Privacy Policy

Effective date: 2026-04-10 · Data controller: Knitted Logic, Croatia

1. Who we are 2. What data we collect 3. Why we collect it (legal basis) 4. How we use it 5. Who we share it with (processors) 6. Retention 7. Your rights (GDPR) 8. Cookies & analytics 9. Security 10. International transfers 11. Changes to this policy 12. Contact

1. Who we are

CarsDataset is operated by Knitted Logic (sole proprietorship, Croatia). For the purposes of the EU General Data Protection Regulation (GDPR, Regulation 2016/679), we are the data controller for personal data processed through this website and the CarsDataset API. You can reach us at vedran@knittedlogic.com.

2. What data we collect

2.1 Information you give us

Contact & billing details when you purchase a dataset or API subscription: email address, name, country, billing address, VAT ID (if applicable). Payment details (card number, etc.) are collected and stored by Stripe — we never see or store them.
Support correspondence if you email us or reply to receipts.

2.2 Information collected automatically

Server logs: IP address, user-agent, requested URL, timestamp, response code. Retained for abuse prevention and debugging.
API usage logs: which API key made which request, at what time. Used for rate-limiting, billing reconciliation, and detection of key sharing.
Analytics: anonymous page-view data via Google Analytics (see cookies).

2.3 Data about vehicles (not personal data)

The vehicle specifications and market-price datasets we sell contain information about cars, trucks, and motorcycles — not about people. Where a listing might have included a seller name or direct marketplace URL, those fields are removed or pseudonymized before the data leaves our system, specifically to avoid processing personal data of third-party sellers.

3. Why we collect it (legal basis)

Performance of a contract (Art. 6(1)(b) GDPR): to deliver the dataset or API access you purchased, send your receipt and download link, and provide support.
Legal obligation (Art. 6(1)(c)): to comply with tax, accounting, and invoicing requirements under Croatian and EU law.
Legitimate interests (Art. 6(1)(f)): to secure the service against fraud and abuse, measure aggregate usage, and protect our API keys.
Consent (Art. 6(1)(a)): only where required, e.g. optional analytics cookies.

4. How we use it

Process your purchase and deliver the product.
Send transactional emails: receipts, download links, API-key delivery, subscription notices.
Enforce rate limits and detect fraudulent or shared use of API keys.
Respond to support requests.
Maintain accounting records.

We do not sell your personal data, and we do not use it for profiling or automated decision-making that produces legal or similarly significant effects.

We rely on a small set of trusted processors, each bound by their own data-protection terms:

Stripe Payments Europe, Ltd. (Ireland) — payment processing, invoicing, customer portal, subscription management. Privacy policy.
Mailgun (Sinch) — transactional email delivery (receipts, download links). Privacy policy.
Google Cloud (Cloud Run, Cloud SQL) — hosting of the API and database, in the europe-west1 region (Belgium). Data processing addendum.
Google Analytics — aggregated, anonymized usage analytics for the website only.

We do not share your data with anyone else except where required by law.

6. Retention

Purchase and invoice records: 11 years, as required by Croatian tax law.
API keys and usage logs: for the lifetime of your subscription, plus 12 months.
Server access logs: up to 30 days.
Support emails: up to 24 months.

7. Your rights under GDPR

You have the right to:

Access the personal data we hold about you (Art. 15).
Rectify inaccurate data (Art. 16).
Request erasure (Art. 17), subject to our legal retention obligations.
Restrict or object to processing (Art. 18, 21).
Receive your data in a portable format (Art. 20).
Withdraw consent at any time where processing is based on consent.
Lodge a complaint with a supervisory authority — in Croatia, that is AZOP (azop.hr).

To exercise any of these rights, email vedran@knittedlogic.com. We will respond within 30 days.

8. Cookies & analytics

This website uses a minimal set of cookies:

Strictly necessary: none beyond standard browser session handling.
Analytics: Google Analytics 4 (measurement ID G-822X64Z1WB) to understand aggregate traffic and conversion. Google Analytics stores a first-party _ga cookie for up to 2 years. IP addresses are processed in truncated form by Google. You can opt out by installing the Google Analytics opt-out browser add-on or by blocking third-party scripts.

We do not use advertising cookies, tracking pixels, or cross-site trackers.

9. Security

All traffic is served over TLS (HTTPS).
API keys are stored as salted hashes and transmitted via header, never via URL.
Payment data is tokenized and handled entirely by Stripe (PCI-DSS Level 1).
Database access is via a private Cloud SQL socket, not exposed to the public internet.
Download links are time-limited, use-count limited, and cryptographically random.

10. International transfers

Your data is primarily stored in the EU (Belgium, via Google Cloud europe-west1). Stripe, Mailgun, and Google may process data in or outside the EU under Standard Contractual Clauses and supplementary safeguards. We will not transfer your data to jurisdictions lacking an adequate level of protection without appropriate safeguards.

11. Changes to this policy

We may update this policy to reflect changes in our service, processors, or legal obligations. Material changes will be announced by updating the "Effective date" above and, where appropriate, by email to active customers.

12. Contact

Questions or requests: vedran@knittedlogic.com
Knitted Logic — Zagreb, Croatia