Heavy Parts AIHeavy Parts AI

Privacy Policy

Effective date: 2026-05-14 Last updated: 2026-05-14

This Privacy Policy describes how heavyparts.ai (operated by Heavy Parts AI LLC, "we", "us", "our") collects, uses, shares, and protects your personal information when you use our Service.

By using the Service, you consent to the practices described here. If you do not agree, do not use the Service.

1. Information We Collect

1.1 Information you provide

  • Account information: Name, email address, password (managed by Clerk, never stored by us in plaintext), and any optional profile details.
  • Payment information: Billing name, billing address, and payment card details — collected and processed by Stripe. We do not store full card numbers or CVV codes. We receive only the last 4 digits, card brand, and a Stripe customer/subscription ID for reference.
  • Query content: The text of queries you submit, including part numbers, model identifiers, VIN numbers, machine descriptions, and any contextual details you include.
  • Communications: Information shared when contacting support (team@heavyparts.ai), submitting feedback, or completing forms.
  • Corporate inquiry data: If you submit a corporate inquiry form: company name, contact name, email, phone (optional), estimated team size, region, and message text.

1.2 Information collected automatically

  • Usage data: Queries per day/month, search modes used, features accessed, response times, error events, widget interactions.
  • Device and connection data: IP address, browser type and version, operating system, screen size, referring URLs, timestamps.
  • Cookies and similar technologies: See Section 6 for full details.
  • Session recordings: We record anonymized session interactions via our product analytics provider for usability research and debugging. Input fields (passwords, payment information) are automatically masked.

1.3 Information from third parties

  • Identity provider (Clerk): When you sign in with a third-party identity provider (e.g., Google), we receive basic profile information shared by that provider per your authorization.
  • Payment processor (Stripe): We receive subscription status, billing events, and customer ID updates.
  • VIN decoding partners: If you submit a Vehicle Identification Number, the VIN is sent to third-party VIN-decoding services to retrieve vehicle metadata. The decoded data is then associated with your account.

2. How We Use Information

We use the information collected to:

  • Provide, operate, secure, and improve the Service
  • Authenticate users and manage accounts
  • Process payments and manage subscriptions
  • Process queries by routing them to AI providers (see Section 3)
  • Personalize and improve search results
  • Communicate with you about your account, billing, security alerts, and Service updates
  • Send promotional communications (with consent or where permitted by law; you can opt out at any time)
  • Detect, prevent, and address fraud, abuse, security issues, and technical problems
  • Calculate quota usage and enforce subscription limits
  • Comply with legal obligations
  • Enforce our Terms of Service and Acceptable Use Policy

3. Third-Party Service Providers

We share your information with categories of third-party service providers to operate the Service. Each category has its own privacy practices governed by the provider's own policies. Where required by law, we use Standard Contractual Clauses or equivalent safeguards for international data transfers.

3.1 Authentication

We use Clerk (https://clerk.com/legal/privacy) as our identity and authentication provider. Clerk manages account credentials, session tokens, and login flows.

3.2 Payments

We use Stripe (https://stripe.com/privacy) as our payment processor. Stripe collects and processes payment card details, billing addresses, and transaction data on our behalf. Stripe is PCI-DSS compliant. We rely on Stripe's fraud detection and tax calculation services for transactions.

3.3 AI service providers

When you submit a query, portions of your query content and limited account context are transmitted to one or more third-party AI service providers for inference. These include:

  • Large language model providers — for response composition, classification, summarization, and analysis
  • Embedding model providers — for semantic search and matching across our internal datasets
  • Web-augmented search and retrieval providers — for surfacing real-time public information related to your query

We select these providers based on capability, performance, and cost, and we may add, remove, or rotate providers over time. Each provider operates under its own privacy policy and may briefly retain query data for abuse prevention, debugging, and service quality.

Do not submit queries containing sensitive personal information about third parties, trade secrets, regulated data (e.g., protected health information), or confidential information you are not authorized to share.

3.4 Search and enrichment partners

We use third-party services to surface web search results, shopping listings, mapping data, dealer directories, and reference documents related to your query. Your query text and account-derived parameters (e.g., approximate location for location-aware features) may be transmitted to these providers.

3.5 VIN decoding partners

If you submit a Vehicle Identification Number, the VIN is transmitted to government and commercial VIN-decoding services to retrieve vehicle metadata. The decoded data is then associated with your account.

3.6 Hosting and infrastructure providers

We use third-party providers for:

  • Database hosting — storage of account data, sessions, and query history
  • Application hosting — backend and frontend infrastructure
  • Object storage — cached images and related media
  • Image processing — for technical diagrams and parts photos

3.7 Analytics and monitoring

We use a third-party product analytics provider to measure how the Service is used, identify usability issues, and improve features. This includes anonymized event tracking, error monitoring, and session recordings. All input fields (passwords, payment information, etc.) are automatically masked in session recordings.

3.8 Internal team notifications

We use a third-party messaging service for internal team alerts (e.g., new signup, subscription event). Only event metadata (such as your email address and event type) is included in these internal notifications. Query content, payment details, and other sensitive data are not transmitted to this service.

3.9 Other disclosures

We may also share information:

  • With law enforcement, regulators, or other government bodies where legally required, or to investigate fraud, security incidents, or violations of our Terms
  • With professional advisors (lawyers, accountants) under confidentiality obligations
  • In connection with a business transaction (merger, acquisition, asset sale, financing) — you will be notified before your data is transferred to a different controller

We do not sell your personal information.

4. Legal Bases for Processing (EU/UK Users)

If you are in the EU, EEA, UK, or Switzerland, we process your personal data under the following legal bases:

  • Contract performance — to provide the Service you have subscribed to
  • Legitimate interest — to improve the Service, prevent fraud, secure our systems, and communicate about your account
  • Consent — for optional analytics cookies, non-essential session recordings, and promotional emails (you can withdraw consent at any time)
  • Legal obligation — to comply with applicable laws (tax, regulatory reporting, law enforcement requests)

5. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your account and associated data, subject to legal retention requirements
  • Portability: Receive your data in a structured, machine-readable format
  • Restriction / objection: Restrict or object to certain processing activities
  • Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior lawful processing
  • Lodge a complaint: Contact a supervisory authority (EU/UK) or other applicable regulator

California residents (CCPA / CPRA)

You also have the right to:

  • Know what categories of personal information we collect, the purposes, and the categories of third parties we share with (all detailed above)
  • Opt out of "sales" of personal information (we do not sell personal information)
  • Limit use of sensitive personal information (we do not use sensitive personal information beyond what's needed to provide the Service)
  • Non-discrimination for exercising your rights

How to exercise your rights

Email team@heavyparts.ai with the subject line "Privacy Request" and tell us which right you want to exercise. We will respond within 30 days (or longer if extended by law). We may need to verify your identity before fulfilling certain requests.

6. Cookies and Tracking Technologies

We use cookies and similar technologies (localStorage, sessionStorage) for:

  • Strictly necessary: authentication tokens (Clerk session), CSRF protection, load balancing. These cannot be disabled without breaking the Service.
  • Functional: remembering your search mode preference, theme, and UI preferences (sessionStorage)
  • Analytics: third-party product analytics cookies to count unique users and measure usage patterns

You can disable non-essential cookies via your browser settings. Disabling strictly necessary cookies will break authentication and core features.

We do not use third-party advertising cookies.

7. Data Retention

Data categoryRetention period
Account data (while account is active)Indefinite
Account data (after account closure)Up to 90 days for backup recovery, then deleted (except legally required records)
Session and query historyIndefinite while account is active; inactive sessions older than 90 days may be archived or deleted
Payment and billing records7 years (US tax recordkeeping requirement)
Analytics dataUp to 12 months at event level, then aggregated
Support communicationsUp to 3 years
Internal team notification logsRetained per the underlying messaging provider's policies
Billing events log (App_Billing_Events)90 days (auto-expires)

You can request earlier deletion by contacting team@heavyparts.ai, subject to the legal retention requirements above.

8. International Data Transfers

heavyparts.ai is operated from the United States. Our infrastructure and AI service providers may store and process data in multiple regions, including the US and EU.

If you are located outside the US, your data will be transferred to and processed in the US and possibly other countries that may have different data protection laws than your jurisdiction. Where required by law, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards approved by EU/UK data protection authorities for international transfers.

9. Security

We use industry-standard security practices to protect your data:

  • Encryption in transit — TLS / HTTPS for all data flowing between you, our servers, and third-party providers
  • Encryption at rest — database encryption at our hosting providers, Stripe PCI-compliant payment storage, encrypted object storage
  • Authentication and access controls — Clerk-managed authentication with secure token handling
  • Webhook signature verification — all incoming webhook events from Clerk are cryptographically verified
  • Dependency vulnerability scans — regular monitoring of third-party packages
  • IP-based rate limiting — to detect and mitigate abuse
  • Prompt injection sanitization — AI inputs and outputs are filtered for known injection patterns
  • Principle of least privilege — internal access to user data is restricted to authorized team members on a need-to-know basis

No system is 100% secure. We cannot guarantee absolute security. If we become aware of a data breach affecting your personal data, we will notify you and applicable authorities as required by law.

10. Children's Privacy

The Service is intended for users 18 and older. We do not knowingly collect personal information from anyone under 13 (in compliance with COPPA in the US) or, where applicable, under 16. If you believe a child has provided us with personal data, contact team@heavyparts.ai and we will delete it promptly.

11. Do Not Track

Some browsers send "Do Not Track" signals. The Service does not currently respond differently to these signals because there is no industry-standard interpretation. We may revisit this if a clear standard emerges.

12. Automated Decision-Making

We do not make legally significant or similarly significant decisions about you based solely on automated processing. AI-generated responses are content output to you — they do not directly affect your legal rights or benefits.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to the address on file or by in-app notice at least 14 days in advance. The "Last updated" date at the top reflects the most recent revision.

Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

14. Contact

For privacy questions, requests, or to exercise your rights, contact:

heavyparts.ai Heavy Parts AI LLC 30 N Gould St, STE R, Sheridan, WY 82801, USA Email: team@heavyparts.ai Subject line: Privacy Request

For EU/UK users, you may also contact our data protection point of contact at the same email. You also have the right to lodge a complaint with your local supervisory authority.