Skip to content
Skanyx
Legal/Updated June 13, 2026

Privacy Policy

This notice explains what data we collect, why we collect it, and the choices you have.

The data controller is MB "Skanyx", registered in Lithuania (Giruliu g. 10, LT-12112 Vilnius). Reach us at support@skanyx.com.


Key Definitions

  • Personal Data: Information that identifies you, or could.
  • Data Controller: Skanyx, which determines how and why your data is processed
  • Data Processor: Third parties who process data on our behalf (e.g., email provider, analytics)
  • Cookie: Small text files stored on your device to remember preferences and track usage
  • Data Subject: You: the person whose personal data is processed.
  • GDPR: General Data Protection Regulation, the EU law on data protection and privacy
  • CCPA/CPRA: California Consumer Privacy Act/California Privacy Rights Act

What This Policy Covers

This Privacy Policy applies to:

  • The Skanyx website (skanyx.com)
  • The Skanyx mobile application
  • Any related services or marketing

This policy does not apply to third-party websites, products, or services, even if they link to our services.


What We Collect

CategoryExamplesLawful Basis*
Transactional EmailEmail address for account verification and service updatesLegitimate Interest (Art 6 f)
Marketing EmailEmail address for newsletters and product updatesConsent (Art 6 a)
Device DataIP address, browser type, operating system, pages visited, time spentLegitimate Interest (Art 6 f)
Marketing StatisticsEmail open rates, click rates, unsubscribe eventsConsent (Art 6 a)
InteractionsFeedback, customer support inquiries, survey responsesLegitimate Interest (Art 6 f)
Vehicle Diagnostic DataFault codes (DTCs), sensor readings, live data streams, vehicle identification (VIN, make, model, year), diagnostic history, health metrics, repair recommendationsContract Performance (Art 6 b) & Legitimate Interest (Art 6 f)
AI Chat ContentYour messages to the AI assistant and the assistant's replies, including any vehicle context you share in the conversationContract Performance (Art 6 b)
AI Vehicle Memory ProfileAn AI-derived profile summarising your vehicle's history, symptoms, and prior diagnoses, used to personalise future answersContract Performance (Art 6 b) & Legitimate Interest (Art 6 f)
Chat & Content EmbeddingsNumerical vector representations of chat and knowledge-base text, used to retrieve relevant information for the assistantContract Performance (Art 6 b)
Hardware & Device DataOBD adapter serial number, Bluetooth device information, connection logs, firmware version, device performance metricsLegitimate Interest (Art 6 f)
Adapter Session TelemetryOBD2 connection logs, session duration, and protocol and signal metrics from diagnostic sessionsContract Performance (Art 6 b) & Legitimate Interest (Art 6 f)
Behavioural & App ActivityScreen views, in-app actions, lifecycle events, and app event historyConsent (Art 6 a)
Automatic Crash ReportsCrash stack traces and device logs captured automatically when the app failsConsent (Art 6 a); Legitimate Interest (Art 6 f) for fatal startup crashes
Manual Bug ReportsInformation you submit when reporting a problem: name, email, phone, VIN, and screenshotsLegitimate Interest (Art 6 f)
Payment & Billing DataPayment method information (processed by third-party payment processors), billing address, subscription status, order history, transaction recordsContract Performance (Art 6 b) & Legal Obligation (Art 6 c)
Account DataUsername, password (hashed), profile information, vehicle profiles, preferences, subscription detailsContract Performance (Art 6 b)
Security & Anti-Fraud LogsAuthentication events, IP address, and rate-limit and abuse signals used to detect and prevent fraudLegitimate Interest (Art 6 f)

*Legal bases under GDPR Art. 6(1)(a) & (f)

We collect Vehicle Identification Numbers (VINs) to match your exact vehicle configuration for accurate diagnostics. VINs can be linked to a vehicle owner, so they may count as personal data. We use VINs only to deliver diagnostic services. We do not share them with third parties for marketing.

We do not knowingly collect data from anyone under 16. If we discover we have data from a minor, we will delete it immediately.

Cookies and similar technologies collect some data automatically for analytics and site functionality. See our Cookie Preferences center for the full list.

iOS App Privacy Nutrition Label. The Skanyx mobile app declares 7 data types in its App Store privacy nutrition label, mapped to the categories above: Email Address and User ID -> Account Data; Purchase History -> Payment & Billing Data; Crash Data and Performance Data -> Device Data (collected via Google Firebase Analytics and Crashlytics, only after the in-app Telemetry Consent prompt and, for the tracking-classified Performance Data, iOS App Tracking Transparency approval); Other Diagnostic Data -> Hardware & Device Data; Other User Content -> Vehicle Diagnostic Data and Account Data (AI Chat messages, PPI inspection notes, vehicle profiles, bug report attachments).

Crash Reports and Bug Reports

We collect automatic crash reports, including device logs, when the app fails, and bug reports you submit yourself (which may include your name, email, phone number, VIN, and screenshots). Automatic crash capture is gated by the in-app Telemetry Consent prompt, except for fatal startup crashes, which we capture for stability so the app can keep working. This data is sent to Sentry and Google Firebase Crashlytics and is stored in our own database.


How We Use Your Data

  • Vehicle Diagnostics: Provide diagnostic services, read and analyze fault codes, monitor vehicle health, generate repair recommendations, and maintain diagnostic history for trend analysis.
  • Communication: Send product updates, service notifications, and marketing communications (with your consent). Every marketing email contains a one-click unsubscribe link.
  • Service Delivery: Process payments, manage subscriptions, provide customer support, and maintain your account.
  • Site Improvement: Analyze usage patterns to improve the website and app and ship new features.
  • Security: Detect, prevent, and address fraud, abuse, security incidents, and technical issues.
  • Legal Compliance: Comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

We never sell your personal data or vehicle diagnostic data to third parties. We may use aggregate statistics, such as counts and trends that cannot single out any person or vehicle, to improve our algorithms; that aggregate data is anonymous. Where we instead work with hashed identifiers, such as VINs, Wi-Fi SSIDs, Bluetooth device names, or device fingerprints, that data is only pseudonymous, not anonymous: it remains personal data and stays protected by this policy, because it can still be linked back to you.

Important Notice for California Residents (CCPA/CPRA): We do not sell personal information as defined by the CCPA/CPRA, nor do we share personal information for cross-context behavioral advertising. We do not use sensitive personal information for purposes other than those specified in Cal. Civ. Code § 1798.121. Vehicle diagnostic data is considered personal information under CCPA/CPRA and is protected accordingly.

We use vehicle diagnostic data only to provide diagnostic services, generate repair recommendations, track vehicle health over time, and improve our algorithms. It is encrypted at rest. Our support team accesses it only when you request help.

AI Providers and Retention

Our AI Chat Assistant and AI features are processed by Anthropic (Claude). When you use these features, your messages and the relevant vehicle context are sent to Anthropic to generate a response. Under our agreement with Anthropic, your data is processed on standard API terms: Anthropic may retain it for up to 30 days for trust-and-safety purposes and then deletes it, and Anthropic never uses it to train its models. Embeddings of chat content are generated by Voyage AI for retrieval and are stored in our own database while your account is active.


Cookies & Similar Technologies

TypePurposeDefault Setting
EssentialEnable core site functionality and securityAlways enabled
AnalyticsMeasure traffic patterns and understand user behaviorOff until you consent
MarketingMeasure and optimize ad performance (if we use Facebook Pixel, Google Ads tag, etc.)Off until you consent

You can change your preferences at any time via the "Cookie Preferences" link in our footer. Most browsers also allow you to manage cookies through their settings.


Data Sharing & Processors

We share personal data only when necessary for:

  • Service Providers: Third parties who help us operate our website and services (e.g., web hosting, analytics, email marketing)
  • Legal Compliance: When required by law or to protect our legal rights
  • Business Transfers: If we sell or transfer our business (with the same privacy protections)

Our data processors, and what each one receives and why, are:

  • Anthropic (AI Chat Assistant and AI features) - receives your chat messages and the relevant vehicle context so it can generate AI responses and diagnostic insights
  • Voyage AI (embeddings) - converts chat and knowledge-base text into numerical embeddings so the assistant can retrieve relevant information; the embeddings are stored in our database
  • Google Firebase (Analytics, Crashlytics, and Cloud Messaging) - receives app analytics events, automatic crash reports with device logs, and push-notification tokens; gated by the in-app Telemetry Consent prompt, except fatal startup crashes captured for stability
  • Sentry (error monitoring and performance) - receives application error reports, performance traces, and diagnostic logs so we can detect and fix faults; on the website it also records masked session replays (text and media masked, so message and account content is not captured), gated by your telemetry consent
  • PostHog (product analytics) - receives website usage events (pages viewed, clicks, and conversions) and, once you sign in, your account ID, email, and language, so we can understand and improve how the site is used; website analytics run only with your telemetry consent, while confirmed purchase and waitlist sign-up events are recorded as part of providing the service; hosted in the EU
  • RevenueCat (subscription management) - receives purchase and subscription events to manage your entitlements across platforms
  • Stripe (payment processing) - receives payment, billing, and transaction data to process purchases; we never store your full card details
  • Brevo (email and waitlist) - receives your email address and contact details to send transactional and marketing emails and manage the launch waitlist
  • NHTSA (vehicle recall lookups) - receives a vehicle's make, model, and year (or VIN) to return open safety-recall information; this is a U.S. government service
  • Apple (Sign in with Apple) - processes your Apple-provided identifier and, if you allow it, your email address to authenticate you
  • Supabase (database, authentication, and storage) - hosts your account, vehicle, diagnostic, and chat data and any files you upload
  • Vercel and Cloudflare (hosting and content delivery) - process technical request data, including your IP address, to serve, accelerate, and protect the website and app

Some processors are located outside the EEA. We ensure every transfer has appropriate safeguards in place - see section 9 below.


Data Retention

We keep personal data only as long as needed for the purposes in this policy. Where a window below is a fixed length, deletion is automatic at the end of it; where retention lasts while your account is active, we delete the data when you delete your account or ask us to.

DataRetention period
Account dataWhile your account is active; deleted within 30 days of a deletion request
Vehicle diagnostic dataWhile your account is active
AI chat contentWhile your account is active; you can delete it at any time
AI vehicle memory and embeddingsWhile your account is active
PPI and prediction reportsWhile your account is active
App and error logs90 days
Bug reportsUntil resolved, then 90 days
Analytics data14 months (the GA4 maximum for a standard property)
Security logs12 months
Marketing dataUntil you unsubscribe or request deletion
Billing and tax records7 years (legal and tax obligation)

Beyond these automatic windows, you can request deletion of your data at any time by contacting us, and we delete your account data within 30 days of an account-deletion request.


Your Rights

Depending on your location, you may have the following rights:

GDPR Rights (EU/EEA)

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate or incomplete data
  • Erasure: Request deletion of your personal data
  • Restriction: Limit how we process your data
  • Portability: Get your data in a machine-readable format
  • Objection: Object to certain types of processing
  • Withdraw Consent: Withdraw consent at any time

California Rights (CCPA/CPRA)

  • Right to Know: What personal information we collect and how we use it
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out of Sale: Opt-out of selling personal information (not applicable - we don't sell data)

To exercise any of these rights, email support@skanyx.com with the subject line 'Data Rights Request'. We will verify your identity and respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Lithuanian State Data Protection Inspectorate (Valstybine duomenu apsaugos inspekcija, ada.lt) or the supervisory authority in your country of residence.


Data Security

We use the following technical and organizational measures:

Technical Measures

  • Encryption of data in transit and at rest
  • Access controls and authentication
  • Regular security monitoring and logging
  • Penetration testing and vulnerability assessments

Organizational Measures

  • Regular staff training on privacy and security
  • Data protection policies and procedures
  • Data processing agreements with third parties
  • Incident response plans

We protect your data with the measures above, but no method of transmission or storage is 100% secure. Take your own precautions too.


International Transfers

Skanyx operates from the European Union. Some of our processors are located in, or transfer data to, the United States.

Processors that may process your data in the United States include Anthropic, Voyage AI, Google (Firebase), RevenueCat, Apple, and Stripe.

For these transfers we rely on appropriate safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • The EU-US Data Privacy Framework, where the processor is certified
  • Supplementary technical and organisational measures, such as encryption in transit and at rest

Changes to This Policy

We may update this Privacy Policy. We'll notify you of significant changes by:

  • Sending an email to your registered address
  • Posting a prominent notice on our website
  • Updating the "Last updated" date at the top

Your continued use of our services after such changes constitutes your acceptance of the updated policy.


Contact Us

If you have questions about this Privacy Policy or want to exercise your rights, you can contact us:

  • Email: support@skanyx.com (for privacy inquiries and data rights requests)
  • General Inquiries: team@skanyx.com
  • Contact Form: Available on our website

We respond to inquiries within 30 days.