Quick summary: We respect your privacy. The website uses Google Analytics for traffic measurement and stores your language/theme preferences in your browser. The mobile app collects technical vehicle data (VIN, detected ECUs, supported diagnostic features, connection errors) only to improve product quality and compatibility — not for profiling, advertising, or sale. We don't collect personal information, sell data, or track you across the internet.
1. Who we are
OBDThink ("we", "us", "our") operates the website https://obdthink.com (the "Site") and provides the OBDThink mobile application for iOS and Android (the "App"). We are an independent aftermarket tool provider focused on automotive diagnostics and coding for BMW and MINI vehicles. We are not affiliated with BMW AG or any automotive manufacturer.
This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information when you visit our website and use our mobile application.
2. Website: what we collect
Information collected automatically
- Analytics data (via Google Analytics 4 — measurement ID G-BVHY23ENXN): page URLs visited, time spent on page, device type, browser, approximate geographic region (country/city, based on IP), referrer URL, and custom events such as blog post views, scroll depth, and CTA clicks. IP addresses are anonymized before being sent to Google's servers.
- Server logs: standard Apache logs include your IP address, user agent string, requested URL, and timestamp. Used for security, debugging, and abuse prevention. Retained for 30 days, then automatically deleted.
Information stored in your browser
We use localStorage (not cookies, in most cases) for non-personalized preferences:
- Your preferred language (one of: tr, en, de, fr, es, ru, pl, ar)
- Your preferred theme (dark/light)
- Your preferred accent color
- Administrative authentication token (only relevant for staff accessing the content management area; not applicable to regular visitors)
Information you provide voluntarily
If you contact us at [email protected], we receive your email address and any content you include. We use this only to respond to your inquiry.
Information we do not collect
- Your name, phone number, or postal address (we have no forms requesting these)
- Payment information (purchases happen on the App Store / Google Play, not our website)
- Precise geolocation
- Browsing history outside our site
- Social media profiles
3. Mobile app: what we collect
The OBDThink mobile application (iOS and Android) interacts directly with your vehicle through an OBD adapter. To provide diagnostics and coding features, the app processes vehicle-specific technical data. We are committed to transparency about what is sent to our servers and why.
Data sent to our servers on a successful vehicle connection
When the app successfully connects to your vehicle, the following technical information is transmitted to our servers:
- Vehicle Identification Number (VIN) — used to identify the chassis family, production year, and equipment configuration, so the app can offer the correct templates and supported features for your specific car
- Detected ECU list — the modules (e.g., DME, EGS, FRM, HU_NBT, HU_MGU) that responded during the bus scan
- Supported diagnostic features per ECU — which services (read codes, clear codes, live data, coding, service resets) each detected ECU exposes
- Adapter type — ENET, Bluetooth, WiFi, or BLE; used to map quality patterns to hardware
- App version & OS version — used to correlate issues with software builds
Data sent on a failed connection
If a connection attempt fails, we collect technical error context to improve compatibility:
- Connection error code and message (e.g., "Gateway unreachable", "Timeout on K-CAN")
- Adapter type and connection method attempted
- OS, app version, and approximate time of the attempt
- Last successful step in the handshake (if any), to pinpoint where the failure occurred
Why we collect this — and why we do not
Purpose: All of the above is collected to improve product quality — to ensure smooth user experience, to analyze which features work and which fail across different vehicles, adapters, and software versions, and to prioritize fixes and new compatibility. This data is not used for user profiling, behavioral advertising, or sale to third parties.
How VIN is handled
We are aware that VIN can, in certain contexts, be associated with vehicle ownership records. We treat VIN as technical metadata:
- VIN is not linked to any personally identifying information about you (your name, address, payment details, or social profiles)
- VIN is not shared with third parties, including BMW, insurance providers, or advertising networks
- VIN is used in aggregated analytics (e.g., "X% of connected vehicles are F30 chassis") and to provide vehicle-appropriate features in the app
- You can request deletion of all VIN-associated records linked to your device at any time by contacting [email protected]
Data we explicitly do not collect from the app
- Real-time vehicle location, GPS coordinates, or trip history
- Personally identifying information (we don't ask for your name or contact details in the app)
- Audio, camera, or photos
- Contacts, calendar, or other phone data unrelated to the OBD adapter
- Driving behavior (speed, acceleration patterns) — we do not perform any kind of driver scoring
Crash logs & telemetry
The app sends anonymized crash logs (stack traces, OS, device model — no personal data) to help us fix bugs. You can disable this in the app settings.
4. How we use information
- To measure traffic patterns and improve the site's content and structure
- To remember your language and theme preferences across visits
- To analyze which vehicles, adapters, and features work reliably — and which need attention
- To deliver the right templates and supported features to your specific vehicle
- To protect the site from abuse (e.g., rate-limiting failed login attempts to the admin panel)
- To respond to support inquiries you send via email
- To detect and prevent fraud, spam, and security incidents
We do not use your information for advertising, profile building, or to make automated decisions that significantly affect you.
5. Cookies & local storage
The Site uses minimal tracking technologies:
Functional storage (localStorage)
We use the browser's localStorage API to remember your preferences. This data stays on your device, is not transmitted to us, and persists until you clear browser data manually.
Google Analytics cookies
Google Analytics sets cookies (_ga, _ga_*) to distinguish unique users and sessions. These cookies do not contain personal information. See Google's Privacy Policy for details.
We do not use
- Advertising cookies
- Cross-site tracking pixels (Facebook Pixel, etc.)
- Session-replay or heatmap tools
- Affiliate tracking
Opting out
You can:
- Disable JavaScript or block analytics scripts using browser settings or extensions (uBlock Origin, Privacy Badger, Ghostery)
- Install Google's Analytics Opt-Out Browser Add-on
- Clear localStorage at any time via your browser's developer tools or site settings
6. Third-party services
The following third parties may receive minimal technical data from visitors to our Site:
- Google Analytics 4 — usage analytics. Anonymized IP, page views, events. Privacy policy
- Google Fonts — typography. Browser may send IP to Google when fonts load. Privacy policy
- unpkg.com — CDN for JavaScript libraries (React, Babel). Browser sends standard HTTP request when libraries load.
- DigitalOcean — server hosting. Standard request logs.
- Let's Encrypt — SSL certificate authority. No visitor data shared.
- Apple App Store / Google Play — when you click "Download" links, you are redirected to their platforms which have their own privacy policies.
- YouTube — embedded videos in some blog posts. YouTube may set cookies when you interact with the video player. Privacy policy
7. Data sharing
We do not sell, rent, or trade your personal information.
We may share information only in these limited cases:
- Service providers: With the third parties listed above, only the minimum needed for them to operate (e.g., hosting, analytics)
- Legal compliance: If required by law, court order, or to protect against fraud or abuse
- Aggregated statistics: Anonymous, non-identifying aggregates (e.g., "70% of visitors are on mobile") may be used in marketing materials
8. Data retention
- Google Analytics data: 14 months by default (Google's standard event-data retention)
- Server logs: 30 days, then automatically rotated and deleted
- localStorage: Until you manually clear browser data — never expires on its own
- Mobile app connection records (VIN, ECU list, error logs): Retained for up to 24 months for compatibility analysis and quality assurance. Aggregated, non-identifying statistics may be retained indefinitely.
- Crash logs: Up to 90 days, after which they are aggregated and the raw entries deleted.
- Support email correspondence: Up to 2 years, for service continuity. You may request earlier deletion.
9. Your rights
Depending on your jurisdiction (GDPR in the EU/EEA, KVKK in Turkey, CCPA in California, and similar laws elsewhere), you may have the right to:
- Access: Request a copy of any information we hold about you
- Rectification: Request correction of inaccurate information
- Erasure ("right to be forgotten"): Request deletion of your information
- Restriction: Request that we limit how we process your information
- Portability: Receive your information in a machine-readable format
- Objection: Object to processing based on legitimate interests
- Withdraw consent: Where processing is based on consent
- Complaint: Lodge a complaint with your local data protection authority
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. Since we collect minimal data, in many cases the data you can request will be limited to what's stored locally in your own browser (which you can already access and delete yourself).
10. Children's privacy
The Site and the App are not directed at children under 13. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us information, please contact us and we will delete it promptly.
11. International data transfers
Our servers are located in Amsterdam, Netherlands (DigitalOcean). Analytics data is processed by Google in the United States and other countries where Google operates. By using the Site, you consent to your information being transferred and processed in these jurisdictions, which may have different data protection laws than your country of residence.
Where applicable, we rely on Standard Contractual Clauses (SCCs) and other lawful transfer mechanisms approved by the European Commission for cross-border data transfers.
12. Security
We use industry-standard measures to protect data:
- Encryption in transit: All site traffic uses HTTPS with TLS 1.2 or higher
- Secure password storage: Administrative passwords are stored as bcrypt hashes, never in plain text
- Rate limiting & brute-force protection: Failed login attempts are throttled; repeated abuse triggers temporary IP bans
- Server hardening: Fail2ban, regular security updates, restricted SSH access
- Principle of least privilege: Database accounts have only the minimum permissions needed
No system is 100% secure. In the unlikely event of a data breach affecting your information, we will notify you and the relevant data protection authority within 72 hours where legally required.
13. Changes to this policy
We may update this policy from time to time. The "Effective date" at the top of this page will reflect the most recent change. Material changes will be highlighted on our homepage for at least 30 days. We recommend reviewing this policy periodically.
Your continued use of the Site after a policy update constitutes acceptance of the revised policy.
For any privacy-related questions, requests, or concerns:
We aim to respond to all privacy inquiries within 5 business days, and to formal rights requests within 30 days as required by applicable law.
Thank you for reading. We've kept this policy as straightforward as possible. If anything is unclear, please reach out — we're happy to explain.