Skip to content
Carma

Privacy Policy

Last updated: 2026-05-24

This Privacy Policy explains how Carma ("we," "us," "our") collects, uses, and shares personal information when you use the Carma mobile application and related services available at trycarma.app (collectively, the "Service").

By using the Service you agree to the terms of this Policy. If you do not agree, do not use the Service.

1. Information We Collect

We collect only what we need to operate the Service. Categories below.

1.1 Information you give us

  • Account information — your email address, display name, and (if you sign in with Apple or Google) the identifiers those providers share with us. If you create a password account we store a salted hash of your password, never the password itself.
  • Vehicle records — VIN, year, make, model, trim, color, license plate, nickname, current odometer reading, odometer unit, and an optional vehicle photo that you upload.
  • Service and fuel logs — dates, service names, shop or station names, odometer readings, costs, gallons/liters, MPG, notes, and any receipt photos you attach.
  • Reminders — service type, mileage/date intervals, snooze states, and completion history you record.
  • Household membership — the name of the household you create or are invited to, your role within it, and which other Carma accounts share it.
  • Support communications — if you email us, we keep your messages and any information you choose to include.

1.2 Information collected automatically

  • Device and app diagnostics — operating system version, app version, language, and crash reports generated when the app encounters an error.
  • Push notification token — if you grant notification permission, we store an opaque device token issued by Apple Push Notification service so we can deliver maintenance reminders.

1.3 Information from third parties

  • Apple Sign In / Google Sign In — if you choose to sign in with Apple or Google, we receive a verified email address and a user identifier from those providers. We never receive your password.
  • Apple In-App Purchase — when you purchase a subscription or one-time unlock, Apple processes the payment and sends us a receipt that confirms which product was purchased and its current status. We do not receive your payment card details.
  • NHTSA VIN decode service — if you scan or enter a VIN, we look it up against the United States National Highway Traffic Safety Administration's public VIN decode API to populate make, model, and year. We send the VIN to NHTSA and receive vehicle attributes back.

2. How We Use Your Information

We use the information we collect to:

  • Provide the core features of the Service (record-keeping for vehicles, reminders, household sharing).
  • Authenticate you and keep your account secure.
  • Process in-app purchases through Apple and confirm your subscription status.
  • Send transactional emails (account confirmation, vehicle-transfer confirmations, password resets).
  • Send push notifications for the maintenance reminders you have configured.
  • Diagnose crashes and improve reliability.
  • Respond to your support requests.
  • Comply with applicable law and enforce our Terms of Service.

We do not use your information for advertising, marketing profiling, or sale to third parties.

3. How We Share Your Information

We share information only as described below.

3.1 Service providers

We use a small number of vetted vendors to operate the Service. Each is bound by contract to use your information only as needed to provide their service to us.

VendorUsed forData shared
SupabaseDatabase, authentication, file storageAll account, vehicle, service, fuel, reminder, and receipt data
Apple Push Notification ServiceReminder push deliveryDevice push token + notification payload
Apple In-App PurchaseSubscription processingPurchase receipts and product identifiers
Apple Sign In (if you use it)AuthenticationProvider-issued user identifier and email
Google Sign In (if you use it)AuthenticationProvider-issued user identifier and email
ResendTransactional email deliveryRecipient email address + email contents
NHTSA Vehicle APIVIN decodeThe VIN you enter

3.2 Household members

If you join a household, the vehicle records you mark as shared become visible to other members of that household. Members cannot see your account email, password hash, or other accounts you belong to — only the vehicle data you share.

3.3 Vehicle transfers

If you transfer a vehicle to another Carma user, the recipient receives the vehicle record and its associated service, fuel, reminder, and receipt data. Your email address is included in the transfer notification so the recipient can confirm who initiated it.

3.4 Legal and safety

We may disclose information when we have a good-faith belief that disclosure is required to:

  • Comply with applicable law, regulation, subpoena, or court order.
  • Protect the rights, property, or safety of Carma, our users, or others.
  • Investigate or prevent fraud, abuse, or violations of our Terms of Service.

3.5 Business transfers

If Carma is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will give you notice before your information is transferred and becomes subject to a different privacy policy.

4. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service. Specifically:

  • Account and vehicle data — kept until you delete the account or the specific record.
  • Archived vehicles — kept in archived state indefinitely so historical records remain available, until you delete them.
  • Receipt photos — kept for as long as the associated service log exists; deleted when you delete the service log or the receipt itself.
  • Crash reports and diagnostic logs — retained for up to 90 days.
  • Transactional email logs — retained by Resend per their retention policy (currently 30 days).

When you delete your account, all personal data is removed from our active systems within 30 days. Backups containing your data are overwritten on a rolling basis, typically within 90 days.

5. Your Choices and Rights

You can:

  • Access and edit your account information from within the app.
  • Delete individual records (vehicles, service logs, fuel logs, reminders, receipts).
  • Delete your entire account from Account → Delete Account. This action is irreversible.
  • Disable push notifications in Account → Notifications or in your device's Settings.
  • Choose what to share with your household — you control which vehicles are added to a household and can remove them at any time.

Depending on where you live, you may have additional rights under your local law (for example, the right to receive a copy of your data in machine-readable form, or to object to certain processing). To exercise any of these rights, email us at privacy@trycarma.app.

6. Security

We protect your information with reasonable administrative, technical, and physical safeguards:

  • All traffic between the app and our servers is encrypted in transit (HTTPS / TLS).
  • Database storage at Supabase is encrypted at rest.
  • Authentication tokens are stored using the device's secure storage (iOS Keychain).
  • We follow the principle of least privilege for internal access to production systems.

No method of transmission or storage is perfectly secure. If we become aware of a breach that materially affects your information, we will notify you and the appropriate authorities as required by law.

7. Children's Privacy

The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us personal information, contact us at privacy@trycarma.app and we will delete it.

8. International Users

Carma is operated from the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your country. By using the Service you consent to that transfer.

9. Changes to This Policy

We may update this Policy from time to time. When we make material changes, we will notify you through the app or by email. The "Last updated" date at the top of this Policy reflects the most recent revision. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

10. Contact

Questions about this Policy or about your information:

Email: privacy@trycarma.app Website: https://trycarma.app