v vinfax.
Home / Legal / Privacy policy
Legal · Updated

Privacy policy

vinfax.net is a public-data archive. We collect the minimum needed to run the site and we do not track who looks up which VIN. No accounts, no analytics, no advertising cookies. This policy explains in plain terms what we do hold and how to ask for it to be removed.

Quick summary

  • No user accounts — no registration, no login, no profile, no email subscription.
  • No analytics — no Google Analytics, Plausible, Fathom, Matomo, Mixpanel, Hotjar, Posthog or similar.
  • No ad cookies, no retargeting, no tracking pixels. No Facebook Pixel, no marketing tags.
  • One first-party session cookie for CSRF protection on the VIN search and contact forms.
  • Standard server access logs kept about 30 days for operational reasons.
  • We never sell, rent or share visitor data. There is nothing to sell.

What we collect from visitors

Web server access logs.
Our LiteSpeed server writes a standard access-log line for every request: IP address, user-agent, requested URL, referer, timestamp, response code. These sit on the server only — no third-party log analytics receives a copy. We keep about 30 days for debugging, abuse mitigation and capacity planning, then they rotate out.
One first-party session cookie.
A cookie named vinfax_session is set on first request. It carries the CSRF token that protects the VIN search form and the contact form. It is encrypted, HttpOnly, Secure, SameSite=Lax, and expires after 2 hours. The value is an opaque session ID — no personal information, never joined with the access log.

That is the entirety of what vinfax.net itself collects. We do not log which VINs you look up against your IP. We keep no per-visitor history.

Third-party services

Three external services are involved in delivering a page. We name them so you can read their policies too.

Cloudflare — DNS, CDN and WAF in front of the site.
Every request to vinfax.net passes through Cloudflare's edge first. Cloudflare may set its own cookies (for example __cf_bm for bot management) and sees the same request metadata our server does. See cloudflare.com/privacypolicy.
Cloudflare R2 — vehicle-photo storage at r2.vinfax.net.
Photos are mirrored to R2 and served from our own subdomain. The photos themselves contain no visitor information.
Google FontsInter and IBM Plex Mono loaded from fonts.googleapis.com and fonts.gstatic.com.
Google may log the IP that requests the font file. See policies.google.com/privacy.

No other third-party services are embedded. No social widgets, embedded videos, chat widgets, comment systems, A/B-testing tools or browser error-monitoring scripts.

What we do not do

  • We do not record which VINs a visitor looks up.
  • We do not run analytics — first-party, third-party, or product analytics of any kind.
  • We do not set advertising cookies and are not part of any ad network.
  • We do not sell, license, rent, share or transfer visitor data to anyone.
  • We do not use cookies for "analytics" or "marketing". The session cookie is purely functional.
  • We do not build profiles of visitors.

VIN archive and removal requests

Every record in the vinfax inventory comes from a public Copart or IAAI auction listing — see data sources for the full picture. We do not enrich those listings with non-public data. If you are the owner of a vehicle that appears in the archive and would like the record hidden, email [email protected] with the VIN or lot URL and we will suppress it from the public site.

Contact form data

Submissions to the contact form are emailed directly to the operator. We do not store the contents in a database. The email server may keep delivery metadata per its provider; the message itself sits in the operator's inbox.

Children's privacy

vinfax has no features targeted at children under 13. With no accounts, we do not ask for or collect any age information. Parents or guardians with a concern can contact [email protected].

Your rights (GDPR, CCPA, US state laws)

vinfax is operated from outside the US and EU, but the site is reachable globally and we extend the same rights to every visitor. The personal data we process is minimal — essentially the access-log line for your IP and an opaque session-cookie ID.

Under EU and UK GDPR, our lawful basis is Article 6(1)(f) — legitimate interest in operating a free public archive and keeping it secure. Under the California Consumer Privacy Act and equivalent US state laws, we do not sell personal data and have nothing of value to sell. Anyone — EU, UK, California, or elsewhere — can write to [email protected] to see, correct, or delete what we hold (in almost every case, the access-log line for an IP address).

Data retention

  • Access logs — about 30 days, then rotated and discarded.
  • Session cookie — expires 2 hours after the last request. No server-side session record outlives the cookie.
  • VIN archive data — public auction data, retained for the life of the project. Not personal data.
  • Contact-form emails — retained in the operator's inbox per normal email retention.

Changes to this policy

When this policy changes, the updated date at the top of the page changes. Material changes are noted there. With no accounts and no mailing list, the page itself is the canonical record.

Contact us

For any privacy question, removal request, or data-access request, email [email protected]. A postal address can be provided on request. For background on how the site works, see how vinfax works and the terms of service.

Last updated: .