Privacy Policy

Last Updated: 4 March 2026

1. Introduction

VroomVroom is committed to protecting your privacy and ensuring that your personal information is handled in a safe and responsible manner. This Privacy Policy outlines how we collect, use, store, and protect your data in accordance with the Protection of Personal Information Act, 2013 (POPIA) of South Africa. VroomVroom acts as the "responsible party" as defined under POPIA for the personal information processed through our platform.

2. Data We Collect

We collect several types of information to provide and improve our car search aggregation services:

  • Identity Data: This includes your name and email address. We collect this when you sign up using email and password or via third-party OAuth providers, including Google and Facebook.
  • Usage Data: We collect information about how you use our platform, such as your car search queries, vehicle preferences, and interaction history with specific listings.
  • Technical Data: We automatically collect your IP address and device type. This data is processed by our infrastructure providers, Vercel and PostHog. While a browser fingerprint is generated for local encryption purposes, this fingerprint remains on your device and is never sent to our servers.
  • Payment Data: All payments are processed through PayFast, a secure South African payment gateway. VroomVroom receives and stores transaction references for billing purposes, but we never see or store your credit card numbers or sensitive financial details.

3. How Data Is Stored

Your data is stored using industry-standard infrastructure to ensure security and availability:

  • Primary Database: We use Neon PostgreSQL, which is hosted on Amazon Web Services (AWS) servers.
  • Hosting Infrastructure: Our application is hosted on Vercel.
  • Analytics: We use PostHog for product analytics. This is consent-gated and only activates if you explicitly accept our cookie notice.
  • Email Delivery: We use Resend to send transactional emails, such as account verifications and subscription updates.

4. Zero-Knowledge Architecture

VroomVroom employs a zero-knowledge security model for sensitive API keys. When you provide an LLM API key for AI features, it is encrypted directly in your browser using AES-256-GCM. The encryption keys are stored exclusively in your browser's IndexedDB.

These keys never leave your device and are never transmitted to VroomVroom servers. When you use AI-powered features, the request is sent directly from your browser to the AI provider (OpenRouter). Consequently, VroomVroom servers never have access to your decrypted API keys.

5. Analytics & Cookies

We use cookies and similar technologies to provide our service:

  • PostHog Analytics: This service is consent-gated. We do not track your activity through PostHog until you have provided active consent via our cookie banner.
  • Session Cookies: These are strictly necessary for authentication and account security. You cannot opt out of these while using a registered account.
  • Local Storage & IndexedDB: We use these browser technologies to store your encrypted API keys and local UI preferences. These are not used for tracking or analytics.

6. POPIA Compliance

VroomVroom processes personal information in strict accordance with the Protection of Personal Information Act, 2013 (POPIA). We are registered as a responsible party and ensure that all data processing is lawful, reasonable, and respects your right to privacy. As a data subject, you possess specific rights under sections 23, 24, and 11(3) of POPIA regarding access to, correction of, and objection to the processing of your data.

7. Your Rights

You have the right to access the personal information we hold about you, request the correction of inaccurate data, or ask for the deletion of your records. You may also object to the processing of your information for certain purposes, such as analytics. For a detailed guide on how to exercise these rights, please refer to our POPIA Data Subject Rights Notice.

8. Data Retention

We retain your account data for as long as your account remains active. If you request account deletion, we will purge your personal data within 30 days. Your car search history is retained for a maximum of 12 months for personalization purposes, after which it is automatically deleted. All search history associated with an account is removed immediately upon account deletion.

9. Third-Party Sharing

VroomVroom does not sell your personal data to third parties. We only share information with essential service providers required to operate our platform:

  • OpenRouter: For AI-powered search features (data sent directly from your browser).
  • PayFast: For secure payment processing.
  • OAuth Providers: Google and Facebook for authentication.
  • Vercel & Neon: For hosting and database management.
  • Resend: For transactional email delivery.
  • PostHog: For analytics, subject to your explicit consent.

10. Contact

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact our Information Officer.

Subject Line: POPIA Data Request

We will respond to all valid requests within 30 days.

11. Information Regulator

You have the right to lodge a complaint with the South African Information Regulator if you believe your personal information has been handled incorrectly.