Privacy Policy

  1. Introduction NobleWheels (“NobleWheels Inc.,” “we,” “our,” “us”) is a Canada-based concierge service that delivers turnkey procurement, financing, and ongoing management of luxury vehicles. This Privacy Policy explains how personal information is collected, used, stored, and disclosed when prospective buyers, owners, co-drivers, lenders, or visitors interact with noblewheels.ca, our mobile portal, or in-showroom devices.

  2. Privacy Policy (collection, processing, storage)
    • Information we collect
    (a) Identity & contact — full name, email, phone, province, preferred language, driver-licence number, government-issued ID scan.
    (b) Vehicle & transaction data — make/model preferences, custom-build specifications, VIN, purchase agreements, lease terms, warranty options.
    (c) Financial data — tokenised card reference, bank-verification results (read-only), credit-assessment score, billing address, GST/HST allocation, payment history.
    (d) Concierge logs — service appointments, detailing history, insurance renewals, mileage snapshots, telematics alerts (if the owner enables live tracking).
    (e) Marketing preferences — event RSVP records, test-drive wait-lists, newsletter selections.
    (f) Device telemetry — IP address, browser build, session duration, crash traces. (g) Support artefacts — chat transcripts, CCTV hand-over footage, signed delivery photos.

• Purposes
– verify identity and perform anti-money-laundering checks;
– structure financing proposals and e-sign purchase or lease contracts;
– register vehicles with provincial transport authorities and activate manufacturer warranties;
– schedule maintenance, detail and concierge pick-up, and send renewal reminders;
– process subscription fees, deposits, and ad-hoc service charges;
– generate aggregated, de-identified analytics that improve inventory planning and driving-experience packages; – detect fraud, protect staff and assets, and meet legal, tax, and insurance obligations.

• Retention Deal files and trust-account records are stored for the longer of ten years or the statutory period set by your provincial regulator. Telematics data older than twelve months is auto-purged unless you request a shorter cycle. Encrypted backups roll on a 35-day rotation.

• Access & correction
Verified clients may review or amend stored data at any time via My Garage in the app or by emailing privacy@noblewheels.ca.

• Consent Express consent is captured at account creation, credit-application submission, and whenever you enable live tracking or add a payment method. Implied consent applies to operational logs essential for security. You may withdraw consent except where records must be retained to honour an active loan, warranty, or statutory requirement; we will outline any service impact beforehand.

• Accountability Our Privacy Officer oversees annual internal audits, staff training, and written privacy inquiries, responding within 30 days.

  1. GDPR (if applicable)
    Although NobleWheels targets Canada, some clients may reside in the European Economic Area (EEA). Where the EU General Data Protection Regulation applies, we act as controller for profile, billing, and engagement data, and processor for telematics or warranty documents you supply. Processing bases: performance of contract (Art. 6 (1)(b)), legitimate interest in safeguarding high-value assets (Art. 6 (1)(f)), and legal obligation (Art. 6 (1)(c)). EEA residents may request access, rectification, erasure, restriction, portability, or objection via dpo@noblewheels.ca and may lodge complaints with their supervisory authority.

  2. Cookie Policy

4.1. Types of cookies
• Essential — session tokens, CSRF guards, load-balancer cookies required for secure login.
• Preference — remembers interface language, currency, dark-mode toggle, and saved vehicle configurations.
• Analytics — first-party Matomo cookies with IP truncation that measure browsing latency and feature adoption. • Marketing — optional cookies announcing limited-edition launches or partner track-day events; never shared with ad networks.

4.2. How to disable cookies
Most browsers let you block or delete cookies. Essential cookies are mandatory for portal access; disabling them prevents login. Preference and analytics cookies can be declined via our banner or by enabling “Do Not Track.” Marketing cookies load only after explicit opt-in and can be revoked under Account → Privacy.

  1. Transfer to Third Parties
    We never sell personal information. Limited disclosures occur only to:
    • Canadian cloud hosts running encrypted servers in Toronto and Calgary;
    • PCI-DSS Level 1 payment processors and regulated lenders;
    • Provincial vehicle registries and insurance carriers to finalise ownership and coverage;
    • Manufacturer partners for warranty activation (shared data: VIN, service date, mileage);
    • Legal counsel, auditors, or courts when compelled;
    • Law-enforcement agencies for theft, fraud, or public-safety investigations. All vendors sign Data-Processing Agreements mandating safeguards equal to PIPEDA and, where required, EU Standard Contractual Clauses.

  2. Data-Security Measures
    • AES-256-GCM encryption at rest with tenant-specific keys stored in FIPS 140-2 Level 3 Hardware Security Modules.
    • TLS 1.3 with Perfect Forward Secrecy for data in transit.
    • Zero-trust segmentation isolating each client vault.
    • Role-based access control enforced by hardware-backed multi-factor authentication.
    • Hourly incremental and nightly full backups replicated across two Canadian regions (RPO 15 min, RTO 4 h).
    • Continuous vulnerability scanning, quarterly penetration tests, and annual SOC 2 Type II audit. • Incident-response plan that notifies affected users within 72 hours of a confirmed breach and publishes remediation steps.

  3. Effective Date This Privacy Policy is effective as of 19 June 2025 and supersedes all earlier versions. Material updates will be announced by email and in-app notice at least 30 days before coming into force.