Carma Project Privacy Policy

Last Updated: 5/30/2022

Carma Project, Inc.  (“Carma Project,”  “we,” “us,” or “our”), provide our Services to allow our customers to locate vehicles for purposes of protecting individuals, communities, and companies. This Privacy Policy is designed to help you understand how we collect, use, process, and share your personal information, and to help you understand and exercise your privacy rights.


This Privacy Policy applies to personal information processed by us, on our websites, mobile applications, and other online or offline offerings, including related to automotive recalls, repossession, insurance, or other services that we may provide from time to time. To make this Privacy Policy easier to read, our websites, mobile applications, and other such offerings are collectively called the “Services.”  This Policy applies to the following categories of individuals:

This Policy applies to the following categories of individuals:

This Privacy Policy does not apply to any of the personal information that we process on behalf of our Customers through their use of our Services (“Customer Data”). Our Customers’ respective privacy policies govern their collection and use of Customer Data. Our processing of Customer Data is governed by the contracts that we have in place with our Customers, not this Privacy Policy. Any questions or requests relating to Customer Data should be directed to our Customers.

Changes to our Privacy Policy. We may revise this Privacy Policy from time to time at our sole discretion. If there are any material changes to this Privacy Policy, we will notify you as required by applicable law. You understand and agree that you will be deemed to have accepted the updated Privacy Policy if you continue to use our Services after the new Privacy Policy takes effect.


The categories of personal information we collect depend on how you interact with us, our Services, and the requirements of applicable law. We collect information that you provide to us, information we obtain automatically when you use our Services, and information from other sources such as third-party services and organizations, as described below.

A. Personal Information You Provide to Us Directly

We may collect personal information that you provide to us.

B. Personal Information Collected Automatically

We may collect personal information automatically when you use our Services.

Our uses of these Technologies fall into the following general categories:

Some of the advertising Technologies we use include:

See “Your Privacy Choices and Rights” below to understand your choices regarding these Technologies.

C. Personal Information Collected from Other Sources

Third-Party Services and Sources. We may obtain personal information about you from other sources, including through third-party services and organizations.  For example, on our Customer’s behalf, we may collect vehicle identification number (VIN) or other information associated with license plate data from vehicle identification services or other third parties. For example, with respect to job applicants, we also may obtain information you provide our human resources service providers for purposes of applying for an open position. Furthermore, if you access our Services through a third-party application, such as an app store, a third-party login service, or a social networking site, we may collect personal information about you from that third-party application that you have made available via your privacy settings.


We use your personal information for a variety of business purposes, including to provide our Services, for administrative purposes, and to market our products and Services, as described below.

A. Provide Our Services

We use your information to fulfill our contracts with our Customers based on their permissions and rights with their customers or otherwise to provide you with our Services, such as:

B. Administrative Purposes

We use your information for various administrative purposes, such as:

C. Marketing and Advertising our Products and Services

Some of the ways we market to you may include email campaigns, custom audiences advertising, and “interest-based” or “personalized advertising,” including through cross-device tracking.

If you have any questions about our marketing practices or if you would like to opt out of the use of your personal information for marketing purposes, you may contact us at any time as set forth in “Contact Us” below.

D. With Your Consent

We may use personal information for other purposes that are clearly disclosed to you at the time you provide personal information or with your consent.

E. Other Purposes

We also use your personal information for other purposes as requested by you or as permitted by applicable law.

De-identified and Aggregated Information. We may use personal information to create de-identified and/or aggregated information, such as demographic information, information about the device from which you access our Services, or other analyses we create.


We disclose your personal information to third parties for a variety of business purposes, including to provide our Services, to protect us or others, or in the event of a major business transaction such as a merger, sale, or asset transfer, as described below.

A. Disclosures to Provide our Services

The categories of third parties with whom we may share your personal information are described below.

B. Disclosures to Protect Us or Others

We may access, preserve, and disclose any information we store associated with you to external parties if we, in good faith, believe doing so is required or appropriate to: comply with law enforcement or national security requests and legal process, such as a court order or subpoena; protect your, our, or others’ rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual illegal activity.

C. Disclosure in the Event of Merger, Sale, or Other Asset Transfers

If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, purchase or sale of assets, or transition of service to another provider, your information may be sold or transferred as part of such a transaction, as permitted by law and/or contract.


Your Privacy Choices. The privacy choices you may have about your personal information are determined by applicable law and are described below.

Your Privacy Rights. In accordance with applicable law, you may have the right to:

If you would like to exercise any of these rights, please contact us as set forth in “Contact Us” below. We will process such requests in accordance with applicable laws.


We take steps to ensure that your information is treated securely and in accordance with this Privacy Policy. Unfortunately, no system is 100% secure, and we cannot ensure or warrant the security of any information you provide to us. To the fullest extent permitted by applicable law, we do not accept liability for unauthorized access, use, disclosure, or loss of personal information.

By using our Services or providing personal information to us, you agree that we may communicate with you electronically regarding security, privacy, and administrative issues relating to your use of our Services. If we learn of a security system’s breach, we may attempt to notify you electronically by posting a notice on our Services, by mail, or by sending an email to you.


All information processed by us may be transferred, processed, and stored anywhere in the world, including, but not limited to, the United States or other countries, which may have data protection laws that are different from the laws where you live. We endeavor to safeguard your information consistent with the requirements of applicable laws.

If we transfer personal information which originates in the European Economic Area, Switzerland, and/or the United Kingdom to a country that has not been found to provide an adequate level of protection under applicable data protection laws, one of the safeguards we may use to support such transfer is the EU Standard Contractual Clauses.

For more information about the safeguards we use for international transfers of your personal information, please contact us as set forth below.


We store the personal information we collect as described in this Privacy Policy for as long as you use our Services, or as necessary to fulfill the purpose(s) for which it was collected, provide our Services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws.


This Supplemental Notice for California Residents only applies to our processing of personal information that is subject to the California Consumer Privacy Act of 2018 (“CCPA”). The CCPA provides California residents with the right to know what categories of personal information Carma Project has collected about them, and whether Carma Project disclosed that personal information for a business purpose (e.g., to a service provider) in the preceding twelve months. California residents can find this information below:

Category of Personal Information Collected by Carma Project Category of Third Parties Personal Information is Disclosed to for a Business Purpose
A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, or other similar identifiers.
  • Service providers
  • Business partners
  • Affiliates
  • Advertising networks
  • Data analytics providers
  • Government entities
  • Operating systems and platforms
  • Social networks
Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))
A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Personal Information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. Note: Some personal information included in this category may overlap with other categories.
  • Service providers
  • Business partners
  • Affiliates
  • Advertising networks
  • Data analytics providers
  • Government entities
  • Operating systems and platforms
  • Social networks
Professional or employment-related information
Current or past job history or performance evaluations.
  • Service providers

The categories of sources from which we collect personal information and our business and commercial purposes for using personal information are set forth in “Personal Information We Collect” and “How We Use Your Personal Information” above, respectively.

“Sales” of Personal Information under the CCPA
California residents have the right to opt out of the “sale” of their personal information. Under the CCPA, “sale” is defined broadly and includes the transfer of personal information by a business to a third party for valuable consideration (even if there is no exchange of money). Carma Project does not “sell” consumer’s personal information. Information related to vehicles is provided to our Customers, but this information alone is not identifiable on a personal basis.

Carma Project’s business and commercial purposes for “selling” personal information can be found in “How We Use Your Information” above. Carma Project does not have actual knowledge of any “sale” of personal information of minors under 16 years of age.

Additional Privacy Rights for California Residents

Non-Discrimination. California residents have the right not to receive discriminatory treatment by us for the exercise of their rights conferred by the CCPA.

Authorized Agent. Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child. To authorize an agent, provide written authorization signed by you and your designated agent and contact us as set forth in “Contact Us” below for additional instructions.

Verification. To protect your privacy, we will take steps to reasonably verify your identity before fulfilling your request. These steps may involve asking you to provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative, or to answer questions regarding your account and use of our Services.

If you are a California resident and would like to exercise any of your rights under the CCPA, please contact us as set forth in “Contact Us” below. We will process such requests in accordance with applicable laws, and will not discriminate against consumers for exercising such rights.

De-Identified Information. If we create or receive de-identified information, we will not attempt to reidentify such information, except to comply with applicable law.


This information is provided in accordance with California Law (California Civil Code 1798.90.5 et seq.), and is intended to ensure that the collection, use, storage, and sharing of ALPR data is not only consistent with respect for individual rights to privacy and civil liberty, but also to clearly detail Carma Project’s own high-standards for data protection and consumer rights. The primary purposes of data collected by Carma Project via ALPR technology include notifying affected individuals about an active recall status on their vehicle, identifying vehicles subject to repossession, assisting insurance companies in their efforts to identify instances of garaging fraud and other uses we may undertake from time to time on behalf of our Customers in reliance on the Consumer permissions they have obtained from their customers and/or legal rights our Customers may have. We will not sell your data.

How ALPR Works
Through the use of Carma Project’s ALPR application, Carma Project is able to quickly identify vehicles by scanning an image of a license plate, converting it to text, and then converting that information to a Vehicle Identification Number (VIN). The vehicle’s VIN is important because it helps determine, for example, if a vehicle is subject to recalls such as the Takata airbag recall. If the ALPR application determines that a vehicle is subject to an active recall, the Carma Project employee may then provide educational materials (e.g., postcard, note, letter, magnet, etc.) about the recall on the vehicle. It is then up to the driver of the vehicle to decide whether or not to take action to get the recalled vehicle remedied. Carma Project will not attempt to contact a vehicle owner, unless the vehicle owner provides their information and requests to be contacted by Carma Project.

Carma Project representatives undergo extensive training and education regarding the Takata recall and other recalls and how to best share information with members of the community about these recalls. Applicable Carma Project representatives are also required to read, acknowledge and follow our Agreement to be able to participate in this life-saving program.

Understanding ALPR Technology
ALPR technology involves obtaining and storing images of license plates that are then converted into computer-readable characters that are saved in a database.  License plate images are obtained using cameras that may be stationary (e.g., mounted on a pole) or mobile (e.g., mounted on a car).  In addition to capturing the license plate image, ALPR technology also captures and stores the location at which the license plate was photographed, as well as the time and date.  This information is only collected from areas that are visible to the general public.

Once license plate information is obtained and converted to computer readable characters, that data may then be searched and sorted.

Why We Collect ALPR Information
ALPR information is collected for use by Carma Project to do the following:

Authorized Users and Training
All representatives of Carma Project that fulfill the requirements outlined below are authorized to use the ALPR system to support the purpose set forth and authorized by this policy.

Before receiving authorization to use the ALPR technology, Carma Project representatives are required to do the following:

How We Monitor ALPR Information and the ALPR System
Carma Project uses a combination of digital permission controls, physical controls and other technologies and procedures to protect ALPR information from unauthorized access, use, modification, disclosure and destruction.  Carma Project intends to conduct periodic system reviews to ensure the accuracy of the systems it uses.

In addition, Carma Project intends to maintain and store usage logs that will identify (i) when the ALPR data was accessed, (ii) any username associated with that access, (iii) from where that data was accessed, and (iv) what data that was accessed.

ALPR Information is Shared
ALPR data will be made available to Carma Project representatives solely through the ALPR system to help identify vehicles subject to recalls, repossession, stolen vehicles, and vehicles engaged in garaging fraud.  If we find a vehicle affected by a recall or any of the other aforementioned claims, we will share this data with vehicle manufacturers, dealers, insurers, and repossession companies in our program for the sole purpose of facilitating their services. Carma Project will not sell or license the data it collects to other unaffiliated third parties for their own commercial purposes.

In light of our mission to promote safety, Carma Project will share information with law enforcement if requested, though it will only do so upon receipt of assurances that the information will not be used for purposes of determining immigrant status or in furtherance of immigration-related purposes unless compelled to do so by legal process (e.g., subpoena or court order).

Custodian Information
Carma Project, Inc is the custodian and owner of the ALPR information and the ALPR system, and is responsible for implementation of this policy.  Carma Project may be contacted at the following address:

Carma Project, Inc
2900 Bristol Street, D201
Costa Mesa, CA  92626
Attn:  Fabio Gratton, Chief Executive Officer

ALPR Data Retention
Carma Project retains the ALPR information for as long as it deems that information to be relevant to its mission.  While Carma Project intends to periodically review its use of the ALPR information and whether such information should be retained or deleted, there is no set period of time for which the data will be retained or after which it will be deleted.

Changes to Our ALPR Policy
Carma Project may, from time to time, revise this policy.  Upon revision, the updated policy will be made available on our website and will apply to all ALPR information, regardless of when it was originally collected.


If you are a resident of Nevada, you have the right to opt-out of the sale of certain personal information to third parties who intend to license or sell that personal information. You can exercise this right by contacting us at with the subject line “Nevada Do Not Sell Request” and providing us with your name and the email address associated with your account. Please note that we do not currently sell your personal information as sales are defined in Nevada Revised Statutes Chapter 603A. If you have any questions, please contact us as set forth in Contact Us below.


The Services are not directed to children under 13 (or other age as required by local law), and we do not knowingly collect personal information from children.

If you are a parent or guardian and believe your child has uploaded personal information to our site without your consent, you may contact us as described in “Contact Us” below. If we become aware that a child has provided us with personal information in violation of applicable law, we will delete any personal information we have collected, unless we have a legal obligation to keep it.


Third-Party Websites/Applications. The Services may contain links to other websites/applications and other websites/applications may reference or link to our Services. These third-party services are not controlled by us. We encourage our users to read the privacy policies of each website and application with which they interact. We do not endorse, screen, or approve, and are not responsible for, the privacy practices or content of such other websites or applications. Providing personal information to third-party websites or applications is at your own risk.

Supervisory Authority. If your personal information is subject to the applicable data protection laws of the European Economic Area, Switzerland, or the United Kingdom, or Virginia, you may have the right to lodge a complaint with the competent supervisory authority or attorney general if you believe our processing of your personal information violates applicable law.


Carma Project is the controller of the personal information we process under this Privacy Policy.

If you have any questions about our privacy practices or this Privacy Policy, or to exercise your rights as detailed in this Privacy Policy, please contact us at:

Carma Project, Inc.
2900 Bristol Street, Suite D-201, Costa Mesa, CA 92626 (USA)