Privacy Policy
This Privacy Policy describes how Carrus ("we", "our", "the app") handles your information when you use our mobile application.
Carrus is operated by Abdulrahman Ahmed Mohamed, trading as Plenus Studios, reachable at hello@carrus.app.
1. What we collect
We collect the minimum information needed to run the service.
Account data (only if you sign in):
- Email address (used to identify your account and send password reset links).
- Authentication tokens (managed by our auth provider, Supabase).
Your vehicle data:
- Vehicle information you enter: make, model, year, nickname, color, body type, mileage, in-service date.
- Maintenance records you create: service date, mileage, cost, notes, scanned receipts.
- Maintenance preferences: notification settings, units (miles/km), region, theme.
Purchase data (only if you subscribe): handled by RevenueCat. Apple/Google retain payment details; we never see your card number.
Diagnostic data (anonymous): crash reports and error events sent to Sentry. We attach your anonymous user ID only — never your email or personal data.
Usage analytics (anonymous): anonymous interaction events sent to PostHog (which screens you visit, which features you use). These events contain no personal data and help us improve the app.
AI features: when you chat with Carson or scan a receipt, your message text or receipt image is sent to OpenAI to generate a response. OpenAI does not retain this data for training. We do not store these messages on our servers beyond the duration of the request.
2. What we do NOT collect
- We do not collect your name, phone number, address, or precise location.
- We do not sell your data to anyone.
- We do not share your data with advertising networks.
- We do not access your phone's contacts, photos (other than ones you explicitly select for receipt scanning), microphone, or location.
3. Where your data is stored
- Account + vehicle + maintenance data: stored in Supabase (United States data centers).
- Vehicle + maintenance data while offline: stored locally on your device using encrypted system storage.
- Crash reports: Sentry (United States).
- Usage analytics: PostHog (European Union — Frankfurt).
- Subscription state: RevenueCat (United States) and Apple/Google.
If you are in the European Economic Area (EEA) or United Kingdom, your data may be transferred to the United States; these transfers are protected by the relevant standard contractual clauses.
4. Your rights
Under data protection laws (including GDPR if you're in the EU, and CCPA if you're in California), you have the right to:
- Access the data we hold about you. Use the in-app "Download My Data" button (Settings → Manage Account) to export a JSON file containing all your data.
- Delete your account and all associated data. Use the in-app "Delete Account" button (Settings → Manage Account). This is permanent and immediate; cancelled accounts are removed from our database within 24 hours.
- Correct inaccurate data by editing it directly in the app.
- Withdraw consent by signing out and uninstalling the app. Your locally stored data remains on the device until you uninstall.
To exercise any other right, email us at hello@carrus.app.
5. Children
Carrus is not intended for use by anyone under 13 (or 16 in the EU/UK). We do not knowingly collect data from children. If you believe we've inadvertently collected data from a child, contact us and we'll delete it.
6. Cookies + tracking
Carrus is a mobile app and does not use browser cookies. We don't use any cross-app tracking identifiers (IDFA on iOS, GAID on Android) for advertising.
7. Data retention
- Account data: kept while your account is active. Deleted within 24 hours of account deletion.
- Anonymous analytics + crash reports: retained for up to 90 days, then automatically deleted.
- AI chat + receipt scans: processed in real time, not retained on our servers.
8. Security
- All data in transit is encrypted using TLS.
- Server-side databases use industry-standard encryption at rest.
- We follow least-privilege access principles for our own staff.
No system is perfectly secure. If you believe your account has been compromised, contact us at hello@carrus.app immediately.
9. Changes to this policy
If we change how we handle data in a material way, we'll update this page and notify active users via an in-app notice at least 30 days before the change takes effect.
10. Contact
Questions, requests, or complaints: hello@carrus.app
If you're in the EU/UK and you believe we're not handling your data correctly, you also have the right to lodge a complaint with your local data protection authority.