Parkspot.ai
Contact sales

Legal

Privacy Policy

Effective April 25, 2026

This Privacy Policy explains how Parkspot.ai (“Parkspot”, “we”, “us”) collects, uses, shares, and protects information when you visit parkspot.ai, use the Parkspot mobile app, or use the Parkspot platform for cities and fleets (collectively, the “Service”).

By using the Service, you agree to this Privacy Policy. If you don’t agree, don’t use the Service.

1. Who we are

Parkspot acts as the data controllerfor personal data collected through this website, the Parkspot driver app, and the Parkspot enterprise platform — except for personal data that an enterprise customer (a city or fleet) sends through the Service on its behalf, where Parkspot acts as a data processor for that customer.

Privacy questions and rights requests: legal@parkspot.ai. We reply within 30 days.

2. What we collect

We collect only what we need. The categories below are exhaustive for the website and the Parkspot driver app. The enterprise platform additionally processes whatever a customer chooses to upload or stream through it.

2.1 Account and contact data

  • Email address (required for an account or waitlist entry)
  • Display name and profile preferences (optional, in-app)
  • Authentication tokens (managed by your platform: Apple, Google, or email)
  • Support correspondence you send us

2.2 App and usage data

  • Device type, OS version, app version, language, timezone
  • IP address (used transiently for rate limiting and abuse prevention)
  • Approximate or precise location — only after you grant permission, only to suggest nearby coverage
  • App usage events (cameras checked, features used, navigation taps) — aggregated, no PII attached
  • Crash logs, error reports, performance metrics

2.3 Payment data

Payments for Parkspot Pro and other paid features are processed by our payment partners (RevenueCat on iOS, Paddle on Android and web). We receive a transaction reference and subscription status — we do not see or store your full card number, CVV, or bank credentials.

2.4 Camera feeds (the important one)

Parkspot ingests live frames from publicly available city camera feeds and runs computer vision on them to identify open spots. We commit to the following, every time:

  • We do not store camera feeds. Frames are processed in memory and discarded.
  • We do not capture license plates. Plate regions are blurred or discarded at ingest.
  • We do not recognize faces. No facial-recognition models are run on any frame.
  • We do not link camera observations to any individual.Outputs are spot counts and bounding boxes — not identities.

2.5 What we do not collect

We do not collect biometric data, government IDs, financial account credentials, or any special category data under GDPR Article 9 (health, genetic, racial, political, religious, sexual orientation, trade-union membership, criminal history).

3. How we use your data and our legal bases

We use personal data only for the purposes below, on the legal bases shown:

  • Provide the Service— operate the app, suggest nearby coverage, run your subscription. Legal basis: performance of a contract.
  • Keep it secure and reliable— rate-limit abuse, investigate bugs, respond to incidents. Legal basis: legitimate interest.
  • Understand what’s useful— aggregated analytics tell us which features people use. Legal basis: consent (EU/UK/Switzerland), legitimate interest (elsewhere).
  • Communicate with you— service announcements, security alerts, replies to your questions. Legal basis: legitimate interest, or consent for non-essential marketing.
  • Comply with the law— respond to lawful requests, keep records we’re required to keep. Legal basis: legal obligation.

We do not:sell your personal data; share it with advertisers or ad networks; profile you for purposes unrelated to delivering the Service; use your data to train computer-vision or AI models — ours or any subprocessor’s.

4. Computer vision and our no-training commitment

Our spot-detection models are trained on publicly available imagery and on synthetic data we own. They are not trained on user data, user inputs, or live feeds processed for active customers.

Where we use third-party AI services (for example, model hosting), we maintain Zero Data Retention agreements where the provider supports them. Where ZDR is not available for a specific feature, we will name that feature and require your opt-in before you use it.

5. Subprocessors

We use a small number of infrastructure providers to operate the Service. Each is contractually bound to process data only on our instructions and to maintain appropriate security.

  • Vercel Inc.— web hosting and analytics. United States. EU–US Data Privacy Framework certified.
  • Google LLC (Google Analytics 4)— aggregated website analytics. United States. EU–US Data Privacy Framework certified. Loaded only with your consent in EU/UK/Switzerland.
  • Resend, Inc.— transactional email (waitlist confirmations, account notices). United States.
  • Paddle.com Market Limited— merchant of record for Android and web subscriptions. United Kingdom.
  • RevenueCat, Inc.— subscription management for iOS. United States.

We give 30 days’ notice before adding or replacing a subprocessor that processes personal data. To subscribe to changes or request the current list with DPA links, email legal@parkspot.ai.

6. Cookies and analytics

We use a small set of cookies and analytics:

  • Essential cookies— session, authentication, CSRF, and consent state. These cannot be turned off.
  • Vercel Web Analytics— cookieless, aggregated traffic and Core Web Vitals.
  • Google Analytics 4— aggregated pageview and event data, IP-anonymized. Loads only with your consent in the EU/UK/Switzerland; opt-out available elsewhere via the cookie banner or your browser’s Global Privacy Control / Do Not Track signal.

You can change your cookie choices any time via the Cookie settings link in the footer.

7. How long we keep your data

  • Account email and profile— for the life of your account. Deleted within 30 days of account closure; encrypted backups roll off within 90 days.
  • Waitlist email (no account)— until you ask us to delete it, or 24 months from your last interaction, whichever is sooner.
  • Camera frames— processed in memory and discarded; never written to disk.
  • IP address (rate limiting)— held in memory for up to 60 seconds, then discarded.
  • Usage events— aggregated metrics retained 14 months (GA4 default).
  • Payment records— kept by our payment processors for the period required by applicable tax and consumer-protection law (typically 7 years).
  • Support correspondence— 24 months from last contact, then deleted.

When the law requires us to keep data longer (tax, dispute, security incident), we keep only what’s strictly required and delete the rest.

8. Your rights

Depending on where you live, you have some or all of these rights:

  • Access— get a copy of the personal data we hold about you.
  • Correction— fix inaccurate data.
  • Deletion— ask us to erase your data (subject to legal obligations we cannot waive).
  • Portability— get your data in a machine-readable format.
  • Object or restrict— stop specific processing or marketing.
  • Withdraw consent— wherever we rely on consent, you can withdraw at any time without affecting prior processing.
  • Complain— to your local data-protection authority. We’d rather you came to us first — we’ll do our best to fix the problem.

To exercise any right, email legal@parkspot.ai. We respond within 30 days. No charge for reasonable requests.

9. International data transfers

Our infrastructure operates globally. When personal data leaves your region (for example, EU to United States), we use appropriate safeguards:

  • EU–US Data Privacy Framework for transfers to DPF-certified US subprocessors.
  • UK Extension to the EU–US DPF (UK–US Data Bridge) for UK transfers to DPF-certified US subprocessors.
  • Standard Contractual Clauses under European Commission Decision 2021/914 Module 2, where DPF does not apply.
  • UK International Data Transfer Addendum to the EU SCCs.

Copies of the safeguards in place for any specific transfer are available on request from legal@parkspot.ai.

10. Security

  • TLS 1.2+ on all traffic. HSTS preloaded for parkspot.ai.
  • Encrypted storage at rest. Secrets in managed secret stores, never in source code.
  • Least-privilege access controls and audit logging on production systems.
  • Strict CSP, frame-ancestors none, origin-pinned CSRF protection on mutation endpoints.
  • Regular dependency scanning and security testing.

Breach notification. If a personal-data breach is likely to result in risk to your rights, we notify you and the relevant supervisory authority within 72 hours, in line with GDPR Article 33 and equivalent state laws.

Report a suspected vulnerability to legal@parkspot.ai. We treat good-faith disclosures with care.

11. European users (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, the following supplements this Privacy Policy under Regulation (EU) 2016/679 (GDPR) and the UK GDPR.

Controller. Parkspot is the controller for the personal data described above. For data sent to Parkspot by an enterprise customer (a city or fleet) on behalf of its own users, that customer is the controller and Parkspot is the processor.

Legal bases. The bases on which we process your data are listed in section 3 above (contract, legitimate interest, consent, legal obligation).

Your rights.Access, rectification, erasure, restriction, objection, portability, withdrawal of consent, and the right to complain to your local supervisory authority — all listed in section 8 above. The list of EU supervisory authorities is at edpb.europa.eu/about-edpb/about-edpb/members_en. The UK supervisory authority is the Information Commissioner’s Office (ico.org.uk).

No automated decisions with legal effects. We do not make decisions producing legal effects about you using automated processing alone. Spot suggestions in the app are informational and do not, by themselves, restrict your rights or cause legal consequences for you.

International transfers. See section 9 above.

12. California users (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, gives you the rights below.

  • Right to know what categories of personal information we collect, the sources, the purposes, and the categories of third parties we share with.
  • Right to delete personal information we have collected about you, subject to exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale or sharing.We do not sell personal information and we do not share it for cross-context behavioral advertising. There’s nothing to opt out of.
  • Right to limit use of sensitive personal information. We do not use sensitive personal information for any purpose that would trigger this right.
  • Right to non-discrimination for exercising any CCPA right.

We honor the Global Privacy Control signal as a valid opt-out request from California browsers. To exercise any other right, email legal@parkspot.ai. Authorized agent requests accepted with written authorization.

13. Children

Parkspot is intended for users aged 18 or over. We do not knowingly collect personal information from anyone under 18. If you believe a minor has submitted data to us, email legal@parkspot.aiand we’ll delete it.

14. Changes to this policy

We update this policy when our practices change. Material changes are notified by email (for accountholders) and by a notice on the Service for at least 30 days. The “Effective” date at the top of this page always reflects the current version. Continued use after the effective date is acceptance of the updated policy.

15. Contact

Questions about this policy, your data, or to report a security issue: legal@parkspot.ai. General support: support@parkspot.ai.