Privacy Policy

Last Updated: December 9, 2025

Effective Date: December 9, 2025

Website: www.gearmike.com

Application: app.gearmike.com

Contact: contact@gearmike.com

INTRODUCTION

GEARMIKE ("we," "our," or "us"), a product of UPPERWAY LLC, operates the GEARMIKE automotive shop management software platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website (www.gearmike.com) and our software application (app.gearmike.com).

This policy applies to:

  • Shop owners and employees who use GEARMIKE to manage their business
  • Customers of shops that use GEARMIKE (whose data is entered by shop staff)
  • Visitors to our website

We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

INFORMATION WE COLLECT

1. Information You Provide Directly

Account Information:

  • Full name
  • Email address
  • Phone number (optional)
  • Password (stored securely hashed, never in plain text)
  • Profile photo (optional)

Business Information (for shop owners):

  • Shop name and address
  • Business phone and email
  • Tax ID (optional, for invoicing)
  • Logo and branding preferences

Customer Data (entered by shop users about their customers):

  • Customer names and contact information
  • Vehicle information (make, model, year, VIN, license plate)
  • Service history and notes
  • Payment information references
  • Communication preferences

2. Information Collected Automatically

Technical Information:

  • IP address (for security and fraud prevention)
  • Browser type and version
  • Device type and operating system
  • Pages visited and features used
  • Date and time of access
  • Referring website

Session Information:

  • Login timestamps
  • Session duration
  • User agent string

3. Information from Third Parties

We may receive information from integrated services you connect:

  • QuickBooks (customer and invoice sync)
  • Stripe (payment processing status)
  • Vehicle data providers (VIN decoding)

HOW WE USE YOUR INFORMATION

We use collected information for the following purposes:

Service Delivery:

  • Provide and maintain our software platform
  • Process transactions and send related information
  • Manage user accounts and authentication
  • Provide customer support

Communication:

  • Send service updates and notifications
  • Respond to inquiries and support requests
  • Send transactional emails (invoices, estimates, appointment confirmations)

Security and Fraud Prevention:

  • Detect and prevent fraudulent activity
  • Monitor for security threats
  • Enforce our terms of service

Improvement:

  • Analyze usage patterns to improve our service
  • Develop new features and functionality
  • Fix bugs and technical issues

Legal Compliance:

  • Comply with legal obligations
  • Respond to lawful requests from authorities
  • Protect our legal rights

LEGAL BASIS FOR PROCESSING (GDPR)

If you are in the European Economic Area (EEA), we process your data based on:

1. CONTRACT PERFORMANCE

Processing necessary to provide our services to you

2. LEGITIMATE INTERESTS

Security, fraud prevention, and service improvement, where our interests don't override your rights

3. CONSENT

Marketing communications (you can opt out anytime) and optional features and integrations

4. LEGAL OBLIGATION

Tax and financial record-keeping, and response to legal process

DATA SHARING AND DISCLOSURE

We do NOT sell your personal information. We may share data with:

1. Service Providers

We use trusted third-party services to operate our platform:

Provider    | Purpose                   | Data Shared
Supabase    | Database & Authentication | All account and business data
Stripe      | Payment Processing        | Customer names, emails, amounts
Resend      | Email Delivery            | Email addresses, order details
Vercel      | Hosting & CDN             | Technical access logs
QuickBooks  | Accounting (if connected) | Customers, invoices
Twilio      | SMS (if enabled)          | Phone numbers, message content
OpenAI      | Invoice AI extraction     | Uploaded invoice documents
MOTOR.com   | VIN Decoding              | Vehicle VINs only

All providers are bound by data processing agreements.

2. Legal Requirements

We may disclose information:

  • To comply with legal process or government requests
  • To protect our rights, property, or safety
  • To prevent fraud or security threats

3. Business Transfers

If we merge with or are acquired by another company, your information may be transferred as part of that transaction. We will notify you of any change.

DATA RETENTION

We retain your information as follows:

Data Type             | Retention Period
Active account data   | Duration of your account + 30 days
Customer records      | As long as your account is active
Order/invoice history | 7 years (legal/tax requirements)
Session logs          | 30 days after expiration
Support conversations | 2 years after resolution
Webhook/sync logs     | 90 days
IP addresses          | 90 days (then anonymized)

You may request earlier deletion subject to legal retention requirements.

YOUR PRIVACY RIGHTS

Rights for All Users

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate information
  • Deletion: Request deletion of your data
  • Portability: Receive your data in a portable format
  • Objection: Object to certain processing activities
  • Restriction: Request limited processing of your data

Additional Rights for California Residents (CCPA)

  • Right to know what personal information is collected
  • Right to know if personal information is sold or disclosed
  • Right to opt-out of the sale of personal information
  • Right to non-discrimination for exercising privacy rights

WE DO NOT SELL YOUR PERSONAL INFORMATION.

Additional Rights for EEA Residents (GDPR)

  • Right to lodge a complaint with your local data protection authority
  • Right to withdraw consent at any time

To exercise these rights, contact us at: contact@gearmike.com

We will respond within:

  • 30 days for GDPR requests
  • 45 days for CCPA requests

COOKIES AND TRACKING

We use the following cookies:

Essential Cookies (Required)

  • Authentication session cookies
  • CSRF protection tokens
  • Security preferences

These cannot be disabled as they are necessary for the application to function.

Analytics Cookies (Optional)

[Currently not implemented - will be added with consent mechanism]

We do NOT use:

  • Advertising or tracking cookies
  • Third-party marketing pixels
  • Cross-site tracking

DATA SECURITY

We implement industry-standard security measures:

Technical Safeguards:

  • AES-256-GCM encryption for sensitive data (API keys, tokens)
  • HTTPS/TLS encryption for all data in transit
  • Secure password hashing (bcrypt via Supabase)
  • CSRF protection on all forms
  • Rate limiting to prevent abuse

Organizational Safeguards:

  • Multi-tenant data isolation (each shop's data is completely separate)
  • Role-based access controls
  • Regular security reviews
  • Employee access limitations

Infrastructure:

  • Hosted on Vercel (SOC 2 Type 2 certified)
  • Database on Supabase (SOC 2 Type 2 certified)
  • Automatic backups with encryption

INTERNATIONAL DATA TRANSFERS

Our services are hosted in the United States. If you access our services from outside the US, your information will be transferred to and processed in the US.

For EEA users, we rely on:

  • Standard Contractual Clauses (SCCs) with our service providers
  • Adequacy decisions where applicable

CHILDREN'S PRIVACY

Our services are not intended for individuals under 16 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the new policy on our website
  • Sending an email to your registered address
  • Displaying a notice in the application

Your continued use after changes constitutes acceptance of the updated policy.

CONTACT US

For privacy-related inquiries:

Email: contact@gearmike.com

Address:
UPPERWAY LLC
16W235 83rd St STE E
Burr Ridge, IL 60527, USA

Data Protection Officer: contact@gearmike.com

For CCPA requests:

Response times:

  • General inquiries: 5 business days
  • Data access/deletion requests: 30 days (GDPR) / 45 days (CCPA)

DO NOT SELL MY PERSONAL INFORMATION (CCPA)

California residents have the right to opt-out of the sale of their personal information. GEARMIKE does not sell personal information to third parties.

If you have questions about this, contact: contact@gearmike.com

This privacy policy is governed by the laws of the State of Illinois. Any disputes arising from this policy shall be resolved through the American Arbitration Association.