Privacy Policy

Last updated: June 4, 2026. This policy explains what data Aircooled Index collects, where it lives, who can see it, and what your rights are. We keep it short because there is not much to disclose — this is a hobby-grade reference tool for vintage Volkswagen enthusiasts, not a data-mining operation.

What We Collect

Account data. When you sign up, we store your email address, display name, and a securely hashed password. We never store your password in plaintext or reversible form. If you sign in with Google, we receive your name, email, and profile picture from Google — nothing else.

Usage data. We track which features you use (decoder, chat, classifieds) to enforce plan quotas. This is stored as simple counters attached to your account — not behavioral profiles.

User-generated content. Garage vehicles, restoration builds, classified listings (including optional photos), community corrections, and support conversations. You own this content.

Analytics. We use Google Analytics for aggregate traffic statistics. It does not collect personally identifiable information by default, and we do not enable any enhanced measurement features that would change this. You can block it with any ad-blocker or the Google Analytics opt-out extension.

What we do NOT collect. No payment card numbers (we have no payment processing), no location tracking, no device fingerprinting, no cookies beyond session authentication, no cross-site tracking.

Where Your Data Lives

We believe you deserve to know exactly where your data is stored. Here is the full inventory:

DatabaseHosted in the United States (West Coast). Contains all account data, vehicles, builds, listings, corrections, and support messages.
File StorageCloud storage hosted in the United States (West Coast). Stores classified listing photos. Private by default; photos are served via temporary, expiring links.
ApplicationHosted in the United States. Serves the website and all application functionality.
AI ChatChat messages are processed in real time to generate responses. Messages are not permanently stored by the AI provider. Chat history exists only in your browser session.
AuthenticationSession tokens are stored in secure, HTTP-only cookies. Google sign-in uses standard OAuth 2.0. No credentials are stored in your browser's local storage.
AnalyticsGoogle Analytics — aggregate, anonymized traffic data only. No personally identifiable information is sent. Can be blocked by ad-blockers.
Email NotificationsUsed only for chassis watch alerts you opt into. No marketing emails, ever.

No data leaves the United States. We do not use any EU, APAC, or other regional data centers. If this changes, we will update this page first.

How We Protect It

  • Passwords are securely hashed using industry-standard one-way algorithms — never stored in plaintext or reversible form.
  • All traffic is encrypted in transit via HTTPS with strict transport security enforced.
  • Modern security headers are active on every response to protect against common web vulnerabilities.
  • Every request enforces authentication and ownership checks — you can only access your own data.
  • Admin access requires multiple layers of verification.
  • API keys are stored as one-way hashes; you see the key exactly once at creation.
  • Rate limiting is active on authentication and API endpoints to prevent abuse.
  • Uploaded photos are served via temporary, expiring links — no permanent public URLs.
  • Error messages shown to users are generic; internal details are never exposed.

Third-Party Services

The complete list of external services that touch your data:

  • Google — if you choose “Sign in with Google”, Google provides your name, email, and profile picture. We do not request any additional permissions. Google Analytics is used for anonymous, aggregate traffic data only — you can opt out entirely.
  • Infrastructure providers — we use US-based cloud services for hosting, database, file storage, AI chat processing, and email notifications. All data stays within the United States.

That is it. We do not use any advertising networks, tracking pixels (besides Google Analytics), social media embeds, CDNs that log user data, or third-party analytics beyond Google.

What We Will Never Do

  • Sell, rent, or trade your personal data to anyone, for any reason.
  • Send marketing emails. The only emails we send are chassis watch alerts you explicitly subscribe to.
  • Export user data to personal email addresses or external services not listed above.
  • Store passwords in plaintext or use reversible encryption for credentials.
  • Use your vehicle data, garage builds, or chat conversations for advertising or profiling.
  • Share individual user data with other users unless you explicitly post it (classifieds, corrections).

Your Rights & Contact

You can:

  • Access all your data through your account dashboard (garage, builds, classifieds, corrections).
  • Delete individual items (vehicles, builds, listings) at any time through the UI.
  • Request full account deletion by contacting us via the support page. We will delete your account and all associated data within 30 days.
  • Export your data on request — contact us through support and we will provide a JSON export of your account data.
  • Opt out of analytics by using any ad-blocker or the Google Analytics opt-out browser extension.

For any privacy-related questions or requests, use the support page and select a privacy-related subject. We aim to respond within 7 days.

If we make material changes to this policy, we will update the “Last updated” date at the top and, where practical, notify users via the support page or in-app banner. We will not retroactively weaken protections without explicit consent.