Privacy Policy

• Account registration data: Email address and password when you create an account on the Website.
• Shop branding information: Business name, address, phone number, and logo image that you optionally enter in the Application's Settings dialog for inclusion on generated PDF scan reports. This data is stored locally on your computer and is not transmitted to our servers.
• Customer vehicle profiles: Customer name, phone number, vehicle details, and service notes that you enter in the Vehicles tab (Professional tier and above). This data is stored locally on your computer.
• Technician notes: Free-text notes you attach to diagnostic sessions. Stored locally on your computer.
• Support inquiries: Name, email, and message content when you contact us through the Website's support form.

• Vehicle diagnostic data: VIN (Vehicle Identification Number), decoded vehicle year/make/model, diagnostic trouble codes (DTCs), PID sensor readings (engine RPM, coolant temperature, vehicle speed, oxygen sensor values, etc.), freeze frame data, on-board monitoring test results, and calibration identifiers. See Section 4 for full details.
• Session metadata: Diagnostic session start/end times, connection port, baud rate, OBD protocol used, and command execution timing.
• Machine identifier: A hardware-specific identifier (Windows Machine GUID) read from the Windows Registry for license validation and trial period management. See Section 8 for details.
• Free-tier usage counters: The number of distinct vehicle makes (up to 2), vehicle models (up to 2), and special function executions (up to 5) used under the free tier. These counters are stored locally to enforce free-tier limits.
• Trial state: The date the Application was first launched, stored in the Windows Registry with an integrity hash to manage the 3-day trial period.

• Account data: Email address, hashed password, and account creation date.
• Payment information: Payment details are collected and processed exclusively by Razorpay, our third-party payment processor. We do not store credit card numbers, CVVs, or full payment details on our servers. See Section 10 for details.
• License information: License tier (Free, Enthusiast, Professional, or Developer), subscription status, expiration date, and associated Machine ID.

When you connect to a vehicle and perform diagnostic operations, the Application may read the following data depending on the commands you execute and features you use:

A Vehicle Identification Number (VIN) is a unique 17-character code assigned to every motor vehicle. While a VIN identifies a specific vehicle, it can also be linked to the vehicle's registered owner through public or commercial databases. We treat VINs as potentially personally identifiable information and apply appropriate safeguards.

VINs are decoded locally within the Application to determine the vehicle's year, make, and model. VINs are also transmitted to our carpm API when you use features that require vehicle-specific data (see Section 6).

Professional and Developer tier users can execute vehicle-specific diagnostic procedures (such as steering angle sensor calibration, electronic throttle reset, DPF regeneration, injector coding, and service resets) through the Special Functions tab. These procedures are fetched from our carpm API and executed using a protected command runner that safeguards proprietary diagnostic sequences. Execution results, including success/failure status and step completion data, are reported back to our servers.

Data transmission to our servers occurs automatically when you use the above features as part of normal Application operation. The Application does not display a per-request confirmation dialog for each API call. If the Application cannot reach our servers (e.g., you are offline), failed requests are queued locally and retried automatically when connectivity is restored.

All API requests are authenticated using your email address and API token, which are embedded in your license file. These credentials are sent with each request via HTTPS-encrypted headers.

Core diagnostic features (ELM327 connectivity, DTC reading, terminal, command sets, real-time graphing, and data recording) work fully offline without any data leaving your computer. Only features that require our carpm API (enriched fault descriptions, manufacturer-specific commands, special functions) transmit data to our servers.

Responses from our carpm API (manufacturer-specific commands, PID definitions, and special function procedures) are cached locally in encrypted form to reduce network requests and improve performance. The cache uses XOR cipher encryption with a key derived from your Machine ID and API token. Cached data is automatically refreshed when our server indicates updated content is available.

If the Application cannot reach our servers when attempting to upload diagnostic data, the request payload is stored in the local SQLite database and retried automatically when connectivity is restored. Queued payloads are removed after successful delivery.

The Application reads your computer's Machine GUID from the Windows Registry (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid). This is a unique identifier assigned to your Windows installation. We use this identifier for the following purposes:

• License binding: Ensuring your license file is valid only on the machine it was issued for, preventing unauthorized sharing.
• Trial period management: Computing an integrity hash to detect trial period tampering.
• API cache encryption: Deriving an encryption key for locally cached API responses.

The Machine ID is embedded in your license file and may be transmitted to our servers as part of API authentication. We do not use the Machine ID to track your activity across other applications or websites.

When you first launch the Application, the date is recorded in the Windows Registry along with an HMAC-SHA256 integrity hash (computed using the Machine ID as the key). This is used solely to enforce the 3-day trial period and detect clock manipulation. No other system or hardware information is collected for this purpose.

When you use the Bluetooth scanner feature, the Application uses Windows PowerShell and WinRT APIs to discover nearby Bluetooth devices. During scanning, the Application temporarily accesses:

• Bluetooth device names and identifiers
• Pairing status (paired or unpaired)

This information is held in memory only during the scanning session and is not persisted to disk or transmitted to our servers. The Application filters out non-OBD devices (such as mice, keyboards, and headphones) from the displayed results.

The WiFi scanner feature sends UDP broadcast packets and TCP connection probes on your local network to discover WiFi-based ELM327 adapters. Scanning is limited to your local area network and does not transmit data to the internet. Discovered device information (IP address, device response string, and latency) is held in memory only and not persisted.

The Application does not include any third-party analytics libraries, telemetry services, crash reporting tools, or advertising SDKs. We do not collect application usage statistics, feature analytics, error rates, or performance metrics beyond the diagnostic data described in this policy.

All locally stored data (diagnostic sessions, vehicle profiles, command logs, configuration) is retained on your computer indefinitely until you choose to delete it. The Application does not automatically purge or expire local data. You have full control over local data deletion (see Section 16).

Diagnostic data uploaded to our carpm servers is retained for as long as your account is active and for a reasonable period thereafter to support service continuity and comply with legal obligations. Aggregated, de-identified diagnostic data may be retained indefinitely to improve our diagnostic database.

If you request account deletion, we will delete your personally identifiable data from our servers within 30 days, subject to legal retention requirements.

Payment records are retained by Razorpay in accordance with their data retention policies and applicable financial regulations.

Core diagnostic features (connection, terminal, command sets, DTC reading, real-time graphing, data logging, and PDF report generation) operate entirely offline without transmitting data to our servers. If you prefer not to send diagnostic data to our servers, you may use these core features without an internet connection. Features that require our carpm API (enriched fault descriptions, manufacturer-specific commands, and special functions) will be unavailable in offline mode.

To exercise any of the above rights regarding data stored on our servers, please contact us using the details in Section 20. We will respond to verified requests within 30 days. We may ask you to verify your identity before processing your request.

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR), including the right to lodge a complaint with your local data protection supervisory authority. Our lawful bases for processing are described in the "Legal Basis" column of Section 5.

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to request deletion, and the right to opt-out of the sale of personal information. We do not sell your personal information. To exercise your rights, contact us using the details in Section 20.

You can export your locally stored diagnostic data at any time using the Application's built-in export features:

• Per-session export: Export individual sessions as Excel (.xlsx), CSV, or JSON from the Data tab.
• Customer export pack: Generate a ZIP archive containing a branded PDF scan report, CSV command log, and VIN information JSON.
• CAN frame export: Export captured CAN frames from Super Miner as Excel or PCAP (Wireshark-compatible) files.
• Graph export: Export real-time PID graphs as PDF documents.

You can delete locally stored data through the following methods:

• Individual sessions: Delete specific diagnostic sessions from the Data tab in the Application.
• Vehicle profiles: Delete individual customer vehicle profiles from the Vehicles tab.
• Complete data removal: Delete the entire Application data directory at %USERPROFILE%\.carpm-deepscan\ to remove all local data including the database, configuration, license file, and custom PIDs.
• Trial data: Trial period data is stored in the Windows Registry under HKEY_CURRENT_USER\SOFTWARE\CaRPMDeepScan and can be removed using the Windows Registry Editor.

To request deletion of your data from our servers, please contact us using the details in Section 20. Upon verification of your identity, we will delete your personally identifiable information from our servers within 30 days.