Overview
SportsCarLog ("we", "us", "our") operates sportscarlog.com. This page explains what data
we collect, how we use it, and your rights regarding that data. We believe in being
straightforward: we collect only what's necessary to provide the service, and we never
sell your data.
Information We Collect
Account Information
When you create an account, we collect:
- Email address — used for authentication (magic links) and
account identification.
- Display name and avatar — provided optionally by you or
imported from Google if you sign in with Google.
- Google account identifier — if you choose to sign in with
Google, we store a unique identifier to link your Google account.
Vehicle and Activity Data
You may choose to store the following information in your account:
- Vehicle details (year, make, model, trim, VIN, color, mileage, purchase date, notes)
- Maintenance records (date, type, mileage, cost, notes)
- Event records (date, type, mileage, notes)
- Photos and receipt images
This data is provided voluntarily by you and is used solely to provide the service.
Automatically Collected Data
- Session data — we store a session token (hashed), your IP address,
and user agent to maintain your login session. Sessions expire after 30 days of inactivity.
- Server logs — standard HTTP access logs including IP address,
request path, status code, and timestamp. These are used for security monitoring and
debugging.
How We Use Your Information
- To provide and maintain the SportsCarLog service
- To authenticate your identity via magic link emails or Google OAuth
- To process receipt images using AI for data extraction (images are sent to Google's
Gemini API for processing)
- To monitor for security threats and abuse
What We Don't Do
- We do not sell your personal information to third parties.
- We do not serve advertisements.
- We do not use tracking pixels or third-party analytics.
- We do not share your vehicle data with anyone.
Third-Party Services
We use the following third-party services:
- Google OAuth (optional) — if you choose to sign in with Google,
your authentication is handled by Google's OAuth service.
- Google Gemini API — receipt images are sent to Google's Gemini
AI model for text extraction. Images are processed and not retained by Google beyond
the API request.
- Google reCAPTCHA — used to protect the magic link login from
automated abuse.
- Resend — used to deliver magic link emails to your address.
Data Security
We take reasonable measures to protect your data:
- Passwords are never stored — authentication uses cryptographic tokens.
- Session tokens are hashed with SHA-256 before storage.
- All connections use HTTPS in production.
- CSRF protection is applied to all state-changing requests.
- Rate limiting is used to prevent abuse.
- Security headers (CSP, HSTS, X-Frame-Options) are set on all responses.
Cookies
We use a single essential cookie:
- session — an HttpOnly, Secure, SameSite=Lax cookie that
maintains your login session. No tracking cookies, no analytics cookies.
Data Retention
- Your account and vehicle data are retained as long as your account is active.
- Sessions expire after 30 days of inactivity and are cleaned up automatically.
- Server logs are retained for security monitoring purposes.
Your Rights
You may request to:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your account and all associated data
To exercise these rights, contact us at the email below.
Contact
For privacy-related questions or requests, email us at
[email protected].
Changes to This Policy
We may update this privacy policy from time to time. Changes will be posted on this
page with an updated revision date.