Privacy policy

Your data, on a short leash.

What we collect, why we collect it, where it lives, and how to ask us to delete it. Plain language, no dark patterns.

Last updated: 20 May 2026 · info@autovaluer.eu

Who we are

AutoValuer is operated by ValiamTech j.d.o.o., a Croatian limited liability company. When this policy says “we” or “us”, it means ValiamTech j.d.o.o. acting as the data controller.

This policy covers the marketing site at autovaluer.eu and the product at app.autovaluer.eu, plus the AutoValuer iOS and Android apps.

What we collect

We collect five categories of data, and we are deliberate about each one:

Valuation inputs (no account required)

Brand, model, year, mileage, fuel, transmission, equipment, condition. These stay on your device by default. If you sign in, they sync to our servers so your saved searches follow you across devices.

Account data (only if you sign in)

We use Firebase Authentication for sign-in (email + password, or Google Sign-In). When you authenticate, we receive: your email address, a Firebase user ID, a display name if Google provides one, your locale preference, and your current plan tier. We never ask for your home address or government ID. Passwords are hashed and held by Firebase — they never reach our database in plain text.

Payment data (only if you buy a Pro report or subscribe)

Payments are processed by Stripe via Stripe Checkout (hosted by Stripe). We never see or store your card number, CVV, IBAN, or full billing address. From Stripe we receive a customer reference (cus_…), the price ID you purchased, the subscription status, the country/region Stripe inferred from your card BIN (for VAT), and the email you used at checkout. Stripe is our data processor under a Standard Contractual Clauses–compliant DPA; their privacy policy applies in parallel.

Vehicle photos (only if you use Photo AI in the Pro flow)

If you upload photos for the Photo AI condition assessment, the images are sent to our API (and to our third-party vision model) only for the time it takes to produce the assessment. We don't keep raw uploads after the report is generated — only the derived condition summary stays attached to the report. Maximum five photos per upload; client-side compression happens before send.

Analytics

We use Google Analytics 4 (tag G-2KZDLSQ136) to measure page-level traffic, referrer source, and conversion. IP addresses are truncated by Google before processing. We do not use Facebook Pixel or any cross-site advertising tracker. If you decline analytics under your browser's privacy controls, the site continues to work.

Why we collect it

Valuation inputs are used to compute a valuation. Account data is used to keep you signed in and to deliver the plan tier you paid for. Analytics is used to understand which pages are useful and which aren't.

We do not sell your data, share it with advertisers, or use it to train language models. If we ever change this, we'll tell you in advance and ask you to opt back in.

Where it lives

Production data is hosted in the EU on Google Cloud Platform (Frankfurt region, europe-west3). Backups are encrypted at rest and stored in the same region.

Firebase Authentication stores credentials on Google's infrastructure; Google acts as our data processor under SCCs.

Stripe processes payments under their own EU-resident infrastructure and standard contractual clauses. Some Stripe processing happens in the US under SCCs — this is unavoidable for global card processing.

Google Analytics traffic is sent to Google. Region settings are configured to truncate IP before storage.

Neural Draft (CMS, blog, contact-form, translations) hosts content and submission data in the EU.

How long we keep it

  • Account data: until you delete your account, plus 30 days for backups to expire.
  • Valuation history: 18 months (you can clear it sooner from Settings → Privacy).
  • Photo AI uploads: not retained — derived summary only, attached to the report.
  • Stripe records (invoices, subscription history): 10 years to satisfy Croatian and EU accounting / tax obligations (Article 82 of the Croatian Accounting Act).
  • Lead submissions to partners: 12 months from submission, then anonymised.
  • Contact-form submissions (via Neural Draft): 24 months from receipt.
  • Server logs: 14 days for error and uptime monitoring.

Your rights

Under GDPR (and equivalent Croatian, German, Italian, etc. law) you can:

  • Ask us what data we hold about you (right to access)
  • Ask us to correct it (right to rectification)
  • Ask us to delete it (right to erasure)
  • Ask us to export it in a portable format (right to portability)
  • Object to specific uses (right to object)

Email info@autovaluer.eu to exercise any of these. We respond within 30 days, usually faster.

You also have the right to lodge a complaint with the Croatian data protection authority (AZOP) or your local equivalent.

Cookies

The marketing site uses Google Analytics, which sets _ga and _ga_* cookies for traffic measurement. These are first-party, expire after 24 months, and store no personally identifying information by themselves.

The product (app.autovaluer.eu and the mobile apps) uses Firebase Authentication, which sets session tokens (not browser cookies on native). On web, a single av_session cookie keeps you signed in for the tab.

See the full cookie policy for the table.

Changes to this policy

If we make material changes, we'll notify signed-in users by email and post the diff at the top of this page. Non-material changes get a quiet update with a new “last updated” date.

This is policy version 3.0, effective 20 May 2026.


Questions about this policy? Email info@autovaluer.eu. For data-subject requests under GDPR, contact info@autovaluer.eu and we'll respond within 30 days.