Dealer Data Solutions, LLC
Effective: April 22, 2026
Dealer Data Solutions, LLC ("DDS," "we," "our," or "us") provides a customer relationship management (CRM), compliance, and inventory management platform for independent automotive dealerships. This Privacy Policy describes how we collect, use, share, protect, and retain information in connection with our services (the "Services"), including through our website at app.dealerdatasolutions.com, our APIs, and any related tools or applications.
This policy applies to two distinct audiences:
This policy does not govern a dealership's own
privacy practices toward its consumers. Each dealership maintains
its own privacy notice, typically published at an address such as /p/<dealer>/privacy on our platform or on the
dealership's own website.
For all Consumer Data, DDS acts as a Data Processor (also referred to as a "service provider" under California law or a "third-party service provider" under the GLBA Safeguards Rule). The Dealership Customer is the Data Controller — they decide what information to collect, how long to keep it, and who to share it with, within the boundaries of applicable law. For GLBA purposes, dealerships that finance, arrange financing, or lease vehicles are generally the financial institutions with the consumer relationship, and DDS generally acts as their service provider for information processed through the Services.
Our processing of Consumer Data is governed by:
For information we collect directly from Dealership Customers and Authorized Users (account credentials, billing contact, usage analytics, support interactions), DDS acts as a Data Controller. This is described in Sections 4 and 5. DDS may also have direct legal obligations as a service provider or as a business that maintains personal information, even when the Dealership Customer remains the primary controller for Consumer Data.
The categories below are determined by what dealerships upload or enter. We store only what a dealership chooses to record about its consumers. Typical categories include:
At a Dealership Customer's instruction, we may receive information from third-party systems the Dealership has authorized us to integrate with, including:
We use information for the following purposes:
We do not sell Consumer Data or Dealership Customer information for money. See Section 6 for how we share information with service providers, and Section 11 for CCPA/CPRA-specific disclosures.
We share information only in the following circumstances:
Information submitted by or about a Dealership Customer is accessible to that Dealership Customer's Authorized Users, according to the role-based permissions they configure.
We engage third-party vendors to provide infrastructure, security, and operational support for the Services. Each sub-processor is contractually obligated to protect information at least as rigorously as required by our obligations to Dealership Customers. The categories of sub-processors we currently engage include:
| Category | Purpose | Location |
|---|---|---|
| Cloud database, authentication, and file storage | Primary data store, user authentication, and uploaded file storage (e.g., vehicle photos, document scans, logos) | United States |
| Application hosting and edge infrastructure | Web hosting, CDN, edge workers, and email routing for lead intake | United States (global edge network) |
| SMS and voice telecommunications | Outbound and inbound SMS, voice calls, and carrier-level caller ID lookups | United States |
| Transactional email delivery | Delivery of service emails (credit application links, account notifications, system messages) | United States |
| Rate limiting and session cache | Abuse prevention, short-lived session data, and API rate limits | United States |
| AI-assisted document extraction (optional) | OCR and field extraction from uploaded documents (e.g., driver's licenses), used only when the Dealership Customer enables this feature. Extraction inputs are processed transiently under an API agreement that prohibits the provider from retaining inputs for training. | United States |
The specific identity of each sub-processor we engage in these categories is available to current Dealership Customers on request via the contact information in Section 17. We maintain an internal up-to-date sub-processor list, including contract status and security assessment records, as part of our vendor due diligence program under the FTC Safeguards Rule. We may engage additional sub-processors as the Services evolve; Dealership Customers will receive advance notice of material changes that affect their data.
When a Dealership Customer authorizes an integration (for example, connecting a Gmail or Microsoft 365 account to send email through the Services, or forwarding ADF leads from a third-party vendor), we share or receive the information necessary to operate that integration. We use such integrations only for the scope authorized by the Dealership Customer and revocable by them at any time.
We may disclose information to comply with applicable law, valid legal process (including subpoenas, court orders, and law enforcement requests), to enforce our agreements, to protect the rights, property, or safety of DDS, our customers, or the public, or to investigate suspected fraud or abuse.
If DDS is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of some or all of our assets, information may be transferred as part of that transaction. We will provide notice to affected Dealership Customers and, where applicable, affected consumers before information becomes subject to a different privacy policy.
Retention of Consumer Data is ultimately controlled by the Dealership Customer. Our default retention policy, which a Dealership Customer may tighten or loosen within legal limits, is designed to mirror the retention periods disclosed in the dealership-branded privacy policy hosted on our platform:
For Dealership Customer account data (staff users, billing, audit logs), we retain information for the duration of the subscription and for up to seven (7) years after termination to meet our tax, legal, and contractual obligations, unless applicable law requires a different period.
When a Dealership Customer terminates service, we provide a reasonable opportunity for them to export their data, then delete or de-identify the Consumer Data we hold for them, subject to the retention requirements above. Cryptographically protected NPI is rendered unrecoverable by destroying the associated data encryption keys ("cryptographic erase").
Because we facilitate the extension and servicing of credit by our Dealership Customers, we are subject to the FTC Safeguards Rule (16 C.F.R. Part 314). Our information security program is designed to meet the Rule's requirements and includes:
No security program is perfect. We cannot guarantee that unauthorized access, disclosure, alteration, or destruction of information will never occur. If it does, we will act in accordance with Section 15.
Dealership Customers and their authorized representatives can exercise the following rights with respect to their account data:
To exercise any of these rights, contact us using the information in Section 17.
If you are a consumer whose information has been entered into our Services by a dealership (for example, because you visited, inquired at, financed through, or purchased from that dealership), your primary privacy relationship is with the dealership, not with DDS. Under GLBA, CCPA/CPRA, and other state privacy laws, the dealership is the Data Controller of information about you.
Accordingly, if you wish to:
please contact the dealership directly using the information published on their privacy notice or website.
DDS will cooperate with verified requests forwarded by the dealership and, where technically appropriate, execute them on the dealership's behalf (including deletion, export, and opt-out propagation). If you contact DDS directly about a request concerning a dealership's consumer data, we will forward your request to the dealership and, subject to verification, support their response within the timeframes required by applicable law.
For information where DDS acts as a service provider (Consumer Data held on behalf of Dealership Customers), the Dealership Customer — not DDS — is the business responsible for responding to consumer rights requests. See Section 10.
For information where DDS acts as a business (account and billing information about Dealership Customers, Authorized Users, and website visitors), California residents have the right to know, delete, correct, opt out of sale or sharing, limit use of sensitive personal information, and be free from discrimination for exercising these rights. DDS does not sell personal information for money and does not share personal information for cross-context behavioral advertising. To exercise California rights, contact us under Section 17.
Shine the Light: California Civil Code § 1798.83. We do not disclose personal information to third parties for their own direct marketing purposes. No disclosure is required.
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), and other states with comprehensive privacy laws may have rights substantially similar to the California rights described above with respect to information where DDS is the controller. Contact us under Section 17 to exercise these rights.
Nevada residents may direct us not to sell covered personal information. We do not currently sell covered information as defined under Nevada law.
DDS is operated from and hosted in the United States. Our Services are intended for use by dealerships located in the United States and their consumer audiences. If you access the Services from outside the United States, information you submit or that is submitted about you will be transferred to, stored, and processed in the United States, which may have privacy laws different from those of your country of residence.
The Services are not directed to minors under 18 for credit- application or financing workflows. We do not knowingly collect personal information from children under 13, or from minors in regulated credit workflows, except where a Dealership Customer has configured a lawful collection process and obtained any legally required parent, guardian, or applicant consent. If you believe a minor has provided us with personal information, contact us under Section 17 and we will investigate and delete the information.
Our website and application use cookies and similar technologies to:
We honor Global Privacy Control (GPC) signals as valid opt-out requests with respect to information where DDS is the controller. The detection is implemented on Platform and public-facing pages including the credit-application flow; when you submit a request, you'll see a confirmation that GPC was detected and honored. If you have set GPC and would like to confirm or escalate the opt-out, contact us under Section 17.
If we experience a security event that triggers notification obligations under federal or state law, or under our contractual obligations to Dealership Customers, we will notify affected Dealership Customers without undue delay and, where required, within the specific timeframes set by applicable law. Depending on the facts and the applicable law, DDS, the affected Dealership Customer, or both may also notify regulators or affected individuals. We will provide a description of the event, the categories of information involved, the steps we are taking in response, and recommended actions for affected parties to the extent available and legally appropriate.
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Effective" date at the top of this page and, where required by law or appropriate under the circumstances, notify affected Dealership Customers directly. Your continued use of the Services after an update constitutes acceptance of the updated policy.
To exercise rights, ask questions about this Privacy Policy, report a privacy concern, or request our security program overview or sub-processor list:
Dealer Data Solutions, LLC
Email: [email protected]
Website: app.dealerdatasolutions.com
We will acknowledge your request and respond substantively within the timeframes required by applicable law (for example, the California Consumer Privacy Act requires acknowledgment within 10 business days and substantive response within 45 days, extendable by an additional 45 days with notice). We may request information to verify your identity and the nature of your request before responding.