Privacy Policy
Last updated: 25 May 2026
1. Who we are
Jonathan Konyen eU ("we", "us", "Carfolio") is the data controller for the personal data processed through the Carfolio app and website. We are registered in Austria and operate the digital car portfolio service available at carfolio.site.
2. What personal data we collect
- Account data: Name, email address, and authentication provider ID (e.g. Google OAuth profile) when you sign in.
- Vehicle data: Make, model, year, VIN, license plate, mileage, purchase price, and photos of your vehicles.
- Service & cost records: Maintenance entries, fuel purchases, repair costs, vendor names, dates, and attached receipts or documents.
- Usage data: IP address, browser type, device information, and app interaction patterns (collected via server logs and analytics).
- Payment data: We do not store your payment card details. Payments are processed by our Merchant of Record, Paddle.com, who handle billing data independently.
3. Why we process your data (legal basis)
- Contract performance (Art. 6(1)(b) GDPR): To provide the Carfolio service, store your vehicle portfolio, and enable ownership transfers.
- Legitimate interests (Art. 6(1)(f) GDPR): Fraud prevention, security monitoring, service improvement, and customer support.
- Consent (Art. 6(1)(a) GDPR): For optional AI document analysis and marketing communications (where applicable).
- Legal obligation (Art. 6(1)(c) GDPR): Tax and accounting compliance where required by Austrian law.
4. How we share your data
We do not sell your personal data. We share data only with:
- Service providers: Cloud hosting (AWS / EU regions), email delivery, customer support tooling, and analytics.
- Merchant of Record — Paddle.com: For payment processing, subscription management, tax compliance, and invoicing. Paddle acts as an independent data controller for payment data. See Paddle's Privacy Policy.
- Professional advisers: Legal and accounting firms where necessary.
- Authorities: Where required by law or to protect our legal rights.
5. Data retention
We keep your personal data for as long as your account is active. If you delete your account, we remove your vehicle data and personal information within 30 days, except where we are legally required to retain it (e.g. tax records for 7 years under Austrian law). Anonymised analytics data may be retained indefinitely.
6. Your rights
Under the GDPR, you have the right to: access, rectify, erase, restrict processing of, and port your personal data; object to processing based on legitimate interests; and withdraw consent at any time. To exercise these rights, contact us at privacy@carfolio.site. We respond within one month.
You also have the right to lodge a complaint with the Austrian Data Protection Authority (dsb.gv.at).
7. International transfers
Your data is stored in the European Union. Where we use sub-processors outside the EEA (e.g. US-based analytics), we rely on Standard Contractual Clauses (SCCs) or adequacy decisions to ensure GDPR-equivalent protection.
8. Security
We implement appropriate technical and organisational measures to protect your data: TLS encryption in transit, AES-256 encryption at rest, access controls, regular security reviews, and least-privilege access for staff. Vehicle media (photos and documents) are stored in private buckets with signed URLs; public access is blocked.
9. Cookies
We use essential cookies for authentication and session management. These are strictly necessary and cannot be disabled. We do not use third-party marketing or tracking cookies. Analytics cookies, if used, are anonymised and require your consent.
10. Contact
For privacy questions or data subject requests, contact:
Jonathan Konyen eU
Email: privacy@carfolio.site
Website: carfolio.site