Privacy at a glance
- What we collect
- Account details, content you post, and minimal technical logs. No location, no contacts, no browsing history.
- Advertising & tracking
- None. We do not run ads, use analytics SDKs, or track you across other apps or websites.
- Who we share with
- Only the infrastructure providers required to run the service: Supabase and Apple Push Notification service.
- Selling your data
- We do not sell or "share" personal information for cross-context behavioural advertising, under any definition, including the CCPA/CPRA.
- Account deletion
- Available from inside the app at any time. Deletion is immediate and permanent.
- Contacting us
- Email [email protected]. We reply within 30 days.
01 Introduction and scope
Whealz ("Whealz," "we," "us," or "our") operates a community platform for vehicle owners to share updates, guides, and repairs about their cars and to engage with owners of the same make and model. This Privacy Policy (the "Policy") applies to information we collect through the Whealz mobile application, our websites at whealz.com, and related services (together, the "Service").
This Policy does not apply to third-party services, websites, or applications, even if they link to or from the Service. Their practices are governed by their own privacy policies.
For the purposes of the EU and UK General Data Protection Regulation, Whealz is the "controller" of the personal information described in this Policy. Under the California Consumer Privacy Act as amended by the CPRA, Whealz is a "business" with respect to that information.
02 Definitions
In this Policy the following terms have the following meanings:
- Personal Information — any information that identifies, relates to, describes, or could reasonably be linked with an identified or identifiable natural person. Equivalent to "personal data" under GDPR and "personal information" under CCPA/CPRA.
- Processing — any operation performed on Personal Information, whether or not by automated means, including collection, storage, use, disclosure, and erasure.
- Sub-processor — a third-party service provider that processes Personal Information on our behalf under our instructions.
- Sensitive Personal Information — categories of Personal Information given heightened protection under applicable law (e.g. government ID numbers, precise geolocation, contents of private messages). We do not knowingly collect Sensitive Personal Information.
- Content — any text, image, video, audio, or other material you upload to the Service.
03 Information we collect
3.1 Information you provide directly
| Category | Description |
|---|---|
| Account credentials | Email address and password. Passwords are stored using industry-standard salted hashing (bcrypt); we cannot recover the plaintext password. |
| Profile information | Display name, handle, biography, optional avatar image, and optional cover image. |
| Vehicle "garage" | Vehicles you add: brand, model, generation, trim, model year, optional nickname, and optional photos. |
| User-generated content | Text, images, video, and thumbnails you upload when publishing a guide or update, plus any structured fields you complete (title, category, difficulty, steps, parts). |
| Engagement data | Comments, replies, likes, saves, follows, blocks, and reports you submit. |
| Communications | Information you provide when contacting support, submitting feedback, or reporting content, including the contents of your correspondence with us. |
3.2 Information collected automatically
| Category | Description |
|---|---|
| Device information | Device type, operating system version, application version, and language preference — sent as part of ordinary API requests. |
| Push tokens | The Apple Push Notification service ("APNs") device token issued by iOS, associated with your account so we can deliver notifications you have consented to receive. |
| Log data | IP address, HTTP request timestamps, endpoint accessed, and status codes, retained short-term for security, abuse prevention, and debugging. |
| Authentication tokens | Time-limited access and refresh tokens issued when you sign in, stored on your device and validated on each request. |
3.3 Information we do not collect
We do not knowingly collect any of the following:
- Precise geolocation. We do not request or use the operating system's precise location APIs.
- Contents of your device's address book, calendar, photo library (beyond specific files you choose to upload), microphone, or camera roll.
- Behavioural information from other apps or websites. We do not use third-party advertising or analytics SDKs.
- Government identifiers, financial account numbers, health data, or biometric identifiers.
- Children's information (see Section 13).
04 Sources of Personal Information
We obtain Personal Information from the following sources:
- Directly from you — when you create an account, edit your profile, add cars to your garage, publish content, or interact with other users.
- Automatically from your device — as described in Section 3.2, when the Whealz app makes network requests or registers for push notifications.
- From other users — when another user tags, mentions, replies to, reports, or blocks you, that action is associated with your account.
We do not purchase Personal Information from data brokers and we do not enrich our records with information from third-party marketing sources.
05 How we use Personal Information
We process Personal Information for the following purposes:
- Provide the Service. Create and maintain your account, display your profile and content, deliver comments and notifications, and enable follows, likes, saves, and blocks.
- Personalise your experience. Surface content from creators you follow and guides that match cars in your garage. Personalisation is based on data you have provided; we do not build behavioural advertising profiles.
- Deliver notifications. Send push notifications for likes, comments, replies, follows, and new posts from creators you follow — subject to your device's notification permission and any per-category preferences you set in the app.
- Keep the community safe. Investigate reports of policy violations, enforce our Terms of Service, and prevent, detect, and respond to fraud, abuse, and security incidents.
- Operate and improve the Service. Diagnose bugs, monitor reliability and performance, and develop new features.
- Communicate with you. Respond to support inquiries, security notices, and legal requests. We do not send marketing email.
- Comply with law. Meet our legal, regulatory, and law-enforcement obligations and respond to lawful requests.
06 Lawful bases (EEA, UK, Switzerland)
If you are in the European Economic Area, the United Kingdom, or Switzerland, we process Personal Information under one or more of the following lawful bases:
| Purpose | Lawful basis | Notes |
|---|---|---|
| Providing the Service you signed up for | Contract (Art. 6(1)(b)) | Necessary to perform our Terms of Service. |
| Push notifications | Consent (Art. 6(1)(a)) | You control this via the iOS permission prompt and per-category toggles in the app; withdrawable at any time. |
| Security, abuse prevention, log retention | Legitimate interests (Art. 6(1)(f)) | Keeping the Service safe and reliable. |
| Enforcing our Terms and investigating reports | Legitimate interests (Art. 6(1)(f)) | Protecting our users and the integrity of the community. |
| Responding to legal requests | Legal obligation (Art. 6(1)(c)) | Where required by applicable law. |
Where we rely on legitimate interests, you have the right to object as described in Section 12. Where we rely on consent, you may withdraw it at any time; withdrawal does not affect the lawfulness of processing carried out before withdrawal.
07 How we share Personal Information
We share Personal Information only in the limited circumstances below:
- Publicly with other users. Your profile (display name, handle, bio, avatar, cover image), your posted content, and your public engagement (comments, likes, follows) are visible to other users of the Service. Your email address, push tokens, IP address, and account settings are not visible to other users.
- With sub-processors that provide the infrastructure we run on, as listed in Section 8.
- To comply with law. We may disclose Personal Information if we believe in good faith it is required by law, court order, subpoena, or other legal process, or to protect the rights, property, or safety of Whealz, our users, or the public.
- In connection with a corporate transaction. If Whealz is involved in a merger, acquisition, financing, reorganisation, bankruptcy, or sale of assets, Personal Information may be transferred to the successor or acquirer as part of that transaction. We will notify you before your information becomes subject to a different privacy policy.
- With your explicit consent for any purpose we describe to you at the time you consent.
We do not sell your Personal Information and we do not "share" your Personal Information for cross-context behavioural advertising within the meaning of the CCPA/CPRA or any other US state privacy law.
08 Sub-processors and third-party services
We rely on the following sub-processors to operate the Service. Each is bound by contract to process Personal Information only as instructed and to maintain appropriate technical and organisational safeguards.
| Sub-processor | Purpose | Data categories | Location |
|---|---|---|---|
| Supabase, Inc. | Managed database, object storage, authentication, and edge compute. | All Personal Information described in Section 3. | United States (data residency configurable). |
| Apple Inc. — Apple Push Notification service | Delivering push notifications you have opted in to. | APNs device token, notification title, notification body, deep-link metadata. | United States and other Apple regional infrastructure. |
09 International data transfers
Personal Information we collect may be processed in countries other than the country in which you reside, including the United States. When we transfer Personal Information from the EEA, the UK, or Switzerland to a country not subject to an adequacy decision by the European Commission or the UK Government, we rely on appropriate safeguards, including:
- Standard Contractual Clauses adopted by the European Commission and, where applicable, the UK International Data Transfer Addendum;
- Supplementary technical measures such as encryption in transit and at rest;
- Contractual confidentiality and access-restriction obligations on our sub-processors.
You may request a copy of the safeguards we rely on for a specific transfer by emailing [email protected].
10 Retention
We retain Personal Information only for as long as necessary to fulfil the purposes described in this Policy or as required by law.
| Category | Retention period |
|---|---|
| Account & profile | For the life of your account. Deleted when you delete your account. |
| Content you posted | For the life of your account or until you delete the content, whichever is earlier. |
| Comments left on other users' posts | Retained after account deletion, attributed to a deleted user, so threads remain coherent. |
| Push tokens | Until you disable notifications, sign out, or delete your account. |
| Log data (IP, request metadata) | Typically 30 days. Longer where necessary for an active security investigation. |
| Reports and moderation records | Retained after account deletion in a form necessary to enforce our Terms and prevent recurrence of abuse. |
| Backups | Encrypted rolling backups may retain deleted content for up to 35 days before being overwritten in normal rotation. |
| Legal and tax records | Retained for the period required by applicable law. |
11 Security
We use administrative, technical, and physical safeguards designed to protect Personal Information against unauthorised access, disclosure, alteration, and destruction. These include:
- Transport-layer encryption (TLS 1.2 or higher) for data in transit.
- Encryption at rest for stored content and database volumes.
- Salted password hashing; plaintext passwords are never stored.
- Row-level security policies enforced at the database layer to isolate user data.
- Short-lived, revocable authentication tokens.
- Access controls that limit sub-processor and internal access on a need-to-know basis.
- Routine monitoring for anomalous activity and abuse patterns.
No system is perfectly secure. If you believe your account has been compromised or you have discovered a security vulnerability, please contact [email protected]. We will acknowledge your report within 72 hours.
12 Your privacy rights
12.1 Rights available to everyone
Regardless of where you live, you can at any time:
- Review and update most profile information from Edit Profile inside the app.
- Delete individual pieces of Content you have posted.
- Delete your entire account from Settings ▸ Delete Account (see Section 17).
- Control push notifications through iOS Settings and the app's notification preferences.
12.2 EEA, United Kingdom, and Switzerland
If your Personal Information is subject to the GDPR, UK GDPR, or the Swiss FADP, you have the following rights, subject to the limits set out in applicable law:
- Right of access — obtain confirmation that we process your Personal Information and a copy of it.
- Right to rectification — correct inaccurate or incomplete information.
- Right to erasure ("right to be forgotten") — request deletion of your Personal Information where the legal conditions are met.
- Right to restriction — request that we limit processing in certain circumstances.
- Right to data portability — receive Personal Information you provided in a structured, commonly used, machine-readable format.
- Right to object — object to processing that is based on our legitimate interests, including for direct marketing (we do not carry out marketing).
- Right to withdraw consent — where we rely on consent, withdraw it at any time.
- Right not to be subject to solely automated decision-making — including profiling that produces legal or similarly significant effects (see Section 15).
To exercise these rights, email [email protected] from the address associated with your account. We respond within 30 days (extendable by two months for complex requests, in which case we will inform you).
12.3 California residents (CCPA/CPRA)
If you are a California resident, you have the right to:
- Know what categories and specific pieces of Personal Information we collect, use, disclose, and (if applicable) sell or share.
- Access a copy of the Personal Information we have collected in the preceding 12 months.
- Request that we delete Personal Information we collected from you.
- Correct inaccurate Personal Information we maintain.
- Opt out of the "sale" or "sharing" of Personal Information. We do not sell or share Personal Information as those terms are defined in the CCPA/CPRA, so there is no opt-out to exercise, but you can still tell us to treat you as opted out by emailing [email protected].
- Limit the use and disclosure of Sensitive Personal Information. We do not knowingly collect Sensitive Personal Information.
- Not be discriminated against for exercising your rights.
We do not use Personal Information for purposes that would trigger the CCPA/CPRA disclosure requirements for cross-context behavioural advertising, financial incentives, or automated decision-making.
12.4 Other U.S. state residents
If you are a resident of Colorado, Connecticut, Utah, Virginia, or another U.S. state with a comprehensive privacy law in force, you have rights broadly similar to those described in Section 12.3, including the right to access, delete, correct, and (where applicable) opt out of targeted advertising, sale of Personal Information, and certain profiling. Requests can be made to [email protected].
12.5 Brazil (LGPD)
If you are in Brazil, you have rights under the Lei Geral de Proteção de Dados including confirmation of processing, access, correction, anonymisation, blocking or deletion of unnecessary data, data portability, information about sharing, information about the possibility of not providing consent and its consequences, and revocation of consent. Requests can be made to [email protected].
12.6 Canada (PIPEDA and provincial equivalents)
If you are in Canada, you have the right to access and correct your Personal Information and to withdraw consent (subject to legal or contractual restrictions). Contact [email protected].
12.7 Verifying your identity
To protect your Personal Information, we take reasonable steps to verify your identity before responding to a rights request. Typically we verify by matching identifying information you provide with information already associated with your account. We do not require you to create an account with us solely to make a rights request.
12.8 Authorised agents
You may designate an authorised agent to make a request on your behalf. We may require the agent to demonstrate written authorisation and may require you to verify your identity directly.
13 Children's privacy
The Service is not directed to children under 13 (or under 16 in the EEA and UK, where applicable). We do not knowingly collect Personal Information from children below the applicable age. If we learn we have collected Personal Information from a child in a manner that requires parental consent we have not obtained, we will delete that information promptly. If you are a parent or guardian and believe your child has provided us with Personal Information, please contact [email protected].
14 Cookies and similar technologies
The Whealz mobile application does not use cookies. Our website may set a minimal set of strictly necessary cookies (for example, to remember dark-mode preference or to maintain a signed-in session). We do not use advertising, analytics, or cross-site tracking cookies. If we introduce non-essential cookies in the future, we will update this Policy and, where required, obtain your consent through a consent banner.
15 Automated decision-making
We do not make decisions concerning you that produce legal or similarly significant effects based solely on automated processing, and we do not conduct profiling of that kind. Content ranking in your feed is based on straightforward relevance signals (whether the content matches a car in your garage, whether you follow the author) and does not involve automated evaluation of your personal characteristics.
16 Third-party links and content
The Service may contain links to third-party websites or resources (for example, links to parts retailers embedded in a guide). We are not responsible for the availability, content, or privacy practices of those third parties. When you follow a link out of the Service, this Policy no longer applies. Review the third party's own privacy policy before providing any Personal Information to them.
17 Account deletion
You can delete your account at any time from Settings ▸ Delete Account inside the app. Deletion is confirmed by typing your handle, requires a two-tap confirmation to avoid accidental triggering, and is immediate and permanent. There is no grace period.
When you delete your account, we permanently erase:
- Your profile — display name, handle, bio, avatar, cover image.
- Every guide, video, thumbnail, and photo you uploaded.
- All comments and replies you left on your own posts.
- Your likes, saves, follows, blocks, and push tokens.
- Your garage — every vehicle you added and any car-level media.
- Notifications addressed to you.
We retain in a residual form:
- Comments and replies you left on other users' posts, so the surrounding conversation remains coherent to other participants. These are attributed to a deleted user and no longer linked to your identity.
- Reports or moderation actions you were involved in, retained as necessary to enforce our Terms and prevent recurrence of abuse. Personal identifiers are minimised where possible.
- Encrypted backups may contain deleted content for up to 35 days before being overwritten in normal rotation.
If you would like a copy of your data before deleting your account, request an export by emailing [email protected] and wait for delivery before initiating deletion.
18 Changes to this Policy
We may update this Policy from time to time. When we do we revise the "Effective" date and version at the top of the page. For material changes we will provide additional notice, such as an in-app notification or an email to the address associated with your account, at least 30 days before the changes take effect where feasible. Continued use of the Service after changes become effective constitutes acceptance of the updated Policy. Prior versions of this Policy are available on request.
19 How to contact us
You can reach the appropriate team at the following addresses:
- Privacy inquiries and rights requests — [email protected]
- Security reports — [email protected]
- General support — [email protected]
We aim to acknowledge privacy correspondence within 5 business days and to substantively respond within 30 days.
20 Complaints and supervisory authority
If you believe we have not handled your Personal Information in accordance with this Policy or applicable law, please contact us first at [email protected] so we can work with you to resolve the issue.
You also have the right to lodge a complaint with your local data-protection authority:
- EEA residents — the supervisory authority of your Member State of residence, place of work, or place of the alleged infringement.
- United Kingdom residents — the Information Commissioner's Office (ico.org.uk).
- Swiss residents — the Federal Data Protection and Information Commissioner (edoeb.admin.ch).
- California residents — the California Privacy Protection Agency (cppa.ca.gov) or the California Attorney General's office.
- Brazilian residents — the Autoridade Nacional de Proteção de Dados (gov.br/anpd).
This Policy is written in English. In the event of any conflict between an English version and a translation, the English version prevails to the extent permitted by applicable law.