Privacy Policy
Last updated: 2026-06-02
Current status (June 2026): We are currently minimising data processing while our operating company is being formally registered as data controller. During this period, web analytics (Google Analytics) and advertising (Google AdSense) are disabled, the cookie consent banner is switched off, and the newsletter is not active — only data strictly necessary to operate your account and the service (see below) is processed. The provisions below describing analytics, advertising, and marketing will apply once those features are reactivated and the responsible entity is named here.
1. Data controller
- Operator: Dream Car Garage
- Address: Spain
- Contact email: privacy@dreamcargarage.app
2. Data we collect
We collect the following personal data:
2.1 Registration data
- Email address
- Password (stored as a bcrypt hash, never in plain text)
- Name (optional)
- Username (auto-generated from email)
2.2 Google OAuth data
If you sign in with Google, we receive your name, email address, and profile picture from Google. We also store OAuth access tokens necessary for authentication.
2.3 Usage data
- Garage collections (vehicle selections, names, descriptions)
- Evolution timelines (collection stages)
- Likes and user follow data
- Scores and view counts (public garages)
2.4 Technical data
- IP address (only for login rate limiting, stored in server memory for 15 minutes)
- Cookie preferences and consent
3. Purposes and legal bases
| Purpose | Legal basis (GDPR) |
|---|---|
| Create and manage your account | Art. 6(1)(b) — Performance of contract |
| Enable garage creation and collections | Art. 6(1)(b) — Performance of contract |
| Publish garages on the public leaderboard | Art. 6(1)(a) — Consent (user chooses to publish) |
| Display personalised advertising (Google AdSense) — currently disabled | Art. 6(1)(a) — Consent (via cookie banner) |
| Web analytics (Google Analytics GA4) — currently disabled | Art. 6(1)(a) — Consent (via cookie banner) |
| Prevent abuse and fraud (login + AI-feature rate limiting; minimal device signals for the members-only AI builder) | Art. 6(1)(f) — Legitimate interest |
| Build garages from your description (AI garage builder) | Art. 6(1)(a) — Consent (AI notice; no personal identifiers) |
4. Data recipients
| Third party | Purpose | Location | Transfer basis |
|---|---|---|---|
| Google (OAuth) | Authentication | USA | Art. 49(1)(b) — necessary for contract |
| Google AdSense | Advertising (currently disabled; consent only) | USA | EU-US Data Privacy Framework |
| Google Analytics (GA4) | Web analytics (currently disabled; consent only) | USA | EU-US Data Privacy Framework |
The AI garage builder runs on our own infrastructure in the European Union (Hetzner Cloud, Germany); your message is not sent to any external AI provider and never leaves the EU.
We do not sell, rent, or share your personal data with third parties for marketing purposes other than those described above.
5. International transfers
Your database is hosted in the European Union (Hetzner Cloud, Nuremberg, Germany). The only data transferred outside the EU is:
- Google OAuth authentication data (USA) — necessary for the service you request.
- Google AdSense advertising data (USA) — currently disabled. When reactivated, only if you accept advertising cookies. Google LLC is certified under the EU-US Data Privacy Framework.
- Google Analytics GA4 data (USA) — currently disabled. When reactivated, only if you accept analytics cookies. Google LLC is certified under the EU-US Data Privacy Framework.
The AI garage builder does NOT transfer data outside the EU: inference runs on an open-source model hosted on our own infrastructure in the European Union.
6. Data retention
- Account data: while the account is active.
- Session data (JWT): 30 days.
- IP data for rate limiting: 15 minutes (in memory, not persistent).
- Consent records: for the duration of the contractual relationship plus 5 years.
7. Your rights
Under the GDPR (Articles 15 to 22) and the Spanish LOPDGDD, you have the right to:
- Access: request a copy of your personal data.
- Rectification: correct inaccurate data.
- Erasure: request deletion of your data ("right to be forgotten").
- Portability: receive your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interest.
- Restriction: request restriction of processing in certain circumstances.
To exercise any of these rights, contact us at privacy@dreamcargarage.app. We will respond within one month.
For data processed directly by Google (advertising and analytics), you can manage your preferences and request deletion through Google's privacy controls at myaccount.google.com.
You also have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD): www.aepd.es.
8. Children
In accordance with Article 7 of the Spanish LOPDGDD, children under 14 require parental or guardian consent to register on Dream Car Garage.
9. Security
We implement technical and organisational measures to protect your data, including: encryption in transit (HTTPS/HSTS), password hashing (bcrypt), security headers (CSP, X-Frame-Options, X-Content-Type-Options), rate limiting on authentication endpoints, and a restrictive permissions policy.
10. Cookies
For detailed information about the cookies we use, see our Cookie Policy.
11. Changes
We reserve the right to update this privacy policy. Any changes will be posted on this page with the revised update date. We recommend checking this page periodically.