Privacy Policy

Effective date: 27 May 2026  •  Last updated: 27 May 2026

This Privacy Policy explains how Romeo Solution LLC (“Lot Flow,” “we,” “us,” or “our”) collects, uses, shares, and protects information in connection with the Lot Flow mobile and web application (the “Service”). Lot Flow is a business-to-business tool that vehicle dealerships and their vendors use to manage vehicle reconditioning workflows. It is not directed to consumers or children.

1. Who We Are

The data controller responsible for your information is:

2. Information We Collect

We collect only the information needed to operate the Service. We do not sell personal information.

Information you provide:

| Category | Examples |
|---|---|
| Account data | Email address, display name, assigned role, and the dealership location(s) you belong to. |
| Vehicle records | VIN, make, model, year, trim, color, stock number, mileage, cost figures, asking price, and sale price. |
| Work order records | Vendor assignments, cost line items, status history, and notes you enter. |
| Photos | Vehicle photos that you choose to upload. |

Information collected automatically

  • Authentication tokens — secure session tokens stored locally on your device to keep you signed in.

  • Diagnostic data — if the app crashes, Google Play may provide us aggregated, de-identified crash and performance reports.

Camera

The app uses your device camera in two ways, only when you initiate them:

  • VIN barcode scanning — performed entirely on your device using Google ML Kit. The camera image is processed locally and is not uploaded; only the decoded VIN text is stored.

  • Vehicle photos — when you take or attach a photo, that image is uploaded and stored as part of the vehicle record.

We do not collect: precise/GPS location, contacts, calendar, microphone, SMS, advertising identifiers, browsing or behavioral profiles, biometric data, health data, or financial-account credentials. The app contains no advertising and no third-party ad trackers.

3. How We Use Information

  • To provide, maintain, and secure the Service and your account.

  • To display and manage vehicle records and reconditioning work orders for your dealership.

  • To decode VINs you scan or enter (see Section 5).

  • To communicate with you about your account or support requests.

  • To detect, prevent, and address technical issues, fraud, or abuse.

4. Legal Bases for Processing

Where the EU/UK GDPR applies, we process personal data on these bases:

  • Performance of a contract — to provide the Service to your organization and to you as its authorized user.

  • Legitimate interests — to keep the Service secure, reliable, and improved, balanced against your rights.

  • Legal obligation — where we must retain or disclose data to comply with applicable law.

5. Who We Share Information With

We share information only with the service providers (sub-processors) that make the Service work:

| Sub-processor | Purpose | Data involved |
|---|---|---|
| Supabase | Database, file storage, authentication, and server-side functions that power the app. | All account, vehicle, work order, and photo data. |
| NHTSA vPIC API (vpic.nhtsa.dot.gov) | Decoding a VIN into vehicle specifications. A U.S. government public service. | Only the 17-character VIN. No personal data. |
| Google Play | App distribution and aggregated crash/performance reporting (Android). | De-identified diagnostic data. |

We may also disclose information if required by law, to enforce our terms, or to protect the rights, safety, and security of our users or the public. We do not sell or rent personal information to third parties.

6. International Data Transfers

Our infrastructure provider (Supabase) hosts data in cloud data centers that may be located in the United States or other regions. Where data is transferred internationally, we rely on appropriate safeguards such as our providers’ standard contractual clauses and security commitments.

7. Data Retention

  • We retain account and operational data for as long as your account is active and your organization uses the Service.

  • When an account is deleted, personal identifiers (such as email and name) are removed. Vehicle and work order records may be retained by the dealership organization that owns them, in de-identified or organizational form, for their business and recordkeeping needs.

  • Encrypted backups managed by our infrastructure provider rotate on a short cycle (typically 7–30 days) and then expire.

8. Your Rights

Subject to applicable law (including GDPR, UK GDPR, and the CCPA for California residents), you may:

  • Access the personal data we hold about you.

  • Correct inaccurate data — you can edit your profile details directly in the app.

  • Delete your account and associated personal data. Deletion requests are honored within 30 days; account deletion triggers server-side removal of your personal data.

  • Port a copy of your data in a portable format on request.

  • Withdraw consent — deleting your account ends our processing of your personal data.

  • Lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at support@lotflowops.com.

9. Children’s Privacy

The Service is a business tool intended for use by authorized dealership and vendor personnel. It is not directed to children, and we do not knowingly collect personal information from anyone under 13 (or the equivalent minimum age in your jurisdiction). If you believe a child has provided us personal information, contact us and we will delete it.

10. Security

  • All data is transmitted over encrypted connections (TLS/HTTPS).

  • Data is encrypted at rest by our infrastructure provider.

  • Row-Level Security policies enforce strict separation between dealership tenants, so users only see data they are authorized to access.

  • Authentication tokens are kept in your device’s secure application storage.

No method of transmission or storage is 100% secure, but we work to protect your information using industry-standard measures.

11. Changes to this Policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date above and, where appropriate, notify you within the Service. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

12. How to Contact Us

Questions, requests, or complaints about this Privacy Policy or your data can be sent to:
Romeo Solution LLC
support@lotflowops.com