Legal

Privacy Policy

Effective: May 14, 2026 Version: 2.0 For: Covenant Mobile Auto Care, US operations

In 30 seconds

What we do and don't do with your information

We collect only what we need to bring an oil change to your driveway: name, email, phone, address, vehicle, and the photos our technician takes during the service.
We never sell, rent, share with advertisers, or share with data brokers. Ever.
We do not collect your GPS location, payment-card details, contact list, photo library, microphone, or marketing-tracking data.
You can delete your account anytime — see covenantautocare.com/delete-account.

01What we collect

From you when you sign up and book

Name — first and last.
Email and phone — to confirm your appointment and reach you if our technician is delayed.
Service address — where we should bring the truck.
Vehicle — year, make, model, and (optionally) license plate or VIN, so we bring the right oil filter.
Notes — anything you choose to tell us about access (gate code, where to park, etc.).
Password — stored as a one-way bcrypt hash; nobody at Covenant, including engineering, can read it.

From your appointment

Service photos taken by the technician on their device (the dipstick, the new filter, the disposal jug, etc.) — shown back to you in the app as proof of work.
Service log — arrival time, departure time, oil quantity used, parts installed, technician name.

Automatically (server-side only)

IP address in security audit logs, captured on every request to our backend. Used only to investigate fraud, abuse, or security incidents. Never shared, never used for marketing or geolocation.
Marketing-site access logs on the website (covenantautocare.com) — standard web-server logs that record which page was requested and when. Aggregated for visitor counts (e.g. "47 people read the homepage this week"); we do not link these logs to individual customer accounts. Logs auto-delete after 90 days.

02What we do not collect

It is shorter to list everything we have intentionally chosen not to collect.

GPS or device location. The mobile app does not request location permissions on iOS or Android. The service address is the one you typed in.
Credit-card details. The current version of Covenant Mobile Auto Care does not process online payments. We don't store any card data.
Contact list, photo library, microphone, calendar. The mobile app does not request access to any of these.
Marketing trackers. No Google Analytics, Mixpanel, Segment, Hotjar, FullStory, advertising pixels, or session-replay tools anywhere — not on the marketing site, not in the app, not in the admin web.
Cookies on the customer-facing site or mobile app. The marketing website (covenantautocare.com) sets zero cookies. The mobile app uses bearer tokens stored in your device's secure storage instead. (Our internal admin web uses two essential session cookies; customers never interact with it.)
Browser fingerprints, web beacons, or local-storage trackers.
Data from third-party brokers. We do not buy contact lists or enrich your profile from any external source.

03What we do with what we collect

Deliver the service you booked — schedule the appointment, dispatch the technician, record the work performed, give you the photo proof.
Maintain your service history so we can pull it up if you call about a leak, a warranty claim, or your next oil change.
Investigate security and fraud using the audit logs.
Count aggregate marketing-site traffic (which pages people read, where they came from) to know which copy works.
Respond to lawful legal process (subpoenas, warrants) only when legally required.

A short list, contractually bound to keep your data confidential and use it only on our behalf.

Recipient	What they do with it
Cloud infrastructure providers	Host our website, mobile-app backend, customer database, encrypted file storage, and transactional email delivery. Bound by standard data-processing agreements that prohibit any use of your data outside running these services for us. All data is encrypted at rest and in transit.
Insurance carriers	Only if a claim is filed because of damage during service. Only the data relevant to that claim.
Law enforcement	Only with valid legal process (warrants, subpoenas). Only what the order legally requires; we push back on overbroad requests.

We do not share with advertising networks, social-media platforms, data brokers, marketing-automation tools, or analytics SaaS vendors. We do not sell, rent, or trade your information to anyone, ever.

05How long we keep things

Account profile and service history: as long as you are a customer, plus the 14 days it takes to complete a deletion request.
Backups containing your data: auto-overwrite on a 35-day rolling cycle, so within 35 days of you deleting your account no copy of your data remains.
Anonymized financial records (service date and amount, with name and contact info stripped): 7 years, because the US Internal Revenue Service requires it. After stripping, these records cannot be linked back to you.
Audit logs: 2 years, with your user ID replaced by a non-recoverable hash after account deletion.
Marketing-site web-server logs: 90 days, then auto-deleted.

06Your rights

Delete your account: follow the steps at covenantautocare.com/delete-account. We confirm within 2 business days, complete deletion within 14.
Request a copy of your data: email hello@covenantautocare.com; we send you a portable copy within 30 days.
Correct your data: change your name, email, phone, address, or vehicle inside the app, or email us if you cannot.
Object to processing: email us. If you object to data we are required to keep (e.g. tax records), we will tell you which categories are non-deletable and why.

Residents of California, Colorado, Connecticut, Virginia, Utah, and other states with comprehensive privacy laws have the additional rights granted by those laws (right to know, right to portability, right to non-discrimination for exercising rights, etc.). To exercise any of them, the email address above is the fastest path. We do not sell or share personal information for cross-context behavioral advertising in the meaning of any state law.

07How we protect it

HTTPS everywhere — all traffic between your phone, our website, and our backend is encrypted in transit (TLS 1.2 or 1.3, no weak ciphers).
Encryption at rest on the customer database, photo storage, and backups (provider-managed AES-256).
One-way password hashing (bcrypt). Even our own engineers cannot read your password.
Audit logging on every administrative action, with the actor and timestamp recorded.
Least-privilege access — only a small number of authorized staff can read customer data, and only when troubleshooting a specific issue.

08Changes to this policy

If we add a feature that changes what we collect or who we share with (a payment processor, an SMS sender, a future analytics tool, etc.), we will update this page before the new flow goes live, with at least 30 days' email notice to active customers. You will have the chance to delete your account before the new policy takes effect. Minor edits (typos, clearer wording) may be made anytime; we will note the version date at the top of this page when that happens.

09Contact

Questions, concerns, requests, or complaints:

Email: hello@covenantautocare.com — monitored by a real human, replies within 2 business days.

If we have not adequately responded to a privacy concern, residents of states with privacy enforcement authorities may complain to the relevant state attorney general. We would prefer to hear from you first and resolve it directly.

End of document. Version 2.0 · Effective May 14, 2026.
Previous versions available on request.