Privacy Policy
Effective date: June 12, 2026 · Last updated: June 12, 2026
This Privacy Policy explains how Swept, operated by Bottle Rocket Growth, Chicago, Illinois ("Swept," "we," "us"), collects, uses, shares, and protects information in connection with sweptauto.com and the Swept application (the "Service"). Swept is a business tool for automobile dealers; it is not directed to consumers or children.
1. Information We Collect
Information you provide
- Account information. Dealership name, your email address, and a password. Passwords are never stored in plain text; they are hashed using PBKDF2 with a per-user salt and 100,000 iterations.
- Inventory data. VINs you submit by paste or file upload, and stock-related details you attach (such as sold status). Files you drop into the intake (CSV, Excel, PDF, text) are parsed in your browser to extract VINs; the file itself is not uploaded to our servers.
- Communications. Anything you send us by email or support channels.
Information from sign-in providers
- If you sign in with Google or Microsoft, we receive your name, email address, and a provider account identifier through the OpenID Connect protocol. We do not receive or store your Google or Microsoft password, and we request no scopes beyond basic profile and email. Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Information collected automatically
- Session cookie. One strictly necessary cookie that keeps you signed in for up to 30 days. We set no advertising, analytics, or cross-site tracking cookies.
- Service logs. Standard technical logs (IP address, user agent, request timestamps) generated by our hosting infrastructure for security and reliability.
Information generated by the Service
- Vehicle and recall records. Decoded vehicle attributes (year, make, model, trim), recall campaign matches, VIN-level verification results where available, and a timestamped audit trail of every check performed.
- Certificates. Disclosure certificates containing the vehicle description, VIN, dealership name, check results, and timestamp.
2. How We Use Information
- To provide the Service: decode VINs, run recurring recall checks, display inventory status, and generate certificates and audit records you request.
- To operate accounts, authenticate sign-ins, and secure the Service against abuse.
- To communicate with you about the Service, including recall alerts and service notices.
- To comply with law and enforce our Terms of Service.
- To improve the Service using aggregated, de-identified data that does not identify you or any individual.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We show no ads.
3. Public Information: Certificates
Certificate verification pages are public by design so that a buyer, attorney, or auditor can confirm a certificate years later without an account. Anyone with a certificate link can view that certificate, including the VIN, vehicle description, dealership name, results, and timestamp. Do not generate a certificate if you do not want that record to be publicly verifiable.
4. How Information Is Shared
| Recipient | What | Why |
| --- | --- | --- |
| Cloudflare, Inc. | All Service data (hosting, storage, network logs) | The Service runs on Cloudflare Pages, Workers, and KV storage. Data is encrypted in transit (TLS) and at rest on Cloudflare infrastructure. |
| NHTSA (U.S. DOT) | Vehicle make, model, year; VINs sent to the public vPIC decoder | VIN decoding and recall campaign lookups against public government databases. |
| VIN-verification providers | VINs submitted for VIN-level open-recall checks | Where VIN-level verification is enabled, VINs are sent to a third-party recall data provider solely to return recall status. |
| Google / Microsoft | OAuth sign-in exchange only | Authentication, only if you choose that sign-in method. |
| Legal and safety | As required | To comply with law, valid legal process, or to protect rights, safety, and the integrity of the Service. |
| Business transfers | Service data | In a merger, acquisition, or sale of assets, subject to this policy. |
We do not share your inventory with other dealers, and no other Swept customer can see your lot.
5. Retention
- Account data is retained while your account is active and deleted within 30 days of a verified deletion request, except as noted below.
- Audit records and certificates exist to serve as durable proof of checks performed and disclosures made. They are designed to be immutable and are retained even after account closure, because their evidentiary value to you, vehicle purchasers, and regulators depends on permanence. If you require destruction of specific records and no legal basis requires retention, contact [email protected] and we will review the request.
- Technical logs are retained for short rolling periods consistent with our hosting provider's defaults.
6. Security
All traffic is encrypted in transit with TLS. Passwords are salted and hashed (PBKDF2, 100,000 iterations). Sessions use randomly generated tokens with HttpOnly, Secure, SameSite cookies. Data is stored on Cloudflare infrastructure with encryption at rest. No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security; report suspected vulnerabilities to [email protected].
7. Your Rights and Choices
- Access, correction, deletion, portability. You can view and edit inventory in the app, and you may request a copy or deletion of your account data at [email protected]. We verify requests before acting on them.
- California (CCPA/CPRA). California residents have rights to know, delete, correct, and to non-discrimination for exercising those rights. We do not sell or share personal information as those terms are defined in the CPRA, and we use no sensitive personal information beyond what is necessary to provide the Service.
- Other U.S. state privacy laws. Residents of states with comprehensive privacy laws may exercise comparable rights through the same contact. If we decline a request, you may appeal by replying to our decision.
- EEA/UK visitors. The Service is directed to U.S. businesses. If GDPR nonetheless applies to you, our legal bases are performance of contract (providing the Service), legitimate interests (security, improvement), and legal obligation; you may exercise GDPR rights through the contact above.
- Email. Service and security notices are part of the Service; any future marketing email will include an unsubscribe link.
8. Children
The Service is for business use by adults. We do not knowingly collect information from anyone under 18, and the Service is not directed to children under 13. If you believe a minor has provided us information, contact us and we will delete it.
9. Do Not Track and Cookies
We use a single strictly necessary session cookie and no tracking technologies, so the Service behaves the same regardless of browser "Do Not Track" signals; there is nothing to opt out of. Where legally required, Global Privacy Control signals are honored, which in our case requires no change because we do not sell or share data.
10. Changes to This Policy
We may update this policy as the Service evolves. Material changes will be announced through the Service or by email, and the effective date above will be updated. Continued use after the effective date constitutes acceptance.
11. Contact
Privacy questions and requests: [email protected]
Legal notices: [email protected]
Security reports: [email protected]
Swept · Bottle Rocket Growth · Chicago, Illinois