Privacy Policy

1. Introduction

This Privacy Policy explains how Carculus Automotive LLC (“Carculus,” “we,” “our,” or “us”) and its wholly-owned subsidiary Carculus Finance LLC (“Carculus Finance”) collect, use, disclose, and safeguard your personal information when you use the Carculus website at carculus.ai, our mobile applications, and all related services (collectively, the “Services”). Carculus operates as both an online automotive marketplace and, through Carculus Finance, as a direct consumer lender licensed under the California Finance Lenders Law.

Because we process financial transactions, originate consumer loans, pull credit reports, and facilitate vehicle purchases, we are subject to federal and state privacy laws including the Gramm-Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable regulations. This Privacy Policy is designed to satisfy the requirements of all applicable laws.

By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Services.

2. Information We Collect

2.1 Information You Provide Directly

Account Registration: Name, email address, phone number, mailing address, and account credentials.

Vehicle Purchases: Contact information, delivery address, payment method details (for cash purchases processed through the Platform), and transaction preferences.

Credit Applications: When you apply for financing through Carculus Finance, we collect: full legal name, date of birth, Social Security number, residential address and history, employment information and income, bank account information, and other information required to evaluate your creditworthiness. This information is collected by Carculus Finance as the direct lender and is used to originate and service your loan.

Trade-In Information: If you request a trade-in valuation, we collect: vehicle identification number (VIN), year, make, model, trim, mileage, condition details, photographs you provide, payoff information (if applicable), and title status. Trade-in valuations are generated by Carculus and may be shared with the selling dealer with your consent as described in Section 4.

Dealer Partner Information: For dealership partners, we collect: business legal name, dealer license number, business address, principal owner information, tax identification number, DMS credentials, bank account information for payment processing, and authorized user information.

Communications: Records of your communications with us, including customer support inquiries, chat transcripts, and email correspondence.

2.2 Information Collected Automatically

Device & Browser Information: IP address, browser type and version, operating system, device identifiers, screen resolution, and language preferences.

Usage Information: Pages visited, vehicles viewed, searches performed, time spent on pages, click patterns, navigation paths, and referral sources.

Location Information: Approximate location based on IP address. We may collect precise location with your explicit permission to provide location-based services such as nearby dealer identification and delivery estimates.

Cookies & Tracking Technologies: We use cookies, web beacons, pixels, and similar technologies as described in Section 8.

2.3 Information from Third Parties

Credit Reporting Agencies: When you apply for financing through Carculus Finance and authorize a credit inquiry, we obtain your credit report and credit score from one or more consumer reporting agencies (Equifax, Experian, TransUnion). This information is used solely for the purpose of evaluating your credit application and is governed by the FCRA.

Vehicle Data Providers: We obtain vehicle history, specification, and valuation data from third-party providers including Carfax, MarketCheck, and other automotive data services.

Identity Verification Services: For Platform Transactions where Carculus Finance originates a loan, we may use third-party identity verification services to confirm your identity as part of our fraud prevention program.

3. How We Use Your Information

Marketplace Services: To operate the Carculus marketplace, display vehicle listings, calculate True Price and Out-the-Door Price, process vehicle purchases, arrange shipping and notary services, facilitate dealer-consumer communications, and provide trade-in valuations.

Lending & Financial Services: To process credit applications submitted to Carculus Finance, make credit decisions, originate and service loans, process payments, manage loan accounts, and comply with lending regulations including the Truth in Lending Act (TILA), Equal Credit Opportunity Act (ECOA), and Fair Credit Reporting Act (FCRA).

Payment Processing: To collect and process payments for vehicle purchases. For cash purchases facilitated through the Platform, Carculus acts as a payment facilitator — collecting funds from the consumer and releasing them to the dealer upon transaction completion. For financed purchases, Carculus Finance processes loan payments via ACH transfer.

Transaction Integrity: To verify consumer identity for Platform Transactions (financed purchases where Carculus Finance originates the loan), detect and prevent fraud, and fulfill our Transaction Guarantee obligations.

Vehicle History Records: To create and maintain permanent Vehicle Detail Pages (VDPs) on carculus.ai for every vehicle listed on the Platform. These pages persist indefinitely as a public vehicle history record, even after a vehicle is sold or a dealer's participation ends. See Section 6 for details on permanent data retention.

Communications: To send transaction confirmations, delivery updates, account notifications, payment reminders, and (with your consent) marketing communications.

Analytics & Improvement: To analyze usage patterns, improve our Services, develop new features, and generate aggregated market intelligence reports that do not identify individual consumers.

Legal & Compliance: To comply with applicable laws and regulations, respond to legal process, enforce our agreements, and protect the rights, property, and safety of Carculus, our users, and the public.

4. How We Share Your Information

4.1 With Dealer Partners

Vehicle Purchases: When you complete a vehicle purchase on the Platform, we share your name, contact information, delivery address, and transaction details with the selling dealer so they can fulfill the order, prepare the vehicle, process title transfer, and complete DMV registration.

Credit Application Lead Sharing: During the credit application process, before any credit inquiry is initiated, you will be presented with a choice: (a) have your application processed by Carculus Finance only; or (b) if you are declined by Carculus Finance, reject the terms offered, or do not complete the purchase after approval, allow your information to be shared with the selling dealer as a lead so the dealer may independently attempt to arrange financing. If you choose option (b), only the following information is shared with the dealer: your name, phone number, email address, vehicle of interest, and general financing preferences (requested term and approximate payment range). The following information is NEVER shared with dealers: Social Security number, date of birth, bank account numbers, credit score, credit report data, or detailed income verification documents. Your consent choice is documented before your credit is pulled.

Trade-In Information: If you request a trade-in valuation and elect to proceed with a trade as part of a vehicle purchase, we will share your trade-in vehicle information (VIN, year, make, model, mileage, condition, and the Carculus valuation) with the selling dealer to facilitate the transaction. This sharing occurs only with your express consent. Your trade-in payoff information and personal financial details associated with the trade-in are not shared with the dealer unless you specifically authorize it.

4.2 With Service Providers

We share information with third-party vendors who perform services on our behalf, including payment processors, shipping companies, notary services, identity verification providers, cloud hosting providers, analytics providers, and customer support tools. These service providers are contractually obligated to use your information only for the services they provide to us and to maintain appropriate security measures.

4.3 Credit Reporting & Financial Services

For consumers who obtain financing through Carculus Finance, we report loan performance information to consumer reporting agencies as required by the FCRA. This includes account status, payment history, outstanding balance, and account closure information. We may also share information with loan purchasers (Forward Flow buyers or ABS investors) when loans are sold, as described in our GLBA Privacy Notice.

4.4 Legal & Regulatory Disclosures

We may disclose your information when required by law, regulation, court order, subpoena, or other legal process; when necessary to protect the rights, property, or safety of Carculus, our users, or the public; to government agencies in connection with regulatory examinations or investigations; or in connection with fraud prevention and identity theft reporting.

4.5 Business Transfers

If Carculus is involved in a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such transfer and any choices you may have regarding your information.

4.6 Information We Do Not Sell

Carculus does not sell your personal information. We do not sell consumer data to data brokers, marketing companies, or any other third party. The sharing described above is limited to what is necessary to operate our Services, comply with the law, and fulfill your transactions.

5. Credit Application Consent & Your Choices

When you submit a credit application through the Platform, you will encounter several consent mechanisms designed to give you control over your information:

Pre-Pull Consent: Before any credit inquiry is initiated, you will be asked to choose whether your application should be processed by Carculus Finance only, or whether your information may be shared with the selling dealer if you are declined, reject the offered terms, or do not complete the purchase. This choice is made before your credit is pulled and is documented with a timestamp in our records.

Credit Inquiry Authorization: By submitting a credit application, you authorize Carculus Finance to obtain your consumer credit report from one or more credit reporting agencies for the purpose of evaluating your application. This constitutes a “hard inquiry” that may affect your credit score.

Trade-In Consent: If you request a trade-in valuation, you will be asked for your consent before any trade-in information is shared with the selling dealer. You may obtain a trade-in valuation from Carculus without sharing that information with a dealer.

Marketing Consent: Marketing communications are opt-in. You will not receive marketing emails or text messages unless you affirmatively consent. You may withdraw marketing consent at any time by clicking the unsubscribe link in any marketing email or by contacting us.

6. Permanent Vehicle Detail Pages & Data Retention

Every vehicle listed on the Carculus Platform receives a permanent Vehicle Detail Page (VDP) on carculus.ai. This page is a public vehicle history record that persists indefinitely, similar to how property records persist for real estate.

When a vehicle is actively listed: The VDP displays the dealer's photos, pricing, vehicle specifications, reconditioning history, inspection records, and other listing information.

After a vehicle is sold: Transaction-specific information (pricing, dealer photos) is removed. The VDP retains non-transaction vehicle data including specifications, reconditioning history, inspection records, and historical listing data. Dealer photos are replaced with an AI-generated vehicle image.

What is NOT retained: Consumer personal information is never displayed on public VDPs. Buyer name, contact information, financing terms, credit information, and payment details are never part of a permanent vehicle record.

Vehicle data may be updated over time as additional information becomes available from public records, subsequent listings, and other data sources. This permanent vehicle history record is a core feature of the Carculus Platform and benefits future buyers by providing comprehensive vehicle provenance.

6.1 Consumer Data Retention

We retain your personal information for as long as necessary to fulfill the purposes described in this Privacy Policy and to comply with our legal obligations. Specific retention periods include:

Account Information: Retained for the duration of your account plus seven (7) years after account closure, as required for tax and regulatory compliance.

Credit Application Data: Retained for a minimum of twenty-five (25) months after the credit decision as required by the Equal Credit Opportunity Act, and longer if a loan is originated (for the life of the loan plus seven years).

Transaction Records: Retained for a minimum of seven (7) years after the transaction date for tax, regulatory, and dispute resolution purposes.

Loan Servicing Records: Retained for the life of the loan plus seven (7) years after payoff, charge-off, or sale of the loan.

Trade-In Records: Trade-in valuation records and associated vehicle data are retained for a minimum of seven (7) years. Trade-in vehicle data may be incorporated into the permanent VDP for that vehicle.

7. Gramm-Leach-Bliley Act (GLBA) Privacy Notice

Carculus Finance LLC is a financial institution subject to the GLBA. This section serves as our GLBA Privacy Notice for consumers who apply for or obtain financing through Carculus Finance.

Categories of Nonpublic Personal Information (NPI) We Collect: Information from credit applications (income, employment, assets, debts); information from consumer reporting agencies (credit history, credit scores); and information from transactions with us (loan balances, payment history, account activity).

Categories of NPI We Disclose: We may disclose NPI to: service providers who assist with loan origination, servicing, and collections; consumer reporting agencies (loan performance reporting); purchasers of loans (Forward Flow buyers, ABS investors) in connection with the sale or securitization of your loan; and government regulators and law enforcement as required by law.

Your Right to Opt Out: Under the GLBA, you have the right to opt out of certain information sharing with non-affiliated third parties. Because Carculus Finance does not share your NPI with non-affiliated third parties for their own marketing purposes, there is currently no opt-out action required. If this practice changes, we will provide you with an updated notice and opt-out mechanism before any such sharing occurs.

Safeguarding Your Information: We maintain physical, electronic, and procedural safeguards to protect your NPI in accordance with federal and state regulations. These include encryption of data in transit and at rest, access controls limiting employee access to NPI on a need-to-know basis, and regular security assessments.

8. Cookies & Tracking Technologies

We use the following categories of cookies and similar technologies:

Essential Cookies: Required for the basic functionality of the Services, including authentication, security, and session management. These cannot be disabled.

Functional Cookies: Remember your preferences and settings, such as saved vehicle searches, preferred dealers, and display preferences.

Analytics Cookies: Help us understand how visitors interact with the Services by collecting usage data in aggregate form. We use these to improve our Services.

Marketing Cookies: Used to deliver relevant advertisements and measure the effectiveness of our marketing campaigns. These are only activated with your consent.

You can manage cookie preferences through your browser settings. Disabling non-essential cookies will not affect core functionality but may limit personalization features. We honor Do Not Track (DNT) browser signals where technically feasible.

9. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

Right to Know: You may request that we disclose to you the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, the business or commercial purposes for collection, the categories of third parties with whom we shared it, and the categories of personal information we disclosed for a business purpose.

Right to Delete: You may request that we delete your personal information, subject to exceptions permitted by law (such as information necessary to complete a transaction, comply with legal obligations, or exercise legal claims). Note that credit application data, loan records, and transaction records are subject to mandatory legal retention periods that may prevent immediate deletion.

Right to Correct: You may request that we correct inaccurate personal information that we maintain about you.

Right to Opt Out of Sale or Sharing: Carculus does not sell your personal information. We do not share your personal information for cross-context behavioral advertising. Therefore, there is no sale or sharing from which to opt out at this time.

Right to Limit Use of Sensitive Personal Information: We collect sensitive personal information (Social Security number, financial account information, precise geolocation) only as necessary to provide our Services, process your transactions, and comply with legal requirements. We do not use sensitive personal information for purposes beyond those authorized by law.

Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.

How to Exercise Your Rights: Submit requests by emailing privacy@carculus.ai or by calling us at the number listed in Section 14. We will verify your identity before processing your request and will respond within 45 days (or 90 days with notice of extension). You may designate an authorized agent to submit requests on your behalf.

9.1 Categories of Personal Information Collected

In the preceding twelve (12) months, we have collected the following categories of personal information: identifiers (name, email, phone, SSN, driver's license number); financial information (bank account numbers, credit history, income); commercial information (vehicle purchase records, trade-in history); internet activity (browsing history, search history, interactions with the Services); geolocation data; professional information (employment details from credit applications); sensitive personal information (SSN, financial account numbers, precise geolocation); and inferences drawn from the above to create a consumer profile.

9.2 Categories of Sources

We collect personal information from: you directly (account creation, credit applications, trade-in requests); automatically through the Services (cookies, usage data); consumer reporting agencies (credit reports); vehicle data providers (vehicle history, specifications); and identity verification services.

9.3 Business Purposes for Collection

We collect personal information for: providing marketplace and lending services; processing transactions and credit applications; identity verification and fraud prevention; communicating with you about transactions and account activity; improving our Services; complying with legal and regulatory obligations; and creating and maintaining permanent vehicle history records.

10. Fair Credit Reporting Act (FCRA) Disclosures

Carculus Finance obtains consumer credit reports solely for the permissible purpose of evaluating credit applications submitted through the Platform. Under the FCRA, you have the following rights:

Right to Know What's in Your File: You have the right to know what is in your consumer credit file at each of the nationwide credit reporting agencies.

Right to Dispute Inaccurate Information: If you believe any information that Carculus Finance has reported to a credit reporting agency is inaccurate, you may dispute it directly with the credit reporting agency or by contacting us. We will investigate and correct any errors.

Adverse Action Notice: If your credit application is declined or approved on less favorable terms based in whole or in part on information in your credit report, Carculus Finance will provide you with an adverse action notice identifying the credit reporting agency that supplied the report, your credit score (if used), and the key factors affecting your score.

Prescreened Offers: Carculus Finance does not use prescreened credit offers. All credit applications are initiated by the consumer through the Platform.

11. Data Security

We implement technical, administrative, and physical safeguards designed to protect your personal information. These include:

Encryption of sensitive data in transit (TLS 1.2+) and at rest (AES-256); row-level security controls on our database restricting access to authorized personnel and systems; secure authentication including multi-factor authentication for sensitive operations; regular security assessments and penetration testing; employee access controls based on the principle of least privilege; incident response procedures with defined notification timelines; and secure disposal of data that is no longer needed.

While we strive to protect your information, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, and you use our Services at your own risk.

12. Children's Privacy

Our Services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a person under 18, please contact us immediately at privacy@carculus.ai and we will promptly delete the information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. We will notify you of material changes by posting the updated policy on our website with a revised “Last Updated” date, and for material changes that significantly affect how we handle personal information, by email to the address associated with your account. Your continued use of the Services after the effective date of an updated policy constitutes acceptance of the changes.