To send newsletters, product updates, and promotional offers (with your consent; you may opt out at any time)
• To run retargeting campaigns on Meta, Google, and other platforms using anonymized or hashed audience data

3.4 Legal and Safety

• To comply with applicable laws, regulations, and legal processes
• To detect, prevent, and respond to fraud, abuse, and security threats
• To enforce our Terms of Service

Legal basis for processing (GDPR Article 6): Contract performance, legitimate interests, legal obligation, and consent (where indicated).

4. Meta Platform Data — Developer Policy Compliance

4.1 Meta Data We Access

AutoRevs integrates with Meta's Marketing API and Graph API to enable our Advertisement Tools feature. With your explicit authorization ("OAuth grant"), we may access:

• Your Facebook Page name, ID, and access token
• Your Facebook Ads Manager account — campaigns, ad sets, ads, spend data, and performance metrics
• Your Instagram Business Account linked to your Facebook Page
• Leads collected via Facebook Lead Ads / Instagram Lead Forms (with your explicit setup)
• Page Insights (reach, impressions, engagement) — only aggregated, anonymized data

4.2 How We Use Meta Data

• Meta data is used solely to provide the advertising automation features you have enabled within AutoRevs
• We do not sell Meta user data to any third party
• We do not use Meta data for independent profiling or any purpose outside the scope of services you have requested
• We do not share Meta data with data brokers, advertisers outside your account, or any unauthorized parties
• Lead data collected via Facebook Lead Ads is synced into your AutoRevs CRM for your use only — it is not shared with other AutoRevs customers

4.3 Meta Data Storage and Deletion

• Meta access tokens are stored in encrypted form and are automatically refreshed or revoked when you disconnect your Meta account
• Upon disconnecting Meta integration, all stored Meta tokens and associated campaign metadata are deleted within 30 days
• Upon account deletion, all Meta data is purged within 90 days
• Users may request immediate deletion of Meta-sourced data by contacting [email protected]

4.4 Meta Permissions Used

AutoRevs requests only the minimum permissions required to provide the services you activate:

• ads_management — to create and manage ad campaigns on your behalf
• ads_read — to read ad performance metrics
• pages_manage_ads — to manage ads connected to your Page
• pages_read_engagement — to read Page Insights
• leads_retrieval — to retrieve lead form submissions
• instagram_basic — to connect Instagram Business Account

You may revoke any or all permissions at any time via your Facebook App Settings.

4.5 Meta Data Sharing

AutoRevs does not transfer, sell, or license Meta user data to third parties except:

• As required by law or valid legal process
• To our infrastructure providers (AWS, encrypted) who are bound by data processing agreements
• To Meta itself for technical and security purposes as part of API usage

4.6 Compliance with Meta Platform Terms

AutoRevs complies with Meta's Platform Terms, Developer Policies, and Meta's Privacy Policy. Our use of Meta Platform data is governed by Meta's terms in addition to this Privacy Policy.

5. Data Sharing and Disclosure

We do not sell your personal data. We may share data in the following limited circumstances:

5.1 Service Providers (Sub-Processors)

We share data with trusted service providers who help us operate the platform. All sub-processors are bound by data processing agreements:

• Amazon Web Services (AWS): Cloud hosting and storage (data centers in Mumbai, India)
• Razorpay: Payment processing (PCI-DSS compliant)
• Twilio / WhatsApp Business API: Message delivery
• Google Analytics / Mixpanel: Product analytics (anonymized)
• Intercom / Freshdesk: Customer support
• SendGrid / Mailchimp: Email delivery

5.2 Business Transfers

If AutoRevs is involved in a merger, acquisition, or asset sale, your data may be transferred as part of that transaction. We will provide notice before your data is transferred and becomes subject to a different privacy policy.

5.3 Legal Requirements

We may disclose data when required by law, court order, government authority, or to protect the rights and safety of AutoRevs, our users, or the public.

5.4 With Your Consent

We may share data for any other purpose with your explicit prior consent.

6. Cookies and Tracking Technologies

We use cookies and similar tracking technologies (web beacons, pixels) on our websites and platform. You can control cookies through your browser settings.

6.1 Types of Cookies We Use

• Strictly Necessary: Required for the platform to function (session cookies, authentication tokens). Cannot be disabled.
• Performance / Analytics: Help us understand usage patterns (Google Analytics, Mixpanel). You may opt out.
• Functional: Remember your preferences (language, theme, layout settings).
• Marketing / Advertising: Track conversions from ads we run on Meta and Google. Includes the Meta Pixel on our public website — which may collect your browser and activity data per Meta's own privacy policy.

6.2 Meta Pixel

Our public marketing website (autorevs.co.in) uses the Meta Pixel to measure the effectiveness of our Facebook/Instagram advertisements and to build custom audiences. This pixel collects:

• Standard events (PageView, Lead, Purchase) when you interact with our website
• Browser and device information
• Hashed email addresses (if you submit a form) sent to Meta in encrypted form

You can opt out of Meta Pixel tracking via Meta's Ad Preferences or by enabling "Do Not Track" in your browser.

7. Data Retention

• Active account data: Retained for the duration of your subscription plus 6 months after cancellation
• Financial records / Invoices: Retained for 8 years as required by Indian tax law (GST Act)
• Log data: Retained for 90 days
• Marketing communications consent logs: Retained for 3 years
• Meta API data: Deleted within 30 days of integration disconnection; within 90 days of account deletion
• Deleted account data: All personal data purged within 90 days of account deletion request, except where retention is legally mandated

8. Your Rights and Choices

Under applicable laws (DPDPA 2023, GDPR), you have the following rights regarding your personal data:

• Right to Access: Request a copy of the personal data we hold about you
• Right to Correction: Request correction of inaccurate or incomplete data
• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal data (subject to legal retention obligations)
• Right to Restriction: Request that we limit processing of your data in certain circumstances
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests or for direct marketing
• Right to Withdraw Consent: Withdraw consent at any time without affecting the lawfulness of prior processing
• Right to Lodge a Complaint: Lodge a complaint with the Data Protection Board of India or applicable supervisory authority

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

8.1 Marketing Opt-Out

You can unsubscribe from marketing emails at any time using the "Unsubscribe" link in any email, or by emailing [email protected]. Transactional emails (receipts, OTPs) cannot be opted out of while your account is active.

9. Data Security

We implement industry-standard security measures to protect your data:

• Encryption in transit: All data transmitted between your device and AutoRevs servers is encrypted using TLS 1.2/1.3 (HTTPS)
• Encryption at rest: Sensitive fields (API tokens, passwords) are encrypted using AES-256
• Access control: Role-based access control (RBAC); principle of least privilege for all staff
• Infrastructure: Hosted on AWS Mumbai with SOC 2-compliant data centers; daily automated backups
• Vulnerability management: Regular security audits, penetration testing, and dependency scanning
• Incident response: We will notify affected users within 72 hours of a confirmed data breach per applicable law

While we take all reasonable precautions, no method of transmission over the internet is 100% secure. Use of our Services is at your own risk.

10. Children's Privacy

AutoRevs Services are intended for business use by adults aged 18 and above. We do not knowingly collect personal data from individuals under 18 years of age. If we become aware that a person under 18 has provided us with personal data, we will delete that information promptly. If you believe a minor has provided us with data, contact us at [email protected].

11. Third-Party Links and Services

Our platform may contain links to third-party websites (OLX, CarDekho, Google, Meta, etc.). This Privacy Policy applies only to AutoRevs. We are not responsible for the privacy practices or content of third-party sites. We encourage you to review the privacy policies of any third-party services you use in connection with AutoRevs.

12. International Data Transfers

AutoRevs primarily stores and processes data in India (AWS Mumbai). Where data is transferred outside India to fulfill service delivery (e.g., email delivery via SendGrid, support tools), we ensure adequate safeguards are in place, including Standard Contractual Clauses (SCCs) for GDPR compliance where applicable.

13. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, platform features, or applicable law. When we make material changes:

• We will update the "Last Updated" date at the top of this page
• We will send an email notification to registered users at least 14 days before changes take effect
• For significant changes (e.g., new types of data sharing), we will seek fresh consent where required

Continued use of AutoRevs after the effective date of changes constitutes acceptance of the updated policy.

14. Contact Us / Data Protection Officer

For Meta-related data requests or to request deletion of data obtained via Meta Platform APIs, please email [email protected] with subject line "Meta Data Request".

For Data Protection Board of India grievances, write to our Grievance Officer at the address above, referencing the Digital Personal Data Protection Act, 2023.