Privacy Policy

Last updated: May 9, 2026

[Company Legal Name] · [Company Address] · Privacy Contact: privacy@[yourdomain].com

1. Who This Policy Covers

This Privacy Policy explains how [Company Legal Name] (“ApexPitCore,” “we,” “us,” or “our”) handles personal information in connection with the ApexPitCore software-as-a-service platform. It applies to:

  • Shop accounts: Auto repair shop owners and their employees who use ApexPitCore to manage their business.
  • Vehicle owners / customers: Individuals whose vehicle and repair information is managed within ApexPitCore by a shop account.
  • Visitors: People who visit our website or contact us.

Shop accounts act as independent data controllers for the personal data of their vehicle owner customers. ApexPitCore acts as a data processor on their behalf for that data. See our Data Processing Agreement for details.

2. Information We Collect

Shop Account Data

When a shop creates an account and uses ApexPitCore, we collect:

  • Business name, address, phone number, and website
  • Owner and employee names, email addresses, phone numbers, and job titles
  • Account credentials (passwords are hashed — never stored in plain text)
  • Billing information processed through Stripe (we do not store card numbers or CVV codes)
  • Shop configuration settings, labor rates, and business preferences
  • Login history and session metadata

Vehicle Owner / Customer Data

Shops enter and manage information about their vehicle owner customers. This data is stored in ApexPitCore on the shop’s behalf and may include:

  • Names, email addresses, phone numbers, and mailing addresses
  • Vehicle information: year, make, model, VIN, license plate number, color, and mileage
  • Repair history, service descriptions, technician notes, and inspection results
  • Photos and documents uploaded during inspections or repair orders
  • Estimates, invoices, and payment transaction metadata
  • SMS and email communication history with the shop
  • Appointment records and scheduling history

Payment Data

Payment processing is handled entirely by Stripe, a PCI DSS Level 1 certified payment processor. ApexPitCore does not store credit card numbers, debit card numbers, CVV codes, or bank account details. We store only Stripe transaction identifiers and payment metadata (amount, date, status).

Analytics and Log Data

We collect application usage logs, error reports, and basic analytics to operate and improve the service. This includes IP addresses, browser/device information, and page interaction data. Log data is retained for 90 days.

SMS and Email Communications

SMS messages are sent through Twilio and email through Resend. We log message metadata (recipient, channel, timestamp, delivery status) and store a preview of message content. We record consent status for SMS communications in accordance with TCPA requirements.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the ApexPitCore platform
  • Process payments and manage shop subscriptions
  • Send transactional communications: appointment reminders, estimate approvals, invoices
  • Respond to support requests and troubleshoot issues
  • Monitor for security incidents and prevent fraud
  • Comply with legal obligations, including tax record retention
  • Improve the platform through aggregate, de-identified analytics

We do not sell personal information to third parties. We do not use vehicle owner customer data to build advertising profiles or to market unrelated services.

4. Sharing Your Information

We share information only as necessary to deliver the service or comply with legal requirements:

  • Service providers / subprocessors: Stripe (payments), Twilio (SMS), Resend (email), AWS (infrastructure), and others listed at /legal/subprocessors. These providers are contractually bound to use data only to provide services to us.
  • Legal compliance: We may disclose information when required by law or court order, or to protect the rights and safety of our users.
  • Business transfers: If ApexPitCore is acquired or merges with another company, your information may be transferred. We will notify affected users before such a transfer takes effect.

5. Data Retention

We retain different categories of data for different periods:

  • Account data: Retained for the duration of the subscription plus 3 years.
  • Financial records (invoices, payments): 7 years, as required for tax and business record purposes.
  • Vehicle and repair records: 7 years from last service date, or longer if required by state law.
  • Application logs: 90 days.
  • Security events: 2 years.
  • Deleted customer data: PII is anonymized. Financial record structure is retained for legal compliance with personal identifiers removed.

Full retention schedules are available at /legal/data-retention.

6. Security

We implement technical and organizational measures to protect personal information, including encryption in transit (TLS 1.2+), encryption at rest for sensitive fields, role-based access controls, multi-factor authentication support, audit logging, and intrusion monitoring. See our Security page for details.

No system is perfectly secure. If you discover a security vulnerability, please contact security@[yourdomain].com.

7. Your Privacy Rights (CCPA / CPRA — California)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

  • Right to Know: You may request a copy of the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: You may request deletion of your personal information, subject to exceptions for legal record retention.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt Out: You may opt out of the sale or sharing of your personal information (see Section 8 below).
  • Right to Limit Sensitive PI: You may request that we limit our use of sensitive personal information (see Section 9 below).
  • Right to Non-Discrimination: We will not discriminate against you for exercising these rights.
  • Right to Appeal: If we deny your request, you may appeal that decision.

To exercise any of these rights, submit a request at autoshopos.com/privacy/request or email privacy@[yourdomain].com. We will respond within 45 days.

We may need to verify your identity before processing your request. We will not require you to create an account or provide more information than is necessary for verification.

8. Do Not Sell or Share My Personal Information

ApexPitCore does not sell personal information. We do not share personal information with third parties for their direct marketing purposes. We share data only with service providers (subprocessors) who process it on our behalf under contractual restrictions.

If you are a California resident and wish to formally opt out of any future sale or sharing of your personal information, submit a request at /privacy/request and select “Opt out of sale/share.”

9. Limit Use of Sensitive Personal Information

We collect certain categories of sensitive personal information as defined under CPRA. In the context of ApexPitCore, this may include vehicle identification numbers (VINs) and precise geolocation if location services are enabled.

We use sensitive personal information only as necessary to provide the core service. You may request that we limit our use of this information to purposes permitted under CPRA by submitting a request at /privacy/request and selecting “Limit use of sensitive personal information.”

10. How to Exercise Your Privacy Rights

You may submit a privacy request through any of these channels:

We will acknowledge your request within 10 business days and complete it within 45 calendar days. If we need more time (up to an additional 45 days), we will notify you before the original deadline.

11. Cookies and Tracking

We use essential cookies and similar technologies to operate the platform. See our Cookie Policy for details.

12. Children

ApexPitCore is intended for use by adults operating businesses. We do not knowingly collect personal information from children under 16. If you believe we have collected such information inadvertently, contact privacy@[yourdomain].com.

13. Changes to This Policy

We may update this policy from time to time. When we make material changes, we will notify shop account holders by email at least 30 days before the changes take effect. Continued use of the service after the effective date constitutes acceptance of the updated policy.

14. Contact

For privacy-related questions or to exercise your rights:
privacy@[yourdomain].com
[Company Legal Name]
[Company Address]