Privacy Policy
Effective Date: 2026-05-01
Table of Contents
- Introduction
- Information We Collect
- How We Collect Information
- How We Use Information
- Information Sharing and Disclosure
- Data Retention
- Your Privacy Rights
- Cookies and Tracking
- Global Privacy Control and Do Not Track
- International Data Transfers
- Children's Privacy
- Data Sale and Sharing
- Security Measures
- Changes to This Policy
- Contact Information
1. Introduction
Kaiju Mechanic is an AI-powered vehicle management application for Android and iOS, operated by RB ZILLA LLC ("we," "us," or "our"). Our app lets you ask car questions, track maintenance history, scan documents using optical character recognition (OCR), and optionally connect an OBD-II adapter for live vehicle diagnostics. Most features work with any vehicle; OBD-II diagnostic features require a 1996 or newer vehicle with a supported adapter.
This Privacy Policy explains what personal information we collect when you use the Kaiju Mechanic mobile application and the website at www.kaijumechanic.com (collectively, the "Service"), how we use and share that information, how long we keep it, and what rights you have over it.
This policy applies to all users of the Service. By using Kaiju Mechanic, you acknowledge that you have read and understood this policy. If you do not agree with our practices, please discontinue use of the Service.
Controller Identity: RB ZILLA LLC is the data controller for all personal information processed through the Service.
2. Information We Collect
2.1 Account and Identity Information
When you create an account, we collect your name, email address, and a password-derived credential (we do not store plaintext passwords). If you register or sign in using a social login provider, see Section 2.2 below.
2.2 Social Login Data
You may create or access your Kaiju Mechanic account using Google or Apple as an OAuth identity provider. When you choose one of these options, the provider shares the following profile data with us:
| Data Element | Apple | |
|---|---|---|
| Display Name | Your full name as stored in your Google account | Your full name as stored in your Apple ID (if you choose to share it) |
| Email Address | The primary email address associated with your Google account | Your Apple ID email, or a private relay address if you use Hide My Email |
| Profile Photo URL | A link to your Google profile picture | Not provided |
| Provider UID | A unique, stable identifier assigned by Google to your account | A unique, stable identifier assigned by Apple to your account |
We use this data solely to create and authenticate your Kaiju Mechanic account. We do not receive your password, contacts, calendar, or any other account data beyond the fields listed above. If you use Apple's Hide My Email feature, we receive only the private relay address and cannot see your real email.
2.3 Vehicle Information
We collect information about the vehicles you add to the app, including make, model, year, trim, VIN, engine type, fuel type, transmission, drivetrain, mileage, and any notes or maintenance records you enter manually. If you connect an OBD-II adapter, we also collect live sensor data transmitted from your vehicle's onboard diagnostic system (e.g., engine RPM, coolant temperature, fault codes). See Section 2.9 for details.
2.4 User-Generated Content
We collect the questions, prompts, and messages you submit to the AI assistant, as well as any documents or images you upload for OCR scanning. This content may include vehicle-related information, repair descriptions, or other details you choose to share.
2.5 Subscription and Purchase Information
We collect records of your subscription tier, in-app purchases, and entitlement status. Payment card details are processed directly by the app stores (Apple App Store, Google Play) and by RevenueCat; we do not receive or store raw payment card numbers.
2.6 Support and Feedback Data
When you contact us for support, submit feedback, report a bug, or request a feature, we collect your name, email address, the content of your message, and any attachments you provide.
2.7 Usage and Analytics Data
We collect information about how you interact with the Service, including features used, screens visited, session duration, button taps, and feature flag assignments. On the mobile app, this data is collected through Firebase Analytics (which feeds Google Analytics 4) and PostHog. On the website, this data is collected through Google Analytics 4 (managed via Cloudflare Zaraz) and Cloudflare Web Analytics.
Analytics collection on the mobile app requires your explicit opt-in. On the website, analytics collection is governed by your cookie consent preferences (see Section 8).
2.8 Device and Technical Information
We collect device type, operating system version, app version, device identifiers (excluding advertising identifiers unless you consent), IP address, browser or app metadata, crash reports, and performance metrics. Crash reports are collected through Firebase Crashlytics and Sentry on the mobile app. We do not collect the Android Advertising ID (AAID) or Apple Identifier for Advertisers (IDFA).
2.9 OBD-II Diagnostic Data
If you choose to connect a compatible OBD-II adapter, we collect live and historical sensor readings from your vehicle, including but not limited to engine parameters (RPM, coolant temperature, fuel trims, intake pressure), emissions-related data, and diagnostic trouble codes (DTCs) with freeze-frame data. Connection occurs over a local Bluetooth or Wi-Fi link between the adapter and your device; data is then synced to our servers. This feature is optional and requires explicit setup by you.
3. How We Collect Information
We collect information through the following methods:
- Directly from you — when you create an account, enter vehicle information, submit questions to the AI assistant, upload documents for OCR, contact support, or submit feedback.
- Automatically — when you use the app or visit our website, we collect device information, usage data, crash reports, and performance metrics through integrated analytics and error-tracking tools, subject to your consent preferences.
- From third-party identity providers — when you choose to sign in with Google or Apple, we receive the profile data described in Section 2.2 directly from the provider's OAuth service.
- From your vehicle — when you connect an OBD-II adapter, data is transmitted from your vehicle's diagnostic port to the app over a local Bluetooth or Wi-Fi connection and then synced to our servers.
- From app stores and payment processors — RevenueCat provides us with subscription status, entitlement records, and purchase event data on your behalf after transactions are completed through the Apple App Store or Google Play.
4. How We Use Information
| Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Create and authenticate your account | Art. 6(1)(b) — Performance of a contract |
| Provide AI-powered vehicle assistance and answer your questions | Art. 6(1)(b) — Performance of a contract |
| Store and display your vehicle profiles and maintenance history | Art. 6(1)(b) — Performance of a contract |
| Process and display OBD-II diagnostic data | Art. 6(1)(b) — Performance of a contract |
| Process OCR document scans and return results | Art. 6(1)(b) — Performance of a contract |
| Manage your subscription, entitlements, and billing records | Art. 6(1)(b) — Performance of a contract |
| Respond to support requests, bug reports, and feedback | Art. 6(1)(b) — Performance of a contract; Art. 6(1)(f) — Legitimate interests |
| Analyze product usage to improve features and user experience | Art. 6(1)(f) — Legitimate interests |
| Monitor app performance and detect/fix errors and crashes | Art. 6(1)(f) — Legitimate interests |
| Protect against fraud, abuse, and unauthorized access | Art. 6(1)(f) — Legitimate interests |
| Send transactional and service-related communications (e.g., receipts, security alerts) | Art. 6(1)(b) — Performance of a contract |
| Send push notifications you have opted into (e.g., maintenance reminders) | Art. 6(1)(a) — Consent |
| Comply with legal obligations (e.g., tax records, law enforcement requests) | Art. 6(1)(c) — Legal obligation |
| Enforce our Terms of Service and protect our legal rights | Art. 6(1)(f) — Legitimate interests |
5. Information Sharing and Disclosure
We do not sell your personal information. We share personal information only with the service providers listed below, each of whom processes data on our behalf under contractual obligations consistent with this policy.
5.1 Mobile Application Service Providers
| Service | Role | Data Shared | Purpose |
|---|---|---|---|
| Google Cloud / Firebase | Cloud infrastructure, database, authentication, analytics | Account data, vehicle data, usage events, device info, crash reports | Host the Service, store app data, authenticate users, measure feature usage (Firebase Analytics feeds Google Analytics 4) |
| Anthropic | AI language model provider | AI assistant messages, vehicle context provided with your questions | Power the AI assistant that answers your vehicle questions (processed server-side; your prompts are not stored by Anthropic beyond their data retention policy) |
| RevenueCat | Subscription and purchase management | App user ID, subscription tier, purchase events, entitlement status | Manage subscription entitlements and synchronize purchase events from app stores |
| PostHog | Product analytics and feature flags | Usage events, session data, feature flag assignments, device info | Analyze product usage, manage feature rollouts, and replay sessions for debugging (requires your opt-in) |
| Sentry | Error tracking and performance monitoring | Error reports, stack traces, device info, breadcrumb context | Detect, diagnose, and resolve application errors (PII scrubbing enabled; no personal data sent by default) |
| Firebase Crashlytics | Crash reporting | Crash reports, device info, app state at time of crash | Identify and fix application crashes |
| Customer.io | Lifecycle messaging orchestration (email, push, in-app) | Firebase UID, email address, vehicle Year/Make/Model, subscription tier and status, notification preferences, locale, platform, and activity timestamps | Send onboarding, winback, and billing-recovery messages; orchestrate push fan-out via FCM; deliver email via authenticated subdomain mail.kaijumechanic.com; respect quiet hours and frequency caps |
5.2 Website Service Providers
| Service | Role | Data Shared | Purpose |
|---|---|---|---|
| Cloudflare | DNS, CDN, DDoS protection, hosting (Cloudflare Pages) | IP address, request metadata | Deliver the website reliably and protect against network-level attacks |
| Cloudflare Zaraz | Server-side tag management | Consent signals, page view events | Manage analytics tags server-side and enforce consent preferences |
| Cloudflare Web Analytics | Privacy-first website analytics | Page views, referrer, device type (no cookies, no IP tracking) | Measure website traffic without tracking individual users |
| Google Analytics 4 | Website analytics (managed via Cloudflare Zaraz) | Page views, events, device info, anonymized IP | Measure website traffic and understand visitor behavior (requires cookie consent) |
| Codex Titan (RB ZILLA LLC) | Support platform, legal document hosting, consent audit logging | Contact form submissions (name, email, subject, message), DSAR requests, anonymized consent events | Manage support tickets, serve legal documents, and maintain GDPR Art. 7 consent audit trail |
5.3 Additional Disclosure Circumstances
Beyond the service providers listed above, we may disclose personal information:
- Legal compliance: When required by applicable law, court order, subpoena, or governmental authority.
- Protection of rights: When necessary to enforce our Terms of Service, protect the safety of our users or the public, or defend against legal claims.
- Business transfers: In connection with a merger, acquisition, asset sale, or reorganization of RB ZILLA LLC, in which case the acquiring entity will be bound by this policy or will provide you with notice of any material changes.
- With your consent: For any other purpose with your explicit prior consent.
5.4 AI Processing
We use AI to power diagnostic, maintenance, and document features in Kaiju Mechanic — including answering your questions, explaining diagnostic trouble codes, generating and personalizing maintenance schedules, and extracting data from documents you scan. We may add or refine AI-powered features over time within these categories.
The AI features are powered by Anthropic, our third-party AI processor. When you use AI-powered features, the following information is sent to Anthropic to answer your request:
- Your prompt or input (the text of your question, or the image or PDF you scan)
- Vehicle profile data
- Recorded modifications and recent service history
- OBD-II diagnostic data (diagnostic trouble codes, sensor readings, calibration identifiers)
Categories sent vary by feature; we send only what the feature needs to function.
Free-text fields (prompts, descriptions, notes) may contain personal information you choose to include. Do not enter information you do not want sent to Anthropic.
No AI training on your data. We do not use your vehicle data, OBD-II diagnostic data, AI conversation history, or any other user-provided content to train, fine-tune, or improve any artificial intelligence or machine learning model — whether our own or any third party's. Under Anthropic's Commercial Terms of Service, inputs and outputs submitted through their API are not used to train Anthropic's models.
No cross-context advertising. We do not sell or share AI-related information for cross-context behavioral advertising.
Automated decision-making. AI features generate informational responses based on the data you provide. They do not make binding decisions about you or take autonomous actions that produce legal or similarly significant effects. All AI outputs are presented as information for your review — you decide whether and how to act on them. If you believe an AI-generated response has been used in a way that materially affects you, you may contact us at [email protected] to request human review.
AI usage metadata. For service operability and abuse detection, we record metadata about each AI call — your user ID, the AI feature invoked, model tier, input and output token counts, latency, cost, and timestamp — independently of the in-app analytics toggle (which controls only client-side product analytics). This metadata is retained for 90 days, then deleted via an automated time-to-live (TTL) policy. It does not contain the content of your prompts or AI responses. We rely on legitimate interest under GDPR Article 6(1)(f) for this processing; you may object under Article 21 by contacting [email protected].
VIN decoding (NHTSA). To decode a Vehicle Identification Number you enter, we transmit the VIN to the U.S. National Highway Traffic Safety Administration's public vPIC service at vpic.nhtsa.dot.gov. NHTSA is a U.S. government data recipient, not our processor; their handling is governed by U.S. federal records law. Only the VIN is transmitted — no account identifiers.
Opting out. AI processing occurs only when you actively use an AI-powered feature. If you do not engage the AI assistant, scan documents, or request AI-powered diagnostics, no data is transmitted to Anthropic. You may use the maintenance tracking, vehicle profile, and document storage features of the App without engaging AI.
5.5 Lifecycle Messaging (Customer.io)
Customer.io handles our lifecycle messaging — onboarding, re-engagement, feature announcements, and billing-recovery emails, in-app messages, and push notifications. We only initialize the Customer.io SDK in the app when you have granted analytics consent AND our customerio_enabled server-side feature flag is on. Anonymous users (no registered account) never get a Customer.io profile.
You can stop lifecycle messages at any time:
- Email unsubscribe. Every lifecycle email includes an unsubscribe link and a preference-center link. Both stop future marketing emails and sync your preference back to the app.
- Withdraw analytics consent. Go to Settings → Data & Privacy and turn off analytics consent. This triggers deletion of your Customer.io profile, not just message suppression (see Section 7.2).
Transactional messages — password resets, security alerts, billing-failure notifications — are sent separately and are not routed through Customer.io. They are not subject to the lifecycle-messaging opt-out.
6. Data Retention
We retain personal information for as long as your account is active and for the periods specified below.
6.1 Retention by Data Category
| Data Category | Retention Period | Notes |
|---|---|---|
| Account and profile data | Until you delete your account | See Section 6.2 |
| Vehicle data and maintenance history | Until you delete your account | You may delete individual vehicles at any time |
| OBD-II diagnostic data | Until you delete your account | Stored with the associated vehicle profile |
| AI assistant conversation history | Until you delete your account | Individual conversations may be deleted in-app |
| Subscription and purchase records | Until you delete your account, plus any period required by tax law | Financial records may be retained up to 7 years for tax compliance |
| Contact form submissions and support tickets | Up to 2 years after resolution | For support reference and quality improvement |
| DSAR requests and responses | Per statutory requirement | Retained as evidence of compliance |
| Consent audit logs | 3 years from the date of the consent event | GDPR Art. 7(1) compliance |
| Crash reports and error logs | 90 days | Automatically rotated |
| AI usage metadata logs | 90 days | Automatically rotated via Firestore TTL; metadata only — no prompt or response content |
| Analytics data (app) | Governed by Firebase Analytics and PostHog retention settings | Aggregated and not linked to your identity after 14 months (GA4 default) |
| Analytics data (website) | Governed by GA4 and Cloudflare Web Analytics retention settings | Cloudflare Web Analytics does not track individuals |
6.2 Account Deletion
You can delete your Kaiju Mechanic account at any time from Settings → Account → Delete Account. Deletion is final and, after a short recovery window, irreversible.
What happens when you delete your account:
Immediate soft-delete. Your account is marked for deletion in our database. You are signed out, and the app treats the account as gone. You have 30 days to change your mind by signing back in with the same credentials — during this window, your data is preserved but inaccessible to any other user or service.
Sub-processor propagation. A Cloud Function automatically forwards the deletion signal to each third party that holds personal data about you as a sub-processor. As of the effective date of this policy, those recipients are:
- Customer.io — your lifecycle-messaging profile is deleted via their Track API. Any queued or scheduled messages to you are cancelled.
- RevenueCat — your subscriber record (if any) is deleted via their REST API.
These calls are best-effort and are retried automatically. If a sub-processor is unreachable, the deletion is queued in our retry system, attempted hourly for up to 24 hours with exponential backoff, and — if still unresolved after 24 hours — escalated as a Sentry alert for manual intervention by our engineering team. Your Firebase deletion is never blocked by a sub-processor failure; the retry ensures eventual consistency.
Hard delete at 30 days. A scheduled retention job runs daily and permanently deletes all remaining data for accounts past the 30-day recovery window: Firebase Authentication identity, Firestore documents (profile, vehicles, service records, chat history, scan results, maintenance records), Firebase Storage media (photos, scanned documents), and analytics identifiers. The sub-processor propagation runs again at this step as a safety net in case the recovery-window propagation did not succeed.
Anonymous users. Accounts that were never registered (anonymous Firebase Auth users) are purged on a separate 30-day schedule. No Customer.io or RevenueCat propagation is required because anonymous users never had profiles in those systems.
If you'd like confirmation that a specific sub-processor has received your deletion signal, contact us at [email protected] within 30 days of deletion; we can produce a deletion receipt from our retry queue and/or the sub-processor's own audit log.
Legal basis. This procedure is designed to satisfy GDPR Art. 17 (right to erasure) and Cal. Civ. Code § 1798.105 (right to delete personal information). The 30-day recovery window is a narrow exception permitted under CCPA regulations (11 CCR § 7022(b)(3)) to prevent accidental deletion and fraud; the window does not extend our normal 45-day response obligation.
Personal information may also be retained beyond this schedule where a longer retention period is required by law (e.g., tax or financial records) or where anonymized, aggregated data has already been derived.
6.3 Inactive Account Cleanup
Accounts that have never been authenticated (anonymous/guest accounts) are automatically deleted after 90 days of inactivity. Authenticated free-tier accounts with no activity are subject to deletion after 18 months. We may, but are not obligated to, provide advance notice by email before deletion of inactive accounts.
6.4 Anonymized Data
We may retain anonymized or aggregated data derived from your usage indefinitely, as it no longer constitutes personal information and cannot reasonably be used to identify you.
7. Your Privacy Rights
7.1 Rights Overview
The table below summarizes the privacy rights available to users under applicable law. Because Kaiju Mechanic primarily serves users in the United States, the rights listed reflect U.S. state privacy law frameworks. Users in the EEA, UK, or Switzerland have equivalent or broader rights under the GDPR/UK GDPR (see Section 7.4).
| Right | Description | Applicable Law |
|---|---|---|
| Right to Know / Access | Request a copy of the personal information we hold about you and information about how we use and share it | Cal. Civ. Code 1798.100 (CCPA/CPRA); Va. Code 59.1-578; GDPR Art. 15 |
| Right to Deletion | Request that we delete your personal information, subject to certain exceptions | Cal. Civ. Code 1798.105 (CCPA/CPRA); Va. Code 59.1-578; GDPR Art. 17 |
| Right to Correction | Request that we correct inaccurate personal information we hold about you | Cal. Civ. Code 1798.106 (CPRA); Va. Code 59.1-578; GDPR Art. 16 |
| Right to Portability | Receive your personal information in a structured, machine-readable format | Cal. Civ. Code 1798.100(d) (CPRA); GDPR Art. 20 |
| Right to Opt Out of Sale/Sharing | Opt out of the sale of personal information or sharing for cross-context behavioral advertising | Cal. Civ. Code 1798.120 (CCPA/CPRA) |
| Right to Limit Use of Sensitive Personal Information | Restrict our use of sensitive personal information to necessary purposes | Cal. Civ. Code 1798.121 (CPRA) |
| Right to Non-Discrimination | We will not discriminate against you for exercising any of these rights | Cal. Civ. Code 1798.125 (CCPA/CPRA) |
| Right to Appeal | Appeal our decision if we decline to act on your privacy request | Va. Code 59.1-579; GDPR Art. 77 (right to lodge complaint with supervisory authority) |
7.2 How to Submit a Request
To exercise any of the rights listed above, you may:
- Submit a privacy request online: https://www.kaijumechanic.com/privacy/data-request
- Email us directly: [email protected]
We will verify your identity before processing your request. Verification typically involves confirming your email address or account credentials.
We aim to acknowledge all privacy inquiries within 5 business days.
Analytics consent withdrawal. Withdrawing analytics consent does more than stop new data collection. When you turn off analytics consent in Settings → Data & Privacy, our client deletes its local Customer.io session and the server issues an API call to Customer.io to delete your profile from their platform — not merely suppress messaging to you. This means any event history, profile attributes, and pending journey membership tied to your account are erased from Customer.io as part of the withdrawal flow, with retry on transient API failures so the erasure request is not lost. If you later re-grant analytics consent, a fresh Customer.io profile is created; it has no memory of prior activity.
7.3 U.S. Jurisdiction Supplement
California (CCPA/CPRA): California residents have the rights enumerated in Cal. Civ. Code 1798.100-1798.199. We respond to verifiable consumer requests within 45 days of receipt. If we need additional time (up to 45 additional days), we will notify you in writing within the initial 45-day period. If we decline your request, you may appeal by contacting us at [email protected] with the subject line "CCPA Appeal." If your appeal is denied, you may contact the California Privacy Protection Agency (CPPA) at https://cppa.ca.gov.
Virginia (VCDPA): Virginia residents have the rights enumerated in Va. Code 59.1-571-59.1-581. We respond to requests within 45 days, with a possible 45-day extension upon notice. If we decline your request, you may appeal within a reasonable time by contacting us at [email protected] with the subject line "VCDPA Appeal." If your appeal is denied, you may contact the Virginia Attorney General at https://www.oag.state.va.us.
Other States: Residents of other states with comprehensive privacy laws (including but not limited to Colorado, Connecticut, Texas, Oregon, and Montana) have similar rights under their respective statutes. We apply the same 45-day response standard and provide an equivalent appeal process. Contact us at [email protected] to exercise your rights.
7.4 EEA, UK, and Switzerland Supplement
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have additional rights under the GDPR or UK GDPR, including the right to withdraw consent at any time (Art. 7(3)), the right to restrict processing (Art. 18), and the right to lodge a complaint with your local supervisory authority. To exercise these rights, contact us at [email protected]. We respond to GDPR requests within 30 days of receipt, with a possible 60-day extension for complex requests upon notice.
8. Cookies and Tracking
8.1 Website Cookies
We use cookies and similar technologies on our website. The table below summarizes the categories.
| Category | Purpose | Examples | Consent Required |
|---|---|---|---|
| Strictly Necessary | Core website functionality, consent state storage | cc_cookie (stores your consent preferences, 182 days) |
No |
| Analytics | Measure website traffic and feature usage | Google Analytics 4 cookies (managed via Cloudflare Zaraz) | Yes |
Cloudflare Web Analytics is cookieless and does not require consent. It collects aggregate page view data without tracking individual users.
You can manage cookie preferences at any time using the "Consent Preferences" button in the website footer or by adjusting your browser settings. On our website, we present consent controls with equal visual prominence for "Accept All" and "Reject All" options.
8.2 Mobile App Tracking
The mobile app does not use cookies. Analytics collection (Firebase Analytics and PostHog) is disabled by default and requires your explicit opt-in through the app's Data & Privacy settings. Crash reporting (Firebase Crashlytics and Sentry) is enabled by default to help us maintain app stability; you may disable it at any time in the app's Data & Privacy settings.
We do not collect the Apple Identifier for Advertisers (IDFA) or the Android Advertising ID (AAID). We do not serve advertisements.
For full details on the specific cookies used on our website, their lifespans, and how to opt out, please refer to our Cookie Policy at https://www.kaijumechanic.com/cookie-policy.
9. Global Privacy Control and Do Not Track
Global Privacy Control (GPC)
We honor the Global Privacy Control (GPC) signal as a valid opt-out of the sale and sharing of personal information in all jurisdictions where this is required by law, including California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, New Hampshire, New Jersey, Oregon, and Texas. When our website detects a GPC signal from your browser (via the Sec-GPC HTTP header or navigator.globalPrivacyControl API), we automatically suppress non-essential tracking. No additional action is required on your part.
Our GPC compliance declaration is published at https://www.kaijumechanic.com/.well-known/gpc.json.
Do Not Track (DNT)
We do not respond to the Do Not Track (DNT) browser signal. DNT lacks a universally accepted technical standard or legal mandate. If you wish to limit data collection, we recommend enabling Global Privacy Control (GPC) in a supported browser, which we honor as described above.
10. International Data Transfers
RB ZILLA LLC is based in the United States. The service providers we use (listed in Section 5) are primarily located in the United States, with Cloudflare operating a global edge network.
If you access the Service from outside the United States, your personal information will be transferred to and processed in the United States or other countries where our service providers operate. The United States does not have a general adequacy decision from the European Commission. Where we transfer personal data originating from the European Economic Area (EEA), the United Kingdom, or Switzerland to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent transfer mechanisms, as the legal basis for such transfers.
For users in the United States, data is processed domestically by our U.S.-based infrastructure and service providers.
11. Children's Privacy
The Kaiju Mechanic Service is not directed at children under the age of 13 (or under 16 where required by applicable law, such as the GDPR), and we do not knowingly collect personal information from children under 13 (or under 16 where required by applicable law). If you are a parent or guardian and believe that your child under 13 (or under 16 where applicable) has provided us with personal information, please contact us at [email protected] and we will promptly delete that information.
If we become aware that we have inadvertently collected personal information from a child under 13 (or under 16 where required by applicable law) without verifiable parental consent, we will take immediate steps to delete that information.
12. Data Sale and Sharing
We do not sell your personal information. We do not sell personal information to third parties for monetary or other valuable consideration, as defined under the California Consumer Privacy Act (Cal. Civ. Code 1798.140(ad)) or any other applicable state privacy law.
We do not share your personal information for cross-context behavioral advertising. We do not share your personal information with third parties for the purpose of targeting you with advertisements based on your activity across different websites, apps, or services.
The service providers listed in Section 5 receive personal information only to perform services on our behalf. Their handling of your data is governed by their own published privacy policies and by the data-protection laws applicable to their processing.
13. Security Measures
We implement industry-standard technical and organizational security measures to protect your personal information against unauthorized access, disclosure, alteration, and destruction:
- Encryption in transit: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security).
- Encryption at rest: Data stored in our cloud infrastructure (Google Cloud / Firebase) is encrypted at rest using AES-256 or equivalent encryption.
- Access controls: Access to personal data is restricted to authorized personnel on a need-to-know basis, enforced through role-based access controls and multi-factor authentication.
- Server-side secrets: API keys for AI services, payment processors, and other backend integrations are stored as server-side secrets and are never exposed in client-side code or app bundles.
- Monitoring: We conduct regular security reviews and monitor our systems for anomalous activity.
While no system is completely immune to security risks, we are committed to maintaining reasonable and appropriate safeguards proportionate to the sensitivity of the data we process.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will notify you by:
- Posting the updated policy at https://www.kaijumechanic.com/privacy with a new effective date;
- Displaying an in-app notification or banner the next time you open Kaiju Mechanic; and/or
- Sending an email to the address associated with your account, for significant changes that materially affect your rights.
The effective date at the top of this document is the sole identifier of the current version. Prior versions of this policy are available upon request by contacting us at [email protected].
Your continued use of the Service after the effective date of a revised policy constitutes your acceptance of the updated terms. If you do not agree with the revised policy, you should discontinue use of the Service and may request deletion of your account.
15. Contact Information
If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:
RB ZILLA LLC — Privacy Contact
- Email: [email protected]
- Support: [email protected]
- Website: https://www.kaijumechanic.com
- Mailing Address: RB ZILLA LLC, 116 E Main St, Suite 201, Rock Hill, SC 29730
Submit a Privacy Request (DSAR)
To exercise your data subject rights (access, deletion, correction, portability, opt-out), please use our dedicated intake form: https://www.kaijumechanic.com/privacy/data-request
You may also email your request directly to [email protected]. We respond to all verifiable requests within 30 days (GDPR) or 45 days (U.S. state privacy laws) of receipt, as required by applicable law.