Privacy Policy
Effective date: June 26, 2026 · Service: CarAtoZ ("we", "our", "us") · Contact: official.cara2z@gmail.com
CarAtoZ is a car-service booking platform operated at cara2z.com and via the CarAtoZ Android & iOS apps (the "Service"). This policy explains what we collect, how we use it, and your choices.
1. Information we collect
- Account information: your full name, mobile number, and (optionally) email when you register or sign in via OTP.
- Vehicle information: car make, model, variant, registration number, and odometer readings you enter while booking a service or using Smart Service Check.
- Booking information: service center selected, service type, preferred date/time slot, pickup/drop address (when applicable), service notes, and the final bill amount once the service center marks the booking complete.
- Location: approximate device location used only to find the nearest service center via Quick Book. Location is requested per-session; we do not track location in the background.
- Device & technical data: IP address, browser/app version, operating system, and a Firebase Cloud Messaging (FCM) push token used to deliver booking-status notifications. The push token is anonymous and cannot identify your device's IMEI/MAC.
- Communication: SMS OTP codes sent via Firebase Phone Authentication; we never store the OTP itself.
2. How we use your information
- To create and authenticate your account (phone-based OTP).
- To match you with verified service centers based on your location and chosen service.
- To process bookings, share necessary details (your name + mobile + vehicle) with the chosen service center, and send you booking-status updates.
- To send transactional push notifications (booking confirmed, in progress, completed, reminders).
- To improve the Service — anonymised usage patterns, not individually identifying data.
- To comply with legal obligations.
3. Who we share information with
We share only the minimum data needed to provide the Service:
- Service centers you book with — your name, mobile number, vehicle make/model/registration, and preferred slot. They use this to fulfil your appointment.
- Google Firebase — Phone Authentication (OTP delivery) and Cloud Messaging (push delivery). Subject to Firebase's privacy terms.
- Google Maps Platform — when you use Quick Book or the in-app directions feature. Subject to Google's privacy policy.
- Hostinger — our database is hosted on Hostinger's infrastructure in India.
We never sell your data. We never share with advertisers or analytics resellers.
4. Data retention
- Booking records are retained for 7 years to comply with consumer-protection records requirements.
- Push notification tokens are deactivated automatically when the app is uninstalled.
- You may delete your account at any time — see Section 7.
5. Children
The Service is intended for users 18 years and older. We do not knowingly collect data from anyone under 18. If you believe a minor has registered, contact us at official.cara2z@gmail.com and we will delete the account.
6. Security
We use HTTPS for all transit; passwords (when present) are bcrypt-hashed; OTPs expire in 5 minutes; sessions use HTTP-only secure cookies; and our Firebase service-account credentials are never exposed client-side.
7. Your rights
- Access — request a copy of the personal data we hold about you.
- Correction — update your profile, vehicles, or contact details from the app's Profile section, or email us.
- Deletion — email official.cara2z@gmail.com with the subject "Delete my account". We will permanently delete your account and all linked bookings within 30 days, except where retention is required by law.
- Push notifications — disable any time from your phone's Settings → Apps → CarAtoZ → Notifications.
- Location — revoke at the OS level any time; the Quick Book feature simply asks again next time.
Quick deletion shortcut — open the CarAtoZ app, go to Profile → tap Logout, then email us. Once we confirm the email matches the registered mobile, deletion proceeds. There is no fee.
8. International transfers
Firebase and Google Maps services may process your data on servers outside India under standard contractual clauses. We do not transfer data outside the protections of the GDPR or India's DPDP Act.
9. Changes to this policy
We may update this policy when we add features. Material changes will be notified in-app and via email. The "Effective date" at the top always reflects the current version.
10. Contact
For any privacy question: official.cara2z@gmail.com
