Privacy Policy

AutoSignal — Last updated: February 2026

---

1. Data Controller

AutoSignal is operated by:

HexSoft Ltd (EIK: BG207896292)
Sofia, Studentski Grad, bl. 59A, entr. B, fl. 6, ap. 42, Bulgaria
Email: privacy@autosignal.bg

For the purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), HexSoft Ltd acts as the Data Controller.

---

2. What AutoSignal Does

AutoSignal is a mobile platform that allows users to:

• Notify vehicle owners about incidents (e.g. damage, safety issues, obstruction)
• Report damage cases with photographic evidence
• Register vehicles to receive notifications
• View temporary public incident visibility pages

The platform is designed for the Bulgarian market.

---

3. Personal Data We Collect

3.1 Registered Users

We collect:

• Email address
• OAuth provider data (if used)
• Device ID
• Push notification token
• Registered vehicle license plate number
• Full VIN number (for ownership verification)
• Uploaded registration certificate image (talon)
• Damage case data linked to registered vehicles

We do not collect phone numbers.

Only individuals aged 18+ may register vehicles.

3.2 Vehicle Data

AutoSignal processes:

• Vehicle license plate numbers
• Full VIN number
• Damage photos
• Plate proof photos

License plates are publicly visible identifiers by nature. However, we still treat them as personal data when they can be linked to identifiable individuals.

---

4. Public Visibility of Damage Cases

When a damage case is submitted:

• License plate number may be displayed publicly
• Damage photos may be publicly visible
• No GPS location is displayed
• No timestamp is displayed
• No reporter message text is displayed publicly
• No contact information is displayed publicly

Public visibility is temporary and expires automatically after a limited period (typically 7 days).

The purpose of public visibility is to:

• Increase the likelihood that the vehicle owner becomes aware of the incident
• Encourage platform adoption
• Improve community reporting engagement

Legal basis: Legitimate Interest (Art. 6(1)(f) GDPR).

---

5. Lawful Basis for Processing

We process data under:

Contractual Necessity (Art. 6(1)(b))

• When users register accounts
• When users register vehicles
• When users submit damage reports

Legitimate Interest (Art. 6(1)(f))

• Fraud prevention
• Abuse prevention
• Public visibility of damage cases
• Trust scoring system
• Security logging

Consent (Art. 6(1)(a))

• Push notifications
• Future analytics (if implemented)

---

6. Data Retention

Damage Notes & Public Visibility

• Damage case public visibility expires automatically (typically 7 days)
• Damage photos expire and are removed after expiration period
• Contact information (if provided) expires after 7 days

Accounts

• Users may request account deletion
• Accounts are scheduled for deletion after 7 days
• During this 7-day period, deletion can be reversed
• After 7 days, account and associated data are permanently deleted

---

7. Data Sharing & Processors

We use third-party service providers ("Processors") to operate AutoSignal.

OpenAI (OCR Processing)

We may send:

• License plate images
• Registration certificate images (talon)
• License plate numbers
• Full VIN number

Purpose: Optical Character Recognition (OCR).

Legal basis: Contractual necessity + legitimate interest.

Bunny.net (File Storage)

We store uploaded images via Bunny.net infrastructure.

Purpose: Secure storage and content delivery.

Firebase (Push Notifications)

We use Firebase Cloud Messaging (FCM) for push notifications.

Data shared:

• Push notification tokens
• Device identifiers

Email Service Provider

We use an external provider to send OTP authentication emails.

Data shared:

• Email address
• OTP code (temporary)

We do not sell personal data.

---

8. International Data Transfers

Some processors (e.g. OpenAI, Firebase) may process data outside the European Union.

When this occurs, appropriate safeguards are used, including:

• Standard Contractual Clauses (SCCs)
• GDPR-compliant transfer mechanisms

---

9. Security Measures

We implement appropriate technical and organizational measures including:

• Token-based authentication
• Hashed OTP codes
• Encrypted contact information
• Signed URLs for file access
• Rate limiting
• Abuse detection
• Limited public exposure controls
• Automatic expiration of sensitive data

No system can guarantee absolute security.

---

10. Cookies

AutoSignal uses a minimal number of cookies necessary for the proper functioning of the website:

• locale — Stores your preferred interface language. Duration: 30 days. Type: functional cookie.

We do not use cookies for tracking, advertising, or analytics.

---

11. Your Rights Under GDPR

You have the right to:

• Access your data
• Rectify inaccurate data
• Request erasure ("right to be forgotten")
• Restrict processing
• Object to processing
• Data portability
• Withdraw consent at any time
• File a complaint with the Bulgarian Commission for Personal Data Protection

To exercise your rights, contact: privacy@autosignal.bg

---

12. Children

Vehicle registration is restricted to individuals aged 18+.

AutoSignal is not designed for children under 16.

---

13. Analytics (Future Use)

If analytics tools are introduced (e.g. Firebase Analytics), this policy will be updated accordingly and users will be informed.

---

14. Changes to This Policy

We may update this Privacy Policy from time to time.

The latest version will always be available within the application and on the website.