Privacy policy
Last updated: April 19, 2026
VinReach operates the platform our dealer customers use to track their own website visitors and run remarketing journeys. This policy covers both the data we hold about dealers (our direct customers) and about the visitors the dealers track (data we process on their behalf).
Who we are
VinReach is a SaaS platform for new and used vehicle dealers. Contact: privacy@vinreach.ai.
Data we collect as controller (dealer customers)
- Account identity — name, email, phone, role (owner / admin / operator).
- Organization + rooftop metadata — dealership name, brand, website URL, timezone.
- Billing info — Stripe customer + subscription identifiers. Card data stays with Stripe; we never see the PAN.
- Audit + usage telemetry — every change you make in the console is logged for SOC 2.
Data we process as processor (visitor data)
The dealer is the controller of their visitor data. VinReach is the processor. The dealer's privacy policy governs the collection notice; our DPA governs the processing terms.
- Pixel events — URL, referrer, device fingerprint (UA + IP /24 + Accept-Language + hashed device hash), timestamp, dealer-provided tags. IPs are hashed with a daily-rotated salt and not stored in raw form.
- Form submissions — email + phone entered on the dealer's site, associated with the visitor's resolved person record.
- Inventory signals — publicly available VDP content crawled from the dealer's own site, keyed by VIN.
- Reply + engagement — inbound emails + SMS the dealer receives, opens + clicks on dealer-sent messages.
How we use it
- Deliver remarketing journeys the dealer configures (email + SMS + inbox workflows).
- Run the compliance engine (consent, suppression, quiet hours, CAN-SPAM headers, CPRA opt-out signals).
- Improve platform-level ML (intent classification, subject-line bandits) using de-identified signals only. No per-person training data leaves the tenant boundary.
- Support + operate the service (debugging, billing, SOC 2 audit).
Who we share with
Sub-processors listed at /subprocessors. We do not sell personal information in the CPRA sense. We do not share personal information with third parties for their independent commercial use.
California residents
Your CPRA rights + how we handle GPC signals are on the CAN-SPAM · CPRA page.
Retention
- Dealer-account data: retained while the account is active + 60 days after termination. CSV export provided on request.
- Visitor behavioral data: 18 months rolling default, then purged unless retained under a paid plan.
- Audit + SOC 2 logs: 18 months fixed, then purged.
- Immutable CASL / CPRA opt-out history: retained indefinitely (regulatory requirement).
Your rights
- Know, access, correct, delete, or port your data — email privacy@vinreach.ai.
- Withdraw consent at any time via the unsubscribe link in every commercial email or STOP on any SMS.
- Appeal a decision — we respond to appeals within 45 days.
Security
See /trust for the full posture. Short version: TLS 1.2+ in transit, AES-256 at rest, RLS-segmented per-tenant data, SOC 2-ready controls.
Children
The VinReach platform is not directed at children under 16. Dealers do not market to minors. We do not knowingly collect personal information from anyone under 16.
Changes
Material changes to this policy are posted here with at least 30 days' notice. Continued use of the service after the effective date constitutes acceptance.