Summary
PriceMyFix is designed to be one of the lowest-data-collection consumer sites on the internet. We do not sell or share your personal information for any purpose. We do not set tracking cookies. We do not use third-party advertising trackers (no Google Analytics, no Facebook Pixel, no advertising tags). We honor Global Privacy Control automatically and apply the strongest opt-out available under every state and federal privacy law.
Categories of Personal Information We Collect
Under the California Privacy Rights Act (CPRA) and equivalent state laws, we are required to disclose the categories of personal information we collect. The full list:
- Identifiers — none collected directly. We do not ask for your name, email, phone, or account credentials to browse the site. If you submit a review, you provide a display name (which may be a pseudonym).
- Internet or other electronic network activity — anonymous pageview counts (via Cloudflare Web Analytics, cookieless) and categorical first-party click events (button presses on Visit Website / Call Shop / View Shop / Filter / Coupon / Review). Each click event records the shop slug, city slug, service slug, your country (2-letter ISO code), device class (desktop/mobile/tablet), and the referer hostname (e.g. google.com) — never the full URL, never an IP, never a user agent string, never any identifier that persists across visits.
- Geolocation — only if you explicitly grant location permission to pre-fill your ZIP code, OR if you type a ZIP code directly. We resolve ZIP to approximate latitude / longitude server-side and use it to sort nearby shops. We do not store precise GPS coordinates. Your ZIP may be saved in your browser's localStorage for convenience.
- Commercial information — for users who submit a review: the display name, vehicle make / model / year, the service performed, the shop name, the rating, the written review text, and (optionally) an invoice image used to verify the review was real.
- Inferences drawn from the above — none. We do not build behavioral profiles, scoring profiles, or any other individual-level inferences.
- Sensitive personal information (CPRA-defined category) — we do not collect any data in this category. No government IDs, no financial account data, no precise geolocation, no race / ethnicity, no health data, no religion, no biometric data, no contents of mail / email / text messages, no genetic data.
How We Use This Information
- Operating, maintaining, and improving the website.
- Aggregated traffic analysis (counting how many people viewed each page, how many clicked each CTA — never linked back to an individual).
- Showing nearby shops based on your ZIP code (only when you provide one).
- Verifying that submitted reviews are genuine (via Cloudflare Turnstile bot detection and, for receipt-backed reviews, AI analysis of the invoice image).
- Detecting and preventing abuse, fraud, and security incidents.
- Complying with legal obligations and responding to lawful government requests.
Service Providers We Share Data With
We do not sell or share your personal information in the CCPA / CPRA sense (any party's commercial benefit or cross-context behavioral advertising). The following service providers process data on our behalf, under contract, only for the purposes listed above:
- Cloudflare, Inc. — site hosting (Workers), CDN, DDoS protection, Web Analytics (cookieless), Turnstile (bot verification on review submissions), and email forwarding for privacy@ / legal@ addresses on this domain. Cloudflare processes your IP address and HTTP request metadata at the edge for security and routing per Cloudflare's own privacy notice.
- Supabase, Inc. — database hosting (PostgreSQL) for the shop directory, verified prices, and submitted reviews. Reviewer-supplied data and invoice images are stored in Supabase-managed infrastructure.
- Google LLC (Gemini API) — server-side AI used to (a) extract pricing information from publicly available shop websites during our scrape pipeline, and (b) moderate submitted reviews and verify submitted invoice images. No personal browsing data is sent to Google. Review text and invoice images you submit ARE sent to Google's API transiently for moderation; Google does not retain API inputs for training per their published API data policy.
- Functional Software, Inc. (Sentry) — error monitoring. Sentry receives anonymized stack traces and request metadata when a server-side error occurs. IP addresses are scrubbed before transmission.
- GitHub, Inc. — workflow orchestration for the daily scrape pipeline. No user-submitted data is processed by GitHub Actions; workflows operate only on publicly available shop websites.
All service providers are under written agreements that prohibit using your data for their own purposes. We do not transfer data to third parties for advertising or marketing.
Automated Decision-Making
We use AI / large language models (specifically Google Gemini) in two ways that affect users:
- Review moderation — submitted reviews are automatically scored for spam, off-topic content, harassment, and authenticity. Reviews flagged as suspicious are placed in a queue for human review before publication; they are not auto-rejected. Reviews scored as clearly legitimate are auto-published.
- Invoice verification — if you attach an invoice image to a review, the image is analyzed by AI to confirm the shop name, service, and price match your written review. The underlying image is stored privately and is not displayed publicly.
Neither system makes a decision with legal or similarly significant effects on you in the GDPR / CPRA sense. If your review is held for moderation or rejected, you may appeal by emailing privacy@pricemyfix.com.
Data Retention
- Click event data — retained 90 days, then automatically purged from Cloudflare Analytics Engine.
- Aggregated daily traffic counts — retained for trend analysis. No individual visitor data; cannot be re-identified.
- Reviews — published reviews are retained indefinitely (they're the content of the site). You can request removal of your own review by emailing privacy@pricemyfix.com.
- Invoice images — retained for 90 days after successful review verification, then deleted from storage. Rejected invoices are deleted within 30 days.
- Server logs and error traces — retained 30 days for security and debugging, then automatically purged.
Global Privacy Control (GPC)
We honor the Global Privacy Control signal automatically, on every request, server-side. If your browser sends the Sec-GPC: 1 header (enabled by default in Brave and DuckDuckGo, available as a setting or extension in Firefox / Chrome / Safari / Edge), we treat this as a valid opt-out request under California, Colorado, Connecticut, Delaware, Montana, New Hampshire, New Jersey, Oregon, Texas, and every other state where the signal is legally recognized. We do not record your click events to our analytics database, we apply the strictest available privacy posture across every system that processes your visit, and we do not require any further action from you to honor the request. There is no cookie banner because there is nothing to consent to.
Your Rights
Depending on the state you reside in, you have some or all of the following rights with respect to personal information about you that we hold:
- Right to know / access — request a copy of the personal information we hold about you.
- Right to delete — request deletion of personal information we hold about you, subject to legal exceptions.
- Right to correct — request correction of inaccurate personal information.
- Right to opt out of sale or sharing — see above. We do neither.
- Right to opt out of profiling for decisions with legal or similarly significant effects — we do not engage in profiling of this kind.
- Right to limit use of sensitive personal information — we do not collect sensitive personal information.
- Right to non-discrimination — exercising any of these rights will not affect your ability to use the site or result in any difference in service.
- Right to appeal (Virginia, Colorado, Connecticut, Texas, others) — if we decline a request, you may appeal by replying to the response email; we will reconsider within 45 days.
To exercise any of these rights, email us at privacy@pricemyfix.com with the request type in the subject line. We will respond within 45 days as required by most state privacy laws (with one 45-day extension available where the request is complex). You may also designate an authorized agent to make a request on your behalf; please include the agent's authorization with the request.
International Visitors (GDPR / UK GDPR)
PriceMyFix is operated from the United States and serves a US audience. We do not actively market or target services to individuals in the European Economic Area, the United Kingdom, or other jurisdictions outside the United States. If you visit the site from one of these jurisdictions, the data we collect (described above) is the same minimal set we collect from US visitors and is held under the same protections. To exercise GDPR or UK GDPR rights, email privacy@pricemyfix.com.
Children's Privacy
PriceMyFix is intended for adults shopping for vehicle service. We do not knowingly collect personal information from children under the age of 13 (under 16 in some jurisdictions). If you believe a child has submitted personal information to the site, email privacy@pricemyfix.com and we will delete it.
Data Security
All site traffic is served over HTTPS with HSTS enforced. We use Content Security Policy, X-Frame-Options, X-Content-Type-Options, COOP / CORP headers, and a strict Permissions-Policy on every response to mitigate common web attacks. Server-side data is held in Supabase Postgres with row-level security and is accessible only through service-role credentials held in our deployment environment. Submitted invoice images are stored in a private storage bucket with no public read access.
Changes to This Policy
We will update the "Last updated" date at the top of this page whenever we change this policy in a substantive way. If a change materially affects the categories of data we collect or how we use it, we will note the change in a banner on the homepage for at least 30 days.
Contact
Privacy questions, rights requests, complaints, and CCPA / CPRA / state-law disclosures all go to privacy@pricemyfix.com.