Legal

Privacy Policy

XPCO, Inc. Motrvu Platform Privacy Policy

Effective Date: March 27, 2026 · Last Updated: March 27, 2026

1. Introduction

XPCO, Inc. (“XPCO,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Motrvu platform (“Platform”).

XPCO is a Delaware corporation with operations in California. For users in the European Economic Area (EEA), United Kingdom, or Switzerland, XPCO acts as the data controller for personal data processed through the Platform.

Please read this Privacy Policy carefully. By using the Platform, you consent to the practices described herein.

2. Information We Collect

2.1 Information You Provide

Account Information:

Name
Email address
Phone number
Job title
Organization name and type
Role within organization

Organization Information:

Business name and address
Primary and secondary owner contact information
Billing contact information
DMS (Dealer Management System) identifiers

Campaign and Business Data:

Campaign names, budgets, and parameters
Target audience demographics and interests
Geographic targeting preferences
Creative assets (images, videos, audio)
Campaign performance goals

Lead Information (On Your Behalf):

Lead contact information (name, email, phone)
Vehicle interests and preferences
Lead source and campaign attribution
Lead form responses from advertising platforms

Vehicle Inventory Data:

VIN (Vehicle Identification Number)
Stock numbers
Make, model, year, trim
Pricing information
Vehicle images and descriptions

2.2 Information Collected Automatically

Technical Data:

IP address
Browser type and version
Device type and operating system
Referring URL
Pages viewed and time spent
Click patterns and navigation paths

Usage Analytics (via PostHog):

Session recordings (with sensitive data masked)
Feature usage patterns
User interaction events
Error encounters
Performance metrics (page load times)

Authentication Data (via Clerk):

Login timestamps
Authentication method used
Session identifiers
Failed login attempts

2.3 Information from Third Parties

Advertising Platforms:

Campaign performance metrics (impressions, clicks, reach)
Lead form submissions (from Meta, Google)
Advertising account identifiers

Integration Partners:

3VA campaign performance data
Platform-specific metrics

3. How We Use Your Information

3.1 Service Delivery

We use your information to:

Provide and maintain the Platform
Process and manage advertising campaigns
Track and report campaign performance
Manage vehicle inventory for advertising
Facilitate lead capture and management
Provide customer support

3.2 Platform Improvement

We use analytics data to:

Understand how users interact with the Platform
Identify and fix bugs and errors
Develop new features and improvements
Optimize user experience

3.3 Communications

We may contact you to:

Send service-related notifications
Provide campaign status updates
Respond to inquiries and support requests
Send important account updates
Provide product updates (with consent where required)

3.4 Security and Compliance

We use information to:

Detect and prevent fraud
Monitor for security threats
Comply with legal obligations
Enforce our Terms of Service

3.5 Legal Bases for Processing (EEA/UK Users)

For users in the EEA, UK, or Switzerland, we process personal data based on:

Contract: Processing necessary to perform our contract with you
Legitimate interests: Processing necessary for our legitimate business interests
Consent: Where you have given consent for specific processing activities
Legal obligation: Processing necessary to comply with applicable law

4. How We Share Your Information

4.1 Service Providers (Sub-processors)

We share data with service providers who assist in operating the Platform.

4.2 Advertising Platforms

To execute advertising campaigns, we share necessary data with:

Meta (Facebook/Instagram)
Google (YouTube, Google Ads)
TikTok
Spotify

Data shared is limited to what is necessary for campaign execution.

4.3 Within Your Organization

For organizations using the Platform:

Parent organizations (dealer groups, OEMs) may access aggregated performance data of child organizations
Organization administrators may access user activity within their organization

4.4 Legal Requirements

We may disclose information:

To comply with legal obligations
To respond to lawful requests by public authorities
To protect our rights, privacy, safety, or property
In connection with legal proceedings

4.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.

4.6 With Your Consent

We may share information with other parties when you provide explicit consent.

5. Data Retention

We retain personal data for as long as necessary to fulfill the purposes described in this Privacy Policy.

Organizations may request earlier deletion of their data, subject to legal retention requirements.

6. Data Security

6.1 Encryption

We implement strong encryption measures:

At Rest: Sensitive personal data encrypted using AES-256-GCM
In Transit: All data transmitted using TLS 1.2 or higher
Key Management: Encryption keys rotated annually with version tracking

6.2 Access Controls

We maintain strict access controls:

Role-based access control (RBAC)
Multi-factor authentication available
Regular access reviews
Principle of least privilege

6.3 Infrastructure Security

Data hosted on SOC 2 compliant infrastructure (Vercel)
Regular security assessments
Automated vulnerability scanning
Incident response procedures

6.4 Encrypted Fields

The following data fields are encrypted at rest:

Email addresses
Phone numbers
Billing contact information
Primary/secondary owner details
VINs (Vehicle Identification Numbers)

7. International Data Transfers

7.1 Transfer Mechanisms

For users in the EEA, UK, or Switzerland, personal data is transferred to the United States. We rely on the following mechanisms:

EU-U.S. Data Privacy Framework (where applicable)
Standard Contractual Clauses (SCCs) approved by the European Commission
UK Addendum to the SCCs for UK transfers

7.2 Additional Safeguards

We implement supplementary measures including:

Encryption of data in transit and at rest
Access controls and audit logging
Contractual obligations with sub-processors

8. Your Privacy Rights

8.1 Rights for All Users

All users may:

Access their personal data
Correct inaccurate data
Request deletion of data
Withdraw consent for marketing

8.2 Additional Rights for EEA/UK Users

Under GDPR, you also have the right to:

Data Portability: Receive your data in a structured, machine-readable format
Restriction: Request limitation of processing
Object: Object to processing based on legitimate interests
Automated Decision-Making: Not be subject to solely automated decisions with legal effects

8.3 Additional Rights for California Residents

Under CCPA/CPRA, California residents have additional rights as described in our California Privacy Notice.

8.4 Exercising Your Rights

To exercise your rights, contact us at:

Email: info@motrvu.com
Response Time: Within 30 days (45 days for complex requests)

We may need to verify your identity before processing requests.

9. Cookies and Tracking Technologies

9.1 Types of Technologies Used

We use:

Session Cookies: For authentication and security
Analytics Tracking: PostHog for usage analytics
Session Recording: Selective recording with data masking

9.2 Do Not Track

We respect browser Do Not Track (DNT) signals. When enabled, we limit non-essential tracking.

9.3 Cookie Management

For detailed information, see our Cookie Policy.

10. Children’s Privacy

The Platform is not intended for individuals under 16 years of age. We do not knowingly collect personal information from children. If we learn we have collected such information, we will delete it promptly.

11. Third-Party Links

The Platform may contain links to third-party websites. We are not responsible for the privacy practices of these sites. We encourage you to review their privacy policies.