Privacy Policy

01

Collection of Personal Data

We collect personal data in the following categories:

Identity and Account Data

When you create an account or interact with us, we may collect your name, email address, business or organization name, role and permission settings, and account preferences.

Payment Data

We use a PCI DSS Level 1 certified third-party payment processor to handle all payment transactions. We do not collect, store, or have access to your full payment card numbers. We receive only subscription status, truncated card identifiers (last four digits, card brand), billing address, and transaction metadata necessary for account management.

Marketplace and Integration Data

When you choose to connect a third-party marketplace account to the Services—such as eBay, Amazon, Shopify, or other supported platforms—we collect and process data associated with that integration, including seller account identifiers, authorization credentials (encrypted at rest), inventory and listing data, product titles and descriptions, pricing and quantity information, item specifics, category assignments, and policy configurations. The scope of data collected depends on the permissions you grant during the marketplace authorization process.

Product and Inventory Data

In the course of providing the Services, we process product-related information including part numbers, SKU identifiers, manufacturer references, product titles and descriptions, vehicle fitment and compatibility data, product images you upload, brand and category information, condition designations, and pricing and quantity data.

Technical and Usage Data

When you use the Services, we automatically collect certain technical information, including your IP address and derived approximate location (country or region level), browser type and version, device and operating system information, pages and features accessed, timestamps and session duration, and API request metadata.

Communications Data

When you contact us for support, provide feedback, or otherwise communicate with us, we collect the contents of those communications along with associated metadata.

02

How We Use Personal Data

We use the personal data we collect for the following purposes:

Providing and operating the Services. We process your data to maintain your account, operate the platform, process product data through our proprietary enrichment systems, generate and optimize listing content, extract and validate vehicle fitment information, facilitate publishing to connected marketplaces, and deliver real-time processing notifications.

Improving and developing the Services. We use aggregated and de-identified data, as well as derived product data, to improve the accuracy of our systems, enhance our proprietary data assets and reference databases, develop new features and integrations, and analyze usage patterns for performance optimization.

Ensuring security and preventing misuse. We use data to detect, investigate, and prevent security incidents, fraud, unauthorized access, and violations of our Terms of Service.

Complying with legal obligations. We process data as necessary to comply with applicable laws, regulations, legal processes, or enforceable governmental requests, and to establish, exercise, or defend legal claims.

Communicating with you. We use your contact information to send transactional notifications, service announcements, security alerts, and, where you have consented or where permitted by applicable law, marketing communications. You may opt out of marketing communications at any time.

03

Proprietary Data, Intellectual Property, and Derived Outputs

3.1 Autotek Proprietary Assets

Autotek maintains proprietary data assets, including a reference database of over seventy-five million (75,000,000) automotive parts records, vehicle compatibility matrices, cross-reference mappings, and associated metadata (the "GridX Database"). The GridX Database is the sole and exclusive property of Autotek and constitutes a protected trade secret under the United States Defend Trade Secrets Act (18 U.S.C. 1836), the Delaware Uniform Trade Secrets Act (6 Del. C. 2001), applicable UAE intellectual property laws, and international treaties. No license, right, title, or interest in or to the GridX Database is granted to any user by virtue of their use of the Services.

3.2 Proprietary Algorithms and Processing Methods

All algorithms, models, processing pipelines, data transformation logic, artificial intelligence systems, machine learning architectures, classification methodologies, extraction heuristics, enrichment workflows, and related technical implementations used to deliver the Services (collectively, the "Proprietary Technology") constitute the confidential trade secrets and intellectual property of Autotek. The Proprietary Technology, including its design, architecture, training methodologies, optimization parameters, and operational characteristics, is protected under applicable trade secret, copyright, and patent laws. Unauthorized access to, reverse engineering, decompilation, disassembly, or derivation of any component of the Proprietary Technology is strictly prohibited.

3.3 Derived Data and Platform Outputs

All data generated, extracted, inferred, enriched, classified, or otherwise produced by the Services' processing of user-submitted inputs—including but not limited to generated product titles, enriched descriptions, extracted specifications, inferred vehicle fitments, category classifications, compatibility mappings, and any other outputs of the Proprietary Technology (collectively, "Derived Data")—constitutes the intellectual property of Autotek. By using the Services, you acknowledge and agree that:

• Autotek retains an irrevocable, worldwide, royalty-free, perpetual right to all Derived Data;
• Autotek may use Derived Data for any lawful business purpose, including improving the Services, training and refining its models, enhancing the GridX Database, developing new products and features, and generating aggregate analytics and industry insights;
• Certain non-personally-identifiable Derived Data (such as cached product specifications, shared category classifications, and validated fitment data) may be utilized across the platform to improve accuracy and performance for all users, without revealing or attributing such data to any particular user or organization;
• The foregoing does not diminish your right to use Derived Data within the scope of your subscription for the purpose of listing products on connected marketplaces.

3.4 User-Retained Ownership

You retain ownership of:

• Images and media you directly upload to the Services;
• Business-specific operational data such as your pricing decisions, quantity allocations, SKU configurations, and marketplace channel preferences;
• Marketplace credentials for your connected accounts, which you may revoke at any time.

We do not claim ownership of user-uploaded images and do not use such images for any purpose beyond delivering the Services to you.

3.5 Restrictions

You may not use outputs from the Services to create, train, fine-tune, or otherwise improve any competing product, service, database, model, or algorithm. Systematic extraction, scraping, or aggregation of Derived Data beyond the scope of your subscription constitutes a material breach of the Terms of Service.

04

How We Disclose Personal Data

We may disclose personal data in the following circumstances:

Service providers. We share data with carefully selected third-party service providers who assist us in operating the Services. These providers are bound by contractual obligations to use your data only as directed by us and to maintain appropriate security measures. Our service providers include entities in the following categories: cloud infrastructure and hosting, identity and authentication management, payment processing, artificial intelligence and machine learning, web data enrichment, and content delivery. A list of specific sub-processors is available upon request to authorized account holders.

Connected marketplaces. When you connect a marketplace account, your inventory and listing data is transmitted to that marketplace through its official interfaces in accordance with the marketplace's own terms and privacy policies.

Legal and regulatory. We may disclose personal data to comply with applicable law, regulation, legal process, or governmental request; to enforce our Terms of Service; to protect the rights, property, or safety of Autotek, our users, or the public; or in connection with a merger, acquisition, reorganization, or similar transaction.

With your consent. We may disclose personal data for other purposes with your express consent.

We do not sell, rent, or otherwise commercially distribute your personal data to third parties for their own marketing or advertising purposes.

05

Multi-Tenant Data Isolation

The Services operate a multi-tenant architecture with strict logical data segregation. Each organization ("Tenant") operates within an isolated data environment. All data access is scoped to the authenticated Tenant, enforced at both the application and database layers. No Tenant can access, view, modify, or infer the existence of another Tenant's data. This isolation applies to all categories of data, including inventory records, marketplace credentials, processing history, user accounts, and configuration settings.

As described in Section 3.3(c), certain anonymized Derived Data may be utilized across the platform to improve service quality. This excludes all personally identifiable information, user-uploaded images, pricing data, quantity information, and marketplace credentials.

06

Data Transfers

Autotek operates in the United States and the United Arab Emirates. Your data may be transferred to, stored in, and processed in jurisdictions outside your country of residence, including jurisdictions that may not provide the same level of data protection as your home jurisdiction.

For transfers of personal data from the European Economic Area ("EEA"), United Kingdom, or Switzerland to jurisdictions that have not received an adequacy decision from the European Commission, we implement appropriate safeguards, including:

• Standard Contractual Clauses ("SCCs") as approved by the European Commission;
• Contractual commitments with sub-processors providing equivalent protections; and
• Where applicable, reliance on the EU-U.S. Data Privacy Framework and the UK Extension thereto.

For transfers involving UAE-resident data subjects, we comply with the cross-border transfer requirements of Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data.

07

Data Retention

We retain personal data for as long as reasonably necessary to fulfill the purposes for which it was collected, maintain and improve the Services, comply with legal obligations, resolve disputes, and enforce our agreements.

• Account data is retained for the duration of your active subscription and for thirty (30) days following termination to facilitate account recovery, after which it is scheduled for deletion.
• User-uploaded images are deleted within thirty (30) days of account termination or upon request.
• Marketplace credentials are immediately invalidated and deleted upon disconnection of a marketplace account or upon account termination.
• Derived Data is retained in accordance with Section 3.3 as it constitutes Autotek intellectual property. Derived Data does not contain personal information and is not subject to individual deletion requests.
• Aggregated and de-identified data may be retained indefinitely for analytical, research, and service improvement purposes.

We may retain certain records for longer periods as required by applicable law, including tax records, transaction logs, and communications relevant to dispute resolution.

08

Security

We implement administrative, technical, and organizational security measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit and at rest using industry-standard protocols and algorithms;
• Authenticated encryption of sensitive credentials with per-record cryptographic isolation;
• Network-level access controls restricting database and internal services to authorized processes only;
• Authentication services that employ industry-standard credential hashing, rate limiting, and support for multi-factor authentication;
• Role-based access controls with defined permission hierarchies;
• Structured audit logging with automated retention and rotation policies;
• Graceful task recovery mechanisms ensuring data integrity during service interruptions.

No method of electronic transmission or storage is completely secure. While we strive to protect your personal data, we cannot guarantee absolute security.

09

Rights and Choices

Depending on your jurisdiction, you may have certain rights regarding your personal data. These may include the right to:

• Access your personal data and obtain a copy thereof;
• Correct inaccurate or incomplete personal data;
• Delete your personal data, subject to legal retention obligations and the intellectual property provisions of Section 3;
• Restrict or object to certain processing activities;
• Port your personal data in a structured, machine-readable format;
• Withdraw consent where processing is based on consent, without affecting the lawfulness of prior processing;
• Lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at support@autotek.io with the subject line "Privacy Rights Request." We will respond within thirty (30) days or within the timeframe required by applicable law. We may request additional information to verify your identity.

Note that deletion requests apply to personal data as defined under applicable law. Derived Data, as described in Section 3.3, constitutes Autotek intellectual property and is not personally identifiable; accordingly, it is not subject to individual deletion or portability requests.

10

Cookies and Similar Technologies

We use strictly necessary cookies for authentication, session management, and security. We may also use functional cookies to remember your preferences. We do not use advertising, retargeting, or cross-site tracking technologies.

11

Children

The Services are intended for use by businesses and individuals who are at least eighteen (18) years of age. We do not knowingly collect personal data from anyone under the age of sixteen (16). If we learn that we have collected personal data from a child in violation of applicable law, we will promptly delete that information. If you believe a child has provided personal data to us, please contact us at support@autotek.io.

12

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by posting a notice on the Services and, where appropriate, by email. Your continued use of the Services after such changes constitutes acceptance of the updated Policy. Prior versions of this Policy are available upon request.

13

Contact Information

If you have questions or concerns about this Privacy Policy or our data practices, please contact us:

For GDPR-specific inquiries, please include "GDPR Inquiry" in your subject line.

14

Legal Bases for Processing

Where the GDPR or similar legislation applies, our legal bases for processing personal data include:

You may object to processing based on legitimate interests by contacting us at the address above. We will consider your objection and, unless we have compelling legitimate grounds for continued processing, we will cease the relevant processing.

15

Regional Supplemental Disclosures

California (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect, use, and disclose; the right to request deletion of your personal information; the right to correct inaccurate personal information; and the right to opt out of the sale or sharing of personal information. We do not sell or share personal information as defined by the CCPA/CPRA. We will not discriminate against you for exercising your privacy rights.

European Economic Area, United Kingdom, and Switzerland

If you are located in the EEA, UK, or Switzerland, you have the rights described in Section 9, including the right to lodge a complaint with your local supervisory authority. Our legal bases for processing are set forth in Section 14. For information about international data transfers, see Section 6.

United Arab Emirates

If you are a UAE resident, your personal data is processed in compliance with Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data. You have the right to access, correct, restrict, and request erasure of your personal data, and to lodge complaints with the UAE Data Office.

Connected Marketplace Supplemental Notices

When you connect a marketplace account to the Services, your use of that marketplace is also governed by the marketplace's own terms and privacy policy. You may revoke marketplace access at any time through the Services or directly through your marketplace account settings. As additional marketplace integrations become available, supplemental notices specific to those platforms will be published.