Effective Date: April 25, 2026 · Last Updated: April 25, 2026
Privacy Policy
CrappyCar Witch is a financial decision tool operated by CrappyCar Witch ("we," "us," or "our"), available at crappycar.io. The tool helps car owners determine whether to keep their current vehicle or replace it, using total cost of ownership modeling and AI-generated analysis.
Questions about this policy: privacy@crappycar.io
1. What We Collect and Why
1.1 Information You Provide
Account information
Your email address, collected when you sign in via our one-time passcode (OTP) system. We use this to authenticate you, to restore your saved analysis on future visits, and to send you the communications described in Section 5.
Calculator inputs
When you run an analysis, you provide:
- Vehicle specifications: year, make, model, trim, odometer reading, estimated market value, and annual insurance premium for your current car
- Repair history: up to two years of costs, dates, and descriptions
- Mechanic's quote: a description of the current problem and quoted repair cost
- Contender vehicles: up to three alternatives with asking price and financing terms
- Geographic and preference data: ZIP code (for localized cost estimates), annual mileage, and projection window
These inputs are used to calculate your analysis results and are saved to your account so you can return to them later.
1.2 Information We Collect Automatically
Session cookie
When you sign in, we set a __Host-session_id cookie on your browser. This cookie is httponly, secure, and expires after 14 days. It is used solely to authenticate your requests — it is not used for advertising or tracking across other websites.
Referrer and attribution data
If you arrive at CrappyCar Witch via a link that includes UTM parameters (e.g., utm_source, utm_medium, utm_campaign) or a referral tag, we record that attribution data once at account creation and do not update it on subsequent visits. This tells us how people find the site so we can understand which content and channels are useful.
Login activity
We record the date and time of your first confirmed sign-in and your most recent sign-in. This is used to determine the timing of optional follow-up communications (see Section 5) and to maintain session security.
1.3 Information We Do Not Collect
- We do not collect your vehicle identification number (VIN).
- We do not collect your name, phone number, or physical address.
- We do not collect browser fingerprinting data or device identifiers beyond what is inherent in standard HTTP requests.
- We do not use third-party advertising trackers, pixels, or analytics SDKs. There is no Google Analytics, Meta Pixel, or equivalent on this site.
2. How We Use Your Information
| Purpose | Data Used |
|---|---|
| Authenticate your account | Email, session cookie |
| Run and display your analysis | All calculator inputs |
| Save and restore your analysis | All calculator inputs, email (account linkage) |
| Generate the Witch's Verdict, Counsel narratives, and Steelman | Calculator inputs, repair descriptions, mechanic quote — see Section 3 |
| Localize cost estimates | ZIP code |
| Send sign-in codes | |
| Send optional follow-up communications | Email — see Section 5 |
| Understand how users find us | Referrer/UTM data |
| Detect and prevent abuse | IP address, request rate data |
We do not use your data to build advertising profiles, sell leads to dealerships, or share your information with any automotive industry partner.
3. Third-Party Services That Process Your Data
3.1 Anthropic (AI Analysis)
The Witch's Verdict, Counsel narratives, Steelman counterarguments, and bias callout detection are generated by Claude, a large language model (LLM) operated by Anthropic, PBC. When you submit an analysis or request a Counsel narrative, your calculator inputs — including your repair history descriptions and your mechanic quote — are transmitted to Anthropic's API.
This means a third party (Anthropic) processes the text you type into the repair history and mechanic quote fields. If you include personally identifying details in those fields (e.g., a shop name, a street address, your name), that information will be sent to Anthropic.
What Anthropic does with this data: Anthropic's API terms of service govern how they handle API inputs. As of this writing, Anthropic does not use API inputs to train their models by default. You can review Anthropic's privacy practices at anthropic.com/privacy.
Our recommendation: Do not include information in the repair description or mechanic quote that you would not want transmitted to a third-party AI service. The analysis does not require your name, your address, or any identifying information beyond your vehicle's details.
3.2 Resend (Email Delivery)
We use Resend to deliver sign-in codes and any follow-up emails. Resend receives your email address for the purpose of email delivery. Resend's privacy policy governs their handling of this data.
3.3 Public Data APIs (No PII Transmitted)
We call the following APIs to populate vehicle data used in your analysis. These calls do not include your email address, ZIP code, or any personal information:
- EPA FuelEconomy.gov — vehicle fuel economy data
- NHTSA (api.nhtsa.gov) — safety complaints, recalls, and NCAP ratings
- EIA (Energy Information Administration) — weekly retail fuel prices
4. Data Storage and Retention
Your account and analysis data are stored in a PostgreSQL database hosted at Render. The database is located in US-East.
| Data | Retention |
|---|---|
| Account (email) | Until you delete your account |
| Saved analysis | Until you delete your account |
| Session tokens | 14 days from creation, or until you sign out |
| OTP codes | Purged after use or expiry |
| Shared reading links | 30 days from creation, then expired |
| Login timestamps | Until you delete your account |
Account deletion: You can permanently delete your account and all associated data at any time from the Account Settings page (Account Deletion). Deletion is immediate and irreversible. Shared reading links that are currently live will become inaccessible upon account deletion.
5. Email Communications
Transactional email (required for the service)
Sign-in codes are transactional communications necessary for authentication. They are not marketing email and do not require an opt-out.
Outcome follow-up (one-time, non-promotional)
Approximately 30 days after you first use the Service, we send one follow-up email asking what you ended up doing — kept the car, bought a replacement, or something else. The sole purpose of this email is to collect outcome data: we want to know whether the Witch's analysis held up in the real world. The email contains no promotional content, no upgrade offers, and no advertising.
This email is sent once per account. We do not send recurring newsletters, promotional campaigns, or third-party offers.
If you do not want to receive this follow-up, reply to it or email privacy@crappycar.io and we will not send it.
6. Shareable Reading Links
If you share your analysis results using the Share feature, a public link is created at crappycar.io/reading/{slug}. Anyone with this link can view your full analysis results.
- Are accessible to anyone without an account
- Expire automatically after 30 days
- Can be deactivated earlier by deleting your account
- Display the vehicle data and analysis results you chose to share
If you share a reading, you are making your vehicle's analysis results publicly accessible. We recommend reviewing what is included before sharing.
7. Your Rights
Access: You can view all data stored in your account by signing in. Your saved analysis and account settings are visible in the app.
Deletion: You can delete your account and all associated data via Account Settings > Account Deletion. This is permanent and immediate.
Correction: If your saved analysis contains incorrect information, you can re-run the analysis with corrected inputs at any time.
Opt-out of marketing email: See Section 5.
California residents (CCPA/CPRA): You have the right to know what personal information we collect, the right to delete it, and the right to opt out of the sale of your personal information. We do not sell personal information. To exercise your rights, contact privacy@crappycar.io.
Data portability: If you would like a copy of your analysis data in a structured format, contact privacy@crappycar.io and we will provide it within 30 days.
8. Children
CrappyCar Witch is intended for users 18 years of age and older. We do not knowingly collect personal information from anyone under 18. If you believe a minor has created an account, contact us at privacy@crappycar.io and we will delete it promptly.
9. Security
We implement reasonable technical safeguards:
- Session tokens and OTP codes are stored using industry-standard hashing protocols — a database breach does not yield usable credentials
- All data in transit is encrypted via TLS (the
__Host-cookie prefix enforces Secure transmission)
No system is completely secure. We cannot guarantee that your information will never be accessed in an unauthorized manner. If we become aware of a breach that affects your data, we will notify you as required by applicable law.
10. Changes to This Policy
We may update this policy from time to time. If we make material changes — particularly to how we share your data with third parties — we will notify you by email at least 30 days before the change takes effect. The "Last Updated" date at the top of this page reflects the most recent revision.
Continued use of the service after the effective date of a material change constitutes acceptance of the updated policy.
11. Contact
Privacy questions, requests, and complaints:
Email: privacy@crappycar.io
We respond to all privacy inquiries within 30 days.