Privacy Policy
How we collect, use, and protect data — yours and your customers’.
1. Who this applies to
This Privacy Policy covers three types of people:
- Operators — car wash businesses or individuals who sign up to use TheWashCRM at thewashcrm.com/signup.
- End customers — people who book washes through an operator’s booking page (e.g. stellar.thewashcrm.com). When you book a wash, you have a relationship with the operator. We process your data on the operator’s behalf.
- Visitors — anyone browsing the public marketing site without signing up.
2. What we collect
2.1 From Operators
- Account info: business name, contact name, contact email, phone, billing email
- Authentication: login email, password (hashed and stored by Clerk, our auth provider — we never see plaintext passwords)
- Payment info for your subscription: handled by Stripe. We store your Stripe customer ID; Stripe stores card details.
- Usage data: what features you use, when you log in, errors you encounter (via Sentry, our error monitoring)
2.2 From End Customers
When end customers book a wash on an operator’s booking page, we collect on the operator’s behalf:
- Name, email, phone
- Service address (for mobile washes)
- Vehicle details (make, model, color)
- Booking history, service preferences
- Payment details (handled by Stripe Connect — payments go directly to the operator’s Stripe account; we don’t process or store card data)
End customers’ relationship is primarily with the operator, not with TheWashCRM. We process this data as a service provider to the operator.
2.3 From Visitors
- IP address, user agent, page visited (server logs)
- If you submit a contact form or email us, your message and email address
We don’t use third-party advertising trackers or behavioral ad networks on the marketing site.
3. How we use it
- Provide the Service: show you your dashboard, process payments, send transactional emails (booking confirmations, receipts, login codes)
- Support: respond to questions you send to support@thewashcrm.com
- Improve the product: aggregated, anonymized analytics on which features get used. We don’t sell individual usage data.
- Security & abuse prevention: detect fraudulent signups, dispute attacks, or unauthorized access
- Legal obligations: respond to subpoenas, court orders, or other lawful requests
We do not sell your personal data or your customers’ personal data to anyone. Ever.
4. Who we share with
We share data with the following service providers, only as needed to operate the Service:
- Stripe (payments) — subscription billing + Stripe Connect routing of customer payments
- Clerk (authentication) — operator login, session management, password handling
- Resend (transactional email) — sends booking confirmations, receipts, login codes
- Vercel (hosting) — runs the application; logs requests for ~30 days
- Neon (database) — stores your data in encrypted PostgreSQL hosted in the United States
- Sentry (error monitoring) — receives stack traces and breadcrumbs when errors occur. Sensitive fields are scrubbed before transmission.
- Google Workspace (email infrastructure) — handles email sent from @thewashcrm.com
Each of these providers has its own privacy policy and security practices. We choose providers that meet industry-standard certifications (SOC 2, ISO 27001, or equivalent).
We may also share data when legally required (subpoenas, court orders) or in connection with a corporate transaction (merger, acquisition, asset sale). If a corporate transaction would result in your data being transferred, we’ll notify you in advance.
5. Data location & retention
Data is stored on servers located in the United States. We retain Customer Data for the duration of your subscription. On termination, data is preserved for 90 days then deleted. Server logs are retained for ~30 days. Backup snapshots may persist longer per Neon’s point-in-time recovery policy.
6. Security
We use industry-standard practices: TLS 1.2+ for all traffic, encrypted-at-rest databases, hashed passwords, scoped access controls, audit logging. No system is perfectly secure, and we can’t guarantee zero data breaches — but we work hard to minimize risk.
If we discover a data breach affecting your data, we’ll notify you within 72 hours of confirmed discovery, with details of what was affected and steps we’re taking.
7. Your rights
You can:
- Access your data via the operator dashboard or by emailing support@thewashcrm.com
- Export Customer Data as CSV from Settings → Account → Data export (Pro tier)
- Correct account info from Settings → Account → Business info
- Delete your account from Settings → Account → Manage. After deletion, data is preserved 90 days then permanently removed.
California residents have additional rights under CCPA/CPRA (opt-out of sale, right to know, right to delete). We don’t sell personal data, but you can email support@thewashcrm.com for any privacy request.
8. Children
TheWashCRM is intended for use by businesses; you must be at least 18 to sign up. We don’t knowingly collect data from anyone under 13. If you believe a child has provided data to us through an operator’s booking page, contact us and we’ll delete it.
9. Cookies
We use cookies for authentication (so you stay logged in) and basic functionality (CSRF protection, session handling). We don’t use third-party advertising cookies, behavioral retargeting, or cross-site tracking.
10. Changes to this policy
We may update this Privacy Policy. Material changes will be emailed to your account’s contact email at least 30 days before taking effect. The version date at the top will be bumped on every update.
11. Contact
Privacy questions? Email support@thewashcrm.com with subject line “Privacy.”