CarWise Privacy Policy
Last updated: April 26, 2026
This Privacy Policy applies solely to the CarWise Chrome extension, published by Extensions Market. It fully discloses what data CarWise collects, how that data is used, with whom it is shared, and how it is stored and retained. By installing or using CarWise, you agree to this policy.
1. What data CarWise collects
Account data
- Email address โ collected when you create a CarWise account. Used for authentication, email verification, and account management. Stored in Google Firebase Authentication.
- User ID (UID) โ a unique identifier assigned by Firebase upon account creation. Used internally to link your usage data to your account. Never shared with any third party except as described in ยง4.
- Password โ never stored by Extensions Market. Authentication is handled entirely by Google Firebase Authentication. We never see or store your password.
Usage and subscription data
- Usage counter โ a count of how many VIN lookups you have performed in the current billing period. Used solely to enforce free plan limits. Resets monthly. Stored in Google Firestore.
- Subscription plan โ whether your account is on the free or paid plan, and your usage reset date. Stored in Google Firestore.
Vehicle data processed on request
- VIN (Vehicle Identification Number) โ when you request a vehicle history lookup, the VIN you enter (or that CarWise reads from the listing page) is transmitted from your browser to our server over HTTPS, and then forwarded to the NHTSA (National Highway Traffic Safety Administration) public API to retrieve safety ratings and open recall data. The VIN is not stored on our servers after the lookup response is returned to you.
- Vehicle listing data โ CarWise reads publicly visible listing details (make, model, year, mileage, price) from the car listing page you are currently viewing. This data is read locally in your browser and sent to our server to generate the market value analysis. It is not stored after the response is returned.
Local browser storage
- Firebase authentication tokens โ your Firebase ID token and refresh token are stored in
chrome.storage.local on your device to maintain your session. This data does not leave your device except as part of authenticated API requests to our servers. It is cleared when you sign out.
2. Data we do NOT collect
- We do not store VINs, vehicle listing details, or market value results on our servers after the response is returned.
- We do not collect or store your browsing history on any website.
- We do not use tracking pixels, advertising networks, or third-party analytics SDKs inside the CarWise extension.
- We do not collect any data from websites you visit other than car listing pages when CarWise is actively used.
- We do not sell, rent, or share your personal data for advertising purposes.
3. How your data is used
- To authenticate your account and maintain your session across browser sessions
- To enforce monthly usage limits based on your subscription plan
- To perform VIN-based safety rating and recall lookups via the NHTSA public API
- To generate market value estimates for the vehicle listing you are viewing
- To process subscription payments and manage billing via Stripe
- To send transactional emails (email verification, password reset) via Firebase
Your data is never used for advertising, profiling, or any purpose beyond operating the CarWise extension.
4. Third parties your data is shared with
CarWise shares data with the following third parties solely to operate its features. No data is shared with any other party for any purpose.
| Third Party | Data Shared | Purpose | Their Privacy Policy |
|---|
| Google Firebase |
Email address, UID, usage counter, subscription plan |
Authentication (Firebase Auth) and database (Firestore) for account and session management |
firebase.google.com/support/privacy |
| NHTSA (US Government) |
VIN number only |
Vehicle safety ratings and open recall lookup via the NHTSA public API. No personal identifiers are transmitted โ only the VIN. |
nhtsa.gov/privacy-policy |
| Stripe |
Email address, Firebase UID |
Payment processing and subscription management for paid plan users. Payment card details are entered directly into Stripe's secure form and never transmitted to our servers. |
stripe.com/privacy |
| Railway |
VIN number, vehicle listing data (in transit only) |
Cloud infrastructure hosting our API servers. Data passes through Railway servers in memory only and is not stored. |
railway.app/legal/privacy |
5. Data storage and retention
- Email address, UID โ stored in Google Firebase for as long as your account is active. Deleted within 7 days of an account deletion request.
- Usage counter and subscription plan โ stored in Google Firestore. Deleted within 7 days of an account deletion request.
- VIN and vehicle listing data โ processed in memory on our Railway-hosted servers and discarded immediately after the response is returned. Never written to disk or logs.
- Authentication tokens โ stored locally in
chrome.storage.local on your device. Cleared on sign-out. Not stored on our servers.
6. Extension permissions
CarWise requests the following Chrome permissions:
- Access to car listing pages (Craigslist, CarGurus, AutoTrader, Cars.com, and similar) โ to read publicly visible vehicle listing details (make, model, year, mileage, price, VIN) for analysis. CarWise only activates on car listing pages and does not access any other websites.
- chrome.storage โ to store your Firebase authentication tokens locally on your device to maintain your session.
7. Data security
All communication between the CarWise extension and our servers uses HTTPS/TLS encryption. Firebase Authentication tokens are short-lived (1 hour) and automatically refreshed. VINs and vehicle listing data are processed in memory and are not written to server logs. Payment processing is handled entirely by Stripe โ we never see or store payment card details.
8. Your rights
- Access โ you may request a copy of the personal data we hold about you (email, UID, usage data).
- Correction โ you may ask us to correct inaccurate account data.
- Deletion โ you may request deletion of your account and all associated data. We will complete this within 7 days of a verified request.
- Portability โ you may request your account data in a machine-readable format.
To exercise any of these rights, email [email protected].
9. Children's privacy
CarWise is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
10. Changes to this policy
We may update this policy as CarWise evolves. The "Last updated" date at the top reflects the most recent revision. Continued use of CarWise after changes constitutes acceptance of the updated policy.
11. Contact
Questions about this Privacy Policy or data deletion requests:
[email protected]