Pitlane ("we," "our," or "us") is a cloud platform built for independent auto repair shops. The Service is operated by Auto Shift Media LLC, an Ohio limited liability company. This policy explains what information we handle, how we use it, who we share it with, and the choices you have. You can reach us at support@usepitlane.com. This policy is incorporated into our Terms of Service.
Pitlane handles data in two different roles, and your rights depend on which applies:
We collect information you provide directly and information generated through use of the platform:
We do not sell your personal information, we do not share it for cross-context behavioral advertising, and we do not use your business data, customer data, or AI prompts to train any AI model.
We do not sell your personal information. We share data only as necessary to operate the platform, and only with vetted service providers:
We may also disclose information if required by law, subpoena, or legal process, in connection with a merger, acquisition, or sale of assets, or to protect the rights, property, or safety of Pitlane, our users, or the public.
When a Pitlane-using auto repair shop collects your phone number (provided to the shop in person at the time of service intake, after the shop has verbally asked and you have agreed) and sends you SMS messages through the platform, additional protections apply. The full opt-in and consent disclosure, sample messages, frequency, and opt-out instructions are published at usepitlane.com/sms.
PitCrew uses large language models operated by Anthropic (Claude) to generate suggested text. The same provider also powers our public website-audit tool. When you trigger an AI action, the following may be transmitted to Anthropic over an encrypted connection:
We do not deliberately send structured fields such as full customer phone numbers, mailing addresses, email addresses, or payment identifiers, and we do not send full customer contact lists or unrelated business data. Because some fields are free text (a typed concern, a note, a review), it is possible for information you type there to be included; do not enter data you would not want processed by our AI provider.
Under Anthropic's commercial terms, data submitted through its API is not used to train Anthropic's models. We do not separately store the content of your prompts or PitCrew's responses; we retain only token-count metadata for metering and abuse prevention. You can turn off the optional morning briefing in your settings, and on-demand AI suggestions are generated only when you or your staff trigger them, so if you do not use those features no data is sent for them. Our public demo returns canned responses and does not call the AI provider.
We retain your data for as long as your account is active. Message bodies, contacts, vehicles, and service records are kept until you delete them or close your account, except where longer retention is required by law, needed to resolve disputes, or necessary to enforce our agreements.
Account owners can delete the account at any time from settings. Deletion, confirmed through a type-to-confirm flow, is immediate and irreversible: it removes your organization's data from our database and your login from our authentication provider, with no grace period or recovery. Two platform-level operational logs (application events and pageview records) are not tied to your organization and are purged on rolling schedules (within 60 and 180 days, respectively) rather than at the moment of deletion. Records held by our sub-processors (for example Stripe billing records and Twilio/Resend message-delivery logs) are retained under their own policies; deleting your Pitlane account does not by itself delete those, though you may request their deletion from us or the provider. Anonymized, aggregated metrics may be retained.
We use a range of security measures, including TLS/HTTPS encryption in transit (enforced via HSTS and edge termination), a strict nonce-based Content Security Policy, rate limiting on sensitive endpoints, webhook signature verification on third-party callbacks (Stripe and Twilio), and AES-256-GCM encryption at rest for sensitive credentials such as per-shop SMS authentication tokens. Tenant isolation is enforced at the application layer, which automatically scopes every data query to your organization, backed by deny-all database policies against anonymous access as defense in depth. Authentication, session cookies, and password handling are provided by Supabase Auth. Tax identifiers submitted for SMS brand registration are transmitted to Twilio Trust Hub but are not stored in our database. Pitlane runs on SOC 2-compliant infrastructure and follows SOC 2-aligned practices; we are not ourselves SOC 2 certified. No system is completely secure, but we take reasonable precautions and review our posture regularly.
Self-service. Account owners can export their organization's data as a downloadable archive from account settings, edit or correct records directly in the platform, and delete the account (Section 8) at any time.
By request. You may also request access to, correction of, portability of, or deletion of your personal data by emailing support@usepitlane.com. We will verify and respond within 30 days (extendable where the law allows). If you are a vehicle owner whose information a shop holds in Pitlane, that shop is the controller of your data — contact the shop, and we will support the shop in fulfilling your request.
Depending on your state of residence (including California under the CCPA/CPRA, and Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws), you may have the right to:
We do not sell or share personal information, and we do not use it for targeted advertising, so there is no sale or sharing to opt out of. We honor browser Global Privacy Control (GPC) signals for analytics as described in Section 13. We do not use personal information to make decisions producing legal or similarly significant effects, and we do not offer financial incentives for your data. To exercise any right, email support@usepitlane.com; you may use an authorized agent. We will not discriminate against you for exercising your rights, and we verify requests before responding. If we deny a request, you may appeal by replying to our decision. Where Pitlane acts as a processor/service provider for a shop, we will route your request to the shop or assist the shop in fulfilling it.
Pitlane is a business-to-business service and is not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.
Essential cookies. We set cookies to maintain your login session (managed by Supabase Auth), to remember your active shop, and to protect against cross-site request forgery. These are required for the platform to function.
Analytics. We use Vercel Analytics and Speed Insights for aggregate web-vitals reporting (cookieless), and a first-party pageview measurement that records the page path, external referrer, coarse IP-derived location (country, region, city), device type, and a daily-rotating hashed visitor identifier — not a raw IP. When configured, we also load Google Analytics across the site to understand traffic and pageviews; Google Analytics sets first-party cookies. We do not use any advertising, retargeting, or cross-site tracking, and we opt out of Google's interest-cohort tracking.
Global Privacy Control. If your browser sends a Sec-GPC: 1 signal — automatic in Brave and DuckDuckGo, available as an extension elsewhere — we do not load Google Analytics for your visit. The signal is honored server-side, not just disclaimed here. (Our cookieless first-party measurement still runs.)
Other ways to opt out of GA. Use the official Google Analytics opt-out browser add-on, or block analytics domains in your browser’s tracking-protection settings. We do not display a cookie consent popup because Pitlane targets U.S.-based shops and does not use any tracking that triggers EU/UK consent requirements; if that ever changes, this policy and the platform will be updated together.
Pitlane is operated from the United States and stores and processes data on infrastructure located in the United States. If you access the Service from outside the United States, you understand that your information will be transferred to, stored, and processed in the United States, where data-protection laws may differ from those in your jurisdiction, and you consent to that processing.
If we become aware of a security breach that compromises your personal information, we will investigate promptly and notify affected users and, where required, the relevant authorities, in accordance with applicable law and without undue delay. Where Pitlane acts as a processor for a shop, we will notify the shop so it can meet its own notification obligations to its customers.
Our public demo account uses shared credentials and is intended for evaluation only. Any data you enter into the demo may be visible to other demo visitors and may be reset or deleted at any time. Outbound actions (messages, AI calls, payments) are stubbed in the demo and do not reach real customers. Do not enter real customer information, payment details, or confidential data into the demo.
We may update this policy from time to time. We will post the updated policy with a new "Last updated" date and, for significant changes, notify you by email or by a notice in the platform. Continued use of Pitlane after changes take effect constitutes acceptance of the updated policy.
Questions about this policy, or want to exercise a privacy right? Email Auto Shift Media LLC at support@usepitlane.com.