Privacy Policy
1. Who We Are
Legal Name: CoreAutoFix
Address: 6299 Powers Avenue Storage N#22, Jacksonville, FL 32217, USA
Contact: admin@coreautofix.com | (904) 846-0751
2. Information We Collect
Identification: Includes name, surname, telephone number, and email address. Collected when you request an appointment through our online scheduling system.
Service Description: Brief notes about the vehicle’s issue or problem. Collected via the appointment request form.
Vehicle Data: The vehicle’s VIN (Vehicle Identification Number) and the vehicle’s location. Collected after confirming the appointment.
Financial Data: Payment method and the last 4 digits of your payment card. Collected for billing and payment processing.
Communications: The content of messages and attachments you send via WhatsApp. Collected during the contractual relationship (e.g. while your service appointment or repair is ongoing).
Cookies/Similar Files: Session information and language preference. Will be collected when you visit our website (feature planned for future implementation).
3. Purposes of Processing
We use the personal information we collect for the following purposes:
To schedule, confirm, and remind you of appointments.
To manage cancellations or rescheduling of appointments.
To issue estimates, invoices, and tax receipts, in accordance with IRS record-keeping rules (which generally require retaining records for a minimum of 3–6 years, or 4 years for payroll tax records).
To collect and process payments, in compliance with Payment Card Industry Data Security Standards (PCI-DSS) requirements (Level 4 compliance for small businesses).
To address technical questions or service inquiries that you send via our WhatsApp Business communications.
To fulfill local legal obligations, such as maintaining a valid business license and paying applicable municipal taxes.
4. Legal Bases and Applicable Frameworks
Our privacy practices adhere to the following legal and regulatory frameworks:
Federal Trade Commission (FTC) Act & “Protecting Personal Information” Guide: We follow the FTC’s five key principles for data protection (taking stock of data collected, limiting collection, protecting data, proper disposal, and having a plan). In practice, we have adopted policies for data minimization, encryption, and incident response.
Telephone Consumer Protection Act (TCPA): For SMS or WhatsApp communications, we obtain your express written consent before sending any automated messages, and we always provide a quick way for you to opt out of such messages.
PCI-DSS v3.2.1: We adhere to credit card security standards. For example, we complete the relevant Self-Assessment Questionnaires (SAQ A/SAQ B for our case), conduct quarterly scans by Approved Scanning Vendors (ASV) as needed, and use TLS encryption for all payment processing.
Gramm-Leach-Bliley Act (GLBA) / Regulation P: In the event we handle financing or other financial services, we comply with GLBA by providing this privacy notice and limiting the sharing of any “non-public personal information” as required.
Florida Digital Bill of Rights (FDBR) 2024: Although FDBR’s revenue thresholds generally exclude small businesses like ours, we voluntarily extend the rights of access, correction, deletion, and opt-out to our customers (see Section 9 below for details on your rights).
California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA): Our business likely falls below the applicability thresholds of California’s privacy laws; however, we do not sell personal information, and we extend the privacy rights described in this policy to California residents.
Children’s Online Privacy Protection Act (COPPA): Our services are not directed to children under 13, and we do not knowingly collect information from minors. We do not solicit or accept personal data from children.
5. Sharing and Third Parties
We do not sell your personal information to third parties. We only share your personal data with certain third parties as necessary to operate our business or comply with the law, as outlined below:
Internal Mechanics and Mobile Service Providers: We may share relevant information with our in-house mechanics or contracted mobile technicians in order to diagnose and repair your vehicle. These parties operate under confidentiality agreements and are granted only the minimum necessary access to your data to perform their work.
Payment Processor: We use a PCI-DSS Level 1 certified payment processing company to handle credit/debit card transactions for our services. Your financial information is shared with this processor solely for billing and charging purposes, under strict security standards.
WhatsApp LLC (Meta): We use WhatsApp Business to communicate with customers (for appointment updates, service inquiries, etc.). This means some message content or metadata may be processed by WhatsApp’s servers, which could be located outside the U.S. (see Section 12 on international transfers). WhatsApp is certified under the EU-U.S. Data Privacy Framework and is overseen by the FTC, ensuring it implements appropriate data safeguards.
Tax Authorities: We may disclose required information to government tax authorities for purposes of tax filings or audits. Such information is shared only when legally mandated and in compliance with applicable laws (for example, providing records to the IRS or local tax agencies if audited).
6. Information Security
We take the security of personal information seriously and implement various measures to protect it:
Data Inventory & Classification: We maintain an inventory of the personal and sensitive data we hold, and we classify data to ensure appropriate handling according to its sensitivity (per FTC guidance).
Encryption: We protect personal data with encryption in transit (for example, our website and online forms use HTTPS/TLS 1.2 or above) and at rest when stored in our systems.
Access Controls: We enforce role-based access control policies, meaning employees and contractors only access the information necessary for their role. Access to personal data is limited to authorized personnel on a need-to-know basis.
Backups: We perform regular encrypted data backups and periodically test our ability to restore information from backups, to safeguard against data loss.
Secure Disposal: We dispose of personal data safely when it is no longer needed. This includes techniques such as shredding physical documents and securely wiping or degaussing electronic media, following FTC recommendations for data disposal.
Incident Response Plan: We have a data breach response plan. In the event of a security incident that compromises personal information, we will notify affected customers and, if required, report to regulators such as the FTC and the Florida Attorney General’s office.
7. Retention and Destruction
We retain personal information only for as long as necessary to fulfill the purposes described in this policy or as required by law. In general:
Appointment and Vehicle Service Records: Retained for three (3) years after your last service, unless a longer retention period is required by law.
Tax and Billing Records: Retained for at least 4–6 years in accordance with IRS guidelines for recordkeeping.
WhatsApp Communications: Retained for up to 18 months, unless a particular conversation is part of an ongoing dispute or matter that requires us to keep it longer.
After the applicable retention period has elapsed, we will permanently destroy or erase the personal data in a secure manner such that it cannot be reconstructed or recovered (for example, by physical shredding of paper records or secure deletion of electronic files).
8. Cookies and Similar Technologies
8.1 Overview
Our website uses cookies, pixel tags, local storage objects, and similar technologies (collectively, “Cookies”) to recognize your browser, improve site performance, and—only with your permission—measure audience analytics or display targeted advertising.
8.2 Categories of Cookies
| Category | Purpose | Default Status* | Typical Lifespan** |
|---|---|---|---|
| Strictly Necessary | Core site functionality, security, load-balancing. | Always active | Up to 12 months |
| Functional / Preferences | Remember language or location preferences. | Off until “Accept All” or “Customize ➜ Enable” | 1–12 months |
| Performance / Analytics | Aggregate site statistics (e.g., Google Analytics). | Off until “Accept All” or “Customize ➜ Enable” | 1–24 months |
| Advertising / Targeting | Deliver interest-based ads or measure campaigns. | Off until “Accept All” AND explicit “Enable Targeting” | 1–12 months |
* “Default Status” refers to how the CDPR Cookie Consent banner loads for first-time visitors under our U.S. opt-out model: only Strictly Necessary cookies are dropped automatically.
** Exact duration varies by cookie vendor; full details appear in the in-banner “Cookie List” table generated by the plugin and in our standalone Cookie Policy page.
8.3 Your Choices & the Cookie Banner
First Visit Banner. Upon your first visit (or after any substantial policy change) a banner will appear at the bottom of the screen offering:
“Accept All” – consents to all optional cookies;
“Reject Non-Essential” – keeps only Strictly Necessary cookies;
“Customize” – opens the Preferences Centre where you may toggle individual categories.
Persistent Controls. A “Cookie Settings” link is permanently placed in our footer. You may withdraw or modify consent at any time.
Accessibility. The banner and preference centre meet WCAG 2.1 AA contrast and keyboard-navigation requirements, ensuring equal access for users with disabilities.
8.4 Opt-Out Rights Under Florida & CCPA/CPRA
Under the Florida Digital Bill of Rights and, where applicable, the California Consumer Privacy Act, you may:
Opt out of sale or sharing of personal data for targeted advertising (we do not currently sell personal data).
Exercise the broader privacy rights listed in Section 9.
The banner contains a prominent “Do Not Sell/Share My Personal Information” link that triggers an opt-out flag in our consent database.
8.5 Do Not Track & Global Privacy Control
We honor Global Privacy Control (GPC) signals sent by your browser. If received, we automatically 1) disable analytics/advertising cookies and 2) register your opt-out preference in our system, without further action from you.
8.6 Cookie Retention & Deletion
Cookie identifiers are retained for the period shown in Table 8.2, after which they expire or are refreshed only upon renewed consent. You can manually delete cookies via your browser settings at any time. Where cookie-derived data is linked to personal information, we apply the retention limits in Section 7.
9. User Rights
Even though our company may be exempt from certain provisions of the Florida Digital Bill of Rights due to our size, we choose to extend the following privacy rights to all of our customers:
Access: You have the right to request information about what personal data we have collected about you and to obtain a copy of that data.
Correction: If any of your personal information is incorrect or outdated, you have the right to request a correction or update.
Deletion: You can request that we delete your personal information when it is no longer needed for the purposes for which it was collected. (Note that we may not delete information that we are required to keep by law or that is necessary to complete an ongoing transaction or comply with legal obligations.)
Data Portability: You have the right to request your personal information in a portable format. We can provide your data in a commonly used machine-readable format (for example, a CSV or PDF file) so that you can reuse it or transfer it to another provider if you wish.
Opt-Out: You have the right to opt out of receiving promotional communications from us, and to opt out of the sale of your personal data. (For clarity, we do not currently sell personal data to third parties.)
Exercising Your Rights: To make any request regarding your personal data, please send an email to admin@coreautofix.com with the subject line “Privacy Rights.” In the body of your email, please specify which right you seek to exercise and provide enough information to verify your identity (for example, your name and the email or phone number associated with your account or appointment). We will acknowledge and respond to your request within 45 business days of receipt, as required by law. We will not charge you for making a request, and we will not discriminate against you for exercising any of these privacy rights.
10. WhatsApp and SMS Communications
We will only send you appointment reminders, service updates, or other relevant messages via WhatsApp or SMS if you have given us prior consent to do so. (For example, by opting in through our appointment scheduling process or by requesting updates via messaging.)
Every automated text message we send will include clear instructions on how to opt out of future messages. For instance, you may see a line such as “Reply STOP to unsubscribe” in our messages; if you reply “STOP,” we will cease messaging you through that channel.
We do not use auto-dialers or prerecorded voice calls to contact you for marketing purposes without your express consent. We also do not send unsolicited marketing text messages. All communications will be related to your specific service appointments or inquiries, unless you have separately signed up for marketing communications.
11. Children’s Privacy
Our services are not directed to individuals under the age of 13. We do not knowingly solicit or collect personal information from children under 13 years old. In the unlikely event that we receive personal information from a child under 13 (for example, via a service request or message), we will promptly delete that information. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately so that we can take appropriate action.
12. International Transfers
As noted above, we use WhatsApp for some customer communications. Please be aware that WhatsApp (owned by Meta) may process and store chat data on servers located outside of the United States, including servers in the European Union or other jurisdictions. However, WhatsApp LLC is certified under the EU-U.S. and Swiss-U.S. Data Privacy Frameworks, which means it is committed to handling personal data from those regions in accordance with agreed-upon privacy principles and protections. In practice, this framework provides assurances that any personal information transferred across borders via WhatsApp is safeguarded with standards essentially equivalent to U.S. data protection requirements. We will also ensure that any other international data transfers comply with applicable legal requirements for cross-border data transfer and protection.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or relevant laws. When we make changes, we will update the “Last Updated” date at the end of this policy. If any changes are material (significant), we will provide prominent notice of those changes before they take effect. For example, we may notify you by email and/or place a noticeable alert on our website at least 30 days prior to the implementation of the substantial changes. We encourage you to review this Privacy Policy periodically for any updates.
14. Contact
If you have any questions, concerns, or complaints about our privacy practices or this policy, please contact us at the address below. We will do our best to address and resolve your concerns.
Privacy Officer
Daniel A. Fernandez
6299 Powers Avenue Storage N#22, Jacksonville, FL 32217, USA
admin@coreautofix.com
Last updated: July 13, 2025.