Privacy Policy
Last updated: September 27, 2025
Spy A Thief ("we", "us", "our") operates a community-powered platform that lets people report vehicle thefts and sightings and receive location-based alerts via a Progressive Web App (PWA) with push notifications. This Privacy Policy explains what we collect, how we use it, and your rights.
1) Who we are & how to contact us
Spy A Thief
Email: privacy@spyathief.com
Legal/DMCA: legal@spyathief.com
2) Scope
This policy covers our website, PWA, APIs, push notifications, and related services. By using our services, you agree to this policy.
3) Age restriction (18+)
Our service is intended for adults (18+). We do not knowingly collect data from anyone under 18. If you believe a minor used the service, contact us to remove the data.
4) Information we collect
A. User-submitted content
- Vehicle theft reports & sightings: make/model/color, plate (if provided), photos, time, and location.
- Optional contact details (e.g., email) you provide.
B. Location & geocoding
- We may collect latitude/longitude you submit or allow.
- We convert coordinates into approximate addresses using OpenStreetMap Nominatim or a similar geocoding provider. This sends coordinates to that provider (see Third-Party Services).
C. Push notifications
- Web push subscription (endpoint + encryption keys) and preferences (e.g., radius in miles).
D. Technical data
- IP address, user-agent, device/browser info, cookies (if used), error logs.
- Service worker and PWA caching metadata (non-personal), strictly to make the app work offline and for notifications.
E. Payments
- Payments are processed by Stripe. We receive payment status, amounts, and references; we do not receive your full card number.
5) How we use information
- Show theft/sighting reports on maps and feeds (with approximate locations where appropriate).
- Send push alerts based on your preferences and chosen radius.
- Moderate content, prevent abuse, and maintain security (rate limiting, spam/fraud detection).
- Process payments and provide receipts.
- Improve reliability and performance; maintain logs for debugging and security.
- Comply with legal obligations and respond to lawful requests.
6) Legal bases (for EEA/UK GDPR)
- Consent: push notifications, geolocation, optional email.
- Legitimate interests: community safety, fraud prevention, service security, service improvement.
- Contract: to provide paid features you purchase.
- Legal obligation: tax records, responding to lawful requests.
7) Sharing & disclosure
We do not sell personal data.
- Vendors/Processors (only as needed to provide the service):
  - OpenStreetMap Nominatim (reverse geocoding) — receives coordinates to return approximate addresses.
  - Apple Web Push / push services — deliver notifications to your device.
  - Stripe — payments (card processing & fraud checks).
  - SendGrid (email), Twilio (SMS, if enabled), hosting providers, and analytics/error-logging providers, if used.
- Law enforcement: we may disclose data when required by law, in response to lawful requests (e.g., subpoena), or to prevent harm.
- Business transfers: if we're involved in a merger/acquisition, data may transfer as part of the transaction.
8) Cookies, storage & tracking
- We minimize cookies. The PWA uses service workers for caching and push; this is required for functionality.
- If we adopt analytics or advertising, we'll update this policy and obtain consent where required.
9) Geolocation & address precision
We aim to show approximate locations to protect privacy. Exact addresses may sometimes be inferred by third-party geocoders. Do not use the app as your sole source to locate a vehicle or person.
10) Retention
- Reports & sightings: retained until marked recovered, removed, or no longer useful for community awareness.
- Push subscriptions: expire or are deactivated when invalid.
- Payment records: kept as required by law.
- Logs: retained for security and diagnostics for a reasonable period.
11) Security
- HTTPS/TLS for data in transit.
- Restricted admin access; monitoring and rate limiting.
- We cannot guarantee absolute security. Report concerns to security@spyathief.com.
12) International transfers
We may process data in the US and other countries. Where required, we use appropriate safeguards (e.g., Standard Contractual Clauses).
13) Your rights
EEA/UK
You may access, correct, or delete your data; restrict or opt out of certain processing; request data portability; and withdraw consent. Contact us to exercise these rights.
California (CPRA)
- Know/access, delete, correct; opt-out of "sale"/"sharing" (we do not sell personal data).
- Right to limit use/disclosure of sensitive personal info (we minimize collection; geolocation used only to provide alerts).
- Non-discrimination for exercising rights.
Other US states
We honor similar rights where applicable (e.g., VA/CO/CT/UT). Contact us.
14) Do Not Track
We currently do not respond to Do Not Track signals. If this changes, we'll update this policy.
15) Automated decision-making
We do not use automated decision-making that produces legal or similarly significant effects.
16) Data breach
If a data breach creates a risk to your rights and freedoms, we will notify you and regulators as required by law.
17) Changes to this policy
We may update this policy. We will post the new version with an updated date. Continued use constitutes acceptance.
18) Contact
Privacy questions or requests: privacy@spyathief.com