VinDXit Logo
Privacy Policy Privacy First

Your data should not become the product.

VinDXit was built to help people make clearer vehicle decisions without turning them into an advertising profile. This page explains what we collect, why we collect it, and how we deliberately avoid invasive tracking.

We built VinDXit with a privacy-first philosophy. We intentionally avoid invasive tracking, behavioral profiling, and advertising technologies wherever possible.

Read the Policy View Terms of Use

Privacy in plain English.

This policy explains what data VinDXit collects, how it is used, how long it is kept, and what rights you have — in language you can actually read.

Effective Date: April 12, 2026

This Privacy Policy describes how Whitewood Legacy LLC ("we," "us," or "our"), acting as data controller, collects, uses, stores, and protects information when you use the VinDXit platform and related services (collectively, the "Services"). By using the Services, you agree to the practices described here.

VinDXit does not run cross-site advertising trackers or sell personal data. We do keep first-party operational and analytics records so we can run the product, review uploads, monitor abuse, and understand how the site is being used.

1. Information We Collect

We collect only what is necessary to operate the Services. This includes:

  • Vehicle inputs — VIN, mileage, ZIP code, asking price, ownership inputs, damage flags, and similar details you enter when scoring or comparing a vehicle.
  • Optional questionnaire and survey responses — answers you give in on-site surveys or product questionnaires, including the active survey variant and the answers you submit.
  • Google account profile — when you sign in via Google Identity Services, we receive and store your Google user ID ("sub"), email address, display name, and profile image URL. We request no additional Google scopes and do not access Gmail, Calendar, Drive, or Contacts.
  • First-party analytics and session data — page views, approximate closed-view dwell time, feature actions, score-flow events, content-source context, listing activity events, browser session identifiers, and server-side hashed network or device signals used for product reporting and abuse review. These records are session-based and browser-based; they are not ad-tech profiles.
  • Browser identifiers and storage keys — first-party analytics cookies such as vx_vid, vx_sid, vx_first_seen, vx_last_seen, and vx_analytics_optout; browser storage keys used for score flow state, survey state, and related first-party product behavior; and a legacy analytics compatibility cookie in some browsers from older builds.
  • Survey telemetry context — survey anon/session IDs, trigger context, page path, source or referrer hints, locale or device bucket, and score-band context when a survey is shown after a score.
  • FSBO operational data — listing activity, marketplace views, message-thread opens, message sends, seller or buyer account associations when available, and related moderation or admin records.
  • Uploaded or emailed vehicle records — documents you upload through the Services or send to docs@vindxit.com, including maintenance records, receipts, service records, inspection records, and history-related documents.
  • Internal score and admin records — when a vehicle is scored through verified score flows or reviewed in admin tools, we may store internal records such as VIN, masked VIN, VIN hash, score metadata, route, timestamps, and audit or deletion status.

We do not collect payment card information, Social Security numbers, government-issued ID numbers, or sensitive personal categories such as health or biometric data.

2. How We Use Information

Information collected is used only for the following purposes:

  • To generate VinDXit Scores and vehicle insight reports based on your inputs.
  • To authenticate your identity and manage your account and session.
  • To operate first-party analytics, survey reporting, admin dashboards, and internal business reporting based on real product usage.
  • To review uploaded or emailed vehicle records, associate them with the correct vehicle, VIN, listing, or account, and create privacy-safe evidence or service history records.
  • To operate FSBO listings, messaging, seller tools, moderation, and internal marketplace reporting.
  • To improve the accuracy, performance, safety, and usability of the Services.
  • To detect abuse, spam, automation, fraud, and misuse of score, listing, messaging, survey, and admin features.
  • To respond to your questions, requests, or support inquiries.
  • To comply with applicable legal obligations.

We do not sell, rent, license, or share personal data with advertisers, data brokers, or any third party for commercial marketing purposes.

3. Vehicle Records You Upload or Email

You may send vehicle records to VinDXit either through the upload flows in the Services or by emailing docs@vindxit.com. When you do, you authorize us to review those materials and associate them with the relevant vehicle, VIN, or account.

  • We may extract maintenance or service information from submitted records and create privacy-safe maintenance evidence, service history entries, Evidence Sheets, and related internal records.
  • We may use submitted materials and non-identifying information derived from them for internal operations, fraud prevention, scoring development, product improvement, analytics, and research.
  • We may use or share aggregated or de-identified vehicle history information without additional notice or permission.
  • Personally identifying information remains private and is handled in accordance with this Privacy Policy, our Terms of Use, and applicable law.

We retain submitted records and derived internal evidence only for as long as reasonably necessary for the purposes described in this policy, consistent with the retention framework in Section 5.

4. Cookies, Session Storage & Local Storage

The Services use browser-based mechanisms to maintain your session, remember first-party state, and support analytics and survey flows:

  • Analytics cookies — VinDXit sets first-party cookies such as vx_vid (browser identifier), vx_sid (session identifier), vx_first_seen, and vx_last_seen. The current analytics code also honors vx_analytics_optout when present and may read a legacy compatibility cookie from older builds.
  • Session storage — used for in-tab state such as previous same-site path, score-entry source, survey session state, and score-flow handoff data. Session storage is browser-controlled and may clear when the tab or browser session ends.
  • Local storage — used for first-party product state such as survey anon ID, survey debug or cooldown settings, score replay state, and similar browser-side helpers. This storage can persist until you clear it.
  • Authentication cookies or tokens — used to maintain your logged-in state and protect authenticated routes.

We do not currently present a separate analytics consent banner or account-level analytics toggle on the site. We also do not use third-party advertising cookies, cross-site tracking pixels, or behavioral retargeting technologies.

5. Data Retention

We retain data only for as long as necessary to fulfill the purposes described in this policy or as required by law:

  • First-party analytics records — retained in the analytics data store until they are deleted by retention tooling or admin cleanup. The current retention target is up to 730 days, but some records may be removed sooner or later if operators run cleanup or preservation tasks.
  • Survey responses, survey events, and logo-vote records — retained until deleted through admin tools, operational cleanup, or data-management work. The current code does not apply a fixed automatic age-based purge to all survey records.
  • Uploaded or emailed vehicle records and derived evidence — retained for as long as reasonably necessary to operate account-linked and VIN-linked vehicle history features, prevent fraud, improve the Services, comply with legal obligations, and resolve disputes. When no longer needed, we may delete, aggregate, or de-identify this information.
  • Google account profile data (ID, email, name, image URL) — retained for as long as your account is active, unless earlier deleted in response to a verified request.
  • Vehicle input data, Garage data, and saved history — retained in association with your account for as long as you keep those records or until they are removed through account or data-management workflows.
  • Internal score records, FSBO operational records, and admin audit data — retained until deleted through admin or operational processes. Some of these records do not currently have a fixed public auto-deletion schedule.

You may request deletion of your data at any time. See Section 9 for how to exercise that right.

6. Third-Party Service Providers

We work with a limited number of third-party service providers who process data on our behalf as data processors. These providers are contractually bound to use your data only as directed by us and in accordance with applicable law. Current providers include:

  • Google Identity Services — authentication and identity verification, governed by Google's Privacy Policy.
  • NHTSA (National Highway Traffic Safety Administration) — vehicle identification and recall data via public APIs. No personal data is transmitted to NHTSA.
  • AI/scoring infrastructure providers — if third-party AI services are used in generating scores, only anonymized vehicle input data (no personal identifiers) is transmitted.

We do not share personally identifiable information with third parties except as described above or as required by law.

7. Security

We implement reasonable and appropriate technical and organizational measures to protect your information from unauthorized access, disclosure, alteration, or destruction. These measures include:

  • Encryption of data in transit using TLS (HTTPS).
  • Access controls limiting data access to authorized personnel only.
  • Session expiration and token invalidation practices.

No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. In the event of a data breach that affects your rights or freedoms, we will notify you and applicable regulators as required by law.

8. Children's Privacy

The Services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If we learn that we have inadvertently collected personal information from a child under 13, we will delete it promptly. Users between the ages of 13 and 17 may use the Services only with verifiable parental or guardian consent, as described in our Terms of Use.

If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us at james@vindxit.com.

9. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access — request a copy of the personal data we hold about you.
  • Correction — request that inaccurate or incomplete data be corrected.
  • Deletion — request that your personal data be deleted ("right to be forgotten"), subject to legal and operational exceptions.
  • Portability — request that your data be provided in a portable, machine-readable format where technically feasible.
  • Objection / Restriction — object to or request restriction of certain processing activities where applicable law gives you that right.

Some first-party analytics records are stored as browser or session identifiers rather than a direct name. We will still review good-faith requests about those records, but in some cases we may need more information from you before we can reasonably locate them.

To exercise any of these rights, email us at james@vindxit.com with the subject line "Privacy Request." We will respond within 30 days. We may request verification of your identity before processing your request.

10. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including:

  • The right to know what personal information we collect, use, disclose, and sell.
  • The right to delete personal information we have collected from you, subject to certain exceptions.
  • The right to correct inaccurate personal information.
  • The right to opt out of the sale or sharing of your personal information.
  • The right to non-discrimination for exercising your privacy rights.

We do not sell or share your personal information with third parties for cross-context behavioral advertising. Because we do not sell or share personal data, no opt-out mechanism is required — but we disclose this explicitly in compliance with CCPA requirements.

To submit a California privacy request, contact us at james@vindxit.com. You may also designate an authorized agent to make a request on your behalf.

11. Do Not Sell or Share My Personal Information

VinDXit does not sell personal information to third parties. VinDXit does not share personal information with third parties for cross-context behavioral advertising. This applies to all users, including California residents under the CCPA.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we do, we will revise the "Effective Date" at the top of this page. Where required by applicable law, we will provide more prominent notice of material changes. Your continued use of the Services after any changes take effect constitutes acceptance of the updated policy.

13. Contact

For questions, requests, or concerns about this Privacy Policy or our data practices, please contact:

Email: james@vindxit.com
Company: Whitewood Legacy LLC, Indiana, U.S.A.
Also see: Terms of Use