Privacy Policy

Dealer Data Solutions, LLC

Effective: April 22, 2026

1. Who We Are & What This Policy Covers

Dealer Data Solutions, LLC ("DDS," "we," "our," or "us") provides a customer relationship management (CRM), compliance, and inventory management platform for independent automotive dealerships. This Privacy Policy describes how we collect, use, share, protect, and retain information in connection with our services (the "Services"), including through our website at app.dealerdatasolutions.com, our APIs, and any related tools or applications.

This policy applies to two distinct audiences:

  • Dealerships and their staff who use our Services directly (our direct customers).
  • Consumers (car buyers, credit applicants, leads) whose information is processed on behalf of the dealerships who use our Services. For these consumers, their primary privacy relationship is with the dealership itself; see Sections 3 and 10.

This policy does not govern a dealership's own privacy practices toward its consumers. Each dealership maintains its own privacy notice, typically published at an address such as /p/<dealer>/privacy on our platform or on the dealership's own website.

2. Key Definitions

  • "Dealership Customer" (or "Dealership"): the automotive dealership that has purchased or is evaluating our Services. The Dealership is the party that enters into a subscription or trial with DDS.
  • "Authorized User": an individual (typically a dealership staff member) granted access to our Services by a Dealership Customer.
  • "Consumer Data": information about a dealership's car buyers, credit applicants, and leads that is entered into, uploaded to, generated by, or transmitted through our Services by or on behalf of a Dealership Customer.
  • "Personally Identifiable Information" (PII): information that identifies a natural person, such as name, address, email, or phone number.
  • "Nonpublic Personal Information" (NPI): information as defined by the federal Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. § 6809(4) — primarily financial information provided by a consumer to obtain a financial product or service (e.g., Social Security Number, income, credit report data).
  • "Data Controller" and "Data Processor": terms used in various privacy laws to identify the party that decides why and how personal information is processed (controller) versus the party that processes it on the controller's instructions (processor). See Section 3.

3. Our Role: Data Processor for Dealerships

For all Consumer Data, DDS acts as a Data Processor (also referred to as a "service provider" under California law or a "third-party service provider" under the GLBA Safeguards Rule). The Dealership Customer is the Data Controller — they decide what information to collect, how long to keep it, and who to share it with, within the boundaries of applicable law. For GLBA purposes, dealerships that finance, arrange financing, or lease vehicles are generally the financial institutions with the consumer relationship, and DDS generally acts as their service provider for information processed through the Services.

Our processing of Consumer Data is governed by:

  • The subscription agreement (or trial agreement) between DDS and the Dealership Customer.
  • The Dealership Customer's configuration and use of the Services (what they upload, who they invite, what actions they take).
  • Our obligations under the GLBA Safeguards Rule (16 C.F.R. Part 314), state privacy laws, and this policy.

For information we collect directly from Dealership Customers and Authorized Users (account credentials, billing contact, usage analytics, support interactions), DDS acts as a Data Controller. This is described in Sections 4 and 5. DDS may also have direct legal obligations as a service provider or as a business that maintains personal information, even when the Dealership Customer remains the primary controller for Consumer Data.

4. Information We Collect

4.1 Information Dealerships Provide Directly (DDS as Controller)

  • Account and staff information: dealership legal name, address, phone, email, dealer license number, EIN, federal and state tax identifiers; Authorized User names, email addresses, roles, passwords (hashed, never stored in plaintext), avatars, and telephone numbers.
  • Billing information: billing contact name, address, email, and payment credentials. Payment card numbers are processed by our payment processor and are never stored on our servers.
  • Configuration: brand color, logo, privacy policy URL, lead distribution settings, consent text customization, expense templates, and similar operational settings.
  • Communications with us: support tickets, emails, and phone calls you initiate with DDS.

4.2 Consumer Data Processed on the Dealership's Behalf (DDS as Processor)

The categories below are determined by what dealerships upload or enter. We store only what a dealership chooses to record about its consumers. Typical categories include:

  • Identifiers: consumer name, address, email, phone numbers, date of birth, driver's license number, and government-issued ID information.
  • Nonpublic Personal Information (NPI): Social Security Number, employment and income information, housing information, bank account or trade-payoff information, and consumer credit report data. NPI is encrypted at rest using per-customer data encryption keys (see Section 8).
  • Vehicle and transaction data: vehicles of interest, test drives, deals, trade-ins, and service history.
  • Communications content: the body and metadata of SMS messages, emails, and call logs exchanged between dealership staff and consumers through the Services, as well as opt-in and opt-out records.
  • Documents: images and files uploaded by dealership staff, such as driver's licenses, proofs of insurance, income verification, and deal paperwork.
  • Interaction history: notes, action items, call logs, and activity timestamps created by dealership staff.

4.3 Information Collected Automatically

  • Usage and device data: IP address, browser and device information, pages viewed, actions taken, and approximate geographic region (derived from IP address). Used to secure the Services, measure performance, and diagnose errors.
  • Audit log data: a tamper-evident log of sensitive actions (PII access, permission changes, account changes, authentication events). See Section 8.
  • Cookies: described in Section 14.

4.4 Information From Integration Partners

At a Dealership Customer's instruction, we may receive information from third-party systems the Dealership has authorized us to integrate with, including:

  • The dealership's existing DMS (Dealer Management System), for inventory feeds.
  • Lead sources (e.g., Cars.com, CarGurus, AutoTrader), for inbound consumer inquiries routed to the Services.
  • Email and messaging providers authorized by the dealership for outbound communications (see Section 6).

5. How We Use Information

We use information for the following purposes:

  • To provide the Services — host, operate, maintain, and improve the CRM, SMS, email, credit application, document management, and compliance features of DDS, as directed by the Dealership Customer.
  • To secure the Services — detect and prevent fraud, unauthorized access, abuse of the Services, and security incidents; maintain audit logs; and operate our information security program.
  • To communicate with Dealership Customers and Authorized Users — respond to support requests, send service-related notices (outages, feature updates, security notices, invoices, password resets).
  • To comply with legal obligations — tax reporting, responding to lawful subpoenas, complying with the GLBA Safeguards Rule, and meeting our contractual obligations to Dealership Customers.
  • To improve the Services — analyze aggregated or de-identified usage data to understand how dealerships use DDS and identify product improvements. We do not train our own machine-learning models on Consumer Data, and our third-party AI subprocessor is contractually prohibited from training on data sent through its API. Where the Services use AI components to assist a Dealership Customer (for example, automating the extraction of fields from documents the dealer has uploaded), the AI processing happens at the dealer's instruction and within our subprocessor framework. We do not use Consumer Data for cross-customer profiling or behavioral advertising.

We do not sell Consumer Data or Dealership Customer information for money. See Section 6 for how we share information with service providers, and Section 11 for CCPA/CPRA-specific disclosures.

6. How We Share Information & Sub-Processors

We share information only in the following circumstances:

6.1 With Dealership Customers

Information submitted by or about a Dealership Customer is accessible to that Dealership Customer's Authorized Users, according to the role-based permissions they configure.

6.2 With Sub-Processors

We engage third-party vendors to provide infrastructure, security, and operational support for the Services. Each sub-processor is contractually obligated to protect information at least as rigorously as required by our obligations to Dealership Customers. The categories of sub-processors we currently engage include:

CategoryPurposeLocation
Cloud database, authentication, and file storagePrimary data store, user authentication, and uploaded file storage (e.g., vehicle photos, document scans, logos)United States
Application hosting and edge infrastructureWeb hosting, CDN, edge workers, and email routing for lead intakeUnited States (global edge network)
SMS and voice telecommunicationsOutbound and inbound SMS, voice calls, and carrier-level caller ID lookupsUnited States
Transactional email deliveryDelivery of service emails (credit application links, account notifications, system messages)United States
Rate limiting and session cacheAbuse prevention, short-lived session data, and API rate limitsUnited States
AI-assisted document extraction (optional)OCR and field extraction from uploaded documents (e.g., driver's licenses), used only when the Dealership Customer enables this feature. Extraction inputs are processed transiently under an API agreement that prohibits the provider from retaining inputs for training.United States

The specific identity of each sub-processor we engage in these categories is available to current Dealership Customers on request via the contact information in Section 17. We maintain an internal up-to-date sub-processor list, including contract status and security assessment records, as part of our vendor due diligence program under the FTC Safeguards Rule. We may engage additional sub-processors as the Services evolve; Dealership Customers will receive advance notice of material changes that affect their data.

6.3 With Integration Partners at the Dealership's Instruction

When a Dealership Customer authorizes an integration (for example, connecting a Gmail or Microsoft 365 account to send email through the Services, or forwarding ADF leads from a third-party vendor), we share or receive the information necessary to operate that integration. We use such integrations only for the scope authorized by the Dealership Customer and revocable by them at any time.

6.4 For Legal Reasons

We may disclose information to comply with applicable law, valid legal process (including subpoenas, court orders, and law enforcement requests), to enforce our agreements, to protect the rights, property, or safety of DDS, our customers, or the public, or to investigate suspected fraud or abuse.

6.5 In a Business Transaction

If DDS is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of some or all of our assets, information may be transferred as part of that transaction. We will provide notice to affected Dealership Customers and, where applicable, affected consumers before information becomes subject to a different privacy policy.

7. Data Retention

Retention of Consumer Data is ultimately controlled by the Dealership Customer. Our default retention policy, which a Dealership Customer may tighten or loosen within legal limits, is designed to mirror the retention periods disclosed in the dealership-branded privacy policy hosted on our platform:

  • Completed vehicle sales, leases, and finance contracts: ten (10) years from the transaction close date, supporting title and lien disputes, tax reporting, dealer licensing audits, and warranty/service continuity.
  • Leads, inquiries, and abandoned credit applications: twenty-five (25) months from last substantive interaction, aligning with Regulation B (12 C.F.R. § 1002.12).
  • Opt-out records: retained indefinitely so we do not re-contact consumers who have opted out.
  • Audit, security, and compliance logs: retained as required by our GLBA Safeguards program and applicable law. Audit log entries are append-only at the database level; they cannot be deleted through the application.
  • Backups: retained for up to thirty (30) days in rolling form for disaster recovery, then automatically overwritten.

For Dealership Customer account data (staff users, billing, audit logs), we retain information for the duration of the subscription and for up to seven (7) years after termination to meet our tax, legal, and contractual obligations, unless applicable law requires a different period.

When a Dealership Customer terminates service, we provide a reasonable opportunity for them to export their data, then delete or de-identify the Consumer Data we hold for them, subject to the retention requirements above. Cryptographically protected NPI is rendered unrecoverable by destroying the associated data encryption keys ("cryptographic erase").

8. Security (FTC Safeguards Program)

Because we facilitate the extension and servicing of credit by our Dealership Customers, we are subject to the FTC Safeguards Rule (16 C.F.R. Part 314). Our information security program is designed to meet the Rule's requirements and includes:

  • Qualified Individual: a designated individual oversees and enforces the information security program.
  • Written risk assessment of foreseeable internal and external risks, periodically reassessed.
  • Encryption in transit using TLS 1.2 or higher for all connections between browsers, API clients, and our infrastructure.
  • Envelope encryption at rest for NPI fields (Social Security Numbers, dates of birth, income, driver's license numbers, and similar). Per-customer data encryption keys are wrapped by a master encryption key held in a dedicated key management boundary. Cryptographic erase of the per-customer key renders the underlying ciphertext unrecoverable.
  • Access controls enforced at the database layer via Row-Level Security (RLS) policies, limiting access to the minimum necessary by role and by dealership membership. Cross-dealership access is blocked by default.
  • Multi-factor authentication is supported for Authorized Users. Dealership Customers can require MFA for their own staff.
  • Tamper-evident audit logging: a hash-chained audit log records sensitive actions (PII access, permission changes, authentication events). Audit entries are append-only at the database layer; a separate checkpoint mechanism enables resumable verification that the chain has not been altered.
  • Vendor due diligence: we evaluate each sub-processor's security posture and require contractual commitments to appropriate safeguards.
  • Security awareness training for personnel with access to NPI.
  • Written incident response plan governing how we detect, contain, investigate, and remediate security events, and how we notify affected Dealership Customers and, where applicable, consumers.

No security program is perfect. We cannot guarantee that unauthorized access, disclosure, alteration, or destruction of information will never occur. If it does, we will act in accordance with Section 15.

9. Dealership Account Rights

Dealership Customers and their authorized representatives can exercise the following rights with respect to their account data:

  • Access: request a copy of the information we hold about their account.
  • Correction: update inaccurate account information directly in the Services or by contacting us.
  • Export: obtain a machine-readable export of account data (customer records, inventory, interaction history, etc.) on reasonable request.
  • Deletion: request deletion of account data on termination of service, subject to the retention periods in Section 7 and any legal or contractual obligations to retain.
  • Audit cooperation: request a copy of our most recent information security program overview, a self-attestation of Safeguards Rule compliance (or, when available, a copy of an independent third-party attestation such as SOC 2), or a copy of our sub-processor list for their own vendor due diligence.

To exercise any of these rights, contact us using the information in Section 17.

10. Consumer Rights (Routed to Dealerships)

If you are a consumer whose information has been entered into our Services by a dealership (for example, because you visited, inquired at, financed through, or purchased from that dealership), your primary privacy relationship is with the dealership, not with DDS. Under GLBA, CCPA/CPRA, and other state privacy laws, the dealership is the Data Controller of information about you.

Accordingly, if you wish to:

  • Request a copy of the information held about you,
  • Correct or update your information,
  • Delete your information,
  • Opt out of the sharing of your Nonpublic Personal Information with nonaffiliated third parties for marketing (GLBA opt-out),
  • Opt out of the sale or sharing of your personal information,
  • Limit the use of your sensitive personal information,
  • Opt out of SMS or email marketing communications from the dealership,

please contact the dealership directly using the information published on their privacy notice or website.

DDS will cooperate with verified requests forwarded by the dealership and, where technically appropriate, execute them on the dealership's behalf (including deletion, export, and opt-out propagation). If you contact DDS directly about a request concerning a dealership's consumer data, we will forward your request to the dealership and, subject to verification, support their response within the timeframes required by applicable law.

11. State Privacy Laws

California (CCPA/CPRA)

For information where DDS acts as a service provider (Consumer Data held on behalf of Dealership Customers), the Dealership Customer — not DDS — is the business responsible for responding to consumer rights requests. See Section 10.

For information where DDS acts as a business (account and billing information about Dealership Customers, Authorized Users, and website visitors), California residents have the right to know, delete, correct, opt out of sale or sharing, limit use of sensitive personal information, and be free from discrimination for exercising these rights. DDS does not sell personal information for money and does not share personal information for cross-context behavioral advertising. To exercise California rights, contact us under Section 17.

Shine the Light: California Civil Code § 1798.83. We do not disclose personal information to third parties for their own direct marketing purposes. No disclosure is required.

Virginia, Colorado, Connecticut, Utah, Texas, and Other States

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), and other states with comprehensive privacy laws may have rights substantially similar to the California rights described above with respect to information where DDS is the controller. Contact us under Section 17 to exercise these rights.

Nevada (§ 603A)

Nevada residents may direct us not to sell covered personal information. We do not currently sell covered information as defined under Nevada law.

12. International Users & Cross-Border Transfers

DDS is operated from and hosted in the United States. Our Services are intended for use by dealerships located in the United States and their consumer audiences. If you access the Services from outside the United States, information you submit or that is submitted about you will be transferred to, stored, and processed in the United States, which may have privacy laws different from those of your country of residence.

13. Children's Privacy

The Services are not directed to minors under 18 for credit- application or financing workflows. We do not knowingly collect personal information from children under 13, or from minors in regulated credit workflows, except where a Dealership Customer has configured a lawful collection process and obtained any legally required parent, guardian, or applicant consent. If you believe a minor has provided us with personal information, contact us under Section 17 and we will investigate and delete the information.

14. Cookies & Tracking Technologies

Our website and application use cookies and similar technologies to:

  • Authenticate Authorized Users and maintain sessions (strictly necessary).
  • Remember display preferences (e.g., dark/light mode).
  • Measure how the application is used in aggregate so we can improve it. We do not use third-party behavioral advertising cookies.

We honor Global Privacy Control (GPC) signals as valid opt-out requests with respect to information where DDS is the controller. The detection is implemented on Platform and public-facing pages including the credit-application flow; when you submit a request, you'll see a confirmation that GPC was detected and honored. If you have set GPC and would like to confirm or escalate the opt-out, contact us under Section 17.

15. Data Breach Notification

If we experience a security event that triggers notification obligations under federal or state law, or under our contractual obligations to Dealership Customers, we will notify affected Dealership Customers without undue delay and, where required, within the specific timeframes set by applicable law. Depending on the facts and the applicable law, DDS, the affected Dealership Customer, or both may also notify regulators or affected individuals. We will provide a description of the event, the categories of information involved, the steps we are taking in response, and recommended actions for affected parties to the extent available and legally appropriate.

16. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Effective" date at the top of this page and, where required by law or appropriate under the circumstances, notify affected Dealership Customers directly. Your continued use of the Services after an update constitutes acceptance of the updated policy.

17. Contact Us

To exercise rights, ask questions about this Privacy Policy, report a privacy concern, or request our security program overview or sub-processor list:

Dealer Data Solutions, LLC
Email: [email protected]
Website: app.dealerdatasolutions.com

We will acknowledge your request and respond substantively within the timeframes required by applicable law (for example, the California Consumer Privacy Act requires acknowledgment within 10 business days and substantive response within 45 days, extendable by an additional 45 days with notice). We may request information to verify your identity and the nature of your request before responding.