Introduction
CareDriveLux (“CareDriveLux Inc.,” “we,” “our,” “us”) is a Canada-based membership platform that provides owners of high-end automobiles with concierge maintenance, detailing, seasonal storage, and on-demand chauffeur logistics. This Privacy Policy explains how personal information is collected, used, stored, and disclosed when members, prospective clients, suppliers, or website visitors interact with caredrivelux.ca, our mobile application, or our in-lounge kiosks.
Privacy Policy (collection, processing, storage)
• Data we collect
(a) Identity & contact — full name, email, phone, province, preferred language, driver-licence number, government-issued ID scan (for key release).
(b) Vehicle profile — VIN, make/model, production year, mileage snapshots, service history, custom-spec notes, remote-diagnostic feed (opt-in).
(c) Membership & service data — package tier, booking calendars, job checklists, damage photos, valet pick-up GPS tags.
(d) Financial data — tokenised card reference, billing postal code, GST/HST allocation, subscription renewals, deposit receipts.
(e) Compliance files — source-of-funds declarations for high-value transactions, insurance binder copies, liability waivers.
(f) Telemetry — IP address, browser build, mobile OS, multi-factor authentication token, feature-usage metrics, crash traces.
(g) Support artefacts — chat transcripts, voice recordings, CCTV footage of hand-over bays (retained for asset security).
• Why we process it
– authenticate member accounts and verify vehicle ownership;
– schedule maintenance, detailing, tyre swaps, battery conditioning, and secure indoor storage;
– process membership dues, one-off service fees, and parts invoices;
– dispatch real-time valet status updates and safety alerts;
– compile de-identified analytics that optimise staffing, parts inventory, and route planning;
– investigate fraud, protect personnel and property, and comply with tax and consumer-protection statutes.
• Retention
Service dossiers and warranty records are kept for the life of the membership plus seven years. CCTV clips auto-delete after 60 days unless flagged for incident review. Payment and CRA-related documents persist for at least seven years. Encrypted backups roll on a 35-day cycle.
• Access & correction
Members may review or update stored information at any time via Dashboard → Profile or by emailing privacy@caredrivelux.ca.
• Consent
Express consent is obtained during onboarding and whenever you enable telematics, upload documents, or add payment methods. Implied consent applies to essential operational logging. Consent withdrawal may be limited where statutory or contractual duties require retention; we outline any service impact before acting.
• Accountability
A designated Privacy Officer conducts annual SOC 2 Type II audits, trains staff, and responds to written privacy inquiries within 30 days.
GDPR
CareDriveLux operates primarily in Canada, yet some members may reside in the European Economic Area (EEA). Where the EU General Data Protection Regulation applies, we act as controller for profile and billing data and processor for vehicle telemetry you choose to share. Processing bases: contract performance (Art. 6 (1)(b)), legitimate interest in safeguarding high-value assets (Art. 6 (1)(f)), and legal obligation (Art. 6 (1)(c)). EEA residents may exercise their data-subject rights via dpo@caredrivelux.ca and may lodge complaints with their supervisory authority.
Cookie Policy
4.1. Types of cookies
• Essential — session tokens, CSRF guards, load-balancer cookies required for secure login and booking workflows.
• Preference — stores language, distance units, dark-mode toggle, and garage-slot filters.
• Analytics — first-party Matomo cookies with IP truncation that measure feature adoption and page latency.
• Marketing — optional cookies promoting seasonal detailing bundles or partner tyre offers; never shared with ad networks.
4.2. How to disable cookies
Most browsers allow you to block or delete cookies. Essential cookies are mandatory for portal access; disabling them prevents login. Preference and analytics cookies can be declined via our banner or by enabling “Do Not Track.” Marketing cookies load only after explicit opt-in and can be revoked under Account → Privacy.
Transfer to Third Parties
We do not sell personal information. Limited disclosures occur only to:
• Canadian cloud hosts running encrypted servers in Toronto and Calgary;
• PCI-DSS Level 1 payment processors and Schedule I banks managing trust deposits;
• OEM dealers and certified shops when warranty work is scheduled (shared data: VIN, mileage, service order);
• Insurance carriers or adjusters in the event of damage claims;
• Legal counsel, regulators, or courts when compelled;
• Law-enforcement agencies where disclosure is necessary to investigate theft or ensure public safety.
All vendors sign Data Processing Agreements imposing safeguards equal to PIPEDA and, where applicable, EU Standard Contractual Clauses.
Data-Security Measures
• AES-256-GCM encryption at rest with tenant-specific keys stored in FIPS 140-2 Level 3 Hardware Security Modules.
• TLS 1.3 with Perfect Forward Secrecy for data in transit.
• Zero-trust segmentation isolating each member vault.
• Role-based access control enforced by hardware-backed multi-factor authentication.
• Hourly incremental and nightly full backups replicated across two Canadian regions (RPO 15 min, RTO 4 h).
• Continuous vulnerability scanning, quarterly penetration tests, and annual SOC 2 Type II audit.
• Incident-response plan that notifies affected users within 72 hours of a confirmed breach and provides remediation updates.
Effective Date
This Privacy Policy is effective as of 20 June 2025 and supersedes all previous versions. Material updates will be announced by email and in-app notice at least 30 days before enforcement.