Dream Car GaragePrivacy Policy
Last updated: 2026-05-24
1. Data controller
- Operator: Dream Car Garage
- Address: Spain
- Contact email: privacy@dreamcargarage.app
2. Data we collect
We collect the following personal data:
2.1 Registration data
- Email address
- Password (stored as bcrypt hash, never in plain text)
- Name (optional)
- Username (auto-generated from email)
2.2 Google OAuth data
If you sign in with Google, we receive your name, email address, and profile picture from Google. We also store OAuth access tokens necessary for authentication.
2.3 Usage data
- Garage collections (vehicle selections, names, descriptions)
- Evolution timelines (collection stages)
- Likes and user follow data
- Scores and view counts (public garages)
2.4 Technical data
- IP address (only for login rate limiting, stored in server memory for 15 minutes)
- Cookie preferences and consent
3. Purposes and legal bases
| Purpose | Legal basis (GDPR) |
|---|---|
| Create and manage your account | Art. 6(1)(b) — Performance of contract |
| Enable garage creation and collections | Art. 6(1)(b) — Performance of contract |
| Publish garages on the public leaderboard | Art. 6(1)(a) — Consent (user chooses to publish) |
| Display personalised advertising (Google AdSense) | Art. 6(1)(a) — Consent (via cookie banner) |
| Web analytics (Google Analytics GA4) | Art. 6(1)(a) — Consent (via cookie banner) |
| Prevent abuse and fraud (login rate limiting) | Art. 6(1)(f) — Legitimate interest |
4. Data recipients
| Third party | Purpose | Location | Transfer basis |
|---|---|---|---|
| Google (OAuth) | Authentication | USA | Art. 49(1)(b) — necessary for contract |
| Google AdSense | Advertising (consent only) | USA | EU-US Data Privacy Framework |
| Google Analytics (GA4) | Web analytics (consent only) | USA | EU-US Data Privacy Framework |
We do not sell, rent, or share your personal data with third parties for marketing purposes other than those described above.
5. International transfers
Your database is hosted in the European Union (Hetzner Cloud, Nuremberg, Germany). The only data transferred outside the EU is:
- Google OAuth authentication data (USA) — necessary for the service you request.
- Google AdSense advertising data (USA) — only if you accept advertising cookies. Google LLC is certified under the EU-US Data Privacy Framework.
- Google Analytics GA4 data (USA) — only if you accept analytics cookies. Google LLC is certified under the EU-US Data Privacy Framework.
6. Data retention
- Account data: while the account is active.
- Session data (JWT): 30 days.
- IP data for rate limiting: 15 minutes (in memory, not persistent).
- Consent records: for the duration of the contractual relationship plus 5 years.
7. Your rights
Under the GDPR (Articles 15 to 22) and the Spanish LOPDGDD, you have the right to:
- Access: request a copy of your personal data.
- Rectification: correct inaccurate data.
- Erasure: request deletion of your data ("right to be forgotten").
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interest.
- Restriction: request restriction of processing in certain circumstances.
To exercise any of these rights, contact us at privacy@dreamcargarage.app. We will respond within one month.
For data processed directly by Google (advertising and analytics), you can manage your preferences and request deletion through Google's privacy controls at myaccount.google.com.
You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD): www.aepd.es.
8. Children
In accordance with Article 7 of the Spanish LOPDGDD, children under 14 require parental or guardian consent to register on Dream Car Garage.
9. Security
We implement technical and organisational measures to protect your data, including: encryption in transit (HTTPS/HSTS), password hashing (bcrypt), security headers (CSP, X-Frame-Options, X-Content-Type-Options), rate limiting on authentication endpoints, and a restrictive permissions policy.
10. Cookies
For detailed information about the cookies we use, see our Cookie Policy.
11. Changes
We reserve the right to update this privacy policy. Any changes will be posted on this page with the revised update date. We recommend checking this page periodically.