1. Scope of This Policy
This Privacy Policy applies to:
- Visitors to our website
- Users who create accounts
- Buyers and Sellers on our platform
- Individuals who communicate with us
- Users who complete identity verification
- Individuals who interact with us through advertising or analytics platforms
This Policy applies only to information collected by Carulu Automotive, LLC.
2. Information We Collect
We collect information in three primary ways:
- Information you provide directly
- Information collected automatically
- Information received from third parties
2.1 Information You Provide to Us
Account Registration Information
When you create an account, we may collect:
- First and last name
- Email address
- Phone number
- Password (stored securely and encrypted)
- Mailing address
- Profile photo
Identity Verification Information
If you complete verification, we may collect:
- Government-issued ID (e.g., driver's license)
- Selfie/photo for identity confirmation
- Date of birth
- Address confirmation details
Identity verification may be processed by third-party verification providers.
Vehicle Listing Information
If you are a Seller, we collect:
- VIN or license plate
- Vehicle specifications
- Mileage
- Condition disclosures
- Accident history disclosures
- Title and lien status
- Photos of vehicle
- Pricing information
- Listing description
Transaction Information
If you engage in a transaction, we may collect:
- Offer amounts
- Purchase hold information
- Transaction status data
- Payment-related metadata (processed via third parties)
Communications
We collect:
- Messages sent via the Platform
- Customer support communications
- Dispute resolution information
2.2 Information Collected Automatically
When you use our Services, we may automatically collect:
- IP address
- Device type
- Browser type
- Operating system
- Device identifiers
- Pages viewed
- Clickstream data
- Referral URLs
- Approximate location (via IP)
- Timestamps
- Cookies and similar tracking technologies
2.3 Information from Third Parties
We may receive information from:
- Identity verification vendors
- Vehicle data providers
- Payment processors
- Fraud prevention vendors
- Analytics providers (e.g., Google Analytics)
- Advertising networks
3. How We Use Your Information
We use personal information to:
- Provide and operate the Services
- Create and manage accounts
- Facilitate Listings and Offers
- Process fees and payments
- Provide identity verification
- Detect and prevent fraud
- Enforce our Terms of Service
- Improve platform functionality
- Communicate with Users
- Respond to support requests
- Comply with legal obligations
- Protect safety and security
- Conduct analytics and product development
- Market our Services (where permitted)
4. How We Share Information
Important Notice
We do not sell personal information for money.
We may share information in the following circumstances:
4.1 With Other Users
Certain information is visible to other Users, including:
- Name
- Profile photo
- Verification status
- Listing details
- Messaging content (only to intended recipients)
4.2 With Service Providers
We share information with vendors who help us operate the Platform, including:
- Cloud hosting providers
- Identity verification services
- Payment processors
- Fraud detection services
- Analytics providers
- Customer support platforms
These providers are contractually restricted from using your information for unrelated purposes.
4.3 For Legal Reasons
We may disclose information:
- To comply with law enforcement requests
- To respond to subpoenas or court orders
- To protect rights, property, or safety
- To investigate fraud or illegal activity
4.4 Business Transfers
If Carulu undergoes a merger, acquisition, or asset sale, personal information may be transferred as part of the transaction.
5. Cookies and Tracking Technologies
We use:
- Cookies
- Pixel tags
- Analytics tools
- Session storage
- Advertising identifiers
Cookies help us:
- Authenticate users
- Remember preferences
- Measure performance
- Prevent fraud
- Improve functionality
You may manage cookies through your browser settings or through our Cookie Preference Center, accessible via the “Cookies” link in the footer of every page.
6. Data Retention
We retain personal information for as long as necessary to:
- Provide Services
- Complete transactions
- Resolve disputes
- Comply with legal obligations
- Prevent fraud
- Enforce agreements
Even after account deletion, certain records may be retained as required by law or for legitimate business purposes.
7. Data Security
We implement reasonable administrative, technical, and physical safeguards, including:
- Encryption of sensitive data
- Secure hosting infrastructure
- Access controls
- Monitoring and logging
- Limited internal access to personal data
Important Notice
No system is 100% secure. You use the Services at your own risk.
8. Your Privacy Rights (United States)
Depending on your state of residence, you may have rights under applicable privacy laws.
9. California Privacy Rights (CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect
- Know the categories of sources
- Know the purposes for collection
- Know the categories of third parties with whom we share
- Request deletion of personal information
- Request correction of inaccurate information
- Request access to specific pieces of personal information
- Opt out of the sale or sharing of personal information
- Limit use of sensitive personal information (where applicable)
- Not be discriminated against for exercising rights
Carulu does not sell personal information for monetary value.
To exercise your rights, contact: support@carulu.com
We may verify your identity before processing requests.
10. Categories of Personal Information Collected (Last 12 Months)
We may collect:
- Identifiers (name, email, phone, IP address)
- Personal records (address, vehicle ownership data)
- Commercial information (transaction data)
- Internet activity (usage data)
- Geolocation data (approximate)
- Sensitive personal information (ID documents for verification)
We collect this information for business purposes as described above.
11. “Do Not Track” Signals
Carulu does not currently respond to browser “Do Not Track” signals.
12. Children's Privacy
The Services are not intended for individuals under 18. We do not knowingly collect personal information from minors.
13. Third-Party Links
The Services may contain links to third-party websites. We are not responsible for their privacy practices.
14. Data Transfers
All Services are operated in the United States. If you access the Services from outside the U.S., your information will be transferred to and processed in the United States.
15. Account Deletion
You may request account deletion by contacting support@carulu.com.
We may retain certain information:
- For fraud prevention
- For legal compliance
- For transaction recordkeeping
- For dispute resolution
16. Changes to This Privacy Policy
We may update this Privacy Policy periodically. Material changes will be communicated via:
- Email notice
- In-app notification
- Website posting
Continued use of Services after updates constitutes acceptance.
17. Contact Information
18. Sensitive Data Handling
Carulu recognizes that certain categories of information require heightened protection. We limit the collection, use, storage, and disclosure of sensitive personal information to what is strictly necessary to provide the Services and comply with legal obligations.
18.1 Categories of Sensitive Personal Information
We may collect the following types of sensitive personal information in limited circumstances:
- Government-issued identification numbers (e.g., driver's license number)
- Copies of government-issued identification documents
- Biometric identifiers used solely for identity verification (e.g., selfie comparison)
- Financial account tokens or payment-related metadata (processed via third parties)
- Precise location information (only if expressly enabled by the User)
- Fraud detection and risk scoring outputs
We do not intentionally collect:
- Social Security numbers (unless required by a third-party identity verification or payment provider and processed directly by that provider)
- Full bank account numbers (unless processed directly by a payment provider)
- Biometric templates stored by Carulu (biometric comparisons are handled by third-party vendors where applicable)
18.2 Purpose Limitation
Sensitive personal information is collected and used only for:
- Identity verification
- Fraud prevention and risk mitigation
- Regulatory compliance
- Payment processing
- Security monitoring
- Dispute resolution
- Legal obligations
We do not use sensitive personal information for marketing purposes.
18.3 Storage and Protection of Sensitive Data
Sensitive information is protected through layered safeguards including:
- Encryption in transit (TLS/HTTPS)
- Encryption at rest (where applicable)
- Role-based access controls
- Strict internal access limitations
- Vendor contractual data protection requirements
- Logging and monitoring of access events
- Secure document storage practices
Access to sensitive data is limited to authorized personnel with a legitimate business need.
18.4 Third-Party Processing of Sensitive Data
When identity verification or payment services are provided by third-party vendors, those vendors process sensitive data under contractual obligations requiring:
- Confidentiality
- Data protection standards
- Use limitation
- Security controls
- Compliance with applicable privacy laws
Carulu does not sell or monetize sensitive personal information.
18.5 Limiting Use of Sensitive Personal Information (California)
If you are a California resident, you have the right to request that we limit the use and disclosure of your sensitive personal information to what is necessary to perform Services reasonably expected by you.
To submit a request, contact: support@carulu.com
19. Data Minimization and Purpose Limitation
Carulu is committed to collecting only the personal information that is reasonably necessary and proportionate to operate the Services.
19.1 Data Minimization Principles
We follow these principles:
- Collect only what is needed
- Limit use to stated purposes
- Avoid retaining data longer than necessary
- Restrict access internally
- Avoid unnecessary duplication of data
We evaluate data collection practices regularly to ensure alignment with business necessity and risk mitigation.
19.2 Functional Necessity
Personal information is collected only when necessary to:
- Create and maintain accounts
- Enable vehicle Listings and Offers
- Facilitate transactions
- Provide identity verification
- Prevent fraud and abuse
- Comply with law
We do not collect data unrelated to these purposes.
19.3 Retention Limits
Personal data is retained only for as long as reasonably necessary to:
- Provide Services
- Complete transactions
- Maintain transaction records
- Resolve disputes
- Prevent fraud
- Comply with tax, financial, and legal obligations
When information is no longer needed, it is:
- Securely deleted,
- Anonymized, or
- Aggregated for statistical purposes
19.4 De-Identification and Aggregation
Carulu may create de-identified or aggregated datasets that cannot reasonably identify individuals. These datasets may be used for:
- Market analytics
- Product improvements
- Research and statistical modeling
- Business insights
De-identified data is not considered personal information under applicable law.
20. Data Breach Notification Policy Summary
Carulu maintains incident response procedures designed to address suspected data security incidents promptly and effectively.
20.1 Security Incident Response
If we become aware of unauthorized access, acquisition, disclosure, alteration, or destruction of personal information, we will:
- Promptly investigate the incident
- Contain and mitigate the impact
- Assess scope and affected data categories
- Identify affected individuals where feasible
- Implement corrective measures
20.2 Notification to Affected Individuals
Where required by applicable law, Carulu will provide notice to affected individuals without unreasonable delay and within legally required timeframes.
Such notification may include:
- Description of the incident
- Categories of information involved
- Steps we are taking to address the incident
- Steps individuals may take to protect themselves
- Contact information for additional assistance
Notification may be provided by:
- In-app notification
- Website notice
- Direct written notice
20.3 Regulatory Notification
If required by law, we will notify appropriate state attorneys general, regulatory authorities, or other government agencies in accordance with applicable data breach laws.
20.4 Law Enforcement Coordination
Carulu may delay notification if a law enforcement agency determines that notice would impede a criminal investigation.
20.5 Continuous Improvement
Following any security incident, we review and strengthen:
- Technical safeguards
- Vendor controls
- Internal access controls
- Monitoring systems
- Security policies and procedures