MotorHub

Privacy Policy

MOTORHUB PRIVACY POLICY

Last Updated: March 16, 2026
Effective Date: March 16, 2026

==============================
1. CONTROLLER AND SCOPE
==============================

Andrea Vaiuso
St. Gallerstrasse 73
8400 Winterthur
Switzerland
Email: vaiu-app-assistance@outlook.com

Andrea Vaiuso is the controller responsible for the processing of personal data described in this Privacy Policy.

If Article 27 GDPR requires us to appoint a representative in the European Union and no exemption applies, the representative's contact details will be published here once appointed.

This Privacy Policy applies to personal data processed through the MotorHub mobile application, the MotorHub backend, and related support and moderation tools.

This document is intended to explain data processing only. Contractual topics such as license scope, acceptable use, payments, liability, intellectual property, governing law, and similar non-privacy terms are addressed in the MotorHub EULA, not in this Privacy Policy.

MotorHub aims to process personal data in accordance with applicable data protection laws, including the Swiss Federal Act on Data Protection (nFADP) and, where applicable, the EU General Data Protection Regulation (GDPR).

==============================
2. WHAT MOTORHUB DOES
==============================

MotorHub is a mobile platform for vehicle owners and automotive enthusiasts. Depending on the features you choose to use, the Service lets you:
- sign in with Apple and manage an account
- create a profile and interact with other users
- create, browse, and report marketplace listings
- create, join, and manage events and circuits
- post in the forum and community areas
- share selected garage vehicles with friends
- create retailer profiles and sponsorship content
- use optional AI-assisted mechanic features
- enable optional push notifications, location-based nearby features, and iCloud synchronization

==============================
3. SOURCES OF PERSONAL DATA
==============================

We collect personal data from the following sources:

3.1 Directly from you
This includes data you enter in the app or upload through the Service, such as your profile data, listings, posts, event details, retailer information, messages sent to the AI mechanic feature, and uploaded media.

3.2 From Apple
If you use Sign in with Apple, Apple provides us with authentication data such as your Apple unique identifier (`apple_sub`), the email address associated with your Apple ID or Apple relay email, and, on first sign-in, the name fields Apple makes available.

If you buy subscriptions or in-app purchases, Apple also provides transaction and entitlement information needed to verify your subscription status, renewals, refunds, revocations, and related billing events.

If you enable push notifications, Apple routes push delivery through APNs. If you enable iCloud sync, Apple processes the synced data through CloudKit in your private iCloud container.

3.3 From your device and app usage
We receive technical and security data generated when the app communicates with our backend, such as IP address, request metadata, session data, timestamps, device push token, and error or abuse-prevention signals.

If you choose nearby-search features, the app may send coordinates from your device in order to return nearby sponsors, events, or similar results. If you use Apple geocoding helpers, the address or coordinates you enter may also be sent from your device to Apple to resolve a place.
3.4 From other users
Other users can generate data about you, for example when they:
- send you a friend request
- invite you to an event
- mention, reply to, or react to your content
- report your content or account behavior

3.5 From automated systems and service providers
We may receive moderation classifications from Cloudflare Workers AI, entitlement verification results from Apple, and delivery or error status information from providers involved in notifications or email delivery.

==============================
4. DATA WE PROCESS AND WHETHER IT IS MANDATORY
==============================

4.1 Account and onboarding data
We process:
- Apple Sign-In identifier (`apple_sub`)
- Apple account email or relay email
- first name and last name if Apple provides them
- refresh/session token data and login timestamps
- username
- date of birth
- profile picture
- optional profile fields such as name, surname, country, interests, vehicle-type preference, garage-sharing preference, retailer flag, and push token
- internal account fields such as account role, trust level, and account status

Since we rely exclusively on OAuth 2.0 authentication, we do not store users’ secret authentication information such as passwords, passphrases, or private credentials. Authentication is performed by the external identity provider.

Mandatory for account access:
- Sign in with Apple authentication data is required to create and access a MotorHub account.
- Username, date of birth, and profile picture are required to complete onboarding.

If you do not provide this mandatory account data, you cannot sign in, complete onboarding, or use authenticated features that require an active profile.
Optional account/profile data:
- name and surname
- country
- interests and vehicle-type preference
- push token
- garage-sharing preference
- retailer status flag

If you do not provide optional profile data, the relevant personalization, visibility, social, retailer, or notification features may not work, but you may still use the rest of the Service.

4.2 Feature-specific data
If you choose to use a specific feature, we process the data needed for that feature. Examples include:
- marketplace listing data, vehicle or part details, price, contact details, location, and listing images
- event and circuit data, including titles, descriptions, dates, visibility settings, participants, invitations, coordinates, and images
- forum posts, comments, reactions, polls, bookmarks, attachments, and reports
- retailer data such as business name, address, geocoded coordinates, country, preferred brands, phone number, website, retailer type, and vehicle category
- sponsor data such as sponsor text, targeting criteria, location, radius, visibility settings, and sponsor image
- shared garage metadata and optional shared vehicle image
- AI mechanic prompts, conversation history you choose to continue, and any vehicle/service context you choose to attach

For these features, the data requested in the relevant form or endpoint is mandatory for that feature. If you refuse to provide it, you can still use the rest of MotorHub, but you may not be able to create, save, publish, or use that feature.

4.3 Subscription and entitlement data
We process App Store transaction identifiers, product identifiers, subscription tier, purchase dates, expiration dates, renewal or revocation status, verification timestamps, and environment information in order to manage paid features.

This data is mandatory if you want us to unlock paid features or verify your subscription.
If you do not provide or allow the relevant Apple transaction data, we cannot activate or verify the subscription-dependent parts of the Service.

4.4 Safety, moderation, and enforcement data
We process:
- user reports and report reasons
- moderation states and moderation reasons
- automated moderation classifications
- trust level
- account status
- admin review history

This processing is necessary to operate a moderated community. If you use user-generated content features, you cannot opt out of the safety and enforcement processing that is reasonably necessary to run those features.

4.5 Technical and local-only or device-controlled data
The app may also process data that is primarily local to your device or under your direct control, including:
- local garage and service records stored on your device
- optional iCloud-synced garage data in your private CloudKit container
- optional location queries used for nearby search features
- optional OCR images sent directly from your device to Google Cloud Vision if you configure your own Google API key

Where these features are optional, refusing them does not stop you from using the core Service, but the affected feature will be limited or unavailable.

==============================
5. HOW WE USE PERSONAL DATA AND LEGAL BASIS
==============================

Where GDPR applies, we rely on the following legal bases for the corresponding processing operations:

5.1 Performance of a contract or steps taken at your request (Art. 6(1)(b) GDPR)
We rely on this basis to:
- authenticate you with Sign in with Apple
- create and maintain your account and sessions
- complete onboarding and maintain your profile
- publish and manage listings, events, circuits, forum content, retailer data, sponsor content, and shared garage data
- process your AI mechanic requests and return answers
- verify subscriptions and enforce feature limits linked to your plan
- deliver service functionality you actively request, such as friend requests, invitations, or shared content visibility
- process account deletion requests

5.2 Legitimate interests (Art. 6(1)(f) GDPR)
We rely on this basis to:
- secure the Service, prevent abuse, spam, fraud, and unauthorized access
- run rate limiting, logging, debugging, and service reliability measures
- moderate content and investigate reports
- temporarily flag or hide content that appears unsafe or receives multiple reports
- maintain trust levels, moderation records, and enforcement history
- review, defend, or enforce our rights and the safety of the Service
- send moderation or account-status notices where necessary to protect the platform and users

Our legitimate interests are the secure, reliable, and safe operation of MotorHub as a moderated community service. When we rely on legitimate interests, we carry out a balancing assessment to check that our interests are not overridden by the rights and freedoms of users. This assessment takes into account the nature of the data, the context of the processing, reasonable user expectations, the likely impact on users, and the safeguards we apply to reduce that impact.

5.3 Legal obligation (Art. 6(1)(c) GDPR)
We rely on this basis where processing is necessary to:
- comply with lawful requests from authorities
- comply with accounting, tax, or legal record-keeping obligations that apply to us
- preserve evidence and respond to legal claims

5.4 Consent or equivalent device/app permission, where required (Art. 6(1)(a) GDPR)
We rely on consent, or on your equivalent device-level permission/instruction, for optional features such as:
- optional push notifications
- optional location-based nearby search features
- optional iCloud sync
- any other optional feature that is disabled until you actively enable it

Where we rely on consent, you can withdraw it as easily as you gave it by changing the relevant app or device setting, disabling the feature, or contacting us where needed. Withdrawal does not affect processing that took place before withdrawal.

5.5 Processing outside our backend at your direction
Some optional tools are initiated directly from your device to another provider. For example, if you configure your own Google Cloud Vision API key for OCR, the image is sent directly from your device to Google under your Google Cloud relationship. In that situation, MotorHub is not acting as the server-side sender of that OCR request.

==============================
6. WHO RECEIVES PERSONAL DATA
==============================

6.1 Other users
Depending on your settings and the feature you use, other users may receive or see:
- your username, profile image, selected profile fields, and country
- your public or friends-visible forum content
- your public listings, listing content, and any contact details you choose to include in a listing
- your public events, circuits, and related media
- your shared garage vehicles if you enable garage sharing
- your participation in events and similar social interactions where the feature requires visibility

6.2 Authorized moderators and administrators
Authorized moderators and administrators may access data needed to review safety issues and enforce platform rules, including:
- reported content and related images
- report reasons and reporter identity
- content owner identity and contact email where needed for moderation
- trust level, moderation history, and account status

6.3 Service providers and infrastructure
We currently rely on the following main providers:
- Cloudflare, Inc. for Workers backend hosting, D1 databases, R2 object storage, and Workers AI services used for moderation and AI-backed service functions. This can include account data, profile data, content, uploaded media, API traffic, security logs, and moderation inputs and outputs.
- Apple Inc. and related Apple services for Sign in with Apple, App Store purchases and entitlement verification, APNs push delivery, optional CloudKit sync, and certain device-side geocoding/location helpers. This can include Apple account identifiers, transaction data, push-delivery data, iCloud-synced data, and location/geocoding requests you trigger from your device.
- MailChannels for moderation-notice email delivery. This can include the recipient email address, username or display name, and the content of the moderation email.
- Google LLC only if you independently configure and use Google Cloud Vision OCR from the app. In that case Google receives the image directly from your device under your own Google configuration.

6.4 Authorities, advisers, and legal counterparties
We may disclose relevant data to courts, regulators, law-enforcement bodies, lawyers, or advisers where required by law or reasonably necessary to establish, exercise, or defend legal claims.

6.5 Business transfers
If MotorHub is involved in a merger, acquisition, reorganization, financing, or asset transfer, relevant personal data may be transferred as part of that process, subject to applicable legal requirements.

6.6 No sale of personal data
We do not sell personal data.

==============================
7. INTERNATIONAL TRANSFERS
==============================

MotorHub uses providers that may process personal data outside Switzerland or the EEA. The main transfers currently relevant to the Service are:

7.1 Cloudflare
Provider: Cloudflare, Inc.
Main countries/regions involved: United States and EU data-center regions used by Cloudflare infrastructure; because Cloudflare operates a global network, limited transit through other countries can occur.
Safeguard: Cloudflare's contractual transfer mechanisms, including Standard Contractual Clauses and equivalent Swiss transfer terms where applicable, together with technical and organizational measures such as encryption in transit, access controls, and platform security controls.

7.2 Apple
Provider: Apple Inc. / Apple services
Main countries/regions involved: Ireland and the United States, and other Apple-operated regions relevant to the service you use.
Safeguard: Apple's transfer mechanisms, including Standard Contractual Clauses and equivalent transfer safeguards described in Apple's privacy documentation.

7.3 MailChannels
Provider: MailChannels
Main countries/regions involved: Canada.
Safeguard: provider contractual protections and, where applicable, the legal framework recognized for transfers to Canada.

7.4 Google Cloud Vision used directly by you
Provider: Google LLC
Main country involved: United States.
Safeguard: if you enable OCR with your own Google Cloud Vision API key, the transfer is made directly by you from your device under Google's terms and transfer mechanisms, not by MotorHub's backend.

If you want more detail about the safeguards we rely on for transfers under our control, you can contact us using the details in Section 12.

==============================
8. RETENTION AND DELETION
==============================

We keep personal data for as long as necessary for the purposes described in this Privacy Policy, including to operate the Service, maintain safety, resolve disputes, comply with legal obligations, and enforce rights.
In general:
- account and profile data are kept while your account remains active
- session data are kept until expiry or revocation
- marketplace, event, circuit, forum, sponsor, and retailer content are kept while active and may remain until deleted by you or removed by us
- moderation reports, trust-level records, and enforcement history are kept as long as reasonably necessary for safety, abuse prevention, and legal or evidentiary purposes
- subscription and entitlement records are kept as long as needed to administer paid features, handle disputes, and meet accounting or legal obligations
- technical logs and security data are kept only as long as reasonably necessary for operational, debugging, and security purposes, subject to provider settings

Examples of current retention periods or review points include:
- access tokens expire after up to 1 hour
- refresh-session records are normally valid for up to 30 days unless revoked earlier
- marketplace listings are normally active for 30 days after publication unless renewed, removed, or retained longer for disputes, fraud prevention, or legal reasons
- events normally expire 90 days after the event date or end date
- routine security and operational logs are generally kept for about 30 to 90 days where such logs are maintained through our infrastructure, unless longer retention is needed for an incident, abuse investigation, or legal obligation
- moderation reports, trust-level records, and account-enforcement history are generally reviewed for continued need and may be kept for up to 24 months after the relevant issue is closed, or longer where necessary for repeat-abuse prevention or legal claims
- certain accounting, tax, or legally required records may be kept for up to 10 years where applicable law requires it

If you delete your account:
- we remove account-linked data from our active application databases and application-managed object storage without undue delay, subject to technical cleanup steps
- usernames may be retained in a reserved state to prevent impersonation
- residual copies may remain temporarily in provider systems, backups, logs, or legal-hold environments until they are overwritten or deleted in the ordinary course
- data that must be retained by law, for fraud prevention, or for legal claims may be kept for longer

==============================
9. OPTIONAL FEATURES, PERMISSIONS, AND WITHDRAWAL
==============================

9.1 Push notifications
Push notifications are optional. You choose whether to allow them through your device settings. If you withdraw that permission, you may stop receiving friend requests, event invitations, moderation notices, account-status updates, and similar service messages.

9.2 Location-based features
Nearby-search and sponsor-discovery features are optional. If you deny location access, nearby functionality may be limited and the app may fall back to broader or regional results. We do not use nearby-search coordinates as a permanent profile field merely because you asked for a nearby result.

9.3 iCloud sync
iCloud sync is optional. If you turn it off, the app can still be used, but your local garage data will no longer sync through CloudKit across your devices.

9.4 OCR with Google Cloud Vision
OCR is optional. If you do not configure or use your own Google Cloud Vision key, the OCR feature is unavailable, but the rest of the app remains usable.

9.5 AI mechanic feature
The AI mechanic feature is optional. If you do not want your prompts or optional vehicle/service context to be processed for this feature, do not use the feature or do not attach vehicle context.

==============================
10. AUTOMATED PROCESSING AND HUMAN REVIEW
==============================

MotorHub uses automated classification tools for certain safety and service functions.
10.1 When automated classification happens
Automated moderation may run when you create or edit:
- marketplace titles and descriptions
- event names and descriptions
- circuit names and descriptions
- forum post and comment text

Automated systems may also be used to help detect abuse patterns, spam, unsafe content, or content that should be reviewed by moderators. These tools primarily analyze submitted content and limited safety signals for moderation purposes. They are not designed to create advertising profiles or broader user personality profiles.

10.2 Consequences of automated classification
Depending on the feature and the result, content may be:
- blocked from publication
- flagged for review
- placed in an under-review state
- temporarily hidden, including after repeated user reports

These consequences are aimed at platform safety and content visibility. They do not by themselves amount to a final humanless decision to suspend or ban your account.

10.3 Human review
Account suspensions, bans, permanent enforcement actions, trust-level penalties applied after confirmed moderation review, and moderation appeals are handled by human moderators or administrators.

If you believe content was wrongly flagged, hidden, removed, or used in an account-level enforcement action, you may request human review by contacting us at vaiu-app-assistance@outlook.com.

10.4 No solely automated decisions with legal or similarly significant effects
MotorHub does not intentionally make solely automated decisions that produce legal effects or similarly significant effects on you within the meaning of Art. 22 GDPR or the equivalent Swiss concepts for automated individual decisions. Human review is required for account-level enforcement.

==============================
11. YOUR PRIVACY RIGHTS AND HOW TO USE THEM
==============================

Depending on the law that applies to you, you may have rights including:
- access to your personal data
- rectification of inaccurate data
- deletion of data
- restriction of processing
- objection to certain processing based on legitimate interests
- data portability where applicable
- withdrawal of consent where processing is based on consent
- information about automated processing
- the right to lodge a complaint with a competent supervisory authority

11.1 Data portability scope
Where the right to data portability applies, it covers personal data you provided to us and data observed from your use of the Service, provided that the processing is automated and based on consent or contract. It does not generally cover data that we create ourselves for internal purposes, such as moderation assessments, trust-level scoring, fraud indicators, or similar inferred or derived data.

11.2 How to submit a request
Send your request to vaiu-app-assistance@outlook.com. To help us process it efficiently, please include:
- your username
- the Apple account email or relay email associated with your account, if available
- the right you want to exercise
- enough detail for us to understand what data or processing you are asking about

11.3 Identity verification
Before acting on a request, we may ask for reasonable information to verify your identity and authority. We may ask you to contact us from the email linked to your account, to provide details only the account holder is likely to know, or, where necessary and proportionate, to provide additional proof of identity.

11.4 Timing
We aim to respond within the deadlines required by applicable law. Under GDPR this is usually within one month, subject to lawful extension. Under Swiss law we will respond within the legally required period.
11.5 Limits and possible refusal or narrowing
We may refuse, narrow, or defer a request where permitted by law, for example if:
- we cannot verify your identity
- the request affects the rights or confidentiality of other users
- the data must be retained by law
- the request is manifestly unfounded or excessive
- disclosure would undermine security, fraud prevention, or ongoing moderation or legal processes

If we cannot fully comply, we will explain the reason to the extent the law allows.

11.6 Complaints
If you believe your data has been handled unlawfully, you may contact us first so we can try to resolve the issue. You may also complain to the Swiss Federal Data Protection and Information Commissioner (FDPIC) or, if applicable, your local EU/EEA supervisory authority.

FDPIC: https://www.edoeb.admin.ch

==============================
12. SECURITY AND CONTACT
==============================

We use technical and organizational measures designed to protect personal data, including encrypted transport, authenticated sessions, access controls, rate limiting, input validation, and restricted administrative access. No system can guarantee absolute security.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the competent supervisory authority without undue delay and, where required, within 72 hours after becoming aware of the breach, and we will inform affected users where legally required.

For privacy questions, rights requests, or review requests relating to automated or moderation decisions, contact:

Andrea Vaiuso
St. Gallerstrasse 73
8400 Winterthur
Switzerland
Email: vaiu-app-assistance@outlook.com

We have not appointed a Data Protection Officer.

==============================
13. CHILDREN
==============================

MotorHub is intended for users aged 16 or older. We collect date-of-birth information during onboarding to support age-related checks and community safety.
If we learn that we hold personal data for a user below the applicable minimum age without a valid basis, we will take reasonable steps to delete the data and close the account.

==============================
14. CHANGES TO THIS PRIVACY POLICY
==============================

We may update this Privacy Policy from time to time to reflect changes to the Service, our providers, or legal requirements. If the changes are material, we will provide notice through the app, our website, or another appropriate channel.

==============================
15. EULA REFERENCE
==============================

The current MotorHub EULA is available at:
https://motorhub-backend.andreavaiuso.workers.dev/eula

The EULA contains the contractual rules of the Service. This Privacy Policy is focused on personal-data processing.

==============================
END OF PRIVACY POLICY