Privacy Policy

Effective date: May 22, 2026

Privacy questions? Email support@stackdrive.io

1. Who We Are

StackDrive Inc. ("StackDrive," "we," "us," or "our") is a corporation incorporated in Quebec, Canada, that operates an automotive CRM platform for car dealerships. This Privacy Policy explains how we collect, use, disclose, and safeguard information when dealerships and their personnel use the StackDrive platform at https://app.stackdrive.io and the StackDrive website at stackdrive.io (collectively, the "Service").

StackDrive is a business-to-business service. Our direct customers are automotive dealerships and dealer groups ("Customers" or "you"), not individual consumers. This Policy governs our relationship with you as a Customer.

2. Data We Collect

We collect different categories of data depending on how you interact with us:

2.1 Account and Registration Data

When you create a StackDrive account, we collect information about your dealership and the individuals who register, including:

• Business name, address, and dealership information
• Name, job title, and email address of the account owner and Authorized Users
• Phone number (optional, for support purposes)
• Billing information (credit card or payment details, processed securely by our payment processor — we do not store full card numbers)
• Subscription plan selection and billing history

2.2 Customer Data (Your Leads and Contacts)

As you use the platform, you upload, import, or create records that contain information about your dealership's leads and customers ("Customer Data"). This may include:

• Consumer names, email addresses, phone numbers, and mailing addresses
• Vehicle preferences, trade-in vehicle information, and purchase history
• Lead source, lead status, and notes entered by your sales team
• Communication history between your dealership and its leads
• Any other information your team enters into the CRM

You are the controller of Customer Data. (Plain English: that data belongs to you and your dealership. We only process it to run your CRM — we do not use it for our own marketing or sell it to anyone.)

2.3 Usage and Technical Data

When you and your team use the Service, we automatically collect:

• Log data: IP addresses, browser type, pages visited, timestamps, and referring URLs
• Device information: hardware model, operating system, and screen resolution
• Feature usage data: which features you use, how often, and in what sequence
• Error and crash reports to help us identify and fix bugs
• Performance metrics to monitor and improve the Service

2.4 Cookies and Tracking Technologies

We use cookies and similar technologies on our website and within the application:

• Essential cookies: Required for the Service to function (e.g., maintaining your session, remembering your login).
• Analytics cookies: Help us understand how users navigate the Service so we can improve it (e.g., Vercel Analytics). These are aggregated and not used for cross-site advertising.
• Preference cookies: Remember your settings and preferences within the application.

You can configure your browser to refuse cookies or alert you when cookies are being sent. Note that disabling essential cookies may impair Service functionality.

2.5 Communications Data

If you contact our support team by email, chat, or phone, we retain records of those communications to resolve your issue and improve our support quality.

3. How We Use Your Data

We use the data we collect for the following purposes:

3.1 Service Delivery

• Providing, operating, and maintaining the CRM platform
• Processing your Customer Data to power the features you use (lead management, AI scoring, messaging sequences, trade-in evaluations, analytics)
• Managing your Account, subscription, and billing
• Authenticating users and enforcing security
• Sending transactional emails (account confirmations, invoices, password resets)

3.2 Customer Support

• Responding to your support tickets and questions
• Diagnosing and fixing technical issues in your Account
• Providing onboarding assistance and training

3.3 Product Improvement

• Analyzing aggregated, de-identified usage patterns to improve features and workflows
• Training and refining our AI models using aggregated or anonymized data (see Section 7 on AI processing)
• Conducting internal research and testing of new features
• Fixing bugs and improving reliability

3.4 Communications

• Sending product updates, feature announcements, and release notes
• Notifying you of changes to pricing, terms, or policies
• Sending renewal reminders and billing notifications

You may opt out of non-transactional marketing emails at any time by clicking "Unsubscribe" in any such email. You cannot opt out of transactional communications (e.g., invoices, security alerts) while your Account is active.

3.5 Security and Fraud Prevention

• Monitoring for unauthorized access, abuse, and security threats
• Investigating and responding to suspected violations of our Terms of Service
• Complying with legal obligations and law enforcement requests

3.6 Legal Compliance

• Meeting our obligations under applicable law
• Asserting or defending legal claims
• Responding to lawful requests from government authorities

4. We Do Not Sell Your Data

For purposes of the California Consumer Privacy Act (CCPA) and similar state laws, StackDrive does not "sell" or "share" personal information as those terms are defined in applicable law. We do not share Customer Data with third-party data brokers, advertising networks, or data aggregators.

5. How We Share Data

We share data only in the limited circumstances described below:

5.1 Service Providers (Sub-Processors)

We engage trusted third-party companies to help us operate and improve the Service. These service providers act as processors on our behalf and are contractually obligated to protect data and use it only for the purposes we specify. Categories of service providers include:

• Cloud infrastructure: Hosting and data storage (e.g., Vercel, cloud database providers)
• Payment processing: Billing and payment collection (e.g., Stripe) — payment processors receive billing information but not your Customer Data
• Email delivery: Transactional email services for account communications
• AI and machine learning infrastructure: Third-party AI API providers that power AI Features (see Section 7)
• Analytics: Aggregated product usage analytics (e.g., Vercel Analytics)
• Customer support tools: Help desk and ticketing software
• Market data providers: Third-party vehicle valuation data used for trade-in estimates

We do not share Customer Data (your leads' personal information) with service providers unless it is strictly necessary to deliver the features you have enabled.

5.2 Legal Requirements

We may disclose data if required to do so by law, subpoena, court order, or government request. To the extent permitted by law, we will attempt to notify you before disclosing your data in response to a legal demand.

5.3 Business Transfers

In the event of a merger, acquisition, bankruptcy, or sale of all or substantially all of our assets, Customer Data and Account data may be transferred to the successor entity. We will notify you of any such transfer and the successor will be bound by privacy commitments no less protective than those in this Policy.

5.4 With Your Consent

We may share data with third parties for purposes not described in this Policy if we have your explicit written consent to do so.

5.5 No Advertising Networks

We do not share any data — yours or your customers' — with third-party advertising networks, social media platforms for targeting purposes, or data brokers.

6. Customer Data — Your Dealership Is the Controller

When you upload or generate records containing your customers' and leads' personal information into StackDrive, your dealership is the data controller (the party that determines the purpose and means of processing), and StackDrive is the data processor (we process the data on your behalf, at your direction, using the tools you configure). (Plain English: it is your data. You are responsible for it. We process it only to power your CRM.)

As the data controller, your dealership is responsible for:

• Having a lawful basis to collect and use your customers' personal information
• Providing your customers with appropriate privacy notices explaining how their data is used and that a third-party CRM system processes it
• Responding to consumer privacy rights requests (deletion, access, correction) relating to data in your CRM — we will assist you in fulfilling requests for data stored in the Service
• Obtaining proper consent before sending marketing or automated communications through the platform

StackDrive will process Customer Data only on your instructions as expressed through your use of the platform, and will not process it for any other purpose without your authorization, except as required by applicable law.

7. AI Features and Data Processing

StackDrive's AI Features — including lead scoring, AI-drafted messages, and predictive analytics — are powered by machine learning models. Here is how data flows through those features:

7.1 What Data AI Features Process

When you use AI Features, the relevant Customer Data fields (such as lead attributes, communication history, or message content you request the AI to draft) are submitted to AI processing systems. This may include data processed by third-party AI API providers (such as large language model providers) under service agreements that prohibit them from using your data for their own model training.

7.2 How We Use Data to Improve AI

We may use aggregated, de-identified, or anonymized usage data to improve our AI models and features. We do not use identified Customer Data (data that can be linked to a specific individual consumer of your dealership) to train AI models without your explicit consent.

7.3 AI Output Is Not Guaranteed

AI-generated outputs are probabilistic and may contain errors. As described in our Terms of Service, you are responsible for reviewing all AI-generated content before using it and for ensuring it is accurate and compliant with applicable law.

7.4 Third-Party AI Providers

We require our third-party AI API providers to: (a) maintain appropriate security measures; (b) process data only to provide the contracted service; and (c) not use submitted data for their own model training or commercial purposes beyond service delivery.

8. Data Retention

8.1 While Your Account Is Active

We retain Account data and Customer Data for as long as your subscription is active or as needed to provide you the Service.

8.2 After Cancellation

Following cancellation of your subscription, we retain your Customer Data for thirty (30) days to allow you to export it. After this period, we will delete or anonymize Customer Data from our production systems. Backup copies may persist for an additional period consistent with our backup rotation schedule (typically up to ninety (90) days) before being permanently deleted.

8.3 Account and Billing Data

Account and billing records may be retained for longer periods as required by accounting standards, tax law, or to resolve disputes (typically seven (7) years for financial records).

8.4 Legal Holds

We may retain data beyond the periods described above if required to do so by law, court order, or to preserve evidence for pending or anticipated litigation.

9. Security Measures

We implement commercially reasonable technical and organizational security measures to protect data against unauthorized access, disclosure, alteration, and destruction. These measures include:

• Encryption of data in transit using TLS (HTTPS)
• Encryption of data at rest in our database infrastructure
• Role-based access controls limiting who within StackDrive can access your data
• Regular security assessments and monitoring
• Vendor security reviews for service providers who handle Customer Data

No method of transmission over the internet or electronic storage is 100% secure. While we work diligently to protect your data, we cannot guarantee absolute security. If we become aware of a data breach that affects your Account in a material way, we will notify you as required by applicable law.

You are also responsible for implementing appropriate security measures on your end, including using strong passwords, enabling multi-factor authentication where available, and promptly revoking access for departed employees.

10. California Privacy Rights (CCPA / CPRA)

If you are a California resident — or if you represent a dealership whose customers include California residents — the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), may apply.

10.1 StackDrive's Role Under CCPA

For Customer Data (your leads' and customers' personal information): StackDrive acts as a service provider under CCPA. We process that data pursuant to our contract with you (the business) and are prohibited from selling or sharing it, or using it for any purpose other than providing the contracted services.

For Account data of California-resident individuals who use the platform as Authorized Users of a Customer: StackDrive acts as a business and the following rights apply.

10.2 California Rights

California residents have the right to:

• Know what personal information we collect, use, disclose, sell, or share
• Delete personal information we hold about them, subject to certain exceptions
• Correct inaccurate personal information
• Opt out of the sale or sharing of personal information (we do not sell or share personal information, so there is nothing to opt out of)
• Non-discrimination — we will not discriminate against you for exercising your CCPA rights
• Limit use of sensitive personal information (we do not use sensitive personal information beyond what is necessary to provide the Service)

10.3 How to Exercise California Rights

To submit a verifiable CCPA rights request, email support@stackdrive.io with the subject line "CCPA Privacy Request." We will respond within forty-five (45) days, with an additional forty-five (45) days available if needed with notice. We may need to verify your identity before fulfilling a request.

10.4 Shine the Light

California Civil Code Section 1798.83 ("Shine the Light" law) permits California residents to request once per year certain information about our disclosure of personal information to third parties for direct marketing purposes. Since we do not disclose personal information to third parties for their own direct marketing purposes, this law does not require any additional disclosures from us.

11. International Transfers and GDPR

StackDrive is a Canada-based service primarily designed for North American automotive dealerships. We do not actively market to or serve customers in the European Economic Area (EEA), the United Kingdom, or Switzerland.

If, however, you operate a dealership that processes personal data of individuals located in the EEA or UK (for example, if you sell to European nationals visiting the U.S.), the General Data Protection Regulation (GDPR) or UK GDPR may apply to your processing activities. In that case, you — as the data controller — are responsible for ensuring that your use of StackDrive is compliant with GDPR, including maintaining appropriate data processing agreements and transfer mechanisms.

If your dealership requires a Data Processing Agreement (DPA) for GDPR compliance purposes, please contact us at support@stackdrive.io.

12. Children's Privacy

The Service is intended for use by business professionals at automotive dealerships. It is not directed at, and we do not knowingly collect personal information from, individuals under the age of 18. If you believe a minor has submitted personal information to us without authorization, please contact us at support@stackdrive.io and we will promptly delete that information.

13. Other State Privacy Laws

Several U.S. states have enacted comprehensive consumer privacy laws, including Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and others. To the extent these laws apply to personal information processed through the Service, StackDrive operates as a processor (or equivalent) acting on your instructions as the controller (or business). Your dealership is responsible for ensuring your use of the Service complies with any applicable state privacy law.

We are committed to cooperating with you to fulfill your obligations under applicable state privacy laws, including by providing data deletion, access, and portability assistance upon request.

14. Links to Third-Party Services

The Service may contain links to or integrations with third-party websites or services. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party service you connect to StackDrive, such as your DMS provider or telephony platform.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email to your registered address and by posting a notice within the Service at least fourteen (14) days before the change takes effect. We will update the "Effective date" at the top of this page for any change.

Your continued use of the Service after the updated Policy takes effect constitutes acceptance of the revised Policy. If you do not agree to a material change, you may cancel your subscription before it takes effect.

16. How to Contact Us

For any privacy-related questions, rights requests, or concerns, please contact us:

• Email: support@stackdrive.io
• Subject line for privacy requests: "Privacy Request — [your company name]"
• Mailing address: StackDrive Inc., [ADDRESS], Quebec, Canada

We will respond to verifiable privacy requests within the timeframes required by applicable law (typically 30–45 days).

© 2026 StackDrive Inc. All rights reserved. · Effective: May 22, 2026