AutoDataMine Privacy Policy
Effective date: [PUBLISH DATE]
Last updated: [PUBLISH DATE]
AutoDataMine ("AutoDataMine", "we", "us", "our") is a service offered by Tortone Systems LLC, a Texas limited liability company doing business as AutoDataMine. This Privacy Policy explains how we collect, use, share, and protect information when you visit autodatamine.com (the "Site"), use the AutoDataMine Finance or AutoDataMine Sales applications (collectively, the "Services"), or otherwise interact with us.
Two-audience notice. The Services are sold to automotive dealerships. Most personal information we process belongs to consumers of those dealerships (e.g., a person who brings their car in for service). For that information, the dealership is the "controller" or "business" and AutoDataMine is the "processor" or "service provider." We process it only on the dealership's instructions. If you are a dealership customer and want to exercise rights over your data, please contact the dealership first. We will assist them in responding.
1. Information we collect
1.1 From dealership users (our direct customers' staff)
- Account information: name, work email, dealership affiliation, role/title, hashed password, multi-factor authentication metadata.
- Use and device data: pages viewed, features used, log timestamps, IP address, browser/OS, device type, error reports.
- Communications: messages you send us (support tickets, email, feedback).
1.2 From dealership customers (consumers — processed on behalf of the dealership)
We host a separate database for each dealership ("Dealer Plane"). The categories below are loaded into a Dealer Plane by the dealership (via DMS export, OEM API integration, or manual entry):
- Identifiers: name, mailing address, email, phone number, VIN, license plate, dealer-assigned customer ID.
- Vehicle and service data: make, model, year, mileage, repair orders, service appointments, warranty status, recall status, lien payoff information when provided by the dealership.
- Finance & Insurance interest data: vehicle service contract ("VSC"), GAP, maintenance plan eligibility and lead scoring outputs derived from the above.
- Communications log: SMS messages sent or received through the platform (content, timestamp, line, delivery status, opt-in/opt-out state).
Some of the above (e.g., information related to a lien payoff, credit application, or finance product purchase) may constitute non-public personal information ("NPI") under the federal Gramm-Leach-Bliley Act. We treat that information under our written information security program (see Section 6).
1.3 From Site visitors
- Server log data (IP, request path, user-agent).
- Contact-form submissions (if you reach out to us).
- We do not currently use third-party analytics, advertising pixels, or session-replay tools. If we add any in the future, this policy will be updated and (where required by law) prior consent will be obtained.
1.4 We do not knowingly collect data from children under 13
The Services are sold to businesses for B2B use. We do not knowingly collect personal information from children under 13. If a dealership loads such information into the platform and we become aware of it, we will work with the dealership to delete it.
2. How we use information
We use the categories above to:
1. Provide, operate, and improve the Services.
2. Authenticate users and secure the platform.
3. Run lead scoring, warranty and recall lookups, and other features the dealership has enabled.
4. Send and receive SMS messages on the dealership's behalf to consumers who have given the dealership prior express written consent (see SMS Terms).
5. Communicate with dealership users about service status, security, billing, and product updates.
6. Diagnose problems, prevent fraud, and protect against abuse.
7. Comply with our legal obligations and enforce our agreements.
We do not:
- Sell personal information.
- Use consumer personal information to train third-party AI models.
- Combine personal information across dealerships for advertising.
- Use dealership customer NPI for purposes other than the dealership's service instructions.
3. How we share information
We share information with the following categories of recipients:
- The dealership whose Dealer Plane the data lives in. The dealership controls who at the dealership can access what.
- Service providers (subprocessors) that help us run the platform. Current list:
  - Supabase, Inc. — managed PostgreSQL and authentication hosting (per-dealer Supabase project).
  - Vercel Inc. — application hosting.
  - SendBlue, Inc. — A2P SMS delivery for consumer messaging.
  - OEM API providers (e.g., Ford OASIS, GM GlobalConnect, Stellantis DealerCONNECT, Toyota TIS, etc.) — only outbound queries on the dealership's behalf to retrieve warranty/recall/build data.
- Legal and safety — to comply with applicable law, valid legal process, or to protect rights, safety, or property.
- Successor entities in the event of a merger, acquisition, reorganization, or sale of substantially all assets, subject to this policy or a successor policy with materially similar protections.
We will publish an updated subprocessor list at https://autodatamine.com/subprocessors and provide dealerships notice of material additions consistent with our Data Processing Addendum.
4. Data retention
- Dealership customer data in active production systems: retained for as long as the dealership remains a customer of AutoDataMine, plus a 90-day grace period for export, after which it is permanently deleted from production systems.
- Dealership customer data in encrypted backups: continues to exist after the 90-day deletion above until each backup ages out under our backup-retention schedule (currently 30 days), during which time the information remains subject to the confidentiality and security obligations of our Data Processing Addendum. We do not restore from backups except as needed to remediate a security incident or as required by law.
- Dealership user accounts: retained for the life of the customer relationship and 12 months thereafter for audit/legal purposes.
- Site visitor server logs: retained for 90 days.
- Billing and tax records: retained for 7 years to comply with US tax recordkeeping requirements.
Dealerships may instruct us in writing to delete or return their data sooner per the Master Services Agreement and Data Processing Addendum.
5. Security
We maintain a written information security program (the "WISP") designed to meet the safeguards requirements of the Gramm-Leach-Bliley Act (16 C.F.R. Part 314) because our dealership customers are "financial institutions" under that rule and we receive their NPI. Highlights:
- All data in transit encrypted with TLS 1.2 or higher.
- All data at rest encrypted (Supabase-managed AES-256).
- Per-dealer database isolation (each dealership runs in its own Supabase project, not a shared multi-tenant DB).
- Row-level security enforced for every query, scoped to dealer slug.
- Least-privilege access. Multi-factor authentication required for admin access.
- Secrets stored encrypted in a control plane with a master key separate from production.
- Annual security review of subprocessors, vulnerability monitoring, and incident response plan (see legal/compliance/incident-response-plan.md).
No system is perfectly secure. We will notify affected dealerships of any confirmed security incident involving their data without unreasonable delay and consistent with applicable law and our DPA.
6. Your privacy rights
6.1 Texas residents (TDPSA)
The Texas Data Privacy and Security Act (TDPSA) gives Texas residents the right to (i) confirm whether a controller is processing their personal data, (ii) access it, (iii) correct inaccuracies, (iv) delete it, (v) obtain a portable copy, and (vi) opt out of certain processing (targeted advertising, sale, or certain profiling).
Our role. For personal information that originates with a dealership (service appointments, vehicle records, communications), the dealership is the "controller" and AutoDataMine is the "processor" under the TDPSA. As the processor, we are required to assist the dealership in responding to your rights requests — we do not exercise independent discretion over the dealership's data.
How to exercise rights.
- If your request relates to data held by a specific dealership, the fastest path is to contact that dealership directly. We will also route your request to the dealership and provide reasonable technical assistance so they can respond within the TDPSA statutory deadlines (45 days, with one 45-day extension where necessary).
- For personal information that AutoDataMine collects directly in its own right (e.g., site contact-form submissions, support email, security questionnaire responses from prospective dealer staff), AutoDataMine is the controller; email privacy@autodatamine.com and we will respond directly.
Sensitive data. TDPSA imposes additional opt-in consent requirements for "sensitive data" (precise geolocation, biometric identifiers, certain categories listed at Tex. Bus. & Com. § 541.001(28)). AutoDataMine's Services do not request, derive, or store sensitive data as the term is used in TDPSA. If you become aware of sensitive data in your AutoDataMine record, please notify us at privacy@autodatamine.com.
6.2 Other US residents
Where another state's privacy law (CCPA/CPRA, VCDPA, CPA, etc.) gives you rights, we honor those rights to the extent legally required and follow the same routing logic above.
6.3 Appeals
If we decline a request, you may appeal by replying to our written decision. We will respond to appeals within the time required by applicable law.
7. SMS / text messaging
If you receive SMS messages from a dealership through AutoDataMine, the dealership has represented to us that it obtained your prior express written consent. You can opt out at any time by replying STOP to any message; reply HELP for help. Standard message and data rates may apply. See our SMS Terms for additional details.
8. International users
AutoDataMine currently serves dealerships located in the United States. The Services are hosted in the United States. If you access the Services from outside the US, you understand your information will be transferred to and processed in the US.
9. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will provide reasonable notice to dealerships (e.g., by email or in-app notice) before the changes take effect, and update the "Last updated" date above.
10. Contact
Tortone Systems LLC d/b/a AutoDataMine
Attn: Privacy
[PRINCIPAL ADDRESS]
privacy@autodatamine.com
This document is a drafting starting point. It is not a substitute for advice from a licensed attorney. Review and customize before publishing.