Legal
Privacy policy.
- Effective: May 17, 2026
- Last updated: May 17, 2026
1. The short version
- We collect what you put into your garage, plus the minimum needed to run an account.
- We don't sell your data. We don't share it with advertisers.
- We use a handful of standard processors (hosting, auth, storage, email, analytics) to actually run the Service. They're listed below.
- You can export everything and delete your account at any time.
2. Who's responsible
Motofolio (“Motofolio,” “we,” “us”) is the data controller for the personal data described here. If you're in the UK or EEA, you have specific rights under UK GDPR and GDPR — see §9.
3. What we collect
Account data
Email address, handle, display name, optional avatar, and the timestamps of when you signed up and last used the Service.
Garage content
Cars you add (make, model, variant, year, colour, chassis number, ownership dates, story, mods, timeline entries) and the photos you upload. Visibility is per-car: public, unlisted, or private.
Technical data
- IP address (used briefly to detect abuse and stored in logs for up to 30 days).
- Device and browser information sent in standard request headers.
- Authentication cookies and a small set of preference cookies — see §10.
- Server-side logs of requests (path, status code, timing) for debugging and security.
Payment data (if you buy a paid plan)
Handled by our payment processor. We receive the subscription status and the last four digits of the card; we don't store full card numbers.
4. Why we collect it
- To create and run your account and your garage.
- To store and display the cars, photos, and timeline entries you put in.
- To link cars across owners by chassis number (see Terms §5). You can opt a car out at any time from its visibility settings.
- To send transactional email — sign-in links, security alerts, billing receipts.
- To detect abuse, keep the Service secure, and meet legal obligations.
- To improve the Service in aggregate (which features are used, where things break).
5. Legal basis
Where UK GDPR or GDPR applies, we rely on these lawful bases:
- Contract — running your account and the Service you asked for.
- Legitimate interests — security, fraud prevention, aggregate product analytics, and replying to support enquiries. You can object.
- Consent — optional cookies, marketing email (if you ever opt in), and any sensitive data you choose to add to a public garage.
- Legal obligation — when we have to keep records or respond to lawful requests.
6. Who we share with
We use the following sub-processors to run Motofolio:
| Processor | Purpose | Region |
|---|---|---|
| Vercel | Hosting & CDN | EU / US |
| Supabase | Database, auth & photo storage | EU |
| | OAuth sign-in (optional) | US |
| Resend | Transactional email | EU / US |
| Stripe | Payments (paid plans only) | EU / US |
| Plausible | Privacy-preserving analytics | EU |
We do not sell personal data and we don't allow our processors to use it for their own purposes. We may share data with law enforcement when required by a valid legal request.
7. International transfers
Some of our processors are located in or transfer data to the United States. Where this happens, transfers are protected by Standard Contractual Clauses (SCCs) or equivalent safeguards, plus supplementary measures (encryption in transit and at rest).
8. How long we keep it
- Garage content — until you delete it or close your account, then up to 30 days while backups age out.
- Account record — for the life of the account; after closure we retain the minimum (email hash, billing record) needed for fraud prevention and accounting for up to 6 years.
- Request logs — up to 30 days.
- Security event logs — up to 12 months.
9. Your rights
Depending on where you live, you may have the right to access, correct, delete, port, restrict, or object to processing of your personal data, and to withdraw consent at any time. You can exercise most of these rights directly from your account settings. For anything you can't do yourself, email privacy@motofolio.app — we'll reply within 30 days.
If you're in the UK you have the right to lodge a complaint with the Information Commissioner's Office (ico.org.uk). In the EEA, you can complain to your local data protection authority.
10. Cookies & local storage
We try to use as few cookies as we can get away with. The ones we set:
- Session — keeps you signed in. Strictly necessary.
- Preference — remembers small things like theme. First-party, no tracking.
- Anti-CSRF — protects forms from cross-site request forgery. Strictly necessary.
We don't use advertising cookies or third-party trackers. Our analytics is privacy-preserving (Plausible — no cookies, no cross-site identifiers).
11. Children
Motofolio isn't aimed at people under 16, and we don't knowingly collect personal data from them. If you believe a child has signed up, email privacy@motofolio.app and we'll take care of it.
12. Security
We use HTTPS everywhere, store photos in private object storage with per-user access rules, and isolate database access by row-level security. No system is bullet-proof — if you ever spot something, mail security@motofolio.app and we'll act fast.
13. Changes
If we change this policy materially, we'll email you and post the update at least 30 days before it takes effect. Minor wording changes we'll just update here with a new “Last updated” date.
14. Contact
Privacy questions: privacy@motofolio.app. General questions: hello@motofolio.app. Postal address available on request.