vs.carcommerce.gr and the iOS mobile app Carcommerce VS.
1. Who we are
SOFTLY IKE ("we", "us", "our") is the data controller for the personal data processed through the Carcommerce Virtual Showroom service (the "Service").
Registered office: Doiranis 13, 113 62 Athens, Greece
VAT (ΑΦΜ): EL800973647
Phone: +30 211 400 2237
Contact for privacy matters:
[email protected]
2. Scope
The Service is a business-to-business (B2B) SaaS tool used by automotive dealerships to capture, process, and publish vehicle photographs. Accounts are created and managed by the dealership ("Tenant") that subscribes to the Service. Individual employees of a Tenant use the Service under credentials issued by their Tenant administrator.
The Service is not intended for consumers, and it is not directed at children. We do not knowingly collect data from anyone under the age of 16.
3. The data we collect
The data we process falls into the categories below. We never sell personal data and we do not use it for advertising or third-party tracking.
| Category | What it includes | Why we need it |
|---|---|---|
| Account identifiers | Email address, full name, role (e.g. manager, user), a unique internal user identifier (UUID), preferred language. | To create and authenticate accounts, route users to the correct dealership, and apply role-based access control. |
| Authentication data | Hashed password, session and API tokens, last-login timestamp, device name supplied during login. | To verify identity, keep users signed in, and let administrators see which devices have active access. |
| Vehicle photos & metadata | Images uploaded by users (vehicle exterior, interior, walk-around 360° sequences), associated vehicle data (make, model, VIN, etc.), and the derived AI-processed versions of those images. | To deliver the core service: storage, AI image processing (background replacement, license-plate masking, 360° playback) and publication to the dealership’s downstream channels. |
| Diagnostic & crash data | Application crash reports, error messages, stack traces, HTTP-request breadcrumbs (URL, status code, duration). Collected via Sentry on our self-hosted instance at sentry.softly.gr. No user identifier is attached to these reports. | To detect, diagnose, and fix software defects so the Service remains stable and secure. Legitimate interest under Article 6(1)(f) GDPR. |
| Device sensor access (no data leaves the device) | The mobile app requests access to the device camera, photo library, and motion sensors. The motion sensor data is used locally to track camera angle during 360° capture and is never transmitted or stored on our servers. | To enable photo capture and guided 360° walk-around capture on the device. |
What we do not collect
- No advertising or tracking identifiers (IDFA, IDFV, ad IDs).
- No precise GPS location.
- No contacts, calendar, microphone, or health data.
- No behavioural analytics, no usage tracking across other apps or websites.
4. Legal basis for processing (GDPR Article 6)
- Performance of a contract (Art. 6(1)(b)): processing required to provide the Service to the Tenant under our master subscription agreement.
- Legitimate interests (Art. 6(1)(f)): security, fraud prevention, diagnostic and crash reporting, and the protection of the Service’s integrity. We have weighed these interests against your rights and consider them proportionate and necessary.
- Legal obligation (Art. 6(1)(c)): retention of certain records required by Greek and EU law (e.g. invoicing, tax records, dispute resolution).
5. Who processes the data on our behalf (sub-processors)
The categories of data above are stored on infrastructure we control or with the following sub-processors. All sub-processors are bound by data-processing agreements consistent with Article 28 GDPR.
| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Object storage for vehicle photographs and AI-processed media. | Nuremberg, Germany (EU) |
| Laravel Forge / DigitalOcean (application server) | Hosting the web application, API, and operational database. | EU region |
| Sentry (self-hosted by SOFTLY) | Application error monitoring. Hosted on infrastructure we control; no data leaves our environment. | Athens, Greece (EU) |
| Apple Inc. | App distribution via the App Store and TestFlight. Subject to Apple’s privacy policy. | Global |
Where any sub-processor handles data outside the European Economic Area, we rely on European Commission Standard Contractual Clauses (SCCs) and any supplementary measures necessary to ensure an essentially equivalent level of data protection.
6. How long we keep the data
- Account data — for as long as the Tenant maintains an active subscription and the user remains a member of that Tenant’s organisation.
- Vehicle photos and metadata — for the duration of the Tenant’s subscription. The Tenant can delete individual vehicles and photos at any time from the web platform or the mobile app.
- Account-deletion request (in-app) — when a user requests account deletion from the mobile app, the account is locked immediately and permanently removed 30 days later. During that 30-day window the Tenant administrator may cancel the request. After the window expires, the personal account data is deleted; vehicles created by the user remain with the Tenant unless the Tenant explicitly deletes them.
- Crash & diagnostic data — retained for up to 90 days in Sentry, then automatically purged.
- Invoices and tax records — retained for the period required by Greek law (currently 10 years).
- Backups — encrypted backups are retained for up to 35 days. Data is restored from backups only in disaster-recovery scenarios.
7. Security
- All network traffic between the apps and our servers is encrypted with TLS.
- Passwords are hashed with bcrypt; we never store plaintext credentials.
- API tokens are stored on the device in the iOS Keychain (mobile app) or in secure HTTP-only cookies (web).
- Access to production systems is limited to authorised SOFTLY personnel and is logged.
- We follow industry-standard practices for vulnerability management and patching.
8. Your rights under the GDPR
You have the following rights with respect to your personal data:
- Right of access (Art. 15): obtain a copy of the personal data we hold about you.
- Right to rectification (Art. 16): correct inaccurate or incomplete data.
- Right to erasure (Art. 17): request deletion of your personal data. You can initiate this directly from the mobile app (Settings → Account → Delete account), or by contacting us.
- Right to restriction of processing (Art. 18).
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
- Right to object (Art. 21) to processing based on legitimate interests.
- Right to lodge a complaint (Art. 77) with a supervisory authority — in Greece, the Hellenic Data Protection Authority (www.dpa.gr).
Because Service accounts are issued and managed by your dealership (the Tenant), some requests may need to be routed through your Tenant administrator. We will help you identify the right path when you contact us.
To exercise any of these rights, email [email protected]. We respond within one month, extendable by two further months for complex requests as permitted under Article 12(3) GDPR.
9. Children
The Service is a professional tool for automotive dealerships and is not intended for children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in the Service, our practices, or applicable law. The “Last updated” date at the top of this page reflects the most recent version. Material changes will be communicated to active users through the Service before they take effect.
11. Contact us
For any question, request, or concern about this Privacy Policy or your personal data:
SOFTLY IKE — Privacy
Doiranis 13, 113 62 Athens, Greece
[email protected]