Rueda Lens

Car and Go Technologies, S.L.

Privacy Policy

Last updated: April 8, 2026

This Privacy Policy governs the processing of personal data of users who access and use the Rueda Lens service (hereinafter, the "Service"), operated by Car and Go Technologies, S.L. (hereinafter, the "Controller" or the "Company"). The Service consists of a REST API and associated dashboard that enable businesses to identify tire sizes and vehicle information from images using artificial intelligence.

Processing is carried out in accordance with Regulation (EU) 2016/679 (GDPR), Organic Law 3/2018 of 5 December (LOPDGDD), and, where applicable, Law 34/2002 of 11 July (LSSI-CE).

1. Controller

Car and Go Technologies, S.L.

Registered address: C/ Valentí Almirall, 10, 08242, Manresa (Barcelona), Spain

Data protection contact: info@tireandgo.com

2. Data processed, purposes and legal bases

2.1 Account and access management

Data: first name, last name, company name, email address, hashed password.

Purpose: create and manage your Rueda Lens account and grant access to the Service.

Legal basis: performance of a contract (Art. 6.1.b GDPR).

Required: yes — without this data the account cannot be created.

2.2 API key management

Data: API key prefix (first characters, stored for display only); the full key is hashed using bcrypt and never stored in plain text.

Purpose: authenticate requests to the API, enforce per-key rate limits and quotas.

Legal basis: performance of a contract (Art. 6.1.b GDPR).

2.3 Image processing

Data: tire and vehicle images uploaded via the API.

Purpose: perform AI-based tire size and vehicle identification. Images are stored in Cloudflare R2 (EU region) and automatically deleted after 30 days.

Legal basis: performance of a contract (Art. 6.1.b GDPR).

2.4 Request logs

Data: recognition results, confidence scores, tire size, vehicle model, error codes, timestamps, image references.

Purpose: provide request history in the dashboard, support debugging, improve Service quality.

Legal basis: legitimate interest of the Controller (Art. 6.1.f GDPR).

2.5 Billing and usage

Data: monthly request counts, plan type, overage, invoice records. Payment card data is processed exclusively by Stripe and never stored on our servers.

Purpose: calculate usage, issue invoices, manage subscriptions.

Legal basis: performance of a contract (Art. 6.1.b GDPR); legal obligation for invoice retention (Art. 6.1.c GDPR).

2.6 Technical and security logs

Data: IP address, connection data, access logs.

Purpose: ensure Service availability, detect and prevent fraud, abuse, and security incidents.

Legal basis: legitimate interest of the Controller (Art. 6.1.f GDPR).

2.7 Exercise of data subject rights

Data: identification and contact data provided in the request.

Purpose: handle requests to exercise rights under the GDPR and LOPDGDD.

Legal basis: legal obligation (Art. 6.1.c GDPR).

3. Recipients and processors

Data will only be shared where necessary for the purposes described above. The Company uses the following processors under data processing agreements as required by the GDPR:

  • Cloud infrastructure providers (API hosting and web application hosting). May involve international transfers — see Section 4.
  • Cloud storage provider (image storage, EU region).
  • Transactional email provider. May involve international transfers — see Section 4.
  • AI image analysis provider. Data is processed outside the EEA — see Section 4.
  • Vehicle data enrichment provider.
  • PostHog (usage analytics; servers located in the European Union).
  • Stripe (payment processing). May involve international transfers — see Section 4.

Data will also be shared with competent public authorities and regulators when required by law.

4. International transfers

Some processors listed above operate outside the European Economic Area (EEA), in particular our AI image analysis provider, cloud infrastructure providers, transactional email provider, and Stripe. Where such transfers occur, they are carried out under Standard Contractual Clauses adopted by the European Commission (Arts. 44 et seq. GDPR) or another valid transfer mechanism. Details of applicable mechanisms are available on request at info@tireandgo.com.

5. Retention periods

  • Account data: retained while the account is active; after closure, blocked for up to 5 years to cover applicable limitation periods.
  • Images: automatically deleted after 30 days.
  • API request logs: up to 1 year.
  • Billing and invoice data: up to 5 years, in compliance with Spanish fiscal obligations.
  • Technical and security logs: up to 1 year, unless a security incident requires longer retention.
  • Data subject rights records: as required by applicable law.

Once retention periods expire, data is securely deleted or anonymised.

6. Data subject rights

Under Arts. 15–22 GDPR and Arts. 12–18 LOPDGDD, you have the right to:

  • Access your personal data.
  • Rectify inaccurate data.
  • Erasure ("right to be forgotten") where applicable.
  • Object to processing based on legitimate interest.
  • Restriction of processing.
  • Data portability where applicable.
  • Not to be subject to solely automated individual decisions.

To exercise these rights, contact us in writing at:

Car and Go Technologies, S.L. C/ Valentí Almirall, 10, 08242, Manresa (Barcelona), Spain info@tireandgo.com

If you believe your rights have not been adequately addressed, you may lodge a complaint with the Spanish Data Protection Agency (AEPD) at www.aepd.es.

7. Security

The Company applies appropriate technical and organisational measures to ensure the confidentiality, integrity and availability of personal data in accordance with Art. 32 GDPR, including access controls, authentication, encryption, backups and incident logging.

8. Cookies

The Rueda Lens marketing site uses cookies and similar technologies.

8.1 Types of cookies used

  • Essential cookies: required for the site to function correctly (navigation, security). Do not require consent.
  • Analytics cookies: used to measure traffic and analyse how visitors interact with the site, in order to improve it (PostHog, EU servers).

8.2 Legal basis

Essential cookies are installed on the basis of the Controller's legitimate interest (Art. 6.1.f GDPR). Analytics cookies are only installed with your explicit, informed consent (Art. 6.1.a GDPR), obtained via the cookie banner.

8.3 Consent management

On your first visit you will see a cookie banner that allows you to accept all cookies, decline non-essential cookies, or configure your preferences. You may change or withdraw your consent at any time by clicking "Manage Cookies" in the site footer.

8.4 Processors and international transfers

Analytics cookies are managed by PostHog, whose servers are located in the European Union. Processing is carried out in accordance with PostHog's privacy policy and a data processing agreement signed with the Controller.

9. Updates

Car and Go Technologies, S.L. may update this Privacy Policy to reflect changes in applicable law or processing activities. The current version is always available at ruedalens.com/privacy.