How Chassly stores your photos, VIN, and personal data

When you submit an assessment, your photos are uploaded to Cloudflare R2, a globally distributed object storage service comparable to Amazon S3. They're served from images.chassly.com over HTTPS only, and R2's encryption-at-rest is enabled by default. Photos are never accessible via direct URL guessing; the storage path includes randomized identifiers tied to your user ID and assessment ID.

Retention varies by tier. Basic-tier assessments have their photos automatically deleted after 12 months by a daily cron job. The assessment metadata (parts identified, cost estimates, severity) stays accessible in your history; only the underlying photos go away. Driver and Business tier photos are retained indefinitely as part of the subscription value.

You can request immediate deletion of any specific assessment's photos by deleting the assessment from your history. The R2 cleanup runs as part of the deletion flow, not on a delay.

If you decode a VIN to populate vehicle information, the raw 17-character VIN is encrypted with AES-256-GCM before being stored in our PostgreSQL database. We use a 256-bit key stored in Vercel's secrets manager, separate from the database itself. Without both the encrypted ciphertext and the key, the VIN cannot be recovered.

We also store a SHA-256 hash of the VIN for lookup purposes. Hashes let us check 'have we decoded this VIN before' without needing to decrypt anything. The hash is one-way; you cannot derive the VIN from it.

Critically: your VIN is NEVER sent to our AI provider or any other AI provider. The damage analyzer receives only your vehicle's year, make, and model, not the VIN itself. Same for all subsequent AI calls. Your VIN exists only in our encrypted database and the NHTSA VPIC API call we make to decode it initially.

User account data (email, name, password (hashed), session tokens) is managed by Clerk, our authentication provider. Clerk is SOC 2 Type II certified and handles password storage with bcrypt-equivalent hashing. We don't store your password directly; we couldn't see it even if we wanted to.

Profile metadata you control (first name, last name, profile photo) is mirrored from Clerk into our database for display purposes. You can update or remove this information from Settings → Profile at any time, and changes propagate to both Clerk and our database within seconds.

You can export every piece of data we have about you at any time. From Settings, the 'Export my data' button generates a JSON file containing your account profile, all vehicles, all assessment metadata (including AI results and reminders), all subscription history, all tags and notes, and all body shop click-throughs. This is your GDPR data export, yours to download whenever.

Account deletion is permanent and removes everything: account profile, vehicles, assessment metadata, photos in R2, subscription history. Stripe customer records are also marked for deletion. The only data we retain after deletion is anonymized aggregate analytics (page views, assessment counts by tier, etc.) that contain no personally identifiable information.

You can delete your account from Settings → Account → 'Delete account.' This is irreversible: there is no recovery period. If you re-sign up later with the same email, you start with a fresh account.

Our AI provider (purpose-built vision AI): receives your photos and your vehicle's year/make/model for damage analysis. They do not retain your data after the API call completes; their privacy policy commits to not training on customer data.

Google Places API: when you view nearby body shops, we send a geographic query (latitude/longitude). Your specific account isn't tied to the query; Google sees an anonymous request.

Stripe: handles all payment processing. They have your billing details (card number, expiration, billing address) which we never see. We only have the Stripe customer ID and subscription status.

Resend: handles email delivery. They process the email address and email content but don't retain messages after delivery.

Sentry: receives error reports if something breaks. We strip personally identifiable information from error contexts before sending.

Vercel Analytics: aggregate page-view counts, no personal identifiers.