Privacy Policy
Last updated: 12 June 2026
1. Data controller
The controller of your personal data under the EU General Data Protection Regulation (GDPR) is:
Savas OÜ
Sepapaja tn 6, Tallinn, Harju, Estonia 15551
Registry Code: 14062178 · VAT: EE101896809
Contact: [email protected]
2. What we collect and why
| Data | Purpose | Legal basis |
|---|---|---|
| Account data (name, email, password hash) | Providing the Service, authentication | Contract (Art. 6(1)(b)) |
| Company & billing details (company name, address, VAT number) | Invoicing, tax compliance | Legal obligation (Art. 6(1)(c)) |
| Signup interests (optional) | Tailoring the product and onboarding | Consent (Art. 6(1)(a)) |
| Usage data (searches, saved searches, lists, API request logs) | Operating quotas, abuse prevention, product improvement | Contract & legitimate interest (Art. 6(1)(b), (f)) |
| Analytics events (via Google Tag Manager / GA4) | Understanding aggregate product usage and marketing performance | Consent / legitimate interest |
3. Processors we use
- Stripe — payment processing and billing portal (we never store card numbers).
- Google — Tag Manager / Analytics 4 for product and marketing analytics.
- Hosting & email infrastructure providers — running the application and sending transactional email (e.g. saved-search alerts, verification emails).
- Sentry — error monitoring (technical diagnostics).
- Crisp — customer support chat; receives your name, email and plan when you are logged in, so we can help you without asking who you are.
Where processors are outside the EEA, transfers rely on adequacy decisions or Standard Contractual Clauses.
4. Retention
- Account data: for the life of the account; deleted upon account deletion.
- Invoices and billing records: 7 years (Estonian accounting law).
- API request logs: up to 13 months (quota enforcement and abuse investigation).
5. Your rights
Under the GDPR you may request access, rectification, erasure, restriction, portability, and object to processing based on legitimate interest. You can delete your account yourself from your profile page. To exercise any right, email [email protected] — we respond within 30 days. You may also lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon, aki.ee) or your local supervisory authority.
6. Cookies
We use strictly necessary cookies (session, CSRF) to run the Service, and analytics cookies via Google Tag Manager. You can block analytics cookies in your browser without affecting core functionality.
7. Vehicle data is not personal data
The vehicle specification database itself (makes, models, specs, tire sizes) contains no personal data. This policy covers only the personal data of VehDB users.
8. Changes
We will announce material changes to this policy by email or in the dashboard before they take effect.