Privacy Policy
Last updated: April 26, 2026.
This Privacy Policy explains how Wrenchpit ("we," "us," "our") collects, uses, shares, and protects information when you use our Service. It also describes the rights and choices available to you, including specific rights under the EU/UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA).
If you do not agree with this Policy, please do not use the Service.
1. Information we collect
1.1 Information you provide
- Account information. When you sign up, we collect your email address, username (your public handle), and the password you choose. Authentication is handled by Amazon Cognito; we do not store your password ourselves — Cognito stores a salted hash of it.
- Profile information. Optional information you add to your profile (e.g., a display name, vehicles you own).
- User content. The guides, comments, votes, photos, and videos you submit. This content is intentionally public.
- Payment information. If you subscribe to Pro, billing is processed by Stripe. Stripe collects your card number, billing address, and other payment details directly. Wrenchpit never sees, receives, or stores your full card number. We receive only a Stripe customer ID, the subscription status, and (for invoicing) the country and the last four digits.
- Communications. If you email us or use a contact form, we keep the message and any attachments.
1.2 Information collected automatically
- Usage logs. Server access logs, including the IP address, the request path and timestamp, the user-agent string, and the referer. We use these for security, abuse prevention, and capacity planning.
- Device information. Browser type and version, operating system, screen size, language preference.
- Cookies and similar technologies. See Section 4 below.
- View counts. We record per-user and per-anonymous-browser counts of how many guides have been viewed in a given month. This is used for analytics and to enforce our rate limits against abuse — it is not used to gate access to content.
1.3 Information from third parties
We do not currently buy or receive personal information from data brokers. If we add analytics or advertising partners later, we will update this Policy and (where required) obtain your consent.
2. How we use information
We use the information described above to:
- Operate the Service — serve guides, render personalized feeds for Pro users, save your votes and submissions, and let you sign in.
- Process payments for Pro subscriptions through Stripe.
- Communicate with you about your account, security alerts, billing, material changes to these policies, and (if you opt in) product updates.
- Prevent abuse, fraud, and harm — detect spam, automated scraping, credential stuffing, and content that violates our Terms.
- Improve the Service — understand which guides are useful, fix bugs, plan capacity.
- Comply with law — respond to subpoenas, court orders, and regulatory requests.
We do not sell or rent your personal information.
2.1 Legal bases (GDPR / UK GDPR)
For users in the EU, EEA, UK, or Switzerland, the legal bases on which we process personal information include:
- Contract — to provide the Service you signed up for (including Pro);
- Legitimate interests — to keep the Service secure, prevent abuse, and improve our product, balanced against your rights;
- Consent — for any optional processing where we ask for it (e.g., marketing emails); and
- Legal obligation — when required by applicable law.
3. Third-party service providers
We share the minimum information necessary with the following service providers, each of which is contractually obligated to protect your information:
- Amazon Web Services (AWS) — Cognito. Authentication and account storage. Stores email, username, password hash, and account state.
- Amazon Web Services (AWS) — DynamoDB. Database for guides, comments, votes, view counters, and Pro flags.
- Amazon Web Services (AWS) — server hosting and logs. Web tier and supporting infrastructure.
- Stripe, Inc. Payment processing for Pro subscriptions; receives card number and billing details directly from your browser.
- YouTube (Google LLC). When a guide embeds a YouTube video, your browser loads the video from YouTube and YouTube may set its own cookies subject to its own privacy policy.
If we add analytics, customer-support, or email-delivery providers in the future, we will update this list.
We may also disclose information (a) to comply with legal process or a government request, (b) to enforce our Terms or protect our rights, property, or safety or that of others, or (c) in connection with a merger, acquisition, financing, or sale of assets, in which case we will give you notice before your information becomes subject to a different privacy policy.
4. Cookies and similar technologies
We use a small number of first-party cookies. We do not use third-party advertising cookies on the Service.
| Cookie | Purpose | Duration |
|---|---|---|
| ww_fp | Anonymous browser fingerprint, set by our edge middleware on the first request. Used to count views per anonymous browser for analytics and abuse prevention. Not linked to any personally identifiable information. | 1 year |
| Cognito session cookies | Set by Amazon Cognito to keep you signed in. | Session / configurable |
You can clear or block cookies in your browser settings. Blocking the
Cognito session cookies will sign you out and prevent submitting,
voting, and accessing Pro features. Blocking ww_fp simply means a
new fingerprint will be assigned on your next visit; the Service still
works.
5. Your rights and choices
Regardless of where you live, you can:
- Access and update most account information from your account settings.
- Delete your account by emailing support@wrenchpit.com or using the account-deletion option in your settings if available. See Section 6 below regarding what is and is not deleted.
- Export your User Content by requesting a copy via support@wrenchpit.com.
- Opt out of non-essential email using the unsubscribe link in any marketing email we send. Transactional emails (security alerts, billing receipts) are sent regardless.
5.1 GDPR / UK GDPR rights
If you are in the EU, EEA, UK, or Switzerland, you have the right to:
- access your personal data;
- request rectification of inaccurate data;
- request erasure ("the right to be forgotten");
- restrict or object to processing;
- data portability (receive your data in a portable format);
- withdraw consent where processing is based on consent; and
- lodge a complaint with your local supervisory authority.
To exercise these rights, email support@wrenchpit.com. We may
need to verify your identity before responding.
5.2 California rights (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose;
- Access a copy of your personal information from the past 12 months;
- Delete personal information we hold, subject to legal exceptions;
- Correct inaccurate personal information;
- Limit the use of "sensitive personal information" (we do not knowingly collect sensitive personal information beyond account credentials, which we use only to provide the Service); and
- Not be discriminated against for exercising these rights.
We do not sell or share personal information as those terms are defined under the CCPA/CPRA. We do not knowingly process the personal information of California residents under 16 for the purpose of selling or sharing.
To exercise these rights, email support@wrenchpit.com with
"California Privacy Request" in the subject line. We may verify your
identity using your account email.
6. Data retention
- Active accounts. We retain your account information for as long as your account is active.
- Deletion. When you delete your account, we delete your profile, email, and authentication record from Cognito within 30 days, except where we are required to retain them by law or for fraud prevention.
- User Content after deletion. Because other users come to rely on your guides and comments, published User Content may remain on the Service after your account is deleted, subject to the license you granted in Section 4 of the Terms. You can request takedown of specific posts at support@wrenchpit.com and we will weigh the request against the public interest in keeping the guide available. Author attribution is anonymized after deletion (e.g., shown as "former member").
- Logs and backups. Server logs and database backups are retained for up to 90 days for security and disaster recovery, after which they are automatically purged.
7. Children's privacy
The Service is not directed to children under 18, and we do not
knowingly collect personal information from anyone under 18. If you
believe a child has created an account, email
support@wrenchpit.com and we will delete the account.
8. Security
We use reasonable administrative, technical, and physical safeguards to protect personal information, including:
- TLS encryption in transit;
- password hashing through Cognito;
- least-privilege access controls on the team;
- payment data segregation through Stripe;
- regular security review of dependencies.
No system is 100% secure. We cannot guarantee absolute security. You are responsible for keeping your password confidential and for notifying us promptly of any suspected unauthorized access.
9. International data transfers
Wrenchpit is operated from the United States and your information will be processed in the United States and other countries where our service providers (e.g., AWS, Stripe) operate. By using the Service, you understand that your information will be transferred to the United States. Where required by law, we use appropriate safeguards (e.g., Standard Contractual Clauses) for international transfers.
10. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date at the top reflects the most recent version. If a change is material, we will give reasonable advance notice (e.g., by email or in-app banner) before it takes effect.
11. Contact
Privacy questions, deletion requests, and GDPR/CCPA requests:
support@wrenchpit.com.
(TODO: replace with a real privacy contact email and a postal address before launch. EU/UK users may also have the right to designate an EU/UK representative — confirm whether one is required for our scale of processing.)