Privacy Policy for OBDWhiz.com
Last Updated: July 22, 2025
Introduction: Our Commitment to Your Privacy
Who We Are (OBDWhiz.com, PWA, ELM327)
OBDWhiz.com operates as a browser-based Progressive Web App (PWA) specifically designed to assist car and motorbike owners in diagnosing vehicle fault codes. The service leverages a low-cost ELM327-compatible Bluetooth OBD2 dongle, distinguishing itself by offering a direct diagnostic solution without the need for traditional mobile applications, user accounts, or expensive scan tools. The core value proposition emphasizes simplicity and accessibility, allowing users to "Just plug, pair, and diagnose — right from your phone."
Purpose of This Policy
This Privacy Policy is established to transparently outline how OBDWhiz.com collects, utilizes, shares, and safeguards user data. It serves to inform users of their privacy rights across a diverse range of global jurisdictions, including the United States (federal and specific states), Canada (federal and provincial), Australia, New Zealand, Singapore, the United Kingdom, and Europe. Adherence to applicable data protection and privacy laws within these regions is a foundational commitment of OBDWhiz.com.
Data We Collect and Why
Information Collected Automatically (Anonymous Data for Improvement)
OBDWhiz.com states that it does not store any personal data directly and that any data collected is anonymous, used solely to enhance the technology and usability of the service. However, the legal definition and treatment of "anonymous" data vary significantly across jurisdictions, and what a business considers anonymous may still be classified as personal data under stringent privacy laws.
For instance, under the General Data Protection Regulation (GDPR) and UK GDPR, information is truly anonymous only if it does not relate to an identified or identifiable natural person, either in isolation or when combined with other available information. Pseudonymous data, which replaces direct identifiers with a reference number but allows re-identification with additional information, is still considered personal data and remains subject to data protection laws. Similarly, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) define "de-identified" information as data that cannot reasonably identify or be linked to a particular consumer, requiring technical safeguards and business processes to prohibit re-identification and no attempt to re-identify the information. The Australian Privacy Principles (APP) consider information de-identified when the risk of re-identification is "very low" in the relevant context. The New Zealand Privacy Act 2020 defines personal data broadly as any information relating to an identifiable individual, including browsing habits if they can be linked back to a person. Singapore's Personal Data Protection Act (PDPA) also defines personal data as information from which an individual can be identified, and while it generally does not apply to anonymized data, it clarifies that data remains personal if a research team has access to keys or linkages for re-identification.
The use of tools like Google Analytics, even for "application monitoring only," often involves the collection of persistent identifiers such as ClientIDs and IP addresses. These identifiers, even when IP anonymization is enabled, are frequently deemed personal data or unique identifiers under various privacy laws, including GDPR, UK GDPR, CCPA/CPRA, and PIPEDA. The ability to link these identifiers to a device or, indirectly, to an individual's browsing behavior means that the data is not truly anonymous in the strictest legal sense. Therefore, the assertion that all collected data is "anonymous" requires careful re-evaluation to ensure compliance with the comprehensive definitions of personal data across the targeted global markets. This necessitates a privacy policy that addresses the handling of personal data, rather than solely anonymous information.
Information Collected via Google Analytics & Google Tag Manager (Application Monitoring Only)
OBDWhiz.com intends to use Google Analytics (GA) and Google Tag Manager (GTM) exclusively for application monitoring, explicitly stating that these tools will not be used for advertising or remarketing purposes. While this focus on monitoring can reduce certain compliance burdens related to targeted advertising, it does not eliminate the need for robust consent mechanisms and transparent disclosures across all target jurisdictions.
Google Analytics typically employs first-party cookies (e.g., _ga, _gid) and other identifiers like ClientIDs to track user interactions and behavior on websites. These identifiers are widely considered personal data or unique identifiers under various privacy regulations. For users in the European Union (EU) and the United Kingdom (UK), the GDPR and ePrivacy Directive mandate explicit opt-in consent for the placement of non-essential cookies, including those used for analytics. This requirement holds true even if IP addresses are anonymized, as the act of using cookies for tracking still triggers the need for consent. Pre-ticked boxes or implied consent are generally insufficient in these regions; consent must be freely given, specific, informed, and unambiguous.
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) requires "meaningful consent" for analytics cookies, often interpreted as explicit for non-essential purposes like detailed analytics. Australia, New Zealand, and Singapore, while not always as explicit as the EU/UK for all analytics cookies, emphasize consent, purpose limitation, and transparency in their privacy principles (APP, NZPA, PDPA). The global trend leans towards more explicit consent requirements for non-essential tracking technologies. Quebec's Bill 64 also requires clear, free, informed, and specific consent for personal information collected through technological means.
For users in US states with comprehensive privacy laws, such as California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Utah (UCPA), and Connecticut (CTDPA), federal law does not regulate cookies directly. However, these state laws often classify cookies and unique online identifiers as personal information. While explicit opt-in consent for cookies is not universally required in these states, businesses must disclose their use of cookies and provide an opt-out mechanism, particularly if the data collected via cookies could be considered "sold" or "shared" for targeted advertising or profiling purposes. Even though OBDWhiz.com states it uses GA/GTM for "application monitoring only," the general collection of personal information via cookies still triggers disclosure and opt-out obligations in these US states.
Google Tag Manager itself does not set cookies directly but manages the tags that do. Its compliance status is therefore dependent on how it is configured to respect user consent choices. Google's Consent Mode is a technical tool designed to help adjust tag behavior based on user consent preferences.
Given these varied requirements, OBDWhiz.com must implement a robust Consent Management Platform (CMP) and a clear cookie consent banner. This banner should obtain explicit opt-in consent for GA/GTM cookies from users in the EU, UK, Canada, Australia, New Zealand, and Singapore. For US users, it should provide transparent disclosure of cookie usage and clear opt-out options for any data collection that might fall under "sale" or "sharing" definitions, even if currently limited to monitoring. Essential configurations like IP anonymization and appropriate data retention policies within Google Analytics are also critical for compliance.
Information Collected for Donations (via Stripe)
OBDWhiz.com will collect personal data exclusively for donations, with all such transactions securely managed by Stripe. While Stripe is responsible for the secure processing and storage of payment information, OBDWhiz.com, as the merchant, assumes the role of a data controller for the personal data initially collected for the purpose of facilitating these donations. This means OBDWhiz.com determines the purpose and means of processing this data.
As a data controller, OBDWhiz.com is obligated to provide comprehensive notices to users about the collection, use, retention, and disclosure of their personal data, including the fact that it is shared with Stripe for payment processing. This transparency is a fundamental requirement across global privacy laws. OBDWhiz.com must also obtain all necessary rights and consents from users for this data sharing.
Stripe, as a payment processor, collects various categories of personal data, including identifiers, payment account details, and potentially biometric information for identity verification and fraud prevention. Stripe's own privacy policy details its data collection and usage practices. To ensure compliance with regulations like GDPR, Stripe provides a Data Processing Agreement (DPA) that outlines its obligations as a processor. OBDWhiz.com should ensure that it has entered into and adheres to Stripe's DPA.
The privacy policy for OBDWhiz.com must clearly state that personal data, such as names, email addresses, and payment information, is collected for donation purposes and that Stripe serves as the secure payment processor. It should include a link to Stripe's privacy policy for users to review their practices in detail. Furthermore, the policy must outline how users can exercise their data privacy rights (e.g., access, deletion) concerning their donation data, including the process for forwarding such requests to Stripe when necessary. This dual responsibility between OBDWhiz.com as the controller and Stripe as the processor requires clear communication to users and adherence to the respective legal obligations.
No User Accounts or Direct Personal Data Storage (Except Donations)
OBDWhiz.com's operational model explicitly states "No apps. No accounts," and clarifies that there will be "No direct input fields in the future" beyond those required for Stripe donations. This design choice significantly streamlines privacy compliance by reducing the scope of personal data collection and eliminating the complexities associated with managing user-generated content, profiles, or extensive personal data storage. By not maintaining user accounts, OBDWhiz.com avoids many of the data minimization, access, and correction burdens that typically apply to persistent user profiles under various privacy laws.
However, this model introduces specific challenges, particularly concerning consent management and the exercise of user rights. Without a persistent user identity tied to an account, obtaining and documenting explicit consent for non-essential cookies (such as those used by Google Analytics) becomes more intricate, especially in jurisdictions like the EU, UK, and Canada where opt-in consent is required. A robust cookie consent banner is therefore paramount.
Furthermore, enabling users to exercise their data privacy rights—such as the right to access, correct, or delete their data—presents a practical hurdle. Most privacy laws grant these rights, and businesses must provide clear mechanisms for users to submit requests and for the business to verify the requester's identity. Without a login system, traditional identity verification methods are unavailable. OBDWhiz.com will need to establish a clear, documented process for verifying user identity without relying on login credentials. This might involve requesting non-sensitive, corroborating information that only the legitimate user would know, based on the pseudonymous data collected (e.g., approximate date of first use, type of device used, general location data if collected). This process must be carefully designed to avoid inadvertently collecting more personal data for verification than was originally collected or is necessary.
The absence of age restrictions for users also complicates compliance, as discussed further in the "Children's Privacy" section. Without accounts, implementing age-gating or parental consent mechanisms is challenging.
The privacy policy must clearly articulate the limited scope of data collection and explain in detail how users can exercise their rights, including the identity verification process, given the "no accounts" model.
How We Use Your Data
To Provide and Improve Our Service
The primary purpose for collecting data at OBDWhiz.com is to provide and continuously improve the diagnostic service, enhancing both its technology and overall usability. This aligns with the fundamental "purpose limitation" principle found in major privacy regulations globally. GDPR and UK GDPR mandate that personal data be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. Similarly, Canada's PIPEDA requires organizations to identify the purposes for collecting personal information at or before the time of collection, and to limit its use and disclosure to those identified purposes. The Australian Privacy Principles (APP), New Zealand Privacy Act 2020 (NZPA), and Singapore's Personal Data Protection Act (PDPA) also uphold principles of purpose limitation, ensuring data is collected and used only for legitimate and necessary functions. By clearly defining that data is used for service provision and improvement, OBDWhiz.com establishes a legitimate basis for processing, provided that the data collected is proportionate and relevant to these stated purposes.
For Monetization (Google AdSense, Donations)
OBDWhiz.com plans to monetize its service through Google AdSense and donations via Stripe. This section outlines how data is used for these purposes.
Google AdSense
We use Google AdSense to display advertisements on our website. To comply with Google's policies and provide transparency to our users, we are required to make the following disclosures:
- We partner with Google and other third-party vendors who use cookies to serve ads on our site.
- Google's use of advertising cookies enables it and its partners to serve ads to you based on your visit to our site and/or other sites on the Internet.
- You can find a detailed explanation of how Google uses your data at "How Google uses information from sites or apps that use our services."
- Users may opt out of personalized advertising by visiting Google's Ads Settings.
- Alternatively, you can opt out of a third-party vendor's use of cookies for personalized advertising by visiting www.aboutads.info/choices.
Important Note on Children's Privacy and Ad Personalization: As outlined in our "Children's Privacy" section, we cannot verify the age of our users. To protect the privacy of all users and comply with regulations like the Children's Online Privacy Protection Act (COPPA), we have configured Google AdSense to serve only non-personalized ads to all visitors. Non-personalized ads are based on contextual information, such as the content of the current page, rather than a user's past behavior.
Donations
For donations, the personal data collected through Stripe will be used to process these financial contributions. As discussed previously, OBDWhiz.com acts as the data controller for this purpose, with Stripe as the processor. The use of data for this purpose must be clearly disclosed, and the user's consent for processing payment-related personal data must be obtained, typically through the donation process itself. The privacy policy will explain that data collected for donations is used solely for transaction processing and related legal obligations, and that Stripe's privacy policy governs its handling of this data.
For Legal Compliance and Security
OBDWhiz.com will process user data as necessary to comply with legal obligations and to ensure the security of its service. This includes activities such as fraud prevention, responding to legal requests, and addressing security incidents. The processing of data for legal compliance and security is a recognized legitimate basis under most global privacy frameworks. For example, GDPR explicitly permits processing personal data where it is necessary for compliance with a legal obligation or for the protection of vital interests. Similarly, laws across the US, Canada, Australia, New Zealand, and Singapore emphasize the importance of data security and allow for data processing to prevent fraud and respond to law enforcement requests. Stripe, as a payment processor, also collects and processes data for identity verification, fraud prevention, and compliance with financial sector regulations. The privacy policy must clearly state that data may be processed for these essential purposes, even if it is not directly stored by OBDWhiz.com, and that such processing adheres to applicable legal requirements.
How We Share Your Data
With Third-Party Service Providers (Google, Stripe)
Although OBDWhiz.com states it does not store data directly, the service relies on third-party providers, Google and Stripe, for critical functionalities. This means that significant user data is transferred to and processed by these entities. The privacy policy must clearly identify these third parties, the categories of data shared with them, and the specific purposes for this sharing, as required by numerous privacy laws.
For instance, GDPR, UK GDPR, CCPA/CPRA, PIPEDA, APP, NZPA, PDPA, VCDPA, CPA, CTDPA, and UCPA all mandate transparency regarding third-party data sharing. This includes detailing the categories of personal information shared and the specific purposes for which it is shared.
Google, as a provider of Analytics and AdSense, acts in different capacities. For some Google Analytics data, Google may act as an independent controller, while for other services, it acts as a processor on behalf of OBDWhiz.com. Stripe, for donation processing, acts as a processor for OBDWhiz.com but also as a controller for its own fraud detection and compliance purposes.
Many jurisdictions, including Quebec (Bill 64) and those under GDPR, require written agreements with service providers (data processors) to ensure data protection standards are upheld. Google provides Data Processing Terms that cover its services, and Stripe offers a Data Processing Agreement. OBDWhiz.com must ensure these agreements are in place and referenced in its privacy policy to demonstrate its commitment to safeguarding data processed by third parties. The policy should explicitly name Google and Stripe, explain their respective roles (e.g., Google for analytics and advertising, Stripe for payment processing), and describe the categories of data they handle on OBDWhiz.com's behalf or for their own purposes.
For Legal Reasons
OBDWhiz.com may disclose user data when legally required, such as in response to law enforcement requests, court orders, or other legal processes. This is a standard provision in privacy policies globally, reflecting the necessity for businesses to comply with governmental and regulatory demands. Most privacy laws include provisions that allow for data processing and disclosure when necessary to meet legal obligations or protect vital interests. For example, Google's privacy policy states it will share personal information outside of Google if there is a good-faith belief that disclosure is reasonably necessary to respond to applicable law, regulation, legal process, or enforceable governmental request. Similarly, Stripe may disclose personal data if required by law or in response to valid requests by public authorities. This section of the privacy policy ensures transparency regarding such potential disclosures.
Cookies and Tracking Technologies
Types of Cookies Used (First-party, third-party)
OBDWhiz.com's use of Google Analytics and Google AdSense involves the deployment of cookies and other tracking technologies. Google Analytics primarily sets first-party cookies (e.g., _ga, _gid) to distinguish individual users and track their interactions on the website. Google AdSense, particularly if it involves personalized advertising, may utilize third-party cookies placed by Google or its ad network partners. These cookies collect data such as IP addresses (even if anonymized), ClientIDs, timestamps, user agents, and browsing behavior, which are considered personal data or unique identifiers under various privacy laws.
Your Choices Regarding Cookies (Consent mechanisms, opt-out options)
The regulatory landscape for cookie consent is complex and varies significantly across the global markets OBDWhiz.com intends to serve. A single, undifferentiated approach to cookie consent is unlikely to achieve full compliance.
For users in the European Union (EU) and the United Kingdom (UK), the GDPR and ePrivacy Directive impose stringent requirements for cookie consent. Explicit opt-in consent is mandatory for all non-essential cookies, including those used for analytics and advertising. This means users must take a clear, affirmative action (e.g., clicking "Accept" on a cookie banner) before any such cookies are placed on their device. Pre-ticked boxes or implied consent are generally not permissible. Consent must be freely given, specific, informed, and unambiguous, and users must be able to withdraw consent as easily as they gave it.
In Canada, PIPEDA requires "meaningful consent" for analytics cookies. While this may allow for implied consent in some cases, explicit consent is generally required for marketing and advertising cookies. The cookie banner must be clear, transparent, and offer granular consent options. Quebec's Bill 64 also requires clear, free, informed, and specific consent for each purpose.
Australia, New Zealand, and Singapore's privacy laws (APP, NZPA, PDPA) emphasize transparency and consent for data collection, including through cookies. While explicit opt-in for all cookies might not be as universally strict as in the EU/UK, the global trend is towards more explicit consent.
For users in US states with comprehensive privacy laws (e.g., California, Virginia, Colorado, Utah, Connecticut), there is no federal cookie law. However, these state laws consider cookies as personal information. The CCPA, for example, does not require opt-in consent for cookies but mandates disclosure of cookie usage and provides consumers with the right to opt out of the "sale" or "sharing" of their personal information, particularly for targeted advertising. Virginia's VCDPA and Colorado's CPA also grant opt-out rights for targeted advertising.
To navigate these varied requirements, OBDWhiz.com must implement a sophisticated Consent Management Platform (CMP) that can dynamically adapt its cookie banner and data collection practices based on the user's geographical location. This CMP should:
- Present an explicit opt-in consent banner for users in the EU, UK, Canada, Australia, New Zealand, and Singapore, offering granular control over cookie categories (e.g., essential, analytics, advertising).
- For US users, provide clear disclosure of cookie usage and a prominent "Do Not Sell/Share My Personal Information" link or similar opt-out mechanism, especially if AdSense is configured for personalized ads.
- Integrate with Google Consent Mode to ensure that Google Analytics and AdSense tags adjust their behavior according to user consent choices.
- Ensure that Google Tag Manager is configured to only fire tags after the user has granted the necessary cookie consent.
The privacy policy must clearly describe the types of cookies used, their purposes, and provide detailed instructions on how users can manage their preferences, including how to use the consent banner and any opt-out options.
Your Privacy Rights
General Rights (Access, Correction, Deletion, Opt-Out)
Individuals universally possess fundamental rights concerning their personal data across modern privacy frameworks. These generally include the right to know what personal information is collected about them, the right to access that data, to request corrections for inaccuracies, and to request its deletion. Furthermore, individuals often have the right to opt out of certain processing activities, such as the sale of their data or its use for targeted advertising. These rights are enshrined in laws such as GDPR, UK GDPR, CCPA/CPRA, VCDPA, CPA, UCPA, CTDPA, PIPEDA, APP, NZPA, and PDPA.
How to Exercise Your Rights (Contact: ask@obdwhiz.com)
OBDWhiz.com is committed to facilitating the exercise of these privacy rights. Users can submit requests to ask@obdwhiz.com. When a request is received, OBDWhiz.com will take reasonable steps to verify the identity of the requester to ensure the security and privacy of the data. This is particularly important given the "no accounts" model, which means traditional login-based verification is not available. Identity verification may involve asking for non-sensitive, corroborating information that only the legitimate user would likely know, based on the pseudonymous data collected (e.g., approximate date of first use, type of device used, general location data if collected). This process will be carefully balanced to avoid collecting more personal data than necessary for verification.
Response timelines for data subject requests vary by jurisdiction. For example, PIPEDA requires a response within 30 days, while Colorado's CPA mandates a response within 45 days. OBDWhiz.com will endeavor to respond to all legitimate requests within the shortest applicable legal timeframe. For requests related to donation data processed by Stripe, OBDWhiz.com will coordinate with Stripe to fulfill the request, as Stripe has mechanisms for handling data subject requests from merchants' end-users.
International Data Transfers
Data Flow to/from Specified Jurisdictions
Given OBDWhiz.com's global reach, personal data collected from users in the EU, UK, Canada, Australia, New Zealand, and Singapore may be transferred to servers located in the United States, primarily operated by Google (for Analytics and AdSense) and Stripe (for donations). This cross-border transfer of data is a critical area of compliance under international privacy laws.
The GDPR and UK GDPR impose strict requirements for transferring personal data outside the European Economic Area (EEA) and the UK, respectively. Such transfers are only permitted if "adequate protection" is ensured. Common mechanisms for achieving this include Standard Contractual Clauses (SCCs) or participation in recognized data privacy frameworks, such as the EU-U.S. Data Privacy Framework (DPF). Both Google and Stripe have affirmed their compliance with the DPF and offer Data Processing Agreements (DPAs) that incorporate SCCs to facilitate these transfers.
Quebec's Bill 64 also requires organizations to conduct privacy impact assessments (PIAs) for any cross-border transfers of personal information to determine if the transfer is safe. The New Zealand Privacy Act 2020 has specific rules for transferring personal information overseas, allowing it only if adequately protected, for example, if the recipient adheres to NZ privacy rules, the other country has similar laws, or the recipient agrees to protect the information.
Safeguards for Cross-Border Transfers (e.g., SCCs for EU/UK)
OBDWhiz.com relies on the robust data transfer mechanisms and compliance frameworks implemented by its third-party service providers, Google and Stripe. Both companies are certified under the EU-U.S. Data Privacy Framework (DPF), which is designed to provide a legal basis for data transfers from the EU to the US. They also offer Data Processing Agreements (DPAs) that include Standard Contractual Clauses (SCCs), which are widely accepted legal tools for ensuring adequate data protection during international transfers. Google's Data Processing Terms, for instance, are designed to address GDPR and CCPA requirements.
Despite these safeguards, the landscape of EU-US data transfers remains subject to ongoing legal scrutiny, as highlighted by rulings such as Schrems II. This means that while OBDWhiz.com utilizes the best available mechanisms provided by its processors, it must acknowledge the evolving nature of international data transfer regulations. The privacy policy will explicitly state that personal data may be transferred to and processed in the United States, identifying Google and Stripe as the recipients, and specifying that these transfers are safeguarded through mechanisms such as the DPF and SCCs via their respective DPAs. This transparency is crucial for building user trust and meeting legal disclosure requirements.
Children's Privacy
Addressing "No Age Restrictions"
OBDWhiz.com's policy of having "No age restrictions for users" presents a significant compliance challenge, particularly when combined with the use of Google AdSense and the "no accounts" operational model. Privacy laws globally impose enhanced protections for children's data, and the inability to verify age or obtain parental consent without user accounts complicates adherence to these regulations.
In the United States, the Children's Online Privacy Protection Act (COPPA) applies to online services collecting personal information from children under 13, requiring verifiable parental consent. Beyond COPPA, the Connecticut Data Privacy Act (CTDPA) requires opt-in consent before selling or processing sensitive personal data of children under 16 for targeted advertising and provides additional protections for minors under 18. California's Age Appropriate Design Code Act mandates that online services likely to be accessed by children configure all default privacy settings to the highest level of confidentiality.
The GDPR and UK GDPR also provide heightened protections for children's data, generally requiring explicit consent from a parent or guardian for processing personal data of children below the age of digital consent (typically 13 or 16, depending on the Member State).
Crucially, Google AdSense explicitly prohibits targeted advertising to minors. Google's policies state that personalized ads are not shown based on sensitive categories, which can include age-related targeting if minors are involved.
Given the "no accounts" model, implementing reliable age verification or parental consent mechanisms is practically unfeasible for OBDWhiz.com. Therefore, the most pragmatic and legally prudent approach is to assume that all users, regardless of actual age, could be minors. This necessitates configuring all data collection and advertising practices to strictly avoid triggering minor-specific regulations or Google's restrictions.
To achieve this, OBDWhiz.com must:
- Universal Non-Personalized Ads: Ensure that Google AdSense is always configured to serve only non-personalized ads to all users, irrespective of their perceived age. This avoids the prohibition on targeted ads for minors and simplifies compliance by applying the strictest standard universally.
- Data Minimization for All Users: Configure Google Analytics and Google Tag Manager to collect and process data in a manner that ensures it cannot be used to identify individuals, or to track them for advertising/remarketing purposes, even if the tools are capable of doing so. This includes robust IP anonymization and disabling any features that could lead to the collection of Personally Identifiable Information (PII) or user-level behavioral profiling that might be linked to a child.
- Clear Policy Statement: The privacy policy must clearly state OBDWhiz.com's approach to children's privacy. It should explain that due to the nature of the service and its "no accounts" model, OBDWhiz.com cannot verify user age and therefore treats all users' data with the highest level of privacy protection, specifically by not collecting PII from children and by serving only non-personalized advertisements. It should also advise that if children use the service, they should do so with parental supervision.
This strategy aims to mitigate the significant compliance risks associated with children's privacy in a global, account-less environment by applying the most conservative data handling and advertising practices across the entire user base.
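The settings the two list items above call for, as an added example that is not OBDWhiz.com's own code: Consent Mode defaults, the GA4 config flags that switch off Google Signals and ad-personalization signals, and the AdSense non-personalized-ads request, together with a pre-deploy check that a page's configuration actually meets that bar. The measurement ID is a placeholder and the two helper function names are mine; the gtag and adsbygoogle call shapes are Google's documented ones.

```javascript
// Placeholder GA4 measurement ID; the real property ID would go here.
const GA4_MEASUREMENT_ID = 'G-PLACEHOLDER';

// Apply the privacy-first tag configuration to a window-like object. `win` is
// passed in so the same code runs in a browser (pass `window`) or in a test.
function applyPrivacyFirstConfig(win) {
  win.dataLayer = win.dataLayer || [];
  function gtag() { win.dataLayer.push(arguments); }

  // Consent Mode defaults: deny every storage/ads purpose unless a user opts in.
  gtag('consent', 'default', {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'denied',
  });

  // GA4: switch off Google Signals and ad-personalization signals so hits cannot
  // feed remarketing or cross-device profiles. anonymize_ip is the Universal
  // Analytics flag; GA4 truncates IP addresses by default and ignores it.
  gtag('js', new Date());
  gtag('config', GA4_MEASUREMENT_ID, {
    allow_google_signals: false,
    allow_ad_personalization_signals: false,
    anonymize_ip: true,
  });

  // AdSense: request non-personalized ads for every visitor, whatever their age.
  win.adsbygoogle = win.adsbygoogle || [];
  win.adsbygoogle.requestNonPersonalizedAds = 1;
  return win;
}

// Pre-deploy check: does a configured window meet the "non-personalized for all"
// bar? Returns false if any of the three controls is missing or weakened.
function meetsNonPersonalizedPolicy(win) {
  const entries = (win.dataLayer || []).map((args) => Array.from(args));
  const consent = entries.find((e) => e[0] === 'consent' && e[1] === 'default');
  const config = entries.find((e) => e[0] === 'config');
  const consentDenied = !!consent && !!consent[2] &&
    ['ad_storage', 'ad_user_data', 'ad_personalization']
      .every((k) => consent[2][k] === 'denied');
  const signalsOff = !!config && !!config[2] &&
    config[2].allow_google_signals === false &&
    config[2].allow_ad_personalization_signals === false;
  const adsNonPersonalized = !!win.adsbygoogle &&
    win.adsbygoogle.requestNonPersonalizedAds === 1;
  return consentDenied && signalsOff && adsNonPersonalized;
}
```

In a browser the same calls go before the gtag.js and adsbygoogle.js script tags load, so the denied defaults are in place before the first hit is sent.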
Data Security
Measures to Protect Your Information
OBDWhiz.com is committed to protecting user information through robust security measures. While OBDWhiz.com itself states that it does not directly store sensitive personal data, it relies on the advanced security postures of its third-party service providers, Google and Stripe, for the data they process on its behalf. Data security is a universal principle across all global privacy laws.
Stripe, as a payment processor, maintains a highly secure environment. It is PCI-certified at Service Provider Level 1, the most stringent level available in the payments industry. Stripe encrypts sensitive data both in transit and at rest, with decryption keys stored separately. It tokenizes primary account numbers (PANs) internally, isolating raw numbers from its main infrastructure. Stripe also implements rigorous access controls, regular vulnerability assessments, penetration testing, and continuous monitoring of audit logs for suspicious activity. These measures ensure the confidentiality and integrity of donation-related personal data.
Google also employs robust security practices for its services, including Google Analytics and AdSense. Google's infrastructure is designed to protect user data, with strict internal access policies, SSL encryption for data access, and continuous security reviews.
OBDWhiz.com's privacy policy will affirm its dedication to data security and highlight its reliance on the comprehensive security frameworks provided by Google and Stripe to protect user data processed through their services.
Data Breach Notification
In the event of a data security incident, OBDWhiz.com is committed to complying with all applicable data breach notification laws. While OBDWhiz.com itself does not directly store sensitive personal data, it remains responsible for breaches affecting its users' data that are processed by its third-party providers, Google and Stripe.
Mandatory data breach notification is a common requirement across most of the targeted jurisdictions. This includes US states (e.g., California, which can trigger a civil action for data breaches involving non-encrypted personal information), Canada (PIPEDA and Quebec's Bill 64 mandate reporting to authorities and affected individuals), Australia (mandatory obligation to notify data subjects and the Privacy Commissioner for eligible data breaches), New Zealand (mandatory breach notification for serious harm), Singapore (notification regulations for data breaches), and the UK/EU GDPR (requiring notification to data protection authorities and affected individuals within 72 hours of discovery).
Stripe's Data Processing Agreement outlines its obligation to notify merchants (like OBDWhiz.com) of security incidents involving personal data. Similarly, Google has its own procedures for addressing data security incidents. The privacy policy will state that in the unlikely event of a data breach affecting user data processed via Google or Stripe, OBDWhiz.com will work closely with these providers and comply with all relevant data breach notification laws to inform affected individuals and regulatory authorities as required.
Changes to This Privacy Policy
OBDWhiz.com reserves the right to update or modify this Privacy Policy periodically to reflect changes in its practices, legal requirements, or the services offered. Any revisions will be effective immediately upon posting the updated policy on the website. Users are encouraged to review this Privacy Policy regularly to stay informed about how OBDWhiz.com is protecting their information. Material changes will be communicated through prominent notices on the website or via other appropriate channels.
Contact Us
For any questions, concerns, or requests regarding this Privacy Policy or OBDWhiz.com's data practices, users are encouraged to contact OBDWhiz.com at:
Email: ask@obdwhiz.com
This contact point also serves as the primary channel for users to exercise their privacy rights, including requests for access, correction, or deletion of their personal information.