Privacy Policy
Last updated: March 29, 2026
Luminest ("we," "our," or "us") operates CarFlow, a vehicle repair queue and management application. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application, desktop application, and related services (collectively, the "Service").
By using CarFlow, you agree to the collection and use of information in accordance with this policy.
1. Information We Collect
Account Information
- Email address
- Display name
- Password (stored securely via Firebase Authentication)
- Business name and team role (Owner, Field Agent, or Accountant)
Vehicle and Business Data
- Vehicle information (VIN, year, make, model, trim, mileage, purchase price, sale price)
- Repair task details (descriptions, status, costs, vendor assignments)
- Vendor information (names, types, contact details)
- Financial data (repair costs, profit calculations, billing information)
Photos and Documents
- Vehicle photos (before/after repair images)
- Receipt images uploaded for OCR processing
- Title and document photos
Usage Data
- Device information (device type, operating system, app version)
- Analytics data (feature usage, screen views, crash reports)
- Push notification tokens
2. How We Use Your Information
- Provide the Service: Manage your vehicle inventory, track repairs, coordinate team activities, and generate reports.
- Process Payments: Handle subscription billing through our payment processor, Stripe.
- OCR Processing: Extract text from receipt images using on-device processing (Google ML Kit) to auto-fill cost information.
- VIN Decoding: Look up vehicle details from the NHTSA vPIC API using the VIN you provide.
- Push Notifications: Send real-time updates about task assignments, vehicle status changes, and team activity.
- Analytics: Understand how the Service is used to improve features and fix issues.
- Customer Support: Respond to your inquiries and resolve issues.
3. Data Storage and Security
Your data is stored using Google Firebase services, including:
- Cloud Firestore: Vehicle, task, vendor, team, and business data.
- Cloud Storage: Photos and document images.
- Firebase Authentication: Account credentials and authentication tokens.
All data is transmitted over encrypted connections (TLS/SSL). Firebase services comply with SOC 1, SOC 2, and SOC 3 certifications. We implement Firestore security rules that restrict data access to authorized team members within your business only.
4. Data Sharing
We do not sell your personal information. We share data only with:
- Google Firebase: Cloud infrastructure for data storage, authentication, and analytics.
- Stripe: Payment processing for subscriptions. Stripe receives only billing-related information.
- NHTSA: VINs are sent to the National Highway Traffic Safety Administration's public API for vehicle identification lookup.
We may also disclose information if required by law or to protect our rights and users' safety.
5. Data Retention
We retain your data for as long as your account is active. When you delete your account or request data deletion:
- Account data is deleted within 30 days.
- Vehicle, task, and vendor data associated with your business is deleted within 30 days.
- Photos and documents stored in Cloud Storage are deleted within 30 days.
- Analytics data is retained in anonymized form.
6. Your Rights
You have the right to:
- Access: Request a copy of the data we hold about you.
- Correction: Update or correct inaccurate information through the app or by contacting us.
- Deletion: Request deletion of your account and associated data. See our Data Deletion page.
- Export: Export your vehicle and financial data in PDF or CSV format from within the app.
- Opt-out: Disable push notifications through your device settings.
7. Children's Privacy
CarFlow is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us so we can delete it.
8. Third-Party Services
Our Service uses the following third-party services, each with its own privacy policy:
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy in the app and updating the "Last updated" date above. Continued use of the Service after changes constitutes acceptance of the updated policy.
10. Contact Us
If you have questions about this Privacy Policy or your data, contact us at:
- Email: support@luminest.io