Privacy Policy
Last updated: July 17, 2026 · Applies to the MechanAIc mobile app (iOS & Android) and mechanaic.com
MechanAIc ("the app," "we," "us") is built and operated by Wrench & Byte LLC, the maker of MechanAIc. This policy explains what personal data the app collects, why, where it is stored, who processes it on our behalf, how long we keep it, and the choices and rights you have. We built MechanAIc to be local-first: your vehicle logbook lives on your device and is the source of truth, and we keep the amount of personal data on our servers deliberately small.
1. The short version
- We collect the email address (and, if you use Sign in with Apple, optionally your name) you use to sign in, your vehicle logbook (vehicles, repairs, parts, costs, reminders, warranties, oil reports, saved OBD readings), and photos you attach.
- When you use an AI feature — chat, receipt scan, oil-report reading, or spec generation — the relevant text and image are sent to Anthropic (the Claude AI provider) to generate a response. We do not store your AI prompts or images on our servers; only anonymized usage counts (token totals) are logged for cost monitoring.
- We use a small number of trusted service providers (Cloudflare, Anthropic, Resend, and the U.S. government's NHTSA VIN database) to run the service. We describe each below.
- We do not sell your personal data, we do not use advertising trackers or ad identifiers, and we do not collect your precise location.
- You can delete your account and all associated server-side data from within the app at any time.
2. Who we are and how to contact us
Data controller: Wrench & Byte LLC (maker of MechanAIc).
Contact: support@wrenchandbyte.com
3. Data we collect and where it is stored
a. Account & identity
- Email address — used to sign you in (via a one-time code) and to identify your account. If you use Sign in with Apple, this may be a private Apple relay address. Stored in our database (Cloudflare D1).
- Name — only if you provide it through Sign in with Apple on first sign-in. Optional; stored in Cloudflare D1.
- Sign-in identifier — a stable, pseudonymous account key (your Apple user identifier, or a value derived from your email). If you use Sign in with Apple, we also store an Apple refresh token for the sole purpose of revoking your Apple sign-in grant when you delete your account.
- Marketing consent flag — a single on/off setting (off by default) recording whether you opted in to product emails.
- Sign-in codes & session tokens — one-time email codes are stored only as a hash and expire in 10 minutes; session tokens are stored on your device's secure keychain and only as a hash on our servers.
b. Your vehicle logbook (user content)
Everything you record about your vehicles: vehicle details and VIN, repair and maintenance entries, parts used and costs, service reminders, generated spec sheets, warranties, saved oil-analysis results, and any OBD readings you choose to save. This data is stored on your device (in the app's local database) as the source of truth. If you are signed in, an encrypted-in-transit copy is backed up to our servers (Cloudflare D1) so you can restore it on a new phone. Our servers store these rows as opaque data and do not analyze their contents.
c. Photos
Photos you take or attach — of parts, leaks, warning lights, receipts, or oil reports. Photos are stored on your device and, when you are signed in, backed up to our object storage (Cloudflare R2) under a key tied to your account so they can be restored on a new device. You can delete individual photos, and deleting your account removes all of them.
d. OBD2 / vehicle diagnostic data
When you connect a Bluetooth OBD2 adapter, the app reads diagnostic trouble codes, live sensor values, emissions-readiness status, your VIN, and — on supported hybrids — traction-battery data. This is read directly on your device over Bluetooth and processed locally. It is only sent to our servers if you save it into your logbook (backed up as above) or if you choose to ask the AI about it (see below).
e. AI feature content
When you use an AI feature, the content needed to answer is sent to our API and on to Anthropic:
- AI chat — your typed question, your vehicle's profile and repair history from your logbook, and up to one photo you attach.
- Receipt scan — the photo of the receipt/invoice.
- Oil-report reading — the photo of the lab report.
- Dyno-sheet reading — the photo of the dyno sheet.
- Spec sheet & fuse map generation — your vehicle's year, make, model, trim, and (for fuse maps) VIN.
- AI risk assessment — the diagnostic codes, readiness status, and sensor values from a scan you submit.
- Camera finders (OBD2 port, fuses) — the photo you capture and your vehicle's year, make, model, and trim.
- Remote start advisor — your vehicle details and your answers to its questions.
- Chat title — a short excerpt of your first question and answer.
We do not store the prompts, photos, or AI responses for these features on our servers. Our server logs record only anonymized token counts and your account ID for cost and abuse monitoring — never the message text or images.
f. Product analytics (first-party, minimal)
To understand how the app is used and improve it, the app sends a small, fixed set of activity events tied to your account ID — for example: account created, vehicle added, entry logged, AI question asked, scans run, feature opened (e.g. diagnostics, parts search, fuse finder), reminder created or fired, and sync completed. Events record that a feature was used (plus your vehicle's make), never the content. These are stored in our database (Cloudflare D1). We use no third-party analytics SDK, no advertising identifiers, and we do not track your location or your activity in other apps. We deliberately do not put VINs, repair notes, or photos into analytics.
g. Technical & log data
Our API runs on Cloudflare and generates operational logs (request status codes, error messages, timestamps, token usage, and your account ID). These are used to keep the service running and secure. They do not contain your message text or images.
4. VIN decoding
When you decode a VIN, the app sends the 17-character VIN to the free public vPIC database operated by the U.S. National Highway Traffic Safety Administration (NHTSA) to return the year, make, model, and trim. No account information is sent with the VIN.
5. How we use your data
- To provide the core features: sign-in, storing and syncing your logbook, backing up photos, reading codes, and generating AI diagnostics and readings.
- To decode VINs and generate factory spec sheets for your vehicle.
- To operate, secure, debug, and rate-limit the service (including preventing abuse of the AI features).
- To send you transactional email (your one-time sign-in code).
- To send product/marketing email only if you opt in.
- To understand aggregate product usage through the minimal first-party events described above.
Legal bases (where GDPR/UK GDPR applies): performance of our contract with you (providing the app), your consent (marketing email; optional features you invoke), and our legitimate interests in securing and improving the service.
6. Who processes your data (third parties)
We do not sell your data. We share it only with the service providers ("processors") that are necessary to run MechanAIc:
| Provider | Role | Data it receives |
|---|---|---|
| Cloudflare, Inc. | Hosts our API, database (D1), photo storage (R2), and rate-limiting infrastructure. | Account identity, your synced logbook, photos, analytics events, operational logs. |
| Anthropic, PBC (Claude API) | Generates AI chat answers and reads receipt/oil-report photos and spec requests. | The prompt text, vehicle/logbook context, and image for the AI feature you use, at the moment you use it. |
| Resend | Delivers transactional sign-in emails. | Your email address and the one-time code. |
| NHTSA vPIC (U.S. DOT) | Decodes VINs. | The VIN you decode. |
| Apple | Sign in with Apple (if used) and App Store distribution. | Your Apple sign-in identifier and, once, your name/email (as you permit). |
| Google Play distribution (Android). | Handled per Google Play; the app does not send your logbook to Google. |
Each provider processes data under its own terms and privacy commitments. Data submitted to the Anthropic API is handled under Anthropic's commercial terms; MechanAIc does not use your data to train AI models, and Anthropic's API is not used to train its models on your inputs.
7. Data retention
- Account & logbook backup: retained until you delete your account.
- Photos: retained until you delete the photo or your account.
- One-time sign-in codes: expire in 10 minutes and are deleted on use.
- Session tokens: removed when you sign out or delete your account.
- AI prompts/images: not retained on our servers (transient processing only).
- Analytics events & operational logs: retained for up to 12 months for product and security purposes, then deleted or aggregated.
- On-device data remains on your device until you delete it in the app or uninstall the app.
8. Deleting your account and data
You can delete your account directly in the app (Account → Delete Account). This permanently removes your user record, your synced logbook rows, your analytics events, your session, and all your backed-up photos from our servers, and — if you used Sign in with Apple — revokes your Apple sign-in grant. Data stored locally on your device is removed when you delete it in-app or uninstall the app. You may also email support@wrenchandbyte.com to request deletion.
9. Your rights
Depending on where you live (e.g., under GDPR/UK GDPR or CCPA/CPRA), you may have the right to access, correct, delete, port, or restrict processing of your personal data, and to object to certain processing or withdraw consent. Because MechanAIc is local-first, much of your data is already in your possession on your device. To exercise any right regarding server-side data, use in-app account deletion or contact us at support@wrenchandbyte.com. We will not discriminate against you for exercising these rights.
10. Security
Data is encrypted in transit (HTTPS). Session tokens are held in your device's secure keychain and stored only as hashes on our servers; one-time codes are stored only as hashes. Access to server data is limited to what's needed to operate the service. No method of transmission or storage is 100% secure, but we work to protect your data and keep our server-side footprint small.
11. Children
MechanAIc is intended for a general audience of vehicle owners and DIY mechanics and is not directed to children under 13 (or the minimum age required in your country). We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it.
12. International transfers
Our providers (including Cloudflare and Anthropic) may process data in the United States and other countries. Where required, transfers are made under appropriate safeguards.
13. Changes to this policy
We may update this policy as the app evolves. We will change the "Last updated" date above and, for material changes, provide notice in the app or by email.
14. Contact
Questions about this policy or your data? Email support@wrenchandbyte.com.