Privacy policy

Secure management of your vehicles and data.

Last updated April 12, 2026

Introduction

This privacy policy describes how VroomBroom collects, uses, and protects your data when you use our services.

We respect your privacy and process your data in accordance with applicable laws, including the General Data Protection Regulation (GDPR).

Data controller

The controller of your personal data is:

Frekvento s.r.o.

Registered office: Jaurisova 515/4, Michle, 140 00 Praha 4, Czech Republic
Company ID (ICO): 21051259
Registered in the Commercial Register at the Municipal Court in Prague, Section C, Insert 396205/MSPH
Email: [email protected]

What data we collect

3.1 Data you provide voluntarily

When registering or using the services, you may provide:

Email address and name for your account
Vehicle data (VIN, license plate, registration documents)
Expenses, income and service records
Documents and photos you upload (including receipts for OCR processing)
Reminder and preference settings

3.2 Data collected automatically

When using the app, we may automatically record:

Information about the device and app version
Technical logs for troubleshooting
Anonymized usage statistics
Push notification tokens (FCM/APNS) and notification interaction events
GPS location (only with your explicit consent, for weather alerts)

3.3 Data from third-party sign-in

If you sign in using a third-party provider, we may receive:

Apple Sign-In: email address, full name (depending on your sharing preferences)
Google Sign-In: email address, profile information (via OpenID Connect)

3.4 Data from public registries

To provide core features, we retrieve:

Vehicle technical inspection (STK) records from public registries
Vehicle technical specifications and registration data

Your data is processed in accordance with the EU GDPR regulation.

Legal basis for processing

We process your personal data on the following legal grounds under GDPR Article 6:

Contract performance (Art. 6(1)(b))

Account creation and vehicle management
Vehicle data retrieval from public registries (STK records)
Expense and document storage
OCR processing of receipts (Google Cloud Document AI)
On-device OCR of odometer readings (Google ML Kit)
Reminders for inspections, insurance and service
Transactional emails (via Resend)
Contact form processing (pre-contractual measures)

Consent (Art. 6(1)(a))

Push notifications
GPS location for weather alerts
Firebase Analytics, Crashlytics and Performance Monitoring
Newsletter and waitlist subscription
Marketing cookies and UTM attribution tracking

Legitimate interest (Art. 6(1)(f))

Sentry error tracking (ensuring service stability and quality)

You may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

How we use your data

Operating your account and managing vehicles
Fetching vehicle technical data from public registries
Sending reminders for inspections, insurance and service
Showing current fuel prices and weather alerts based on your location
Processing uploaded receipts and documents using OCR technology
Communicating with you (support, updates, transactional emails)
Improving our services through analytics and error tracking

You can edit or delete your data at any time in your account settings.

Automated processing and AI

VroomBroom uses automated data processing technologies to enhance your experience:

On-device OCR (Google ML Kit): processes odometer readings directly on your device. No image data is transmitted to external servers.
Cloud OCR (Google Cloud Document AI): uploaded receipt images are sent to Google Cloud via a secure edge function for text extraction. Images are processed in real time and are not stored by Google beyond the processing request.
Vehicle data matching: license plate and VIN data is matched against public registry records to provide inspection and technical data.

We do not perform automated decision-making with legal or similarly significant effects on you (GDPR Article 22). All automated outputs are for informational purposes and should be verified by you.

Third-party services (sub-processors)

We use the following third-party services to operate VroomBroom:

Supabase Inc. (USA, EU region hosting)

Purpose: Backend infrastructure, authentication, database, file storage, edge functions

Data: All user data

Google Firebase (Google LLC, USA)

Purpose: Analytics, Crashlytics, Performance Monitoring, Remote Config, Cloud Messaging (push notifications)

Data: Device info, usage events, crash reports, FCM tokens

Sentry (Functional Software Inc., USA)

Purpose: Error tracking and performance monitoring

Data: Device info, error context (20% production sampling rate)

Google Cloud Document AI (Google LLC, USA)

Purpose: Cloud-based OCR for receipt scanning

Data: Uploaded receipt images (processed via edge function)

Google ML Kit (Google LLC)

Purpose: On-device OCR for odometer readings

Data: Processed locally on device, no data transmitted

Resend Inc. (USA)

Purpose: Transactional and confirmation emails

Data: Email address, email content

Cloudflare Inc. (USA)

Purpose: CDN, hosting, DDoS protection

Data: IP addresses, request metadata

Google Fonts (Google LLC, USA)

Purpose: Web font delivery (DM Sans)

Data: IP address via font request

Apple Inc. (USA)

Purpose: Apple Sign-In authentication

Data: Email, name (if user permits)

Google LLC (USA)

Purpose: Google Sign-In authentication (OpenID Connect)

Data: Email, profile information

International data transfers

Your primary data is stored on servers in the European Union (Supabase EU region). However, some of our sub-processors are based in the United States.

For transfers of personal data outside the EU/EEA, we rely on:

EU Standard Contractual Clauses (SCCs) concluded with each sub-processor
The EU-US Data Privacy Framework, where applicable
Adequacy decisions by the European Commission, where available

On-device processing (Google ML Kit) does not involve any data transfer outside your device.

Data security

Encryption in transit (TLS) and at rest
Access to data only after user authentication
Regular backups and monitoring
EU-based servers with personal data processing certification
Row-level security (RLS) policies on all database tables

Your data is stored on secure servers in the EU in compliance with the GDPR.

Your rights

Under the GDPR, you have the following rights regarding your personal data:

Right to access your data (Art. 15)
Right to rectify inaccurate data (Art. 16)
Right to erasure (“right to be forgotten”) (Art. 17)
Right to restrict processing (Art. 18)
Right to data portability (Art. 20)
Right to object to processing (Art. 21)
Right to withdraw consent at any time (Art. 7(3))

You also have the right to lodge a complaint with the Czech supervisory authority: the Office for Personal Data Protection (UOOU), Pplk. Sochora 27, 170 00 Praha 7, Czech Republic, www.uoou.cz.

Cookies and tracking technologies

We use cookies on the website to ensure functionality and analyze traffic. For detailed information, see our dedicated Cookies policy page.

Strictly necessary cookies
Analytics cookies (consent required)
Functional cookies
Marketing cookies (only with your consent)

Data retention

We retain data only for as long as necessary to provide services or meet legal obligations.

Account and vehicle data: for as long as the account is active
Documents and attachments: until deleted by the user
Technical logs: max. 12 months
Push notification tokens: until the user disables notifications or deletes account
Analytics data: retained according to each provider’s retention policy

Contact

If you have questions about privacy or wish to exercise your rights, contact us: