Privacy Policy

Last updated: March 24, 2026

CarDoor Inc. (“CarDoorX,” “we,” “us,” or “our”)

CarDoorX is a wholesale automotive auction platform used by licensed motor vehicle dealers (“Dealers”) to bid on and purchase vehicles. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information in connection with the CarDoorX platform and related services (collectively, the “Services”).

This Privacy Policy applies only to information handled within the CarDoorX platform and related infrastructure. It does not govern a Dealer's own independent websites, systems, or offline data practices.

By creating an account or using the Services, you consent to the collection, use, and disclosure of personal information as described in this Privacy Policy. If you do not agree, please discontinue use of the Services.

1. Who We Are & How to Contact Us

CarDoorX is operated by:

If you have questions or concerns about this Privacy Policy or our handling of personal information, please contact us at the email above.

2. Applicable Law

CarDoorX is subject to Canadian federal and provincial privacy legislation, including:

• Personal Information Protection and Electronic Documents Act (PIPEDA) — Canada's federal private-sector privacy law, which governs the collection, use, and disclosure of personal information in the course of commercial activities.

• Canada's Anti-Spam Legislation (CASL) — Governs the sending of commercial electronic messages, including marketing emails and SMS.

• Ontario-specific regulations — Including regulations under the Consumer Protection Act, 2002 and applicable provisions of the Motor Vehicle Dealers Act, 2002 (MVDA), administered by the Ontario Motor Vehicle Industry Council (OMVIC).

We comply with the ten fair information principles set out in Schedule 1 of PIPEDA: accountability, identifying purposes, consent, limiting collection, limiting use, disclosure and retention, accuracy, safeguards, openness, individual access, and challenging compliance.

3. What Is “Personal Information”?

“Personal information” means information about an identifiable individual, as defined under PIPEDA and applicable provincial privacy laws. In the context of CarDoorX, this includes information about Dealer representatives and users (e.g., dealer staff with login accounts).

Personal information does not include business contact information used solely to communicate with a person in relation to their job or profession, or information that has been irreversibly de-identified or aggregated.

4. Information We Collect

4.1 Account & Profile Information

When you register for a CarDoorX account, we collect:

• Personal details: Full name, email address, phone number

• Dealership information: Dealership name, business address, OMVIC dealer registration number, Registered Identification Number (RIN), HST number

• Authentication credentials: Password (stored in hashed form), session tokens

• Role and permissions: User role within the dealership

4.2 Vehicle Preferences & Bidding Data

As you use the Platform, we collect:

• Vehicle preferences: Makes, models, body types, year ranges, and other criteria you specify

• Bidding activity: Bid amounts, proxy bid maximums, bid timestamps, auction participation history

• Transaction records: Purchases, Bills of Sale, payment status, transport arrangements

• Saved searches and watchlist items

4.3 Usage & Device Information

When you access CarDoorX, we automatically collect:

• Usage data: Pages viewed, features accessed, actions taken, timestamps, session duration, navigation paths

• Device information: IP address, browser type and version, operating system, device type, screen resolution

• Connection data: Real-time connection status for live auction participation (Socket.IO session data)

• Error and performance data: Error logs, crash reports, and performance metrics collected through our error tracking service (Sentry)

4.4 Communications

We collect information you provide when you contact our support team, respond to surveys, or communicate with us through any channel, including email content, support ticket details, and feedback.

5. How We Use Your Information

We use the information we collect for the following purposes:

5.1 Providing & Operating the Platform

• Creating and managing your dealer account

• Facilitating auction participation, bid processing, and real-time bid updates

• Processing transactions, generating Bills of Sale, and managing payment status

• Matching vehicles to your stated preferences and delivering relevant auction notifications

• Providing customer support and responding to your inquiries

5.2 Security & Fraud Prevention

• Authenticating your identity and verifying dealer registration status

• Detecting and preventing fraudulent activity, shill bidding, and account misuse

• Monitoring for unauthorized access and protecting Platform integrity

• Enforcing our Terms & Conditions and acceptable use policies

5.3 Improving the Platform

• Analyzing usage patterns to improve features, performance, and user experience

• Diagnosing and fixing bugs, errors, and technical issues

• Developing new features and services

• Creating aggregated, de-identified analytics to inform business decisions

5.4 Communications

• Sending operational notifications (outbid alerts, auction results, settlement reminders, transport updates)

• Communicating system updates, maintenance notices, and policy changes

• Sending marketing communications about CarDoorX features and services (with your consent, subject to CASL requirements)

5.5 Legal Compliance

• Complying with applicable federal and provincial laws and regulations

• Responding to lawful requests from regulators, law enforcement, or courts

• Maintaining records as required by OMVIC, the MVDA, and tax authorities

6. Information Sharing & Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

6.1 Auction Participants

When you participate in auctions, limited information may be visible to vehicle sellers and other auction participants as necessary to facilitate the transaction. Bid data is masked for non-winning bidders — other dealers cannot see your identity in connection with your bids. Winning bidder information is shared with the seller only to the extent necessary to complete the transaction.

6.2 Service Providers

We share personal information with trusted third-party service providers who assist us in operating the Platform, including:

• Cloudinary — Image hosting and processing for vehicle photographs

• Sentry — Error tracking and application performance monitoring

• Google Analytics — Website analytics and usage pattern analysis

• Infrastructure providers — Hosting, database, and cloud services

• Payment processors — Payment processing and settlement services (where applicable)

These providers are contractually required to protect your information and use it only for the purposes of providing services to CarDoorX.

6.3 Regulatory & Legal Disclosure

We may disclose personal information when reasonably necessary to:

• Comply with applicable laws, regulations, or legal processes

• Respond to lawful requests from OMVIC, law enforcement, or other regulators

• Protect the rights, property, or safety of CarDoorX, our users, or the public

• Detect, prevent, or address fraud, security, or technical issues

6.4 Business Transactions

If CarDoor Inc. is involved in a merger, acquisition, financing, reorganization, or sale of some or all of its assets, personal information may be disclosed as part of that transaction, subject to appropriate confidentiality protections and in compliance with applicable privacy laws.

7. Cookies & Tracking Technologies

CarDoorX uses cookies and similar technologies for the following purposes:

7.1 Essential Cookies

Required for Platform operation, including session management, authentication, and security. These cookies cannot be disabled without affecting Platform functionality.

7.2 Analytics Cookies

We use Google Analytics to understand how Dealers interact with the Platform, including pages visited, features used, and navigation patterns. Google Analytics uses cookies to collect usage data in an aggregated form. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

7.3 Performance Cookies

Used for error tracking (Sentry) and performance monitoring to help us identify and resolve technical issues quickly.

7.4 Managing Cookies

You may manage or disable cookies through your browser settings. Note that disabling essential cookies may impair Platform functionality. Where required by law, we will seek consent for non-essential cookies.

8. Data Retention

We retain personal information for as long as reasonably necessary to:

• Provide the Services and maintain your account

• Fulfill the purposes described in this Privacy Policy

• Comply with legal, regulatory, tax, and audit obligations (including OMVIC record-keeping requirements)

• Resolve disputes and enforce our agreements

Bidding and transaction records are retained for a minimum of seven (7) years to comply with tax and regulatory requirements. Account information is retained for the duration of your account plus two (2) years after closure, unless a longer retention period is required by law.

When personal information is no longer required, we will securely delete or anonymize it in accordance with our retention policies and applicable laws.

9. Security Measures

We implement reasonable physical, technical, and administrative safeguards designed to protect personal information from unauthorized access, use, disclosure, loss, or theft. These measures include:

• Encryption: Data transmitted between your browser and our servers is encrypted using TLS (Transport Layer Security). Passwords are stored using industry-standard one-way hashing.

• Access controls: Role-based access controls limit who can access personal information within our systems. Multi-factor authentication is available for account access.

• Infrastructure security: Our hosting infrastructure employs firewalls, intrusion detection, and regular security monitoring.

• Secure real-time connections: Live auction connections use authenticated WebSocket (Socket.IO) connections with JWT token verification.

• Audit logging: We maintain audit logs of significant system actions for security monitoring and incident investigation.

• Employee training: Personnel with access to personal information are subject to confidentiality obligations.

Despite these measures, no security controls are perfect and we cannot guarantee absolute security. We encourage you to use strong, unique passwords and to notify us immediately if you suspect unauthorized access to your account.

10. Your Rights Under Canadian Privacy Law

Under PIPEDA and applicable provincial legislation, you have the following rights with respect to your personal information:

10.1 Right of Access

You may request access to the personal information we hold about you. We will respond to your request within 30 days, as required by PIPEDA. In certain limited circumstances, we may be unable to provide access (e.g., where the information contains references to other individuals or is subject to solicitor-client privilege).

10.2 Right to Correction

You may request that we correct inaccurate or incomplete personal information. Where a correction is not made, we will note the requested correction alongside the existing information.

10.3 Right to Withdraw Consent

You may withdraw consent to certain uses and disclosures of your personal information, subject to legal or contractual restrictions and reasonable notice. Withdrawing consent may limit our ability to provide some or all Platform functionality to you or your organization.

10.4 Right to Challenge Compliance

You have the right to challenge our compliance with PIPEDA by contacting us or by filing a complaint with the Office of the Privacy Commissioner of Canada (OPC).

10.5 How to Exercise Your Rights

To exercise any of these rights, contact us at:

We may need to verify your identity before processing your request. We do not charge a fee for reasonable access requests.

11. Ontario-Specific Provisions

As CarDoorX operates primarily in Ontario, the following provisions apply specifically to Ontario-based dealers:

• OMVIC compliance: We maintain records as required under the Motor Vehicle Dealers Act, 2002 and cooperate with OMVIC in the exercise of its regulatory functions.

• UCDA standards: Our data handling practices align with industry standards promoted by the Used Car Dealers Association of Ontario (UCDA).

• Provincial jurisdiction: For privacy matters arising in Ontario, the laws of Ontario and applicable federal laws of Canada govern. Complaints may be directed to the Office of the Privacy Commissioner of Canada or, where applicable, the Information and Privacy Commissioner of Ontario.

• Electronic commerce: Our practices comply with the Electronic Commerce Act, 2000 (Ontario) with respect to electronic records and signatures.

12. International Transfers

Personal information handled by CarDoorX may be stored and processed in Canada and in other jurisdictions where our service providers' systems are located (for example, cloud infrastructure, analytics, and error tracking services). As a result, personal information may be subject to the laws of those jurisdictions and may be accessible to government authorities under lawful orders.

We take reasonable steps to ensure that personal information transferred outside of Canada is protected by appropriate contractual and organizational safeguards, consistent with PIPEDA requirements.

13. Children's Privacy

CarDoorX is a business-to-business (B2B) platform designed exclusively for licensed motor vehicle dealers and their authorized personnel. It is not directed to children or individuals under the age of 18, and we do not knowingly collect personal information from minors. If you believe we have inadvertently collected personal information from a minor, please contact us at [email protected] and we will promptly delete such information.

14. Third-Party Links & Integrations

The Platform may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party service before providing your personal information.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or Services. When we make material changes, we will:

• Update the “Last updated” date at the top of this Policy

• Provide notice within the Platform or by email to your registered address

• Where required by law, obtain your consent to material changes

Your continued use of CarDoorX after any changes to this Privacy Policy indicates your acceptance of the updated Policy. If you do not agree with the changes, you must discontinue use of the Services.

16. Contact Us & Filing a Complaint

If you have any questions, requests, or complaints about this Privacy Policy or our handling of personal information, please contact:

If you are not satisfied with our response, you may file a complaint with:

• Office of the Privacy Commissioner of Canada (OPC)
  Website: www.priv.gc.ca
  Toll-free: 1-800-282-1376

• Information and Privacy Commissioner of Ontario (IPC)
  Website: www.ipc.on.ca
  Toll-free: 1-800-387-0073