Privacy Policy
Version 1.0 — Effective May 2026
1. Who we are
MyGarageStory is a personal vehicle-management web app, available at https://mygaragestoryapp.com. In this policy, "MyGarageStory", "we", "our" and "us" refer to the team operating the service. Contact us any time at [email protected].
2. Information we collect
We collect information you provide directly:
- Account details — username, email, password (stored as a salted hash, never in plain text). Display name, bio, favourite brands and avatar are optional.
- Vehicle data — make, model, year, VIN, licence plate, ownership dates and purchase / sale price you enter for each car, motorcycle, truck or work machine.
- Cost records — purchase, fuel, service and sale entries with amounts and dates.
- Reminders — service, registration and insurance reminder configurations.
- Inspections and watchlist entries — vehicles you are considering buying, with notes and the photos you upload.
- Uploaded files — vehicle gallery images, profile avatar, inspection photos, and private documents (registration scans, insurance PDFs, etc.).
- My Story exports — when you generate a Passport / Hero Poster / Calendar / Timeline image, the rendered PNG is stored on our server. Sharing is opt-in (see § 7).
If you sign in with Google, we receive your name and email address from Google. We never receive your Google password.
We also automatically collect:
- Technical logs — IP address, browser user-agent, timestamps of requests. Used for security (rate-limiting failed logins, blocking abuse) and debugging.
- Lightweight usage events — which features you opened on a given day. Used to unlock in-app milestones and to compute aggregate product metrics.
3. How we use your data
- To run the service: display your vehicles, calculate costs, fire reminders, generate exports.
- To secure your account: detect failed-login bursts and lock the source IP for one hour.
- To compute and unlock milestones / achievements visible only to you.
- To compute aggregated product metrics (e.g. "how many users created at least one reminder this month"). These metrics contain no personally-identifying detail.
We do not use your data to train AI models, sell it to advertisers, or share it with data brokers.
4. Legal basis (GDPR, where applicable)
| Purpose | Legal basis |
|---|---|
| Running the account and the service | Performance of a contract with you |
| Security logging, failed-login lockout | Legitimate interest in protecting accounts |
| Email communication tied to your account (password reset, important changes) | Performance of a contract |
| Aggregated product metrics | Legitimate interest in improving the product |
| Anything we add later that requires it (e.g. third-party analytics) | Your explicit, prior consent — we will re-prompt you |
5. Cookies and similar technologies
See the dedicated Cookie Policy. Essential cookies (session, CSRF, brute-force protection) are always set. Preferences and analytics categories are opt-in.
6. Third-party services
- Google — only if you choose Sign-in with Google. Google's terms apply to the authentication flow; we only receive your name and email.
- Pixabay — used server-side to fetch a representative image for watchlist recommendation cards. Pixabay does not see your browser request or set any cookie in your browser.
- Hosting — the application and database run on a secure cloud infrastructure provider.
- Email — outgoing email (password reset, verification) is sent through a transactional email provider.
We currently do not use Google Analytics, Microsoft Clarity, Meta Pixel, or any other third-party analytics or advertising trackers. If we add one, we will update this policy and ask for your consent first.
7. Public sharing
When you generate a Passport / Hero Poster / Calendar / Timeline export and click "Share", we create a public link with a long random token (192 bits of entropy — not guessable). Anyone with that link can view the rendered image. You can disable the link at any time from the My Story page; once disabled, the link returns 404 to subsequent visitors.
We strongly recommend not sharing exports that contain information you wouldn't want public — the link is a public URL.
8. Data retention
- Account and vehicle data — kept while your account is active.
- Uploaded files — kept while your account is active or until you delete the parent record.
- Disabled share links and their files — kept for archival but unreachable. May be purged periodically.
- Server logs — kept for up to 90 days, then deleted.
- Backups — full backups of the database are kept for up to 30 days.
When you delete your account, your data is removed from the live database immediately and from backups within the retention window above.
9. Your rights
If you are in the EEA, UK, Switzerland or another GDPR-aligned jurisdiction, you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectify — correct anything inaccurate (most fields can be edited directly in your profile).
- Erase — delete your account and all associated data, via Profile → Delete Account, or by writing to [email protected].
- Restrict / object — limit or object to certain processing.
- Portability — export your data in a machine-readable format (write to [email protected]).
- Withdraw consent — for anything you previously opted into.
- Lodge a complaint with your local data-protection supervisory authority.
We will respond to a verified request within 30 days.
10. Security
- HTTPS only in production; sessions and CSRF cookies are marked Secure + HttpOnly + SameSite=Lax.
- Passwords are stored as PBKDF2-SHA-256 hashes (Django default).
- Failed logins are rate-limited per IP via django-axes (lockout after 5 attempts).
- The admin area is hidden behind an obfuscated URL prefix and an optional IP allowlist.
- All user-owned data is filtered by `owner=request.user` at the SQL layer — there is no per-user data leak even if you change an ID in a URL.
- Private documents are served only through an auth-gated download view that checks ownership.
No system is perfectly secure. If you discover a vulnerability, please report it confidentially to [email protected].
11. Children
The service is not directed to children under 16. Do not create an account if you are under the minimum digital-consent age in your country.
12. International transfers
Your data is hosted in a region within our cloud-infrastructure provider's network. If you access the service from outside that region, your data is transferred to our servers under appropriate safeguards consistent with applicable data protection law.
13. Changes to this policy
We will update the version number and effective date when this policy changes. Material changes will also be communicated in-app.
14. Contact
Privacy questions? Write to [email protected].