Policy

Privacy Policy

Effective: April 20, 2026 · Last updated: April 20, 2026

CarItch (operated by ParkPlus, "we") runs caritch.com, a public index of Indian car-ownership problems ranked by AI. This policy explains what we collect, how we use it, and your rights under India's Digital Personal Data Protection Act, 2023 (DPDP Act).

1. What we collect

Collected automatically

IP address — used for rate-limiting and abuse prevention.
Browser user agent, referrer, pages viewed — standard server logs.
Session cookies set by Cloudflare (security) and Supabase (auth).

When you vote or submit content

Votes on itches — a per-vote identifier and which itch was voted on.
Problem submissions — the text you enter, your optional email, your IP.
Claim submissions (for brands) — brand name, URL, pitch, contact email, IP.
Reports — reason code and which itch/claim you flagged.

When you sign in with Google

Email address, display name, profile picture URL as returned by Google OAuth.
A unique Supabase Auth user ID (UUID) we generate and associate with your account.
Your votes on brand claims are tied to this ID (one vote per claim per user).

Stored on your device

LocalStorage holds IDs of itches you've voted on or reported, so we don't show duplicates. No tracking identifiers are stored.

2. How we use your data

Operating the Site and displaying content you submit.
Preventing abuse: rate limiting, spam detection, profanity filtering.
Running AI moderation: submissions and claims are classified by Groq (Llama 3.3) to check relevance and block troll/spam content.
Emailing brands about the status of their claim submissions.
Aggregating anonymous stats (itch counts, vote counts) for the public leaderboard.

We do not sell your data, do not use advertising cookies, do not run marketing analytics (Google Analytics, Meta Pixel, etc.), and do not profile you for targeted content.

3. Third-party services

Service	Purpose	Data processed
Supabase	Database, authentication, edge functions, hosting	All collected data listed in §1
Google OAuth	Sign-in	Email, name, profile picture
Groq	AI content classification and scoring	Submission/claim text (no PII)
Resend	Transactional email delivery	Brand contact emails, admin email
Cloudflare	DNS, CDN, security headers, static hosting	Request metadata, IP
GitHub	Source code, CI/CD	Public content only (no PII)

Each of these providers has its own privacy policy. By using CarItch, you acknowledge that your data may be processed by these providers as required to operate the Site.

4. Data retention

Raw complaints (scraped) — auto-deleted after 90 days, kept only if referenced by an active itch.
User-submitted problems — retained indefinitely while the submission remains associated with a published itch.
Claims and brand pitches — approved claims expire after 90 days by default (renewable); rejected/paused claims are archived for 12 months for audit purposes.
Votes — retained while the underlying itch or claim is active.
Rate-limit records — auto-cleaned every Monday 4 AM IST.
Server logs — rolling 30 days.

You can request immediate deletion of data tied to your Google-linked account at any time — see §6.

5. Cookies and local storage

We use the minimum necessary:

Session cookie (Supabase Auth) — only set when you sign in. Expires on sign-out or after 60 days.
LocalStorage — stores IDs of itches you voted on or reported. Not shared with any server.
Cloudflare security cookie — used to filter bot traffic. No user tracking.

We do not use third-party advertising cookies, retargeting pixels, or analytics identifiers.

6. Your rights (DPDP Act 2023)

You have the following rights regarding personal data we hold about you:

Access — request a copy of personal data associated with your account.
Correction — ask us to correct inaccurate or incomplete data.
Erasure — request deletion of your account and personal data tied to it.
Withdraw consent — stop our processing of your data for specified purposes.
Grievance — raise concerns with our Data Protection contact below.

Scope and limits

These rights apply to personal data tied to your identified account. They do not extend to:

Aggregated or anonymized statistics (itch counts, vote totals) that cannot be re-identified to you.
Moderation records, abuse reports, or content currently under active investigation.
Content that has been lawfully published and whose erasure would impair the rights of others or our operation of the Site (per DPDP Act §17 exceptions).
Records we are required to retain under applicable law or to defend against legal claims.

Identity verification

To prevent misuse, before acting on an access, correction, or erasure request we may require you to verify your identity — for example, by replying from the email address tied to your account, confirming details only you would reasonably know, or completing a one-time verification link. Unverified requests will not be processed.

Abuse and fair-use exception

We may refuse, delay, or charge a reasonable fee for requests that are manifestly unfounded, excessive, repetitive, automated in nature, or made in bad faith (for example, repeated identical requests, requests that appear designed to harass, or bulk submissions from coordinated accounts). We may also pause a request while we investigate suspected abuse or fraud.

Duties of the data principal (DPDP Act §15)

Under §15 of the DPDP Act, 2023, data principals are required to exercise their rights in good faith and must not furnish false particulars, impersonate another person, suppress material information, or file frivolous or vexatious complaints. Non-compliance may attract a penalty of up to INR 10,000 under §33 and may also be relevant to any criminal proceedings for impersonation or fraud.

How to exercise your rights: email parkplus.co@gmail.com from the address tied to your account. Please include enough detail for us to locate the relevant records. We will acknowledge receipt and respond within a reasonable time, typically up to 30 days — longer where the request is complex, requires identity verification, or involves third-party data. If you are unsatisfied with our response, you may escalate to the Data Protection Board of India.

7. Security

We apply standard safeguards: Row-Level Security policies on the database, HTTPS everywhere, HSTS, strict CSP, signed requests on public endpoints, rate limits on all write endpoints, server-side moderation on submissions. No system is perfectly secure; if you suspect a breach affecting your data, email parkplus.co@gmail.com.

8. Children

CarItch is not directed at users under 18 and we do not knowingly collect data from anyone under 18. If you believe a minor has submitted data, email us and we'll remove it.

9. International users

CarItch is operated from India. Data is stored on Supabase infrastructure (primary region: Asia/Mumbai) and may be processed by our vendors in other regions. By using the Site you consent to this.

10. Changes to this policy

We'll update this page and the "Last updated" date when anything material changes. Continued use after an update means you accept the revised policy.

11. Contact

Grievance Officer / Data Protection contact
Email: parkplus.co@gmail.com
Entity: CarItch, a ParkPlus initiative
Jurisdiction: India