Privacy Policy - report.VIN

privacyPolicy.lastUpdated

1. Data Controller

2. What data we process

Technical data and logs: IP address, request date and time, identifiers, User-Agent, referrer, response status, error/security events.
Report query data: entered VIN and/or registration plate and request metadata (IP, timestamp) – solely for query handling and short-term caching; cache does not include user-identifying data.
Transactional data (when purchasing a report): email for report delivery, billing data (e.g., first and last name/company name, address, tax ID – when required for the invoice), payment data (identifiers/tags from the payment system).
Communication: email/phone address and correspondence content if you contact us.

We do not register accounts or newsletters. We do not use marketing cookies.

3. Purposes and legal bases

Service execution – acceptance of the inquiry, generation and delivery of the report, handling payments and any complaints: Article 6(1)(b) GDPR.
Legal obligations – accounting and tax settlements (invoices, accounting documents): Article 6(1)(c) GDPR.
Legitimate interest – security (anti-abuse, rate-limit), diagnostics, short-term cache, simple statistics without profiling, correspondence, and claims investigation/defense: Article 6(1)(f) GDPR.
Sources of vehicle data (Article 14 GDPR) – technical/incident data are obtained from cooperating automotive information providers and publicly available sources solely for the purpose of generating the report; as a rule, these do not include data identifying individuals.

We do not conduct direct marketing, remarketing, or user profiling.

4. Data sources and report content

VIN/license plate is provided by the user. Vehicle data is obtained from cooperating automotive information providers and publicly available sources solely to generate the report. The report may include data about events and vehicle history; it generally does not include data identifying individuals.

5. Cookies and browser technologies

We use only files essential for the service operation (e.g., session, language preferences, fraud protection) and short-term storage for caching. You can manage Cookies in your browser settings; disabling them may limit functionality. We do not use marketing cookies.

6. Data recipients

Hosting/CDN and protection (e.g., Cloudflare) – logs, network traffic, cache without users' personal data.
Payment operator (disclosed during payment) – transaction settlement.
Vehicle data providers – solely VIN/plate and query parameters necessary to obtain technical data.
IT/email service providers, accounting, legal advisors – to the extent necessary to provide services or fulfill obligations.

These entities act as processors or independent controllers – in accordance with contracts and/or standard contractual clauses (SCC).

7. Transfers outside the EEA

Due to supplier infrastructure, technical data may be processed outside the EEA (including in the USA). We apply appropriate safeguards (SCCs, technical and organizational measures).

8. Retention periods

Technical/security logs: up to 90 days (or longer if resulting from claims determination/investigation).
Query results cache: until the set TTL expires or manual invalidation.
Transactional and billing data: for the period required by accounting and tax regulations (generally 5 years from the beginning of the year following the financial year).
Correspondence: up to 6 years from the end of communication or until effective objection (if based on Art. 6(1)(f)).

9. Your rights

You have the right to request: access to data, copies, rectification, deletion, restriction of processing, data portability, and objection to processing based on Art. 6(1)(f) GDPR.

You may file a complaint with the President of the Personal Data Protection Office (ul. Stawki 2, 00-193 Warsaw, uodo.gov.pl).

Requests are handled at: pomoc(at)autoiso.pl.

10. Voluntariness of data

Providing VIN/license plate is voluntary but necessary to generate the report. Providing billing data is required by regulations for transactions/invoices.

11. Automated decisions

We do not make fully automated decisions with legal effects regarding you. Report generation is technical processing of vehicle data without user profiling.

12. Security

We apply appropriate technical and organizational measures (including network protection, access control, TLS transmission encryption, event logging, edge protection).

13. Indexing by search engines/AI

Public service content may be indexed by search engines and AI systems in accordance with the robots.txt file and fair use policies.

14. Policy changes

We may update the Policy in case of legal changes, functionalities, or suppliers. Changes are published with a new date.

Report.VIN – how we protect your data