Privacy policy

Last updated: April 28, 2026

This policy explains what data we collect, why we collect it, and how we protect it. We keep it plain, with no legalese for its own sake. If anything is unclear, write to us at

1. Data controller

Carvix is operated from Romania. For any data-related question or to exercise your rights, write to us at contact@carvix.ro. For complaints about how your data is processed you may also contact the Romanian Data Protection Authority (ANSPDCP), www.dataprotection.ro, or your local supervisory authority in the EU.

2. What we collect

  • Account: email, first and last name, password (stored hashed; we never see it in plain text)
  • Vehicles: license plate, brand, model, VIN, year, color, starting mileage, fuel type
  • Expenses: type, amount, date, supplier, invoice number, notes, fuel quantity
  • Revisions: type, date, mileage, cost, description, supplier, next revision date and mileage
  • Documents: expiry dates for insurance, roadworthiness, vignette
  • Technical: server-side IP logs (kept short-term for security), browser type, last login time

3. Legal basis

  • Performance of contract (GDPR art. 6.1.b) — vehicle, expense and revision data are necessary for the app to work
  • Legitimate interest (GDPR art. 6.1.f) — technical logs for security and debugging
  • Consent (GDPR art. 6.1.a) — optional cookies (analytics), push notifications

4. Subprocessors

We do not sell data and do not share it with third parties for marketing. We do rely on the following providers who process your data strictly to keep the app running:

  • Supabase (Frankfurt, EU) — database and authentication
  • Vercel Inc. (US) — application hosting. Transfers covered by Standard Contractual Clauses
  • Resend (US / EU) — confirmation and alert emails

5. How long we keep your data

  • Active account: for as long as you use the app
  • Deleted account: removed immediately from active storage; backups are purged within 30 days
  • Technical logs (IP, user agent): 30 days
  • Soft-deleted records (trash): 30 days, then permanently removed

6. Your rights under GDPR

  • Access — we can send you an export of your data
  • Rectification — you can edit any field directly in the app
  • Erasure ("right to be forgotten") — via /account → Delete account, or by email
  • Portability — we provide your data in JSON or CSV
  • Objection — you can object to processing based on legitimate interest
  • Withdraw consent — for optional cookies and notifications, anytime
  • Complaint — file directly with ANSPDCP (www.dataprotection.ro) or your local DPA

7. Cookies and similar technologies

By default we only set strictly necessary cookies. Optional ones load only after you click "Accept all" in the cookie banner.

  • Essential: Supabase auth cookies, language preference (RO/EN)
  • Optional (with your consent): Vercel Analytics and Speed Insights, both anonymous, no personal identifiers

8. Security

Data is transmitted over HTTPS/TLS. Passwords are stored hashed with bcrypt via Supabase Auth. Database access is isolated per user with Row Level Security policies — no other user can see your records, whether through the app or via the raw API.

9. Changes

We may update this policy when we ship features that change data handling (e.g. payments, attachments). For significant changes we email you and bump the date above.

10. Contact

For any data-related question or to exercise your rights: contact@carvix.ro
