Privacy Policy

Last updated:

1. Data controller

MyCarPast is operated by Renan Barbosa da Silva, an individual professional based in Portugal, acting as the controller of your personal data. For any privacy-related matters, contact contact@mycarpast.com.

2. What data we collect

  • Account data: name, email, and password (encrypted).
  • Vehicle data: make, model, year, license plate, mileage, and photo.
  • Maintenance history: dates, workshop, costs, notes, and photos of invoices.
  • Technical data: IP address, device, and access dates (security logs).

3. How we use your data

  • Provide the service (register and display your vehicle's history).
  • Generate public links when you choose to share the history.
  • Ensure security and prevent abuse.
  • Communicate with you regarding your account.

4. Legal basis

We process data based on the performance of the contract with you (Art. 6(1)(b) of the GDPR) and your consent when creating an account. Public sharing only occurs at the user's initiative.

5. Who has access and processors

Only you can access your private history. Anyone with the public link you generated can view that vehicle's history. To provide the service, we use the following processors, all of whom have contractual obligations for confidentiality and security:

  • Supabase (via Lovable Cloud): database, authentication, and file storage. Servers in the European Union.
  • Cloudflare, Inc.: CDN, attack protection, and content delivery (edge). Global processing.
  • Google LLC: Google Workspace for the email contact@mycarpast.com. Processing in the USA.
  • Lovable: application hosting.
  • Stripe Payments Europe, Ltd.: payment processing, billing, VAT calculation and remittance, fraud prevention, and chargeback management. Receives name, email, billing address, and transaction data. Headquartered in Ireland (EU).

6. International transfers

Some processors may process data outside the European Economic Area. These transfers are protected by:

  • EU-US Data Privacy Framework (Google), recognized by the European Commission as ensuring an adequate level of protection.
  • Standard Contractual Clauses approved by the European Commission, for all other cases.

7. Retention

We keep your data for the time strictly necessary:

  • Account and vehicle history: while the account is active.
  • After account deletion: we delete the data immediately; backups are removed within a maximum of 30 days.
  • Security logs (IP, access): 12 months.
  • Billing data (if you subscribe to a paid plan): 10 years, due to tax obligations (Art. 123 of the CIRC).

8. Your rights

Under the GDPR, you have the right to access, rectify, and erase your data, to restrict or object to processing, to data portability, and to withdraw consent at any time (without affecting the lawfulness of previous processing).

You can exercise these rights directly in Settings or by sending an email to contact@mycarpast.com. We respond within a maximum of 30 days.

You also have the right to lodge a complaint with the CNPD (National Data Protection Commission).

To permanently delete your account and all associated data, see the detailed instructions on Delete your account.

9. Security

We apply appropriate technical and organizational measures to protect your data:

  • Passwords hashed with a modern algorithm (bcrypt).
  • Traffic always encrypted via HTTPS/TLS.
  • Database-level access control (Row Level Security): each user can only access their own data.
  • In the event of a personal data breach that poses a risk to your rights, we will notify the CNPD within 72 hours and, if applicable, communicate directly with you (Articles 33 and 34 of the GDPR).

10. License Plate

The license plate is considered personal data as it allows the holder to be indirectly identified. By generating a public link, you make it visible to whoever receives it. You can deactivate the link at any time in the vehicle's Settings.

11. Cookies and similar technologies

We only use cookies that are strictly necessary for the operation of the service; prior consent is not required for these (Art. 5, no. 3 of the ePrivacy Directive):

  • sb-access-token and sb-refresh-token, to maintain the authentication session.

We do not use marketing, advertising, analytics cookies, or third-party trackers.

12. Minors

The service is intended for persons over 18 years of age (driver's license holders). We do not knowingly collect data from minors. If you become aware of such a situation, please contact us so that we can proceed with immediate deletion.

13. Automated decisions

We do not carry out profiling or automated decisions with legal effects or that significantly affect you.

14. Changes

We may update this policy. Significant changes will be communicated by email or through the application with reasonable notice.

See also the Terms of Use.