Privacy Policy

Effective date: June 9, 2026 · Last updated: June 9, 2026

1. Introduction

MotoMetrics ("MotoMetrics," "we," "us," or "our") provides a vehicle diagnostic and purchase-protection platform that helps consumers evaluate used vehicles, monitor on-board diagnostics (OBD-II), capture condition evidence, and understand repair and recall risk. This Privacy Policy explains what information we collect, how we use it, with whom we share it, and the choices available to you.

By using MotoMetrics — including our website at app.motometrics.co, progressive web experience, iOS application, Android application, or related APIs — you agree to this Privacy Policy. If you do not agree, please do not use the service.

2. Scope

This policy applies to:

The MotoMetrics web application and hosted backend services operated on Netlify;
Native MotoMetrics apps distributed via TestFlight, the Apple App Store, or other official channels;
Cloud APIs used for sign-in, telemetry sync, AI advisory chat, market valuation, and receipt intake;
Local processing performed on your phone, tablet, or computer (including Bluetooth OBD communication and on-device storage).

MotoMetrics is intended for individuals evaluating or owning passenger vehicles. It is not a medical, legal, or financial advisory service. Diagnostic outputs are informational estimates and do not replace a professional inspection or certified emissions test.

3. Information we collect

We collect information in the categories below. Not every category applies to every user or session.

3.1 Account and identity

Email address — when you sign in to sync runs or use cloud features;
Display name — optional name you provide at sign-in;
Invite code — if you authenticate with a beta tester invite code instead of email;
Tester cohort / label — internal tags assigned for beta program management (e.g., "beta", field-test group);
Session token — a cryptographic token stored on your device to keep you signed in; we store a hashed form on our servers.

3.2 Vehicle and OBD diagnostic data

When you connect an OBD-II adapter (Bluetooth, Wi‑Fi, or simulation mode), MotoMetrics may process:

Vehicle Identification Number (VIN) read from the ECU or entered manually;
Year, make, model, trim decoded from VIN or selected manually;
OBD-II PID responses — e.g., coolant temperature, engine speed, vehicle speed, module voltage, oil temperature;
Readiness monitor status and emissions-related indicators;
Diagnostic trouble codes (DTCs) and related hex responses;
ELM327 session logs — command/response transcripts used for scan quality and debugging;
Code-wipe / readiness heuristics — derived flags when scan patterns suggest recent ECU resets;
Bluetooth adapter identifiers — device ID and advertised name saved locally to enable reconnect;
Background monitor samples — periodic OBD readings while connected, including baseline learning metadata.

3.3 Capture and user-provided content

Photos and videos of VIN plates, vehicle condition, receipts, or issues (Capture tab);
Audio recordings — engine sound samples when you respond to monitor prompts or upload media;
Free-text notes — questions, symptom descriptions, smell/sound observations, negotiation notes;
VIN verification checklists — which physical VIN locations you inspected;
Invoice / receipt text — extracted via on-device OCR or uploaded documents;
Scenario mode — whether you are buying, owning, or selling a vehicle (affects analysis framing).

3.4 Location and market preferences

Country / region — e.g., United States, Canada, Ontario, California (user-selected);
ZIP or postal code — optional, for regional market valuation and tax estimates;
Currency and units — imperial vs. metric preferences.

MotoMetrics does not continuously collect precise GPS location. We do not request always-on location permission. Postal codes are provided by you and used only for market context.

3.5 AI advisor interactions

When you use Ask Moto (vehicle AI advisor), we send:

Your chat messages and conversation history within the session;
A structured context snapshot derived from your current vehicle, scan results, financial exposure estimates, recall counts, and scenario mode — not your full raw OBD transcript unless included in that snapshot.

AI responses are generated by third-party large language model providers (see Section 6).

3.6 Device, app, and technical data

Telemetry records may include:

Browser or app user agent, host name, language, time zone;
Screen dimensions and device pixel ratio;
Approximate network type (e.g., 4G, Wi‑Fi) where exposed by the browser;
App version and build timestamp;
Connection mode (simulation, Bluetooth, or Wi‑Fi bridge);
Session identifiers used to group runs on a single device.

3.7 Aggregated knowledge base

When cloud sync succeeds, your run metadata may contribute to an internal aggregate knowledge base (counts by vehicle, scan quality trends, tester activity). Aggregates do not publish your raw photos or full chat logs to other users.

4. How we use information

We use collected information to:

Perform OBD-II scans, silent monitoring, and multi-modal vehicle analysis;
Decode VINs, look up NHTSA recalls and complaints, and estimate repair exposure;
Store and display your session history, garage, and capture evidence on your device;
Sync runs to your account in the cloud when you are signed in and online;
Power the AI vehicle advisor with context-aware answers;
Improve scan quality, adapter compatibility, and field-test workflows;
Operate beta programs, authenticate testers, and prevent abuse of cloud APIs;
Comply with law and enforce our terms.

We do not sell your personal information. We do not use your data for third-party advertising profiles.

5. Where data is stored

5.1 On your device (local)

Much of your data stays on your phone or computer unless you sign in and cloud sync succeeds:

IndexedDB — telemetry runs, capture metadata;
IndexedDB (capture media) — photo, audio, and video blobs linked to records;
localStorage — sign-in session, UI preferences, saved Bluetooth adapter ID, theme, tab state, odometer entries, and similar settings.

Local data remains until you clear app storage, uninstall the app, or use in-app delete/export controls where available.

5.2 Cloud (when sync is enabled)

When you are signed in and connected, diagnostic and capture records may be transmitted to our backend hosted on Netlify (including Netlify Blobs storage) at endpoints such as /api/telemetry and /api/user-auth. Cloud records are associated with your tester account when authenticated.

5.3 What typically stays local only

Full-resolution capture media blobs (unless you explicitly export or a future feature uploads them);
Raw Bluetooth pairing secrets beyond adapter ID/name;
Unsigned / offline sessions when cloud sync fails (queued for retry).

We share or transmit data only as described below.

6.1 Service providers

Netlify — hosting, serverless functions, and encrypted blob storage for telemetry and user accounts;
OpenAI and/or Google (Gemini) — AI advisor chat completions when those API keys are configured server-side; your message and structured vehicle context are sent to generate a reply;
Auto.dev (optional) — market listing comparables when an API key is configured; query includes vehicle attributes and postal code you provided;
Apple — TestFlight and App Store distribution, crash diagnostics per Apple's policies;
Google — Play Store distribution if Android builds are published.

6.2 Public and government data sources (client-initiated)

Your browser or app may call these APIs directly for vehicle research:

NHTSA vPIC — VIN decoding (vpic.nhtsa.dot.gov);
NHTSA Recalls & Complaints APIs — safety campaigns and consumer complaints by YMM;
CDN libraries — e.g., Lucide icons and Tesseract.js for on-device OCR (requests go to those CDNs; image bytes are processed locally when OCR runs on-device).

6.3 Legal and safety

We may disclose information if required by law, court order, or to protect rights, safety, and security of users and the public.

6.4 Business transfers

If MotoMetrics is involved in a merger, acquisition, or asset sale, user information may transfer as part of that transaction with notice where required by law.

7. Device permissions

7.1 Bluetooth (iOS and Android native apps)

Used to discover and connect to ELM327 OBD-II adapters. We access Bluetooth only when you initiate a scan or enable auto-reconnect. iOS uses Core Bluetooth with the bluetooth-central background mode so connections can persist briefly when the app is backgrounded (see Settings → Auto Analysis).

7.2 Camera and photo library

Used to photograph VIN labels, vehicle condition, and receipts in the Capture flow. Images are processed on-device unless you export or sync text-derived metadata to the cloud.

7.3 Microphone

Used when you record engine audio for monitor prompts or capture uploads. Audio is analyzed locally and stored in device IndexedDB when saved.

7.4 Network

Required for sign-in, cloud sync, NHTSA lookups, AI chat, and optional market data. The app can perform OBD scans offline; cloud features need connectivity.

8. Data retention

Local device data — retained until you delete it, clear site data, or uninstall;
Cloud telemetry — retained for product improvement and beta analysis unless deleted upon request;
Account tokens — valid until sign-out, token revocation, or account deactivation;
AI provider logs — governed by OpenAI/Google enterprise/API retention policies where applicable;
Backups — residual copies may persist in encrypted backups for a limited period after deletion.

You may request deletion of cloud-linked data by contacting us (Section 14).

9. Security

We use reasonable administrative, technical, and organizational measures, including:

HTTPS for all production API traffic;
Hashed session tokens server-side (raw tokens are not stored in plaintext);
Optional ingest keys for administrative export endpoints;
Least-privilege access to cloud storage.

No method of transmission or storage is 100% secure. You are responsible for securing your device, invite codes, and export files. Do not share admin telemetry keys or exported JSON bundles containing VINs in public channels.

10. Your choices and rights

Depending on your location, you may have rights to access, correct, delete, or export personal information.

Sign out — clears your session token on device; cloud data already synced remains until deletion request;
Disable cloud sync — use offline/local mode; runs stay in IndexedDB only;
Export local runs — JSON export from Sessions (does not automatically upload);
Decline permissions — you can deny Bluetooth, camera, or microphone; related features will not work;
Opt out of background sampling — disable "Sample when app is in background" in Settings;
Do not sign in — limited features; auth-gated flows require an account on production.

10.1 California residents (CCPA/CPRA)

California residents may request to know, delete, or correct personal information, and opt out of "sale" or "sharing" as defined by California law. MotoMetrics does not sell personal information. To exercise rights, contact us below. We will not discriminate against you for exercising privacy rights.

10.2 Canadian users

If you are in Canada, you may have rights under applicable provincial privacy laws (e.g., PIPEDA). Contact us for access or correction requests regarding cloud-stored account and telemetry data.

11. Children's privacy

MotoMetrics is not directed to children under 13 (or 16 in certain jurisdictions). We do not knowingly collect personal information from children. If you believe a child provided us data, contact us and we will delete it.

12. International users

MotoMetrics is operated from the United States. If you access the service from outside the U.S., your information may be processed in the U.S. and other countries where our service providers operate. By using MotoMetrics, you consent to this transfer where permitted by law.

13. Changes to this policy

We may update this Privacy Policy from time to time. We will revise the "Last updated" date at the top. Material changes may be announced in-app or via TestFlight release notes. Continued use after changes constitutes acceptance.

14. Contact us

For privacy questions, data access, correction, or deletion requests:

Email: simonmbrightman@gmail.com
Web: https://app.motometrics.co

Please include the email address associated with your account (if any) and a description of your request. We aim to respond within 30 days.