---
Introduction
Carzone ("we," "our," or "us") operates the website car-zone.online and related mobile applications (collectively, the "Platform"). This Privacy Policy explains how we collect, use, store, share, and protect your personal information when you use our Platform. By accessing or using Carzone, you agree to the terms of this Privacy Policy.
Carzone is a vehicle marketplace platform based in Iraq, connecting buyers and sellers of vehicles. We are not a party to any vehicle transaction — all sales are bilateral agreements between buyers and sellers.
---
# 1.1 Information You Provide Directly
**Account Information:**
- **Phone Number (Required):** Your Iraqi mobile phone number (+964) is required to create an account. We use it for identity verification via one-time password (OTP) sent through WhatsApp or SMS.
- **Name (Optional):** You may provide your name for your public profile.
- **Profile Photo (Optional):** You may upload a profile picture, which is stored on our cloud servers.
- **City and District (Optional):** You may select your geographic location to improve search relevance.
- **Language Preference:** Your choice of English, Arabic, or Kurdish for the interface.
**Listing Information:**
- When you create a vehicle listing, we collect: vehicle brand, model, trim, year, mileage, condition, paint condition, fuel type, transmission type, features, description, title, asking price, and location (city/district).
- **Vehicle Images:** Photos you upload of your vehicle are stored on Amazon Web Services (AWS) S3 cloud storage. A watermark is automatically applied to protect your images.
- **Vehicle Identification Number (VIN):** If you use our VIN check feature, the VIN you enter is sent to public government databases (NHTSA, EPA) and our auction data provider for vehicle history lookup.
**Payment Information:**
- When you purchase a listing plan, payment is processed through First Iraqi Bank (FIB). We store your payment transaction ID, amount, plan selected, and payment status. We do **not** store your bank card details — these are handled entirely by FIB's secure payment gateway.
**Reports and Communications:**
- If you report a listing or user, we collect the reason, description, and your user ID.
- If you contact us for support, we retain those communications.
# 1.2 Information Collected Automatically
**Device and Usage Data:**
- **IP Address:** Collected when you view listings, use the VIN check feature, or interact with the Platform. Used for rate limiting, view deduplication, and approximate geographic detection.
- **Session Identifiers:** Random session IDs generated on your device to prevent duplicate view counts.
- **Push Notification Tokens:** If you enable notifications, we store your device's push notification token and platform type (iOS or Android) to deliver notifications.
**Analytics Data:**
- **Google Analytics 4:** We use Google Analytics to understand how users interact with our Platform. This collects anonymized usage data including pages viewed, time spent, device type, browser type, and referral sources. Google Analytics uses cookies and similar technologies.
- **Meta (Facebook) Pixel:** We use Meta Pixel to measure the effectiveness of our advertising. This tracks page views and specific events (e.g., completing registration). This data is shared with Meta Platforms, Inc.
- **Vercel Analytics:** We use Vercel Analytics to monitor website performance (page load times, Web Vitals). This data is anonymized.
**Engagement Data:**
- **Listing Views:** We record when listings are viewed, including the listing ID, viewer's user ID (if logged in), IP address, and timestamp.
- **Contact Requests:** When you tap "Call" or "WhatsApp" on a listing, we record the contact method, listing ID, and your user ID (if logged in) for analytics purposes.
- **Favorites:** Listings you save to your favorites are stored in your account.
# 1.3 Location Data (Mobile App Only)
- With your explicit permission, we access your device's GPS to detect your nearest city for search filtering.
- Location data is processed **on your device only** — we do not store your GPS coordinates on our servers.
- You can deny location permission at any time. The Platform defaults to showing all cities if permission is not granted.
- We only request foreground location access; we never track your location in the background.
---
We use your information for the following purposes:
| Purpose | Data Used |
|---------|-----------|
| **Account creation and authentication** | Phone number, OTP codes |
| **Displaying your listings to buyers** | Listing details, images, city/district, your name (if provided) |
| **Processing listing plan payments** | Payment amount, method, transaction ID, listing ID |
| **Sending notifications** | Push tokens, phone number (for WhatsApp/SMS status updates) |
| **Improving search relevance** | City preference, GPS (if permitted), language preference |
| **Preventing fraud and abuse** | IP address, session IDs, rate limiting data, reports |
| **Platform analytics and improvement** | Aggregated view counts, contact counts, usage patterns |
| **Advertising measurement** | Google Analytics data, Meta Pixel data |
| **Legal compliance** | All data as required by applicable Iraqi law |
| **Customer support** | Communications, account data |
| **VIN vehicle history checks** | VIN number (sent to public databases and auction provider) |
We do **not** use your data for:
- Selling your personal information to third parties
- Automated decision-making or profiling that produces legal effects
- Unsolicited marketing communications (you only receive transactional notifications about your listings)
---
# 3.1 Public Visibility
- **Your listings** (title, description, price, images, vehicle details, city) are publicly visible to all Platform visitors.
- **Your name** (if provided) is shown on your listings and public profile.
- **Your phone number is NOT publicly visible.** It is hidden behind a rate-limited reveal button accessible only to authenticated (logged-in) users. Unauthenticated visitors cannot see your phone number.
# 3.2 Legal Disclosure
We may disclose your information if required by:
- Iraqi law, regulation, or legal process
- A valid court order or government request
- Protection of our rights, property, or safety, or that of our users or the public
- Investigation of fraud, security breaches, or terms of service violations
# 3.3 Business Transfers
If Carzone is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify users of any such change in ownership or control.
---
# 4.1 Where Your Data Is Stored
- **Database:** Supabase cloud infrastructure
- **Images:** Amazon Web Services S3 (eu-north-1 region, Stockholm)
- **Website hosting:** Vercel (global CDN)
# 4.2 Security Measures
We implement the following security measures:
- **Row-Level Security (RLS):** Database-level access controls ensure users can only access their own data. Moderators follow strict role-based access controls.
- **Encrypted connections:** All data transmitted between your device and our servers uses HTTPS/TLS encryption.
- **Secure token storage:** Authentication tokens on mobile devices are stored in encrypted secure storage (iOS Keychain / Android Encrypted Shared Preferences).
- **Rate limiting:** API endpoints are rate-limited to prevent abuse (e.g., 20 phone reveals per IP per hour, daily VIN check limits).
- **Content Security Policy (CSP):** Strict browser security headers prevent cross-site scripting and injection attacks.
- **HSTS:** HTTP Strict Transport Security enforced with 1-year duration.
- **Admin audit logging:** All administrative actions are logged and retained for 90 days.
# 4.3 Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Investigate and contain the breach promptly
- Notify affected users within 72 hours via WhatsApp/SMS
- Notify relevant Iraqi authorities as required by law
- Provide guidance on steps you can take to protect yourself
---
As a Carzone user, you have the right to:
# 6.1 Access Your Data
You can view your personal information through your profile settings, your listing history, and your favorites.
# 6.2 Correct Your Data
You can update your name, profile photo, city, district, and language preference at any time through the app or website.
---
Carzone is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18. If we discover that we have collected data from a child under 18, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at **support@car-zone.online**.
---
Our Platform may contain links to external websites or services (e.g., WhatsApp for contacting sellers, social media sharing). We are not responsible for the privacy practices of these third-party services. We encourage you to read their privacy policies before sharing your information.
---
We may update this Privacy Policy from time to time. When we do:
- The "Last Updated" date at the top will be revised.
- For significant changes, we will notify users via push notification or WhatsApp message.
- Continued use of the Platform after changes constitutes acceptance of the updated policy.
We recommend reviewing this policy periodically.
Last updated: March 19, 2026