Privacy Policy
Lorrano, Inc. ("Lorrano," "we," "us," or "our") operates the Lorrano platform at lorrano.com (the "Service"). This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have.
We wrote this to be readable, not to bury disclosures in legal boilerplate. If something is unclear, email [email protected] and we'll explain it in plain language.
1. What We Collect
1.1 Information You Provide
Account information. When you create an account, we collect your name, email address, phone number, dealership name, and billing information. If you sign up on behalf of a dealership or dealer group, we collect the business name, address, and primary contact details.
Payment information. We use Stripe to process payments. Your credit card number, expiration date, and CVC are sent directly to Stripe and never touch our servers. We receive and store only the last four digits of your card, the card brand, and the billing address for receipt and tax purposes. See Stripe's Privacy Policy.
Inventory feed credentials. When you connect an inventory feed (Carsforsale, AutoTrader, Cars.com, CDK, Reynolds & Reynolds, vAuto, HomeNet, or custom XML/CSV), you may provide feed URLs, API keys, or login credentials. These are stored encrypted and used solely to sync your vehicle inventory.
Social media account connections. When you connect Meta Business Suite, TikTok for Business, or Google Business Profile, we receive OAuth tokens that allow us to post videos on your behalf. We do not access your personal social media accounts, private messages, or any content outside the business pages you explicitly connect.
Support communications. When you email us, we retain the content of those emails to provide support and improve the Service.
1.2 Information We Collect Automatically
Vehicle inventory data. We pull vehicle details (VIN, year, make, model, trim, mileage, price, photos, dealer notes) from your connected inventory feeds. This data originates from your dealership's existing systems.
Vehicle photos. We access photos from your inventory feed URLs, the same URLs that AutoTrader, Cars.com, and other marketplaces already use to display your listings. We process these photos to score quality and generate videos. We do not store a separate permanent copy of your original photos after video generation is complete.
Usage data. We collect information about how you use the dashboard: pages visited, features used, videos generated, videos posted, videos downloaded. This helps us improve the product and identify issues.
Device and browser information. We collect your IP address, browser type, operating system, and device type when you access the dashboard. This is used for security (detecting unauthorized access) and to ensure the dashboard renders correctly.
Cookies. We use strictly necessary cookies to keep you signed in and maintain your session. We use optional analytics cookies (if you consent) to understand how the dashboard is used. See Section 7 for details.
1.3 Information We Do Not Collect
- We do not collect personal information about the customers of your dealership (car buyers, leads, or prospects).
- We do not access your CRM, DMS financial data, or sales records.
- We do not scrape or collect data from your dealership's website.
- We do not collect biometric data.
- We do not sell any information, ever.
2. How We Use Your Information
We use the information we collect to:
- Operate the Service - sync your inventory, generate videos, post to social platforms, and manage your account.
- Process payments - charge your subscription, issue invoices, and handle billing inquiries.
- Provide support - respond to your questions, troubleshoot issues, and resolve technical problems.
- Improve the product - analyze usage patterns to improve video quality, dashboard usability, and system performance.
- Communicate with you - send transactional emails (account confirmation, password reset, billing receipts, video generation summaries), and service announcements (downtime, new features). We do not send marketing emails unless you explicitly opt in.
- Ensure security - detect and prevent fraud, unauthorized access, and abuse.
- Comply with legal obligations - respond to lawful requests from government authorities, enforce our Terms of Service, and protect our rights.
3. How We Share Your Information
Service Providers
We use third-party services to operate the platform. Each processes data only as necessary to provide their service to us:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Billing info, card details (direct to Stripe) |
| DigitalOcean | Cloud infrastructure | All service data (encrypted at rest) |
| Cloudflare | CDN, security, DNS | IP addresses, request metadata |
| Meta (Facebook/Instagram) | Social posting | Video files, captions, posting schedules |
| TikTok for Business | Social posting | Video files, captions, posting schedules |
| Google Business Profile | Social posting | Video files, captions, posting schedules |
We do not use advertising networks, data brokers, or analytics platforms that build user profiles across sites.
Legal Requirements
We may disclose information if required by law, subpoena, court order, or government request. We will notify you before disclosure unless legally prohibited from doing so.
Business Transfers
If Lorrano is acquired, merged, or sells substantially all of its assets, your information may transfer to the acquiring entity. We will notify you via email and a prominent notice on our website before any such transfer.
With Your Consent
We may share information in other ways if you explicitly ask us to or give us written consent.
Never
We never sell personal information. We never share information with data brokers. We never provide information to advertisers. There is no advertising on Lorrano.
4. Data Retention
- Account data is retained for as long as your account is active, plus 30 days after deletion to allow for reactivation.
- Generated videos are stored for 90 days after generation, then automatically deleted unless you've connected external storage or downloaded them.
- Inventory data is synced every 6 hours and overwritten with each sync. We do not maintain historical inventory records beyond the current sync cycle.
- Payment records are retained for 7 years as required by tax and accounting regulations.
- Support emails are retained for 2 years after your last interaction.
- Usage analytics are aggregated and anonymized after 12 months. Individual session data is deleted.
When you delete your account, we delete your data within 30 days, except where retention is required by law (tax records) or necessary to prevent fraud.
5. Data Security
We take the security of your data seriously. Our measures include:
- All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
- Inventory feed credentials are stored using envelope encryption with keys managed in a dedicated key management system.
- Social media OAuth tokens are encrypted and stored separately from other account data.
- Access to production systems is restricted to authorized personnel via SSH key authentication and VPN.
- We run automated vulnerability scanning and apply security patches within 48 hours of release.
- Cloudflare provides DDoS protection, WAF, and bot management in front of all public endpoints.
For more details, see our Security page.
No system is 100% secure. If we discover a data breach affecting your information, we will notify you within 72 hours via email and provide details about what was affected and what we're doing about it.
6. Your Rights
All Users
Regardless of where you are located, you have the right to:
- Access your data - request a copy of all personal information we hold about you.
- Correct inaccurate data - email us and we'll fix it.
- Delete your data - delete your account from the dashboard, or email us and we'll do it for you.
- Export your data - download your generated videos and account information from the dashboard.
California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:
- Right to know what personal information we collect, use, and disclose.
- Right to delete your personal information, subject to legal exceptions.
- Right to opt out of sale - we do not sell personal information, so this right is already satisfied.
- Right to non-discrimination - we will not treat you differently for exercising your rights.
To exercise these rights, email [email protected]. We will verify your identity and respond within 45 days.
EU/EEA/UK Residents (GDPR)
If you are located in the European Economic Area or United Kingdom:
- Our legal basis for processing is contract performance (operating your account), legitimate interest (improving the Service), and consent (optional analytics cookies).
- You have the right to access, rectify, and erase your data, to restrict or object to processing, and to data portability.
- You have the right to lodge a complaint with your local data protection authority.
- For data transfer outside the EEA, we rely on Standard Contractual Clauses (SCCs).
Our Data Protection contact is reachable at [email protected].
7. Cookies
Strictly Necessary Cookies
These cookies are required for the dashboard to function. They keep you signed in and maintain your session state. You cannot opt out of these.
| Cookie | Purpose | Duration |
|---|---|---|
| lorrano_session | Authentication session | 7 days |
| lorrano_csrf | CSRF protection | Session |
Analytics Cookies (Optional)
If you consent via the cookie banner, we use privacy-focused analytics to understand how the dashboard is used. We do not use Google Analytics, Facebook Pixel, or any tracking pixels.
| Cookie | Purpose | Duration |
|---|---|---|
| lorrano_analytics | Anonymous usage analytics | 30 days |
You can withdraw consent at any time by clicking "Cookie Preferences" in the dashboard footer or by clearing your browser cookies.
8. Children's Privacy
Lorrano is a business-to-business service for auto dealerships. We do not knowingly collect information from anyone under 18. If we learn we have collected information from a minor, we will delete it immediately. If you believe a minor has provided us with personal information, contact [email protected].
9. Third-Party Links
Our website may contain links to third-party websites (for example, social media platforms and integration partners). We are not responsible for the privacy practices of these sites. We encourage you to read their privacy policies.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Send an email notification to the account owner on file.
- Post a notice in the dashboard for 30 days.
We will not reduce your rights under this policy without your explicit consent.
11. Contact Us
If you have questions about this Privacy Policy or want to exercise your data rights:
Email: [email protected]
Mail: Lorrano, Inc., United States (for physical address, email [email protected])
We will respond to all privacy-related inquiries within 30 days.