Privacy Policy
Plain English. Updated June 2026.
The short version
We do not require an account. We do not collect names, emails, phone numbers, or any other personal data. We do log the VINs you submit and your IP address for caching and rate-limiting purposes, both with short retention. We use Google Analytics and Microsoft Clarity for site analytics — these are the only tracking cookies. We do not sell or share your data, and we do not run ads.
What we collect
- VIN queries. Each VIN you submit is cached against a Cloudflare KV key (v1:{VIN}) for 7 days so the second request for the same VIN is fast and cheap. We do not link the VIN to you personally.
- IP-level rate-limit counter. To prevent abuse we count requests per IP per UTC day (rl:{IP}:{date}). The counter expires within ~25 hours. The IP is not stored beyond the counter key itself.
- Server logs. Cloudflare Workers writes standard request logs (path, response code, response time, IP). We use these for debugging and abuse detection. Cloudflare's default retention applies (typically days, not months).
- Analytics events. Page views and basic interaction events via Google Analytics 4 (with anonymize_ip enabled) and Microsoft Clarity (heatmaps and session recordings, IP automatically masked by Microsoft).
What we do not collect
No names, email addresses, phone numbers, payment information, location beyond what an IP implies, browsing history outside CheckMyVIN, advertising IDs, or social-network identifiers. We do not run advertising trackers. There is no CheckMyVIN account to create.
Third-party services
- NHTSA (US federal government) — Every VIN you submit is forwarded to NHTSA's VPIC decode and recalls APIs. These are public, free, no-API-key endpoints. NHTSA's data practices govern that hop.
- OpenAI (or proxy) — The decoded fields plus the recall list are sent to a small OpenAI-compatible model to generate the plain-English summary. We send only the decoded VPIC fields and recall metadata — never your IP, never the original VIN as a personal identifier. OpenAI's API terms govern that hop.
- Google Analytics 4 — Page-level analytics via gtag.js. anonymize_ip is on. Governed by Google's privacy policy.
- Microsoft Clarity — Session heatmaps for UX research. Microsoft automatically masks IPs and form-input contents. Governed by Microsoft's privacy policy.
- Cloudflare — Edge hosting and WAF. Standard Cloudflare data practices apply.
Cookies
CheckMyVIN itself sets no cookies. The only cookies on the site are set by Google Analytics and Microsoft Clarity for analytics purposes (session IDs and page-view counters). You can block these via your browser's extension of choice (uBlock Origin, Privacy Badger) and the site will continue to work exactly the same.
Data retention
VIN report cache: 7 days. Rate-limit counters: ~25 hours. Server logs: per Cloudflare default (typically days). Analytics events: per Google / Microsoft default. We do not maintain a separate user database.
Your rights
Since we hold no personal account data, most privacy rights (access, deletion, correction) do not have records to act on. If you believe an IP-keyed counter or a cached VIN report is yours and you want it cleared, email kimicode@hotmail.com with the specific VIN or IP and we will purge the relevant KV entry.
Children
CheckMyVIN is not directed at children under 13 and does not knowingly collect data from them. (We don't knowingly collect data from anyone in the personal sense — see above.)
Changes to this policy
If we change the policy materially (new third-party service, longer retention, new data type), we will update the date at the top and post a short summary on the home page. There is no email list to notify.
Contact
kimicode@hotmail.com — questions, data-purge requests, anything privacy-related.