Privacy Policy
Last updated: April 15, 2026
This Privacy Policy explains how Clearlake Carwash (“Clearlake Carwash,” “we,” “us,” or “our”) collects, uses, shares, and protects personal information when you use our website, subscribe to our car wash service, or interact with us. It also describes the rights you have over your information under the European Union General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act, as amended by the CPRA (“CCPA”).
1. Scope
This Policy applies to personal information we collect through the Clearlake Carwash website, our subscription signup and account management flows, our RFID sticker and wash services, and our email and SMS communications. It does not cover third-party sites or services we link to or that you reach through our site.
2. Information We Collect
We collect the following categories of personal information:
- Identity and contact information: first name, last name, email address, and phone number, which you provide when you sign up or update your account.
- Account credentials: a password that we store as a salted bcrypt hash. We never store your password in plain text and cannot recover it for you.
- Vehicle information: license plate, make, model, and color, which you provide so we can link your RFID sticker to the correct vehicle.
- Payment information: card details and billing address are collected directly by our payment processor, Stripe. We do not see or store your full card number. We receive a Stripe customer identifier, the last four digits of the card, the card brand, and subscription status.
- Communication preferences: whether you have opted in to marketing email and SMS messages, and any subsequent opt-out events.
- Service usage and technical data: IP address, user agent, pages viewed, request timestamps, and similar technical metadata we log for security, rate limiting, debugging, and fraud prevention. Wash events tied to your RFID sticker are logged to operate the wash system.
- Customer support content: messages you send us by email or SMS and our responses.
3. How We Use Your Information
We use personal information to:
- Provide, operate, and maintain the Service, including processing your subscription, activating your RFID sticker, and granting you access to car washes;
- Process payments, issue receipts, handle renewals, and manage cancellations and refunds through Stripe;
- Send transactional messages such as welcome emails, receipts, subscription confirmations, subscription updates, cancellation notices, and security alerts;
- Send marketing emails and SMS messages if you opt in, and immediately honor opt-out requests;
- Respond to your questions and provide customer support;
- Monitor, protect, and improve the Service, including detecting and preventing fraud, abuse, and security incidents;
- Comply with legal obligations and enforce our Terms of Service.
4. Legal Bases for Processing (GDPR)
If you are in the European Economic Area or the United Kingdom, we process your personal information under the following legal bases:
- Contract: to provide the Service you signed up for.
- Legitimate interests: to secure our systems, prevent fraud, and improve the Service, balanced against your rights.
- Consent: for marketing email and SMS communications and for any non-essential cookies. You can withdraw consent at any time.
- Legal obligation: to comply with tax, accounting, and other applicable laws.
5. Third-Party Service Providers
We share personal information with a limited set of service providers who process it on our behalf and only for the purposes described below. These providers are bound by confidentiality and data protection obligations.
- Stripe, Inc. — payment processing, subscription management, and the hosted customer billing portal. See Stripe’s privacy notice at stripe.com/privacy.
- Amazon Web Services, Inc. — cloud hosting (Amazon EC2 for the application and Amazon RDS for the database, both in the United States), transactional email via Amazon SES, and SMS and administrative email alerts via Amazon SNS.
- Google LLC — we load the Inter font via Google Fonts for visual rendering only; Google Fonts does not receive your email or account data from us.
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. See the Do Not Sell or Share My Personal Information page for details.
We may also disclose personal information to comply with a lawful request from a government authority, to enforce our Terms, to protect our rights or the safety of others, or in connection with a merger, acquisition, or sale of assets (in which case you will be notified of any material change to how your data is handled).
6. Cookies and Similar Technologies
We currently use the following categories of cookies and storage:
- Strictly necessary cookies: a session cookie set by our authentication system (NextAuth) so that you stay signed in, and a CSRF token cookie. These cannot be disabled without breaking sign-in.
- Preference storage: a value in your browser’s local storage that remembers whether you have dismissed our cookie notice. This is not shared with any third party.
We do not currently use third-party analytics, advertising, or cross-site tracking cookies. If we add such technologies in the future we will update this Policy and, where required, request your consent before loading them.
7. Data Retention
We retain personal information for as long as your account is active and for a reasonable period afterwards to comply with tax, accounting, and legal obligations (typically seven years for billing records), to resolve disputes, and to enforce our agreements. When retention is no longer required we delete or anonymize the data. You can request earlier deletion of data that is not subject to a legal retention requirement — see Section 9.
8. How We Protect Your Information
We use reasonable technical and organizational measures to protect personal information, including:
- HTTPS/TLS for all traffic to and from our website;
- Passwords stored as salted bcrypt hashes, never in plain text;
- Signed webhook verification for Stripe events;
- Authentication and role-based access controls on administrative endpoints;
- Network isolation for our database (Amazon RDS inside a private subnet, reachable only from our application servers);
- Rate limiting and CSRF protections on sensitive endpoints.
No method of transmission or storage is 100% secure. You are responsible for keeping your password private and for notifying us of any suspected unauthorized access.
9. Your Rights Under GDPR
If you are in the EEA, the UK, or another jurisdiction that grants these rights, you may:
- Access the personal information we hold about you;
- Correct inaccurate or incomplete information;
- Delete personal information we no longer need to keep;
- Restrict or object to certain processing;
- Port your data in a machine-readable format;
- Withdraw consent at any time without affecting processing that occurred before withdrawal;
- Lodge a complaint with a supervisory authority.
To exercise any of these rights contact us at contact@clearlakecarwash.com. We will respond within 30 days.
10. Your Rights Under the CCPA (California Residents)
If you are a California resident you have the following rights with respect to personal information collected about you in the preceding 12 months:
- Right to know the categories and specific pieces of personal information we collect, the sources, the business purposes, and the categories of third parties with whom we share it;
- Right to delete personal information we collected from you, subject to legal exceptions;
- Right to correct inaccurate personal information we maintain about you;
- Right to opt out of the sale or sharing of your personal information. As stated above, we do not sell or share personal information for cross-context behavioral advertising, but you can submit a request anyway through our Do Not Sell or Share My Personal Information page;
- Right to limit use of sensitive personal information;
- Right to non-discrimination: we will not deny service, charge different prices, or provide a different level of quality because you exercised a CCPA right.
Categories of personal information collected: identifiers (name, email, phone, IP address), commercial information (subscription history, wash events), internet and network activity (site interactions, logs), geolocation (general, derived from IP), and financial account information (via Stripe; we do not see full card numbers).
Sources: directly from you, automatically from your device, and from our payment processor Stripe.
Business purposes: providing the Service, payment processing, customer support, security and fraud prevention, and legal compliance.
Categories shared with service providers: identifiers and financial account information with Stripe; identifiers and communication content with Amazon Web Services.
To exercise CCPA rights, email us at contact@clearlakecarwash.com or use our Do Not Sell or Share page. We will verify your identity before acting on a request and will respond within 45 days. You may designate an authorized agent to make a request on your behalf; we may require proof of the agent’s authority.
11. Children’s Privacy
The Service is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us and we will promptly delete it.
12. International Users
Clearlake Carwash is based in the United States and our systems are hosted in the United States. If you access the Service from outside the United States, you understand that your information will be transferred to and processed in the United States, which may have different data protection laws than your country.
13. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date above and, for material changes, notify you by email or a prominent notice in the Service.
14. Contact
If you have questions about this Privacy Policy or our privacy practices, contact our privacy team at contact@clearlakecarwash.com or at Clearlake, CA, United States.