DealerPal (“we”, “us”) provides a platform that helps car dealerships (“Dealers”) communicate with their customers through WhatsApp, Facebook Messenger, and Instagram, manage vehicle inventory, and generate sales content with AI. This policy explains what information we process, why, and the rights you have over it.

1. Who is the controller

When a Dealer uses DealerPal, the Dealeris the data controller of their customers’ messages and profiles. DealerPal acts as a data processor under the Dealer’s instructions. For a Dealer’s own account information (account holders, billing, login activity), DealerPal is the controller.

2. Information we collect

We collect the following categories of data, all transmitted over TLS-encrypted connections. The list below is also reflected in our Google Play Data Safety disclosure.

2.1 Personal information

• Name— Dealer account holder’s name.
• Email address — used for login and service communications.
• Phone number — Dealer contact number; customer phone numbers received from WhatsApp.
• Address — dealership business address, displayed on listings and on maps.
• User IDs — Clerk user identifiers, internal tenant IDs, session tokens.

2.2 Messages and media

• In-app messages — messaging content received from connected Meta platforms (WhatsApp, Messenger, Instagram) and replies sent through the service. Used for routing, reply, and reporting; never used to train public AI models.
• Photos — vehicle inventory photos uploaded by the Dealer; photos sent by customers within chat threads.
• Videos — videos sent by customers within chat threads, where applicable.
• Voice and sound recordings — voice notes sent by customers via WhatsApp, played back inside the service.
• Files and documents — knowledge-base uploads the Dealer provides to power AI replies (price lists, vehicle specs, FAQs).

2.3 Dealer business data

• Dealership name, branding, vehicle inventory, pricing, promotional posts and drafts.

2.4 Location

• Approximate location — derived from the IP address of requests, used for fraud prevention and security logging. We do not collect precise GPS location.

2.5 App activity

• App interactions — feature usage events (which screens are visited, which actions are taken) for product analytics.
• User-generated content — vehicle descriptions, knowledge-base entries, post drafts, and AI-prompt content created in the app.
• Other actions — vehicle create/update/delete events, post boost events, AI generation requests.

2.6 App information and performance

• Crash logs — captured by Sentry and Google Cloud Logging.
• Diagnostics — performance traces, breadcrumbs, and OpenTelemetry spans used to debug issues.
• Other app performance data — request latency, error rates, and reliability metrics.

2.7 Device or other IDs

• Firebase Cloud Messaging (FCM) push notification tokens, Sentry device fingerprints, and Clerk session/device identifiers. Used to deliver notifications and to detect anomalous logins.

3. How we use information

• App functionality— to provide DealerPal’s core features: managing inventory, routing customer messages, generating AI replies and content, sending push notifications.
• Account management — authentication, billing, and service communications.
• Analytics — to understand product usage and improve features.
• Fraud prevention, security, and compliance — to detect suspicious activity, satisfy Meta platform-policy audit requirements, and meet legal obligations.
• Developer communications — service updates, security notices, policy changes.

We do not sell personal information. We do not use Meta-sourced message content to train public AI models. We do not use any of this data for advertising.

4. Sharing with third parties

We do not share your personal information with third parties for those third parties’ own purposes. We do engage the following service providers ( sub-processors) that process data on our behalf under written contractual restrictions:

• Google Cloud Platform (region me-west1) — hosting, Cloud SQL Postgres, Cloud Storage for photos, Cloud Logging, Cloud Trace, Firebase Cloud Messaging.
• Clerk — user authentication and identity management.
• Anthropic and other LLM providers — AI-generated replies and content. Data sent for inference is not used by the providers to train models, per their enterprise terms.
• Sentry — error and performance monitoring.
• Meta Platforms— source and destination of messaging events for the Dealer’s connected WhatsApp, Messenger, and Instagram accounts.

5. Data location and retention

Primary data storage is in Israel (Google Cloud me-west1). Dealer data is retained while the account is active. On account deletion, Dealer data is deleted within 30 days, except where we must retain it to comply with a legal obligation. Specific retention durations for retained categories (audit records, billing, security logs, backups) are documented in our Data Deletion page.

6. Your rights and how to delete your data

You may request access to, correction of, or deletion of personal information we hold about you. We support both:

• Full account deletion — see /data-deletion#full-deletion.
• Partial data deletion — delete specific categories of data without closing your account, see /data-deletion#partial-deletion.

For any privacy request, email privacy@dealerpal.co.il. Dealers may also instruct us to delete customer data on a customer’s request.

7. Security

All data is encrypted in transit with TLS. Tenant secrets (such as Meta access tokens) are encrypted at rest with Google Cloud KMS. Database connections use TLS-enforced private networking. Access to production systems is restricted to authorized personnel and audit-logged.

8. Children

DealerPal is a business tool intended exclusively for adult professionals who own or operate a car dealership. The service is not directed at children, and we do not knowingly collect personal information from anyone under 18. If you believe a minor has provided information to us, contact privacy@dealerpal.co.il and we will delete it.

9. International transfers

Some sub-processors (Anthropic, Sentry, Clerk) may process data outside Israel and the EEA. Where applicable, transfers are governed by Standard Contractual Clauses or equivalent legal mechanisms.

10. Changes

We may update this policy; material changes will be posted here with a new effective date. Continued use of the service after a change means you accept the updated policy.

11. Government and law-enforcement requests

If a public authority — a court, regulator, police force, or other government body — requests access to personal information we hold, we follow these principles:

• Legality review. Every request must be served in writing through proper legal channels and is reviewed by counsel for jurisdictional validity, scope, and conformance with applicable law before any data is disclosed.
• Challenge of unlawful requests.Where we believe a request is unlawful, overbroad, or in conflict with users’ fundamental rights, we will challenge it through legal counsel — including by motion to quash, narrowing negotiations, or refusal where legally permitted.
• Data minimization.Where disclosure is legally required, we disclose only the specific records the legal instrument compels, not the user’s full account.
• Documentation. We log every request, the authority that issued it, our legal review, the scope of any disclosure, and the legal reasoning. The log is retained for at least 24 months.

Where lawfully permitted, we will notify the affected user before disclosure so they can seek their own remedies.

12. Contact

DealerPal, operated by the owners of dealerpal.co.il. Privacy questions: privacy@dealerpal.co.il. Postal correspondence: DealerPal, c/o AutoGolan Ltd., Israel.