Contents
1. Who we are
MyDIYGarage is a vehicle maintenance tracking application operated by Nielsen Digital, LLC ("we," "us," "our"), a Texas limited liability company. Our service is accessible at app.mydiygarage.com.
This Privacy Policy explains how we collect, use, and protect information you provide when you use MyDIYGarage. By creating an account or using the service, you agree to the practices described here.
2. What data we collect
Account information
- Email address — required to create an account, send transactional emails (verification, password reset), and contact you about your subscription.
- Username — chosen by you, displayed in your account settings.
- First and last name — optional, used for personalization only.
- Password — stored as a one-way bcrypt hash. We cannot read your password.
- Phone number — optional, never required, not used for marketing.
Vehicle and maintenance data
All vehicle records you create — service logs, fuel logs, fault codes, maintenance schedules, vehicle details — are stored on our servers to provide the service. This data is yours. We do not analyze it for advertising, sell it to third parties, or share it with insurers, dealers, or data brokers.
OBD2 dongle data (auto-ingest)
If you pair a supported Bluetooth OBD2 dongle to your car, the MyDIYGarage mobile app reads a narrow set of values directly from your vehicle's onboard diagnostics port and sends them to your account. We capture only what the OBD2 standard exposes, and only the specific values we need to keep your log up to date:
- Odometer reading (OBD2 PID 01 31, or a derived distance estimate when the vehicle does not expose odometer directly) — so your mileage stays current without manual entry.
- Diagnostic Trouble Codes (DTCs) retrieved via OBD2 Mode 03 — the fault codes your car's computer has stored.
- Malfunction Indicator Lamp (MIL) status (PID 01 01) — whether your check-engine light is on.
- Freeze-frame snapshot associated with a stored DTC — the small set of sensor values (coolant temperature, RPM, vehicle speed, etc.) the car recorded at the moment the fault was set.
- A salted/keyed hash of the dongle's identifier — so we can recognize the same device on repeat connections and let you revoke it. We treat this hash as personal data: it lets us recognize your dongle, but we cannot recover the raw serial from it. (Under CPRA §1798.140(m), the Bluetooth address space is small enough that an unsalted hash would be reversible, so we apply a server-side keyed salt and treat the result as a pseudonymous identifier — not as de-identified or anonymous data.)
- Capture timestamps — when each reading was taken.
Each OBD2-sourced record is tagged with its provenance (auto-captured vs. manually entered) and lands as a draft you confirm before it joins your permanent log. You can delete all OBD2-sourced data for a vehicle in one action without affecting anything you entered yourself, and revoking a dongle stops all auto-ingest from that device immediately.
Billing information
If you subscribe to a paid plan, payment is handled by Stripe. We receive a payment confirmation and your Stripe customer ID. We never see, store, or process raw card numbers, bank account details, or full payment credentials.
Technical data
- IP address (logged by our infrastructure for security and abuse prevention)
- Browser type and operating system (included in standard HTTP headers)
- Timestamps of account actions (login, registration, record creation)
We do not use analytics platforms (Google Analytics, Mixpanel, etc.) that track your browsing across our site.
3. What we do not collect or sell
✓ We do not sell your data to anyone, or to any other third party for monetary or other valuable consideration.
✓ We do not run ads or use ad-targeting networks.
✓ We do not share your vehicle data with insurance companies, dealers, or data brokers (including for cross-context behavioral advertising).
✓ We do not build behavioral profiles for third-party marketing.
✓ Our revenue comes entirely from subscription fees. Your data is not the product.
Specifically, for OBD2 dongle data
Driving telemetry is a category that other companies have built entire business models around selling. We have not, and we will not. To be explicit:
- We do not capture GPS or location data through the OBD2 connection. The dongle does not transmit GPS, and the mobile app does not pair location data with OBD2 readings. (If we ever add an optional location-aware feature in the future, it will be opt-in per vehicle, clearly labeled, and covered by an updated version of this policy before it ships.)
- We do not capture audio, video, or anything outside the OBD2 standard. The dongle is physically incapable of doing so, and the app does not ask for microphone or camera access for this feature.
- We do not sell or share OBD2-sourced data with insurance companies, advertisers, dealerships, repair networks, fleet-analytics firms, telematics aggregators, data brokers, or any other third party for monetary or other valuable consideration. We use "sell" and "share" here as defined by the CCPA/CPRA (including §1798.140(ad) and the cross-context behavioral advertising definition). There is no commercial pipeline. There is no anonymized-and-aggregated escape hatch that quietly resells driving behavior. This commitment does not have a feature flag.
- Processors are not sales or shares. Processors acting on our written instructions under service-provider/processor terms (e.g., cloud hosting, error monitoring) are not "sales" or "shares" under the CCPA/CPRA. The categories of processors we currently use are listed in section 5.
- Changing this commitment requires founder-level review and a material change to this policy, with at least 30 days' email notice to you before any new use takes effect (see section 10). We would rather lose a deal than quietly flip this rule.
4. How we use your data
We use the information we collect exclusively to:
- Create and maintain your account
- Deliver the features of the MyDIYGarage service (storing and retrieving your vehicle records)
- Send transactional emails: email verification, password resets, subscription receipts, and service notices
- Process subscription payments through Stripe
- Respond to support requests you initiate
- Detect and prevent fraud, abuse, and security incidents
- Comply with legal obligations
We do not use your data for any purpose not listed above without first updating this policy and notifying you.
OBD2-sourced data is used only to populate your own vehicle logs (mileage, fault codes, freeze-frame snapshots) and, in the future, to power your own AI co-pilot insights inside your account. It is never aggregated for resale, never fed to third-party analytics, and never used to build profiles of you or your driving for anyone else.
5. Third-party processors
We use a small number of third-party services to operate MyDIYGarage. Each has its own privacy policy. We share only the minimum data necessary for the service to function. The categories of third parties to whom we disclose personal information are: payment processors and cloud infrastructure providers. We do not disclose personal information to advertisers, data brokers, CRM platforms, or analytics services.
Categories of personal information we collect (CCPA §1798.140(v))
For California-resident transparency, here is how the data we collect maps to the statutory categories. We collect data in these categories only as described elsewhere in this policy:
- Identifiers — email address, username, name (optional), phone number (optional), IP address, and the salted/keyed hash of your OBD2 dongle's identifier (a pseudonymous identifier under CPRA §1798.140(m), treated as personal information throughout this policy).
- Commercial information — subscription tier and billing-related identifiers from Stripe (we do not receive raw payment credentials).
- Internet or other electronic network activity information — login timestamps, record-creation timestamps, browser/OS strings from standard HTTP headers, OBD2 capture timestamps, and BLE pairing metadata for paired dongles.
- Geolocation data — none collected via OBD2. The dongle does not transmit GPS, and we do not pair location data with OBD2 readings. Coarse geolocation may be inferred from IP address solely for security/abuse-prevention purposes; we do not store derived location.
- Vehicle and maintenance records — the service logs, fuel logs, fault codes, and vehicle details you create or that flow from a paired OBD2 dongle.
- Inferences — vehicle-health signals derived from DTCs and OBD2 readings (used only inside your own account to power your logs and, in the future, your own AI co-pilot insights). Never used to build profiles for third parties.
We do not collect biometric information, precise geolocation, sensitive personal information as defined by the CPRA, or any category not listed above.
Stripe (payment processing)
Stripe processes all subscription payments. When you subscribe, your payment details are entered directly into Stripe's secure checkout — they never pass through our servers. Stripe may set cookies during checkout sessions. See Stripe's Privacy Policy.
Amazon Web Services (infrastructure)
Our application and your data are hosted on AWS. We use AWS for compute, database, and transactional email. AWS does not access your personal data except as required to deliver infrastructure services. See AWS Privacy Policy.
We do not use any other third-party services that receive your personal data (no Google Analytics, no CRM platforms, no ad networks).
6. Cookies and local storage
We use a minimal set of cookies and browser storage. See our Cookie Policy for full details.
- Session authentication cookie — a secure, HTTP-only cookie that keeps you logged in. Strictly necessary; cannot be disabled without logging out.
- Local storage — we store your UI preferences (display units, default vehicle) in your browser's local storage. This data never leaves your device.
We do not use tracking cookies, advertising cookies, or third-party analytics cookies on this site. If this changes, we will update our Cookie Policy and this section, and add a consent banner before deploying any new cookies.
7. Data retention
We retain your data for as long as your account is active. If you delete your account:
- Your vehicle records and personal information are permanently deleted 14 days after you delete your account. During that 14-day window you can restore your account; once it passes, deletion is irreversible.
- Billing records (subscription history, payment confirmations) may be retained for up to 7 years as required by financial and tax regulations.
- Anonymized, aggregated usage statistics — data from which all identifying information has been removed and that cannot be reasonably re-linked to any individual — may be retained indefinitely.
To request deletion of your account and data, email us at privacy@mydiygarage.com or use the account deletion option in your settings.
Security safeguards
We use industry-standard technical and organizational measures to protect your personal information, including encryption in transit (TLS) and encryption at rest for data stored on our servers. Access to personal data is restricted to personnel and systems that require it to provide the service. We also maintain regular encrypted backups, access logging, and ongoing vulnerability monitoring as part of our security program. No transmission over the internet or method of electronic storage is 100% secure; we cannot guarantee absolute security.
Security incidents
In the event of a security incident that affects your personal information, we will notify affected users as required by applicable law — including the Texas Business & Commerce Code Chapter 521 — and, in all cases, without undue delay. Notification will be sent to the email address on your account.
8. Your rights
Depending on your location, you may have the following rights regarding your personal data. We honor these requests for all users regardless of jurisdiction.
- Access — request a copy of the personal data we hold about you.
- Correction — request correction of inaccurate or incomplete data.
- Deletion — request deletion of your account and associated data (subject to legal retention requirements above).
- Portability — request a copy of your vehicle data in a machine-readable format by contacting us at privacy@mydiygarage.com.
- Objection / Restriction — object to or request restriction of certain processing activities.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
To exercise any of these rights, contact us at privacy@mydiygarage.com. We will respond within 30 days. We do not charge for reasonable requests.
Your rights over OBD2-sourced data
If you paired an OBD2 dongle, you have two additional controls available directly inside the app, without needing to email us:
- Delete all OBD2-sourced data for a vehicle in one action. This removes every auto-captured mileage reading, DTC, MIL status change, and freeze-frame snapshot tied to that vehicle. It does not touch entries you typed yourself.
- Revoke a dongle. Revoking dongle access from your vehicle settings stops all auto-ingest from that device immediately. New trips will not be captured until you re-pair.
Revoke + delete together cover both directions of objection (GDPR Art. 21). Revoking the dongle is the prospective remedy — no further OBD2 records are captured. Per-vehicle delete is the retrospective remedy — existing OBD2-sourced records are removed. Use one or both depending on whether you want to stop future capture, erase what's already there, or both.
Data portability (GDPR Art. 20). OBD2-sourced records are included in any data export you request under the Portability right above. You will receive your auto-captured mileage readings, DTCs, MIL status entries, and freeze-frame snapshots in the same machine-readable export as the rest of your vehicle data.
California residents (CCPA / CPRA)
California residents have additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA). We do not sell personal information as defined by the CCPA, and we do not share personal information for cross-context behavioral advertising as defined by the CPRA. California residents have the right to:
- Know — request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
- Delete — request deletion of your personal information, subject to certain exceptions.
- Correct — request correction of inaccurate personal information we maintain about you.
- Opt out of sale/sharing — we do not sell or share personal information, so this right is not applicable but is acknowledged.
- Non-discrimination — we will not discriminate against you for exercising any CCPA/CPRA rights.
We do not collect sensitive personal information as defined by the CPRA. To exercise any of these rights, contact us at privacy@mydiygarage.com. We will respond within 45 days, as required by California law.
EU/UK residents (GDPR)
If you are in the European Union or United Kingdom, our legal basis for processing your data is:
- Contract — processing necessary to provide the service you signed up for
- Legitimate interest — fraud prevention and security
- Legal obligation — financial record retention
We do not engage in solely automated decision-making that produces legal or similarly significant effects on you, as defined by Article 22 of the GDPR.
You have the right to lodge a complaint with your local supervisory authority. Our Data Protection contact is privacy@mydiygarage.com.
9. Children
MyDIYGarage is not directed at children under 13. We do not knowingly collect personal data from anyone under 13. If we discover that an account was created by someone under 13, we will delete it promptly. If you believe a child under 13 has created an account, contact us at privacy@mydiygarage.com and we will delete the account.
Users between 13 and 17 may use the service with verifiable parental or guardian consent. Consent is obtained by having the parent or guardian create the account and accept these Terms on behalf of the minor. We do not have a separate age-verification mechanism. Users who misrepresent their age to create an account assume full responsibility for any consequences of that misrepresentation.
10. Changes to this policy
We may update this Privacy Policy as the service evolves. For material adverse changes — changes that expand what data we collect, broaden how we use it, or add categories of recipients we share it with — we will:
- Post the updated policy at this URL with a new effective date
- Send an email to registered users at least 30 days before the change takes effect
Additive or more-protective changes (clarifications, new user controls, expanded transparency, formatting, typo fixes) are not "material adverse changes" and may take effect on the date posted. Version 1.3 is an example: it shortens the post-deletion retention window from 30 days to 14 days — your data is deleted sooner, which is more protective — so the effective date is the same as the publication date. (Version 1.2 similarly added OBD2-specific disclosures and a stronger no-sale commitment.)
No retroactive application. We will not retroactively apply new uses to data collected under the prior version of this policy. If a future revision broadens permitted uses, the broader uses apply only to data collected after that revision's effective date — earlier data remains governed by the version of the policy in effect when it was collected.
Mergers, acquisitions, and asset sales. In a merger, acquisition, restructuring, or asset sale, OBD2 data and other personal information transfer only to a successor that is contractually bound by commitments at least as protective as the ones in this policy — including the no-sale and no-share commitments in section 3. Users will receive at least 30 days' notice of any such transfer with an opportunity to export and delete their data before the transfer takes effect.
Continued use of the service after an effective date constitutes acceptance of the updated policy.
11. Contact us
For privacy questions, data requests, or concerns:
- Email: privacy@mydiygarage.com
- General contact: hello@mydiygarage.com
Nielsen Digital, LLC
c/o Northwest Registered Agent, LLC
5900 Balcones Drive, Suite 100
Austin, TX 78731
United States