Privacy Policy
Last updated: 28 April 2026 · Effective immediately
At karspec.com we take your privacy seriously. This policy explains what personal data we collect, how we use it, and your rights in relation to that data.
1. Who We Are
karspec.com is a vehicle history report service operated in Kenya. If you have questions about this policy or your data, contact us at hello@karspec.com.
2. Data We Collect
2.1 Account data
When you register or sign in, we collect your email address and, where you use Google OAuth, your Google profile email. We do not store your Google password.
2.2 Search & report data
When you search for a vehicle, we record the chassis / VIN number queried, the report tier purchased, and a timestamp. This is used to restore your purchased access when you log back in.
Search history (the list of VINs you have looked up successfully) is also stored in your browser's localStorage for convenience. This data never leaves your device unless you submit a new search.
2.3 Payment data
Payment processing is handled entirely by Pesapal. We do not store card numbers, M-Pesa PINs, or any other sensitive payment credentials. We receive a transaction reference, the purchase amount, and a status confirmation from Pesapal after a completed payment.
If you provide an email address at checkout, it is forwarded to Pesapal for receipt purposes only.
2.4 Technical data
Like most web services, our servers may log standard request metadata such as IP address, browser type, and pages visited. These logs are used solely for security and debugging purposes and are not sold or shared.
3. How We Use Your Data
- Authentication — to verify your identity and protect your account.
- Report access entitlement — to link purchased report tiers to your account so you can access them across devices.
- Payment processing — to initiate and confirm transactions via Pesapal.
- Service communication — to send email confirmation of account creation or password resets. We do not send unsolicited marketing emails.
- Security & fraud prevention — to detect and respond to abuse or suspicious activity.
- Service improvement — aggregate, anonymised usage data may be used to improve the platform.
4. Third-Party Sub-processors
We share limited personal data with the following trusted third parties to operate the Service:
| Provider | Purpose | Data shared |
|---|---|---|
| Supabase | Auth & database | Email, purchase records |
| Pesapal | Payment processing | Email (optional), order ref |
| Google OAuth | Optional sign-in | Email (from Google profile) |
| Auction data providers | Vehicle data source | VIN / chassis number queried |
We do not sell your personal data to advertisers or data brokers.
5. Cookies & Local Storage
We use HTTP-only session cookies for authentication (managed by Supabase) and a lightweight purchase-entitlement cookie to serve your report without requiring a server round-trip on every page load.
Your recent search history (VIN numbers you have successfully looked up) is stored in your browser's localStorage only — it is not sent to our servers unless you trigger a new search. You can clear it at any time by clearing your browser storage.
We do not use advertising trackers or third-party analytics cookies.
6. Data Retention
- Account data is retained for as long as your account is active. If you request deletion, your account and associated purchase records will be removed within 30 days.
- Payment transaction records may be retained for up to 7 years to comply with Kenyan financial record-keeping obligations.
- Server logs are retained for a maximum of 90 days and then deleted.
7. Your Rights
You have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data (e.g. your email address).
- Delete your account and associated personal data (subject to legal retention obligations).
- Object to processing where we rely on legitimate interests.
- Data portability — request a copy of your data in a machine-readable format.
To exercise any of these rights, email us at hello@karspec.com. We will respond within 14 days.
8. Data Security
All data is transmitted over HTTPS. Database records are stored in Supabase, which employs encryption at rest. Authentication tokens are stored in HTTP-only, secure cookies to mitigate XSS risks. We conduct periodic security reviews and apply dependency updates promptly.
Despite these measures, no system is completely secure. In the event of a data breach affecting your personal information, we will notify affected users within 72 hours of discovery.
9. Children's Privacy
karspec.com is not directed at children under 18. We do not knowingly collect personal data from minors. If we become aware that a minor has provided us with personal data, we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the revised policy on this page with an updated date. For material changes, we will notify registered users by email.
11. Contact
Questions or concerns about this Privacy Policy? Contact our team at hello@karspec.com.