Privacy Policy
Effective Date: January 15, 2025
Introduction
Welcome to Carma! Carma Inc. ("Carma," "we," "us," or "our") operates the Carma platform, providing a comprehensive platform for car buyers to share deal data and negotiate better prices. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our mobile application, website, and related services (collectively, the "Services").
By accessing or using the Services, you agree to this Privacy Policy. If you do not agree, please do not use our Services. If you have any questions about this Privacy Policy, please contact us at privacy@joincarma.io.
Notice at Collection of Personal Information
We collect the categories of personal information identified below. As indicated, some categories may be disclosed for business purposes or shared for marketing and advertising purposes with business partners and third parties.
| Category | Collected | Disclosed for Business Purpose | Sold or Shared |
|---|---|---|---|
| Identifiers (name, email, phone, IP address, device IDs) | Yes | Yes | Yes |
| Personal information per CA Customer Records statute (payment info) | Yes | Yes | No |
| Protected classification characteristics (age, etc.) | Yes | Yes | No |
| Commercial information (deal history, preferences) | Yes | Yes | No |
| Internet/network activity (browsing, search, interactions) | Yes | Yes | Yes |
| Geolocation data (non-precise) | Yes | Yes | Yes |
| Inferences (preferences, interests derived from above) | Yes | Yes | Yes |
| Sensitive Personal Information (precise location, account credentials) | Yes | Yes | No |
We do not knowingly sell or share personal information about persons under the age of 18. You may opt out of the sale or sharing of your personal information, including targeted advertising, by contacting us or using any universal opt-out tools like Global Privacy Control (GPC).
Information We Collect
Information You Provide Directly
Account Information: When you create an account, we collect your name, email address, username, password, and profile information. This information is necessary to create your profile, calculate your Carma score, and enable platform functionality.
Car Deal Data: We collect information about your car purchases that you voluntarily share, including:
- Vehicle Identification Numbers (VINs)
- Dealer names and locations
- Purchase prices and out-the-door costs
- Fees, taxes, and add-ons
- Financing terms (interest rates, loan amounts, monthly payments)
- Trade-in values
- Transaction dates and terms
Images and Documents: You may upload images of vehicles, window stickers, buyer's orders, or other deal-related documents. We may use optical character recognition (OCR) and AI technologies to extract deal information from uploaded images.
Communications: When you contact us or use chat features, we collect the content of your communications, including any information you choose to provide.
Information Collected Automatically
We automatically collect information about your device and usage when you interact with our Services, including:
- IP address and device identifiers
- Device type, operating system, and browser information
- App usage patterns and feature interactions
- Search queries and vehicles viewed
- Crash reports and performance data
- Date and time of visits, pages viewed, and time spent
- Referring URLs and exit pages
- Location data (with your permission) for finding nearby deals and dealers
Camera and VIN Scanning
If you use our VIN scanning feature, we access your device's camera solely to scan and decode VINs. Camera data is processed locally and/or transmitted securely to our servers for VIN decoding purposes only.
Information from Third Parties
We may collect personal information from third-party sources to supplement information you provide, including:
- Vehicle data providers for VIN decoding and vehicle specifications
- Public databases for vehicle registration information
- Analytics providers for usage data
- Advertising partners for advertising identifiers
Technologies We Use to Collect Information
We use cookies, pixel tags, SDKs, local storage, and similar tracking technologies on our Services. These technologies may create unique identifiers that reside on your browser or device and transmit data about your use of our Services.
Types of Technologies
- Essential Cookies: Required for basic functionality, authentication, and security
- Analytics Cookies: Help us understand how visitors use our Services
- Advertising Cookies: Enable targeted advertising and track ad effectiveness
- Preference Cookies: Remember your settings and personalize your experience
Session Recording and Analytics
We may use session recording tools including heat maps, click maps, scroll maps, and session replay software to track user interactions. These tools help us fix bugs, evaluate effectiveness, and improve user experience.
By using our Services, you consent to the use of electronic communications and tracking technologies, and waive any claim that such practices constitute unlawful interception under any state law, to the fullest extent permitted by law.
AI Technologies
We leverage artificial intelligence (AI) technologies, including AI-enabled tools and large language models, to enhance our Services and deliver better user experiences. Our AI use is guided by applicable laws with a focus on transparency and accountability.
How We Use Your Information
We use your information to provide and improve our Services, including:
- Creating and maintaining your account and profile
- Enabling car deal data sharing with the community
- Calculating and displaying your Carma score based on contributions
- Providing deal comparisons, pricing insights, and negotiation guidance
- Generating AI-powered deal analysis and recommendations
- Finding comparable vehicles and deals in your area
- Personalizing your experience based on your preferences and activity
- Sending important updates about platform features and your account
- Analyzing usage patterns to improve the platform
- Detecting, preventing, and addressing fraud and security issues
- Enforcing our Terms of Service and Community Guidelines
- Responding to your inquiries and providing customer support
- Complying with legal obligations
Information Sharing and Disclosure
Community Sharing (Anonymized)
When you share a deal, certain information is made available to the Carma community in an anonymized format. This includes vehicle details, pricing, fees, and dealer information. Your personal identity (name, email, contact information) is never shared publicly with your deal submissions.
Service Providers
We share information with third-party vendors who help operate our platform, including:
- Cloud hosting and infrastructure providers
- Analytics and data processing services
- Customer support tools
- Email and communication services
- Security and fraud prevention services
These providers are contractually obligated to protect your information and use it only for the purposes we specify.
Advertising Partners
We may share information with advertising partners to deliver targeted advertisements. This may include sharing hashed identifiers, browsing data, and device information with advertising networks and data analytics providers.
Legal Requirements
We may disclose your information when required by law, in response to legal process, to protect our rights or the safety of our users, or to investigate potential violations of our Terms of Service.
Business Transfers
In the event of a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as part of that transaction.
Interest-Based Advertising
We may work with advertising partners who allow us to personalize ads based on your browsing behavior. Many of these companies participate in the Digital Advertising Alliance (DAA) and/or Network Advertising Initiative (NAI).
You can learn more about targeted advertising and opt out by visiting:
- DAA: https://www.aboutads.info/choices
- NAI: https://optout.networkadvertising.org
Opting out means participating companies should no longer deliver targeted ads on that specific browser or device. You may still receive non-targeted advertisements.
Your Privacy Rights and Choices
State Privacy Rights
Residents of California, Colorado, Connecticut, Delaware, Iowa, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Texas, Tennessee, Utah, Virginia, or other states with applicable privacy laws may have the following rights:
- Right to Know: Confirm whether we process your personal information and access specific details
- Right to Delete: Request deletion of your personal information (subject to exceptions)
- Right to Correct: Request correction of inaccurate personal information
- Right to Portability: Receive your data in a portable format
- Right to Opt Out: Opt out of the sale/sharing of personal information or targeted advertising
- Right to Non-Discrimination: Not receive discriminatory treatment for exercising rights
How to Exercise Your Rights
To exercise your privacy rights, please contact us at privacy@joincarma.io or visit our Privacy Rights page. We will verify your identity before processing requests.
You may designate an authorized agent to submit requests on your behalf. We may require written proof of the agent's authorization and verify your identity directly.
California-Specific Rights
California residents have additional rights under the California Consumer Privacy Act (CCPA) and California's "Shine the Light" law (Civil Code § 1798.83), including the right to know what personal information is collected, the right to delete, and the right to opt-out of the sale of personal information.
We do not sell your personal information in exchange for monetary consideration. However, some sharing of data for targeted advertising may constitute a "sale" under California law, which you can opt out of.
Nevada Rights
Nevada residents may submit requests directing us not to sell certain personal information. Contact us at privacy@joincarma.io.
Marketing Communications
You may opt out of marketing emails by clicking the unsubscribe link in any email or by contacting us. You cannot opt out of transactional or service-related communications.
Appeals
To appeal a refusal to act on your privacy request, please contact us at privacy@joincarma.io with the subject "Appeal of Privacy Rights Request."
Data Security
We implement industry-standard security measures to protect your personal information:
- Encryption of data in transit (TLS/SSL) and at rest
- Secure authentication and access controls
- Regular security audits and monitoring
- Password hashing and secure credential storage
- Employee access restrictions and training
However, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security of your information. By using our Services, you acknowledge and assume the inherent risks of internet-based data transfer.
Data Retention
We retain your information for as long as necessary to provide our Services, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods vary based on the type of data and purpose:
- Account information: Retained while your account is active and for a reasonable period after deletion
- Deal data: May be retained in anonymized form indefinitely to maintain community pricing insights
- Usage data: Generally retained for up to 24 months for analytics purposes
- Legal compliance data: Retained as required by applicable law
International Transfers
We are based in the United States and the information we collect is governed by U.S. law. If you access our Services from outside the U.S., your information may be transferred to, processed, stored, and used in the U.S. and other jurisdictions where data protection laws may differ from those of your country.
Your use of our Services constitutes your consent to the transfer, processing, and storage of your information as described in this Privacy Policy.
Children's Privacy
Our Services are intended for a general audience and are not directed at children under eighteen (18) years of age. We do not knowingly collect personal information from children under 18. We do not knowingly "sell" the personal information of minors under 18 years old.
If you believe we have collected information from a child under 18, please contact us immediately at privacy@joincarma.io. We will remove the data to the extent required by applicable law.
Third-Party Links and Services
Our Services may contain links to third-party websites, including dealer websites, financing providers, and other services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any information.
Publicly Posted Information
Your Carma profile and certain activity may be publicly viewable. Information you make public is your responsibility. Once posted, you may not be able to edit or delete certain information. Please consider carefully before making any information public.
Accessibility
Carma is committed to making its Services reasonably accessible. While we strive for substantial conformance with recognized accessibility standards, we do not guarantee that every feature will be fully accessible at all times.
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new Privacy Policy on our platform, updating the effective date, and where appropriate, notifying you via email or in-app notification.
Your continued use of the Services after such changes constitutes acceptance of the updated policy. We encourage you to periodically review this page for the latest information on our privacy practices.
Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
Email: privacy@joincarma.io
General Support: support@joincarma.io
Carma Inc.
Palo Alto, CA