DealerVLO
Sign inStart free trial

Privacy Policy

Effective date: May 25, 2026

1. Who we are

DealerVLO (“DealerVLO,” “we,” “us,” or “our”) provides a software-as-a-service platform for used-vehicle dealerships to manage inventory, customers, deals, sales documents, and a public-facing dealer website. This Privacy Policy explains what information we collect, how we use it, and the choices you have.

2. Information we collect

From dealerships (our direct customers)
  • Account: name, email, password (hashed by our authentication provider)
  • Dealership: legal name, DBA, license number, tax ID, address, phone, email, hours, logo, brand colors
  • Billing: handled by Stripe; we receive only metadata (last 4 digits, expiration, customer ID), never full card numbers
  • Settings and preferences you configure within the Service
From dealership data entry
  • Customer records you create: customer names, addresses, phone numbers, email addresses, dates of birth, and driver's license numbers. Driver's license numbers are encrypted at rest using AES-256-GCM.
  • Vehicle inventory: VINs, year/make/model/specs, photos you upload, descriptions
  • Deal records: pricing, finance terms, trade-in information, generated documents
From end-customers (visitors to dealer websites)
  • Contact-form submissions: name, email, phone, optional message, vehicle of interest
  • We do not place tracking, analytics, or advertising cookies on dealer websites
Automatically
  • Log data for security and debugging: IP address, browser, requested URL, timestamp
  • Authentication cookies required for the CRM to remember you between requests

3. How we use information

  • To operate, maintain, and improve the Service
  • To authenticate users and protect accounts
  • To process subscriptions and billing
  • To populate the legal sale documents (Bill of Sale, RMV-1, Buyers Guide, Odometer Disclosure) from your deal data
  • To host and display each dealership's public website using inventory and customer-facing information you enter
  • To communicate about your account, security alerts, and material Service changes
  • To comply with legal obligations

We do not use customer data to train machine-learning models or sell it to third parties.

4. How we share information

We share information only with the following sub-processors, each contractually obligated to protect it:

  • Supabase — database, authentication, file storage. US data centers.
  • Stripe — payment processing. PCI-DSS Level 1 certified.
  • Vercel — application hosting and edge delivery.
  • NHTSA vPIC — public US government VIN-decode API. Only the VIN is transmitted; no PII.

We do not sell personal information.

We may disclose information if required by a valid legal process (subpoena, court order) or to protect the rights, property, or safety of DealerVLO, our users, or the public.

5. Data retention

  • Account data is retained for the life of the account.
  • Customer, vehicle, and deal data is owned by the dealership; the dealership can export or delete it at any time.
  • Generated sale documents are retained as a versioned audit trail per deal.
  • After account deletion, your data is removed from active systems within 30 days. Backups are rotated within 60 days.
  • We may retain limited records (e.g. invoices) longer where required by law.

6. Security

  • HTTPS / TLS for all data in transit
  • AES-256-GCM encryption at rest for sensitive PII (driver's license numbers)
  • Password hashing handled by our authentication provider (bcrypt)
  • Generated documents stored privately; download links are short-lived signed URLs
  • Regular dependency updates and security patches
  • Role-based access within each dealership (OWNER, ADMIN, SALES, FNI)

No system is perfectly secure. We will notify affected users without undue delay if we become aware of a personal-data breach affecting their information.

7. Your rights

You may, at any time:

  • Access and download your data via the Service
  • Correct or update your information from within the application
  • Request deletion of your account and associated data
  • Ask us a question about your data by contacting us at the email below

California residents: the CCPA grants you the right to know what personal information we collect, to delete it, and to opt out of any sale (we do not sell).

EU/UK residents: the GDPR grants you the rights of access, rectification, erasure, restriction, portability, and objection. Our legal basis for processing is contract performance (operating the Service you subscribed to) and legitimate interest.

8. Cookies

We use only cookies that are strictly necessary to operate the Service — primarily authentication session cookies. We do not use tracking, analytics, or advertising cookies on the dealer-facing website or on dealer-owned public sites we host.

9. Children's privacy

The Service is intended for use by licensed motor-vehicle dealerships and is not directed to children under 16. We do not knowingly collect personal information from children. If you believe we have, please contact us so we can delete it.

10. International users

DealerVLO is operated from the United States. By using the Service, you understand your information may be processed in the United States, where data-protection laws may differ from those in your country.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to account owners and posted here with an updated effective date. Continued use of the Service after a change constitutes acceptance.

12. Contact us

Questions, requests, or complaints about this Privacy Policy:

privacy@dealervlo.com
DealerVLO