Dealer Recon Systems (“Company,” “we,” “our,” or “us”) operates dealerreconsystems.com and the DRS mobile application (the “Service”). This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our Service.
1. Scope of This Policy
This Privacy Policy applies to:
- Website visitors
- Dealerships using the Service (“Customers”)
- Authorized Users (employees, contractors, agents of Customers)
- End Consumers whose data is entered into the Service by Customers
The Service is intended for use by automotive dealerships located in the United States. All data is processed and stored in the United States.
2. Roles and Data Responsibility
Dealer Recon Systems operates as a data processor (or “service provider” under CCPA) on behalf of its Customers (dealerships), which act as the data controllers (or “businesses” under CCPA).
- Customers determine what data is collected, why it is collected, and how it is used
- We process and store data solely to provide the Service as directed by our Customers
- Customers are responsible for ensuring their own compliance with applicable privacy and data protection laws when using the Service
- We will not sell, share, or use Customer Data for any purpose other than providing the Service
3. Information We Collect
A. Account and User Information
- Names, email addresses, usernames, and login credentials
- Role and permission assignments
- Authentication tokens and session data
B. Dealership Operational Data
- Vehicle data (VIN, stock numbers, status, pricing, condition notes, photos)
- Inventory, parts, and materials data
- Appointments, service orders, and workflow records
- Vendor and supplier information
C. Customer and Consumer Data (Submitted by Dealerships)
- Names, phone numbers, email addresses, and mailing addresses
- Dates of birth
- Driver’s license numbers and expiration dates
- Contact preferences and do-not-contact flags
- Activity scores, lifetime value calculations, and survey responses
- Communication history and notes
We do not control the content of this data and process it only on behalf of the dealership.
D. Financial Data (Submitted by Dealerships)
- Quotes, estimates, and invoices
- Credit application data, including: partial Social Security numbers (last 4 digits), dates of birth, income and employment information, credit scores and credit tier, lender submission records, and adverse action notice records
- Buy-Here-Pay-Here (BHPH) loan terms, including: finance amount, interest rate, payment schedules, delinquency status, and repossession records
- Financing terms, lease terms, and deal structure data
E. Employee and HR Data (Submitted by Dealerships)
- Names, contact information, and emergency contacts
- Driver’s license numbers and expiration dates
- Hire dates, roles, departments, and employment status
- Hourly rates, annual salary, overtime rates, and commission structures
- Direct deposit bank name and account information
- W-4 filing status and I-9 verification status
- Garnishment amounts, types, and priority
- PTO balances, accrual records, and time entries
- Benefits enrollment data
- Certifications and professional licenses
F. Payroll and Tax Data (Submitted by Dealerships)
- Gross and net pay calculations
- Tax withholdings: federal, state, local, FICA, FUTA, and SUTA
- Tax filings: Form 941, Form 940, W-2, and 1099-NEC records
G. Automatically Collected Information
- IP address
- Device type, operating system, and browser
- App usage data and feature access logs
- Access timestamps
H. Location Data
- GPS coordinates associated with vehicles (for lot management and delivery tracking)
- User device location (when explicitly enabled by the user)
I. Crash and Performance Data
- Crash reports and error logs via Google Firebase Crashlytics (Android and iOS only)
- Device model, OS version, and app version at the time of a crash
This data is used solely to diagnose and fix software issues and does not include personal information.
J. Push Notification Tokens
- Firebase Cloud Messaging (FCM) device tokens used to deliver push notifications
- Tokens are associated with your user ID to route notifications correctly
K. Biometric Data
Dealer Recon Systems does not collect, capture, receive, store, or have access to any biometric identifier or biometric information as defined under the Illinois Biometric Information Privacy Act (BIPA), Texas Capture or Use of Biometric Identifier Act (CUBI), the Washington biometric identifier law, or any similar state or federal statute.
The Service may use device-level biometric authentication (such as fingerprint or face recognition) for login convenience. These biometric features are managed entirely by your device’s operating system. We receive only a pass-or-fail authentication result and never the underlying biometric data.
4. How We Use Information
| Data Category | Purpose |
|---|---|
| Account and User Data | Authentication, access control, audit logging |
| Dealership Operational Data | Workflow management, inventory tracking, reporting |
| Customer and Consumer Data | CRM, quote generation, communication, compliance tracking |
| Financial Data | Deal structuring, credit decisioning support, lending management, regulatory compliance |
| Employee and HR Data | Workforce management, payroll processing, benefits administration, compliance |
| Payroll and Tax Data | Compensation processing, tax filing, regulatory reporting |
| Automatically Collected Data | Security monitoring, performance optimization, debugging |
| Location Data | Vehicle lot management, delivery tracking |
| Crash and Performance Data | Bug diagnosis and software improvement |
| Push Notification Tokens | Delivering timely notifications to users |
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use personal information for purposes materially different from those disclosed in this Policy.
5. Sensitive Data
The Service processes the following categories of sensitive data, as defined under various state privacy laws:
- Social Security numbers (last 4 digits), collected as part of credit applications
- Financial account information, including direct deposit details and loan terms
- Driver’s license numbers
- Precise geolocation data (vehicle and user device)
We apply enhanced protections to sensitive data, including:
- Encryption at rest and in transit
- Field-level masking for Social Security numbers in the user interface
- Role-based access restrictions limiting who can view sensitive fields
- Audit logging of access to sensitive data
Sensitive data is collected and entered into the Service by the dealership (data controller). Dealerships are responsible for obtaining appropriate consent from individuals before entering sensitive data and for complying with applicable state laws governing sensitive data processing.
6. Data Sharing and Sub-processors
We may share data with trusted third-party service providers (“sub-processors”) that help us operate the Service. Current sub-processors include:
- Google Firebase — authentication, database (Firestore), file storage (Cloud Storage), hosting, crash reporting (Crashlytics), and push notifications (Cloud Messaging)
- NHTSA VIN Decode API — public government API used for VIN-to-vehicle-data lookups; no personal information is transmitted
Sub-processors process data only on our instructions and are contractually obligated to safeguard data in a manner consistent with this Policy.
We will maintain a current list of sub-processors. We will provide Customers with at least thirty (30) days’ advance notice before engaging a new sub-processor. If you object to a new sub-processor, contact us within thirty (30) days. If the objection cannot be reasonably resolved, you may terminate your subscription.
We may also disclose information when required by law, court order, or governmental authority, or when necessary to protect rights, property, or safety.
7. Data Retention
A. Active Accounts
Data is retained while the account is active and the subscription is in effect.
B. After Cancellation or Termination
Upon cancellation, Customers may request a copy of their data within thirty (30) days. We will provide the data in a reasonable timeframe. After this thirty-day period, data may be permanently deleted at our sole discretion. We are not obligated to retain data beyond the thirty-day window. Extended retention is not guaranteed and may be arranged on a case-by-case basis by written agreement. It is the Customer’s responsibility to request their data within this period; after the window closes, data may no longer be available.
C. Regulatory Retention Requirements
Certain data categories are retained beyond the standard period regardless of account status to comply with legal requirements:
| Data Category | Minimum Retention | Legal Basis |
|---|---|---|
| Credit applications | 25 months | ECOA / Regulation B |
| Audit logs | 2 years | GLBA |
| Tax and payroll records | 7 years | IRS requirements |
| BHPH loan records | Duration of loan + 7 years | Federal and state lending laws |
| I-9 employment verification | 3 years post-termination or 1 year post-hire, whichever is later | USCIS requirements |
| Archived vehicle records | Indefinite | Deleted upon Customer request |
D. Deletion Method
Data is deleted using standard cloud provider deletion mechanisms. Google Firebase manages the physical destruction of storage media in accordance with its data security practices.
8. Data Security
We implement commercially reasonable administrative, technical, and physical safeguards, including:
- Encryption in transit via HTTPS/TLS
- Encryption at rest via Google Firebase infrastructure
- Authentication via Firebase Auth with multi-factor authentication (MFA) support
- Role-based access controls and permission management
- Audit logging of data access and modifications
- Automated session timeout for inactive users
- Application-level security measures including obfuscation and integrity checks
No method of electronic transmission or storage is completely secure. While we strive to protect your data, we cannot guarantee absolute security.
9. Data Breach Notification
In the event of a data breach affecting personal information, we will:
- Notify affected Customers without unreasonable delay following our discovery and investigation of the breach
- Comply with state-specific notification timelines based on the state of residence of each affected individual, which range from 30 to 60 days depending on the jurisdiction
- Include in notifications: a description of the incident, the types of data involved, the steps we have taken, remediation measures, and contact information for further inquiries
- Notify state attorneys general as required by applicable state breach notification laws
- Notify credit reporting agencies if one thousand (1,000) or more individuals are affected, as required by federal law
- Notify the Federal Trade Commission within the timeframes required by the FTC Safeguards Rule when five hundred (500) or more consumers are affected
- Offer credit monitoring services for a period we determine appropriate based on the nature of the incident, typically up to twelve (12) months, where required by applicable law or where we reasonably determine it is warranted, through a qualified provider of our selection
10. Your Privacy Rights
Depending on your state of residence, you may have some or all of the following rights regarding your personal information. This section is designed to satisfy the requirements of comprehensive privacy laws in California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa, Indiana, Tennessee, Delaware, New Jersey, New Hampshire, Nebraska, Maryland, Minnesota, Kentucky, Rhode Island, and any other states that have enacted or may enact similar privacy legislation.
A. Rights Available
- Right to Know and Access: You may request information about the categories and specific pieces of personal information we have collected, the sources of collection, the purposes for collection, and the categories of third parties with whom we share it.
- Right to Delete: You may request deletion of your personal information, subject to legal retention requirements described in Section 7.
- Right to Correct: You may request correction of inaccurate personal information we maintain about you.
- Right to Data Portability: You may request a copy of your personal information in a structured, commonly used, machine-readable format.
- Right to Opt-Out of Sale or Sharing: We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
- Right to Opt-Out of Targeted Advertising: We do not engage in targeted advertising using personal information.
- Right to Opt-Out of Profiling: The Service may calculate activity scores and lifetime value metrics. If these are used in connection with decisions that produce legal or similarly significant effects, you may request to opt out of such profiling.
- Right to Limit Use of Sensitive Personal Information: You may request that we limit the use of sensitive personal information to what is necessary to provide the Service.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights. Exercising your rights will not result in a different level of service or pricing.
B. How to Submit a Request
To exercise any of these rights, contact us at dealerreconsystems@gmail.com.
We will verify your identity before fulfilling any request to protect against unauthorized access. We may ask you to provide information that matches our records to confirm your identity.
C. Response Timeline
We will acknowledge receipt of your request within a reasonable time, and in any case as required by applicable law, and will respond substantively within forty-five (45) days. If additional time is reasonably necessary, we may extend the response period by an additional forty-five (45) days and will notify you of the extension and the reason for it.
D. Right to Appeal
If we deny your privacy request, you may appeal the decision by contacting us at dealerreconsystems@gmail.com with the subject line “Privacy Request Appeal.” We will respond to your appeal within sixty (60) days. If your appeal is denied, you have the right to contact your state attorney general to file a complaint.
E. Consumer Data Held by Dealerships
Because we act as a data processor, End Consumers whose data was entered by a dealership should direct privacy requests to the dealership (data controller) in the first instance. We will assist Customers in fulfilling privacy requests related to data we process on their behalf. End Consumers may also contact us directly at dealerreconsystems@gmail.com.
11. Employee Data Privacy
The Service stores employee and HR data entered by Customers, including the categories described in Sections 3(E) and 3(F). This data is used for workforce management, compensation processing, tax compliance, and benefits administration.
Employees of Customer dealerships have the same privacy rights described in Section 10, subject to applicable state law. In California, the California Consumer Privacy Act (CCPA) applies to employee personal information.
Employee data is retained in accordance with Section 7, including regulatory minimum retention periods for tax records (7 years), I-9 employment verification records (3 years post-termination or 1 year post-hire, whichever is later), and payroll records as required by the IRS and applicable state law.
12. Account Deletion
Individual users may permanently delete their account from within the app by navigating to their Profile and selecting “Delete My Account.” This will:
- Remove your user profile from our systems
- Remove your login credentials from Firebase Authentication
- Sign you out of all devices
Dealership data (vehicles, inventory, customer records, financial records, and other operational data) is not affected by individual account deletion, as it belongs to the dealership, not the individual user. To request deletion of all dealership data, contact us at dealerreconsystems@gmail.com.
13. GLBA Compliance
Dealerships that offer financing, including Buy-Here-Pay-Here (BHPH) lending, may be classified as “financial institutions” under the Gramm-Leach-Bliley Act (GLBA). Dealer Recon Systems supports GLBA compliance by providing:
- Privacy notice delivery tracking (recording when, how, and which version of a privacy notice was delivered to each customer)
- Data access controls and role-based permissions
- Audit logging of access to nonpublic personal financial information
- Data deletion capabilities for customer records
Dealerships remain solely responsible for:
- Delivering initial and annual privacy notices to their customers as required by GLBA
- Providing opt-out rights before sharing nonpublic personal financial information with nonaffiliated third parties
- Maintaining their own written information security programs as required by the FTC Safeguards Rule
Dealer Recon Systems does not share nonpublic personal financial information with nonaffiliated third parties except as necessary to provide the Service.
14. Industry Compliance Support
The Service is designed to support dealership compliance with applicable regulations. The following describes the role of the Service in relation to specific regulatory frameworks.
A. FTC Safeguards Rule (16 CFR Part 314)
The Service provides encryption in transit and at rest, multi-factor authentication, role-based access controls, audit logging, session timeouts, and data deletion capabilities to support dealers in meeting their Safeguards Rule obligations. Dealers are responsible for implementing their own written information security programs and for designating a qualified individual to oversee their security programs.
B. Equal Credit Opportunity Act (ECOA) and Regulation B
The Service facilitates tracking of adverse action notices, including dates sent and reasons provided. Dealers are responsible for the timely delivery of adverse action notices and compliance with all ECOA requirements. Credit application data is retained for a minimum of 25 months as required by Regulation B.
C. Fair Credit Reporting Act (FCRA)
Dealer Recon Systems does not pull consumer credit reports and does not act as a consumer reporting agency. Any credit data stored in the Service was obtained by the dealership through its own lawful processes and existing relationships with credit bureaus or lenders.
D. Red Flags Rule (16 CFR Part 681)
The Service provides identity verification tracking fields (driver’s license information, I-9 verification) and access logging to support dealership identity theft prevention programs.
15. Cookies and Tracking
Our website and web application may use cookies for the following purposes:
- Essential cookies: Required for authentication, session management, and security
- Analytics cookies: Used to understand usage patterns and improve the Service
We do not use third-party advertising cookies. We do not track users across third-party websites. We do not serve targeted advertising.
The Service recognizes Global Privacy Control (GPC) signals. When a GPC signal is detected, we will treat it as a valid opt-out request under applicable state law.
You may manage cookies through your browser settings. Disabling essential cookies may affect the functionality of the Service.
16. Children’s Privacy
The Service is not intended for individuals under the age of sixteen (16). We do not knowingly collect personal information from children under sixteen. If we become aware that we have collected personal information from a child under sixteen without appropriate verifiable consent, we will take steps to delete that information promptly. If you believe we have collected information from a child under sixteen, please contact us at dealerreconsystems@gmail.com.
17. Demo Mode Disclaimer
The Service may include a demo mode in which authentication may be bypassed, data may be temporary or simulated, and data may be deleted at any time without notice. Demo mode is not intended for real business use. Data integrity, security, and privacy protections are not guaranteed in demo mode.
18. Disclaimer of Advisory Services
The Service is designed to support dealership operations and regulatory compliance. However, Dealer Recon Systems does not provide legal, financial, tax, or compliance advice. The inclusion of compliance tracking features, regulatory reference information, or calculation tools in the Service does not constitute professional advice. Dealerships should consult qualified legal, financial, and compliance professionals regarding their specific regulatory obligations.
19. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated with at least thirty (30) days’ advance notice via email and in-app notification. Non-material changes (corrections, clarifications, and formatting) may take effect upon posting. The “Effective Date” at the top of this page reflects the most recent update. Prior versions of this Policy are available upon request.
20. Contact Information
Dealer Recon Systems
Hastings, Florida, United States
Email: dealerreconsystems@gmail.com
For privacy-related requests, please include “Privacy Request” in the subject line of your email.