Effective date: May 14, 2026 · ChienTech / PullPilot · Last updated: 2026-05-27
ChienTech ("PullPilot", "we", "our", or "us") operates the PullPilot application (iOS, Android, web PWA) and Chrome browser extension. This Privacy Policy explains what personal information we collect, how we use it, with whom we share it, and the rights you have regarding that information.
By using PullPilot you agree to the practices described in this policy. If you do not agree, please do not use our services.
| Data element | Details |
|---|---|
| Email address | Used for login, transactional email, and account recovery |
| Username | Public display name chosen by you |
| Password | Stored as a bcrypt hash only; never stored in plain text |
| Profile picture URL | Optional; link to an image you provide or from your OAuth provider |

| Provider | Data received |
|---|---|
| Google Sign-In | google_id, email, display name, profile picture URL from Google |
| Apple Sign-In | apple_id; Apple may relay a private email address — we store whatever Apple provides |

| Data element | Details |
|---|---|
| VIN numbers | 17-character Vehicle Identification Numbers you enter or decoded from a barcode scan |
| Part reports | part_name, part_condition (enum), notes, photo_url, report_type |
| Votes | Your "helpful" or "not helpful" votes on other users' reports |
| Bounties | Part requests you create, including junkyard name and yard row |

| Data element | Details |
|---|---|
| total_points, trust_score | In-app metrics earned through contributions and community voting |
| credit_balance | In-app credits earned through community contributions; used to unlock Detailed Views and boost bounties |

| Data element | Details |
|---|---|
| FCM push tokens | Firebase Cloud Messaging device tokens stored server-side to deliver push notifications you have opted into |
| Notification preferences | Per-category opt-in record (e.g., community reports, bounty alerts, vote notifications); updated via Settings at any time |
| IP address | Captured at request time for rate limiting and fraud prevention; retained in server logs for up to 30 days |
| User-agent string | Browser and OS identifier included in standard HTTP requests |
When you scan a VIN barcode, the camera viewfinder is processed entirely on your device using the ZXing open-source library. No video frames, images, or raw camera output are transmitted to PullPilot servers. Only the decoded 17-character VIN string is sent to our API after you confirm the vehicle match.
We automatically strip all EXIF metadata — including GPS location coordinates, camera make and model, and capture timestamps — from every photo you upload before it is stored. We never store geolocation data from uploaded images. Only the pixel data is retained.
We request your GPS location only for bounty geofencing (verifying you are at a specific junkyard before a bounty can be accepted). Coordinates are sent to our API for that single verification and are not stored persistently.
The PullPilot Chrome Extension runs only on *.picknpull.com pages. It reads only the VIN string from the page DOM. It does not read, store, or transmit browsing history, cookies from other sites, or any other page content. A short-lived authentication token is stored in chrome.storage.local; the token expires server-side after 15 minutes and is automatically refreshed via your active PullPilot web session. Your PullPilot user ID is also stored in chrome.storage.local so you remain signed in across sessions.
| Purpose | Lawful basis (GDPR Art. 6) |
|---|---|
| Create and manage your account | Contract performance (Art. 6(1)(b)) |
| Display your reports and votes to other users | Contract performance (Art. 6(1)(b)) |
| Calculate trust scores and gamification data | Legitimate interest — community quality and fraud prevention (Art. 6(1)(f)) |
| Send transactional emails (verification, account-link, support replies) | Contract performance / legitimate interest (Art. 6(1)(b)/(f)) |
| Send push notifications you have opted into | Consent (Art. 6(1)(a)) |
| Rate limiting, fraud detection, and security | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) |
For the full, up-to-date sub-processor list, see our Sub-processors page.
We share your data with the following service providers solely for the stated purposes. They are contractually prohibited from using it for other purposes.
| Processor | Purpose | Data shared | Privacy policy |
|---|---|---|---|
| Resend | Transactional email delivery | Email address, email content | resend.com/legal/privacy-policy |
| Google Firebase (FCM) | Push notification delivery | FCM device tokens, notification payloads | firebase.google.com/support/privacy |
| Google OAuth | Federated sign-in | OAuth tokens; profile data described in §2 | policies.google.com/privacy |
| Apple Sign-In | Federated sign-in | Apple ID, relay email (if provided by Apple) | apple.com/legal/privacy |
| Cloudflare | CDN, DDoS protection, edge delivery | IP address, request metadata | cloudflare.com/privacypolicy |
| Railway | Database & API hosting | All data stored in our database | railway.app/legal/privacy |
| NHTSA vDecoder API | VIN decoding (make/model/year lookup) | VIN string only; no personal data sent | nhtsa.gov/privacy-policy |
We do not sell your personal information to third parties. We share data only:
Your public reports, votes, tier name, and username are visible to other users — that is the core community feature. Your email, password hash, OAuth IDs, and FCM tokens are never publicly visible.
| Data category | Retention period | Purpose | Legal basis |
|---|---|---|---|
| Active account data | Retained for the life of the account | Service provision and account management | Contract performance |
| Soft-deleted accounts | PII (email, username, hashed password, OAuth IDs) anonymised after 365 days from deletion | Grace period for account recovery | Legitimate interest |
| Reports by deleted users | Anonymised (author shown as "Deleted User") and retained indefinitely as community data | Community data integrity | Legitimate interest |
| Email verification codes & reset tokens | 15 minutes from issuance | Security — prevent token reuse | Contract performance |
| Server access logs | 30 days rolling | Security, debugging, and fraud prevention | Legitimate interest |
| Admin action logs | 2 years | Platform safety and legal compliance | Legitimate interest |
We implement industry-standard security measures, including:
HttpOnly; Secure; SameSite=None;

No method of transmission or storage is 100% secure. In the event of a data breach affecting your rights and freedoms, we will notify affected users and relevant authorities as required by applicable law.
Regardless of your location, you may:
To exercise these rights email [email protected]. We respond within 30 days (45 for complex requests).
If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, grants you the following rights.
Submit CCPA requests by email to [email protected] or via in-app Settings. We may verify your identity before processing deletion or "right to know" requests. You may designate an authorised agent with written authorisation signed by you. We respond within 45 calendar days (extendable to 90 with notice), limited to one verifiable request per 12-month period.
PullPilot collects "precise geolocation" data — as defined by CPRA (Cal. Civ. Code §1798.140(ae)) — when you accept a bounty. This is used solely to verify your physical presence at the designated junkyard. We do not use precise geolocation for advertising, profiling, or any purpose beyond the single verification event. We do not share it with advertisers or data brokers.
California residents have the right to limit our use and disclosure of sensitive personal information to the purposes for which it was collected. To exercise this right, email [email protected] with the subject line "Limit Sensitive PI Use".
PullPilot does not sell or share your personal information for cross-context behavioral advertising. As no advertising services are currently active, §1798.135 (DNSMPI link) is not required. The in-app Settings → Privacy menu remains available for any future ad preferences.
PullPilot does not disclose personal information to third parties for their direct marketing purposes. California residents may request information about any such disclosures at [email protected]; we have nothing to disclose.
ChienTech complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation for Canadian residents.
All personal information is collected for specific, identified purposes as described in this Privacy Policy. We collect only what is necessary for those purposes.
By using PullPilot, Canadian residents consent to the collection, use, and disclosure of their personal information as described in this policy. You may withdraw consent at any time, subject to legal or contractual restrictions, by contacting us at [email protected]. Withdrawing consent may limit your ability to use certain features.
Canadian residents have the right to request access to their personal information and to request correction of inaccuracies. To exercise these rights, email [email protected].
ChienTech is responsible for personal information under its control. Inquiries or complaints may be directed to [email protected]. Unresolved complaints may be escalated to the Office of the Privacy Commissioner of Canada (priv.gc.ca).
Quebec residents have additional rights under Loi 25, including the right to data portability, the right to be forgotten (deindexation), and the right to be informed when automated decision-making is used. To exercise these rights, email [email protected].
Under Quebec Law 25 (Loi modernisant des dispositions législatives en matière de protection des renseignements personnels), ChienTech has designated its chief executive as privacy officer (responsable de la protection des renseignements personnels) by default, pending formal written designation. Quebec residents may contact our privacy officer at [email protected]. Privacy notices for Quebec residents are also available in French at pull-pilot.com/privacy-policy/fr/.
Personal information is transferred to and processed in the United States by ChienTech's service providers (see §4 Third-Party Processors). By using PullPilot, Canadian residents consent to this transfer. We ensure our processors maintain security safeguards appropriate to the sensitivity of the information.
PullPilot is intended for users aged 16 and older. We do not knowingly collect personal information from users under 16. If we learn that a user under 16 has registered, we will promptly delete the account and associated personal data.
Users aged 16–17 may use PullPilot only with the knowledge and consent of a parent or legal guardian. By using PullPilot, users aged 16–17 represent that they have obtained such consent.
At account registration, all users must affirmatively confirm via a checkbox that they are at least 16 years old. This minimum age is consistent with the digital consent age set by Article 8 of the EU General Data Protection Regulation (GDPR) and with the minimum age stated in our Terms of Service §2.
Note: Although our minimum age is 16, we maintain COPPA-compliant practices as a baseline for the protection of younger users who may encounter our service. If you believe a user under 13 has registered, contact [email protected] immediately.
PullPilot's servers and third-party processors are located in the United States. If you access our services from the European Economic Area (EEA), the United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States.
Transfers of personal data from the EU/EEA to US-based processors (including Railway for hosting and database services, Google Firebase for push notifications and analytics, Resend for transactional email, and Cloudflare for content delivery) are governed by the Standard Contractual Clauses (SCCs) adopted by EU Commission Implementing Decision (EU) 2021/914. Where ChienTech acts as data controller and the processor receives personal data directly from you, Module 2 (Controller-to-Processor) applies. Where the processor is acting as an independent controller, Module 1 (Controller-to-Controller) applies. Where an adequacy decision under Article 45 GDPR applies to the destination country or processor, we rely on that adequacy finding.
You may request a copy of the applicable SCCs by emailing [email protected].
If you are located in the United Kingdom, your personal data is processed in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Transfers of your data from the UK to US-based processors rely on the UK International Data Transfer Agreement (IDTA) issued by the UK Secretary of State, or on the UK Addendum to the EU SCCs (B1.0, issued by the ICO), as applicable.
Your supervisory authority in the UK is the Information Commissioner's Office (ICO). You may lodge a complaint with the ICO at ico.org.uk/make-a-complaint.
Transfers of data from Switzerland are conducted in accordance with applicable Swiss data protection law (nDSG). Where the SCC mechanism is used for EU transfers, we rely on the equivalent Swiss standard contractual clauses or the EU SCCs as recognised under Swiss law.
As ChienTech is based outside the European Union and European Economic Area, we are in the process of designating an EU/EEA representative as required by GDPR Article 27. Once appointed, the representative's contact information will be published here. EU and EEA residents may also contact us directly at [email protected] for all privacy inquiries.
By using PullPilot, users outside the US acknowledge that their data may be transferred to and processed in the United States as described in this section. Questions about international transfers? Email [email protected].
The PullPilot Chrome Extension (Manifest V3) operates only on *.picknpull.com pages. It:
stores a short-lived authentication token in chrome.storage.local; the token expires server-side after 15 minutes and is automatically refreshed via your active PullPilot web session;
stores your PullPilot user ID in chrome.storage.local so you remain signed in across sessions.

Remove all extension data by uninstalling the extension or via chrome://extensions → PullPilot → Details → Storage → Clear Data.
PullPilot uses session cookies essential for authentication (HttpOnly, Secure, SameSite=None). No advertising cookies, third-party tracking cookies, or ad-network SDKs are currently active. If advertising is introduced in the future, this section will be updated and users will be notified at least 14 days in advance with an opportunity to update consent preferences.
We may update this Privacy Policy at any time. We will notify you of material changes via in-app notification or email at least 14 days before the changes take effect. The "Effective date" at the top of this page reflects the most recent revision. Continued use after the effective date constitutes acceptance.
For questions, requests, or complaints about this Privacy Policy:
ChienTech / PullPilot
Mailing address: Available upon request pending registered office confirmation.
Email: [email protected]

We aim to respond within 30 days. For formal GDPR or CCPA requests requiring identity verification, we may need up to 45 days.