CipherCipher

Privacy Policy

Last updated: March 3, 2026

1. Introduction and Scope

Cipher Support Platform ("Cipher," "we," "us," or "our") operates at cipherdiag.ai. This Privacy Policy explains how we collect, use, share, and protect information when you use our services, including the Cipher web application, mobile application, and API (collectively, the "Platform").

This policy applies to all users of the Platform, whether you are a shop owner, service manager, technician, or any other role within your organization. By accessing or using Cipher, you consent to the data practices described in this Privacy Policy. If you do not agree with these practices, please do not use the Platform.

2. Information We Collect

We collect several categories of information to provide and improve the Platform. The types of information we collect depend on how you interact with Cipher.

Personal Information

When you create an account or update your profile, we may collect your name, email address, company or shop name, job title, and phone number. Phone number is optional and is only collected if you choose to provide it.

Vehicle and VIN Data

Cipher collects Vehicle Identification Numbers (VINs), year/make/model/trim, mileage, and engine specifications. VINs are collected when users scan or manually enter them for diagnostic purposes. This data is used to identify vehicles, retrieve relevant repair history, and provide accurate diagnostic recommendations.

Diagnostic Session Data

When you use Cipher's diagnostic features, we collect symptom descriptions, Diagnostic Trouble Codes (DTCs), AI-generated diagnoses, repair outcomes, parts used, and technician notes. This data powers the diagnostic engine and contributes to the shared knowledge base.

Usage and Analytics Data

We automatically collect information about how you interact with the Platform, including pages visited, features used, session duration, device type, browser information, and IP addresses. This data helps us understand usage patterns and improve the Platform.

Cookies and Tracking

Cipher uses essential cookies for authentication and session management. These cookies are necessary for the Platform to function properly. We do not use third-party advertising cookies or tracking technologies for ad targeting.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide and operate the diagnostic service. Your data enables us to deliver AI-powered vehicle diagnostics, manage support tickets, and facilitate communication between team members.
  • Generate AI-powered diagnostic recommendations. Vehicle data, symptom descriptions, and diagnostic codes are processed by our AI models to produce repair suggestions and diagnostic insights.
  • Build and maintain the Global VIN Database. Anonymized repair history is aggregated into a shared database that benefits all Cipher users by providing vehicle-level repair context.
  • Improve AI models using anonymized data. We use anonymized diagnostic session data, including symptom descriptions and repair outcomes, to refine the accuracy of our AI models.
  • Send service communications. We send account updates, security alerts, and important notices about changes to the Platform or this policy.
  • Analyze platform usage. Usage data helps us identify areas for improvement, fix bugs, and develop new features.
  • Enforce our Terms of Service. We may use collected information to detect and prevent fraud, abuse, or violations of our terms.

4. VIN and Vehicle Data

Vehicle data is central to Cipher's diagnostic capabilities. This section explains in detail how VIN and vehicle data is handled within the Platform.

When you look up a VIN, Cipher retrieves or creates a vehicle record in the Global VIN Database. This record contains vehicle specifications and, over time, an aggregated repair history contributed by shops across the Cipher network.

When you log a completed repair, the following data is contributed to the VIN record: repair type, diagnostic codes addressed, parts used, repair outcome, and date of service. This information helps other technicians understand a vehicle's history when that VIN is looked up in the future.

No personally identifiable information is attached to VIN records in the Global VIN Database. Contributing shop names, technician names, and customer information are never exposed to other users. The shared repair history is entirely anonymized.

VIN records are available to all Cipher users who look up that VIN, providing a shared repair history across the network. This collaborative approach improves diagnostic accuracy for everyone on the Platform.

Anonymized VIN repair data persists in the Global VIN Database even after account deletion, as it is no longer linked to any individual or shop. Because this data is fully anonymized, it cannot be traced back to any specific user or organization.

You may request that your account's contributions be anonymized at any time by contacting us at support@cipherdiag.ai.

5. AI-Generated Content

Cipher uses artificial intelligence to generate diagnostic recommendations, repair suggestions, and related insights. It is important to understand the nature and limitations of AI-generated content on the Platform.

AI output is provided as a reference tool and should not be treated as professional advice. All repair decisions should be verified by a qualified technician before any work is performed. Cipher does not guarantee the accuracy, completeness, or suitability of AI-generated recommendations for any specific situation.

Anonymized diagnostic session data, including symptom descriptions, diagnostic codes, and repair outcomes, may be used to improve AI model accuracy over time. This training process uses only de-identified data. We do not use personal information such as names, email addresses, or contact details in AI training data.

6. Data Sharing and Disclosure

We are committed to protecting your information and only share data in the limited circumstances described below.

Service Providers

We share data with third-party service providers who assist us in operating the Platform, including cloud hosting, analytics, and AI model providers. These providers are bound by confidentiality agreements and are only permitted to use your data as necessary to perform services on our behalf.

Legal Obligations

We may disclose your information if required to do so by law, court order, subpoena, or other governmental request. We will attempt to notify you of such requests where legally permitted.

Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.

Anonymized and Aggregate Data

We may share anonymized, aggregate statistics about platform usage and vehicle repair trends. This data does not identify any individual user or organization.

No Sale of Personal Information

We do not sell your personal information to third parties for marketing or advertising purposes.

7. Multi-Tenant Data Isolation

Cipher is a multi-tenant platform where each organization (such as an auto repair shop) has its own isolated data environment. We take data isolation seriously and implement multiple layers of protection to keep your organization's data separate from others.

Your shop's account data, including customers, support tickets, and internal notes, is separated from other organizations using database-level security policies. These policies are enforced at the database layer, meaning that even application-level errors cannot expose one organization's data to another.

Role-based access controls ensure that team members within your organization only see data appropriate to their assigned role. For example, a technician may only access tickets assigned to them, while a service manager can view all tickets within the shop.

The Global VIN Database is the only data shared across organizations, and as described in Section 4, it contains no personally identifiable information.

8. Data Security

We implement robust technical and organizational measures to protect your data from unauthorized access, alteration, disclosure, or destruction.

  • All data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption.
  • Database access is protected by row-level security (RLS) policies, ensuring that queries only return data the authenticated user is authorized to access.
  • We conduct regular security reviews and vulnerability assessments to identify and address potential risks.
  • Access to production systems is restricted to authorized personnel who use multi-factor authentication.
  • We maintain an incident response plan and will notify affected users of confirmed security breaches within 72 hours of discovery.

While we strive to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, but we are committed to implementing and maintaining industry-standard safeguards.

9. Data Retention and Deletion

We retain your information only for as long as necessary to fulfill the purposes described in this policy, unless a longer retention period is required by law.

  • Account Data: Retained as long as your account is active. After account deletion, personal data is removed within 30 days.
  • Diagnostic Session Data: Retained for the lifetime of your account to support the diagnostic knowledge base. Deleted within 30 days of account closure.
  • VIN History Data: Anonymized repair contributions to the Global VIN Database are retained indefinitely, as they are no longer associated with any individual or organization after anonymization.
  • Usage Analytics: Aggregated analytics data is retained for up to 24 months and then deleted or further anonymized.

You may request early deletion of your data at any time by contacting us. See Section 16 for contact details.

10. Your Rights Under CCPA (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with specific rights regarding your personal information.

  • Right to Know: You may request that we disclose what personal information we collect, use, and share about you. This includes the categories of information collected, the sources of that information, and the purposes for collection.
  • Right to Delete: You may request the deletion of your personal information, subject to certain legal exceptions (for example, data needed to complete a transaction or comply with a legal obligation).
  • Right to Opt-Out: You may opt out of the sale of your personal information. Please note that Cipher does not sell personal information to third parties.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights. You will not receive different pricing, quality of service, or access to features as a result of exercising your rights.

To exercise any of these rights, contact us at support@cipherdiag.ai. We will verify your identity before processing your request and respond within 45 days.

11. Your Rights Under GDPR (European Users)

If you are located in the European Economic Area (EEA), the General Data Protection Regulation (GDPR) grants you certain rights with respect to your personal data.

You have the right to:

  • Access the personal data we hold about you and receive a copy of that data.
  • Rectify inaccurate or incomplete personal data.
  • Erase your personal data under certain circumstances (also known as the "right to be forgotten").
  • Restrict processing of your personal data in specific situations, such as when you contest the accuracy of the data.
  • Data portability, allowing you to receive your data in a structured, commonly used, machine-readable format and transfer it to another service.
  • Object to processing of your personal data where we rely on legitimate interests as our legal basis.

Our legal bases for processing your personal data include: contract performance (providing the Cipher service to you), legitimate interests (improving the Platform and ensuring security), and consent (where applicable, such as for optional communications).

To exercise any of these rights, contact our data protection contact at support@cipherdiag.ai. We will respond to your request within 30 days.

12. Children's Privacy

Cipher is designed for professional automotive use and is not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 16 years of age.

If we learn that we have inadvertently collected personal data from a child under 16, we will take steps to delete that information promptly. If you believe that a child under 16 has provided us with personal information, please contact us at support@cipherdiag.ai so we can take appropriate action.

13. International Data Transfers

Cipher is based in the United States, and your data is primarily stored on servers located in the US. If you access the Platform from outside the United States, please be aware that your data may be transferred to, stored in, and processed in the US.

Data protection laws in the United States may differ from the laws in your country of residence. By using Cipher, you consent to the transfer of your information to the US and its processing there.

For users in the European Economic Area, we rely on Standard Contractual Clauses and other appropriate safeguards approved by relevant data protection authorities to ensure that international data transfers comply with applicable regulations.

14. Third-Party Services

Cipher integrates with third-party services to deliver core functionality, including cloud hosting providers, AI model providers, and analytics tools. These integrations are essential to the operation of the Platform.

Each third-party service provider has its own privacy policy governing how it handles data. We encourage you to review the privacy policies of these providers. While we select service providers that maintain appropriate data protection standards, we are not responsible for the privacy practices of third parties.

We regularly evaluate our third-party providers to ensure they continue to meet our security and privacy requirements. All providers are bound by contractual obligations regarding data protection and confidentiality.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will revise the "Last updated" date at the top of this page.

For material changes that significantly affect how we handle your personal information, we will notify you via email or through a prominent notice on the Platform before the changes take effect.

Your continued use of Cipher after any changes to this policy constitutes your acceptance of the updated terms. We encourage you to review this page periodically to stay informed about how we protect your data.

16. Contact Information

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us:

Please include "Privacy" in the subject line of your email for faster routing to the appropriate team. We aim to respond to all privacy-related inquiries within 10 business days.