Privacy policy.
Last updated: 2 May 2026
This Privacy Policy explains how Carvaly collects, uses, shares, protects, and retains information for the public website, authenticated valuation app, dealer workspaces, billing flows, support, and security operations. Carvaly is owned and operated by XPO8 Limited.
Who controls your information
Carvaly is owned and operated by XPO8 Limited. In this Privacy Policy, "Carvaly", "we", "us", and "our" refer to XPO8 Limited and the Carvaly website, app, dealer workspace, valuation tools, billing flows, support channels, and related services.
This policy applies to carvaly.com, app.carvaly.com, and other Carvaly-controlled services that link to this policy. It does not apply to third-party websites, marketplaces, payment pages, authentication providers, or services that have their own privacy notices.
Carvaly is designed for Malaysian used-car valuation and dealer workflows. Where Malaysian personal data protection law applies, we aim to process personal data consistently with the Personal Data Protection Act 2010 principles of notice and choice, disclosure, security, retention, data integrity, and access.
Where Hong Kong privacy law applies, we aim to handle personal data consistently with the Personal Data (Privacy) Ordinance principles for fair collection, data accuracy, retention, use limitation, security, openness, and access or correction.
Our role and your organization's role
For account registration, website visitors, billing administration, product security, support, analytics, and direct relationship management, XPO8 Limited usually acts as the organization that controls why and how the relevant personal data is processed.
For dealer workspace records, fleet notes, internal transaction records, offer notes, and other records entered by an organization for its own business purposes, the organization may independently control how that information is used. In those cases, Carvaly provides tools that help the organization store and process the records.
If your organization uses Carvaly, your organization is responsible for giving any required notices to its staff, contractors, customers, sellers, buyers, and business contacts whose information it enters into the workspace. Your organization is also responsible for using the product in a way that matches its own privacy, HR, customer, and compliance obligations.
Scope of this policy
This policy covers personal data that can identify a living individual directly or indirectly, including identifiers, contact details, account details, vehicle-linked notes that identify someone, communications, technical identifiers, and billing-related information.
This policy also explains how we handle non-personal, aggregated, anonymized, or de-identified information. Information that cannot reasonably identify you may be used for product analytics, market statistics, reliability work, benchmarking, model evaluation, and business planning.
If we combine non-personal information with personal data, we treat the combined information as personal data while it remains combined.
Information we collect
The information we collect depends on how you use Carvaly, whether you use the public website, create an individual account, join a dealer organization, run a valuation, save a vehicle, pay for credits, or contact support.
- Identity and contact information, such as name, email address, phone number, company or dealership name, role, organization membership, invite status, and account preferences.
- Authentication and account information, such as login events, session identifiers, password reset events, social sign-in identifiers, security settings, device sessions, and account status.
- Vehicle and valuation information, such as make, model, year, variant, mileage, registration-related details you provide, location, condition, service history, ownership notes, accident or repair notes, photos or descriptions, valuation requests, saved valuation results, comparable listings, and valuation history.
- Dealer workspace information, such as fleet records, acquisition cost, target margin, selling price, stock status, aging-stock notes, organization users, audit events, and internal notes.
- Billing information, such as plan selection, credit balance, subscription events, invoices, payment status, checkout metadata, billing address where provided, tax-related details where needed, and payment processor references. We do not receive or store full card numbers when a payment processor tokenizes the payment instrument.
- Support and communication information, such as messages, attachments, call notes, feedback, survey responses, bug reports, legal notices, privacy requests, and marketing preferences.
- Technical information, such as IP address, browser type, device type, operating system, approximate location inferred from network data, referral URL, pages viewed, features used, timestamps, cookie identifiers, diagnostic events, error logs, performance data, and security logs.
Sensitive and high-risk information
Carvaly is not designed to collect sensitive personal data unless a feature expressly asks for it or you choose to include it in a note, message, file, or support request. Sensitive information may include government identifiers, precise identity documents, financial account details, health information, criminal-offence information, biometric information, religious beliefs, political opinions, or similar high-risk details.
Do not upload identity documents, bank statements, financing documents, police reports, medical details, or other sensitive information unless the product specifically requests it and you have a lawful basis to provide it. If you include sensitive information unnecessarily, we may delete, mask, restrict, or decline to process it.
Vehicle records can sometimes reveal personal details indirectly, such as seller identity, location, ownership history, financing notes, or accident context. You should enter only the information needed for the relevant valuation, listing, support, or workspace workflow.
Sources of information
We collect information directly from you when you submit it, automatically when you use the service, from your dealership or organization when it invites or manages you, from payment and authentication providers, from support interactions, and from public or third-party market sources used to generate valuation context.
Market listing data may come from public marketplace pages, third-party sources, historical records, enrichment processes, or other lawful data sources. That market data may include seller-supplied vehicle details and listing context, but Carvaly does not control the accuracy of third-party marketplace content.
We may also receive information from fraud-prevention systems, email delivery systems, analytics tools, hosting logs, error monitoring tools, and other service providers that help us operate and secure Carvaly.
If another user or organization provides information about you, such as by inviting you to a workspace, assigning you a role, entering your contact details, naming you in a note, or including you in a transaction record, we process that information according to this policy and the relevant organization's instructions or product settings where applicable.
How we use information
We use information to operate, secure, bill, support, improve, and explain Carvaly. We aim to collect and use only information that is reasonably connected to the service, our legal obligations, our legitimate operational needs, or your instructions.
- Provide valuation ranges, comparable listing context, market maps, trend signals, saved results, fleet views, and account features.
- Create and manage accounts, authenticate users, process invites, maintain organization membership, assign roles, and preserve workspace records.
- Process subscriptions, credits, top-ups, checkout events, invoices, payment status, tax records, fraud checks, disputes, and billing support.
- Detect, prevent, investigate, and respond to security incidents, misuse, spam, fraud, unauthorized access, data-source abuse, credit abuse, and violations of our Terms.
- Respond to support, privacy, legal, sales, onboarding, and product-feedback requests.
- Analyze product performance, debug errors, improve reliability, measure feature usage, refine valuation workflows, and develop new product functionality.
- Send service notices, account alerts, billing notices, security notices, legal updates, product updates, and marketing communications where permitted.
- Comply with legal duties, enforce agreements, protect rights, preserve evidence, respond to lawful requests, and complete business transactions such as restructuring or acquisition activity.
Product improvement, models, and analytics
We may use product usage data, vehicle inputs, market signals, output quality signals, error patterns, and support feedback to test, monitor, improve, and develop Carvaly. This may include evaluating valuation logic, improving data normalization, detecting duplicate or low-quality listings, improving user experience, and measuring feature reliability.
Where practical, we use aggregated, pseudonymized, anonymized, or de-identified information for analytics and model evaluation. We may retain market-level statistics and non-identifying signals even after an account or organization record is deleted.
We do not intend valuation output to be a solely automated decision with legal or similarly significant effect. Carvaly output supports human decision-making by buyers, sellers, and dealer teams, who remain responsible for final decisions.
Legal bases and consent
Depending on the context and applicable law, we may process personal data because it is necessary to perform a contract with you, because you consented, because we have a legitimate interest that is not overridden by your rights, because we must comply with a legal obligation, or because processing is needed to establish, exercise, or defend legal claims.
Where we rely on consent, you may withdraw consent where legally available. Withdrawing consent may limit or prevent use of features that require the relevant information, such as login, saved valuations, dealer workspace access, billing, security checks, or direct marketing.
Our legitimate interests may include operating the product, securing accounts, preventing fraud and misuse, improving reliability, understanding feature usage, supporting users, enforcing terms, protecting legal rights, and maintaining accurate business records.
Where law requires express consent for direct marketing, sensitive personal data, or a new purpose that is not compatible with the original purpose, we will seek consent in a manner appropriate to that context.
Vehicle, valuation, and marketplace data
Vehicle data submitted to Carvaly is used to generate valuation outputs, find comparable listings, store result history, build fleet and margin views, and improve the quality and reliability of the service.
Valuation outputs may be generated through rules, models, market comparisons, normalization, historical listing analysis, and product logic. These outputs support human decision-making and do not by themselves create a binding purchase, sale, lending, insurance, or legal decision.
If you include another person's personal data in vehicle notes, transaction records, support messages, or uploaded materials, you are responsible for having a lawful basis and any required permission to provide that information to Carvaly.
Vehicle information may be linked to an account, organization, valuation history, listing, offer, or transaction workflow. That context helps preserve auditability, billing, support, fraud prevention, dispute handling, and workspace continuity.
We may derive non-identifying market statistics from vehicle and listing information, such as pricing bands, mileage bands, stock aging patterns, regional availability, sample quality, and trend summaries.
Dealer organization access
When you join a dealer organization, organization owners, admins, and authorized members may see information connected to that organization. This can include your name, email address, role, workspace activity, saved vehicles, valuations, listings, offers, billing-related status, and support context relevant to the organization.
Your organization may control or request deletion, export, or retention of workspace records that belong to the organization. If you leave an organization, records you created for that organization may remain available to the organization unless law, contract, or product settings require otherwise.
Organization admins may be able to change your role, invite or remove users, view usage, manage billing, review saved vehicles, see activity associated with shared records, and request support for organization records. You should not use an organization workspace for personal information that you do not want the organization to access.
If an organization asks us to assist with support, billing, security, exports, or account administration, we may share relevant information with that organization's owners or admins after reasonable checks.
How we share information
We do not sell personal information in the ordinary meaning of selling a customer list for money. We share information only as needed to operate Carvaly, follow your instructions, support organization workflows, comply with law, or protect rights and security.
- With your organization, including owners, admins, authorized team members, and invited users who need access to shared workspace records.
- With service providers that host, secure, process, transmit, analyze, or support Carvaly, such as cloud hosting, database, authentication, payment, email, logging, analytics, customer support, and security providers.
- With payment processors such as Stripe to process payments, subscriptions, invoices, refunds where applicable, fraud checks, disputes, and billing support.
- With third parties you choose to interact with through Carvaly, such as a buyer, seller, dealer, partner, or support channel, where a feature requires sharing or you direct us to share.
- With professional advisers, auditors, insurers, banks, acquirers, regulators, courts, law enforcement, or other parties where reasonably necessary for legal, compliance, corporate, security, or dispute purposes.
- With successors or counterparties in connection with a merger, acquisition, financing, reorganization, sale of assets, insolvency process, or transfer of all or part of the Carvaly business.
Service-provider safeguards
We use service providers to run Carvaly. These providers may process personal data only as needed to provide contracted services to us, such as hosting, databases, authentication, payments, email delivery, logging, analytics, support, security, monitoring, and infrastructure operations.
Where required or appropriate, we use contractual and operational measures intended to require service providers to protect personal data, process it only for authorized purposes, restrict access, maintain security, assist with retention or deletion, and notify us of relevant security issues.
No provider list can be permanently static because infrastructure, tooling, and product needs change. We assess providers based on the nature of the data, processing purpose, security expectations, business need, and legal requirements.
Third-party services and links
Carvaly may link to or integrate with third-party services, including marketplaces, payment processors, authentication providers, analytics providers, support tools, and communication systems. Those third parties process information under their own terms and privacy notices where they act independently.
If you leave Carvaly through a link, authenticate through a third-party provider, pay through a payment processor, or communicate through a third-party support channel, you should review the privacy terms for that third party.
Third-party marketplaces and websites may collect information about you directly when you visit them, click external links, open source listings, or interact with embedded or linked content. Carvaly does not control those third-party privacy practices.
Cookies, analytics, and similar technologies
We may use cookies, local storage, pixels, software development kits, device identifiers, and similar technologies for necessary service operation, login sessions, fraud prevention, security, routing, language or display preferences, analytics, diagnostics, performance monitoring, and marketing measurement where enabled.
Necessary cookies and session technologies are required for login, account security, checkout routing, and workspace access. Optional analytics or marketing technologies may be controlled through browser settings, device settings, consent tools where available, unsubscribe links, or by contacting us.
Examples of cookie or storage categories include strictly necessary technologies for authentication and security, preference technologies for remembered settings, analytics technologies for product measurement, and marketing technologies for campaign attribution where used.
Browser-level controls may not affect server-side logs, security records, payment processor records, or records that are necessary for contract, legal, or fraud-prevention purposes.
International transfers
Carvaly is operated by XPO8 Limited and may use service providers, infrastructure, employees, contractors, or support tools in Malaysia, Hong Kong, Singapore, the United States, the European Economic Area, the United Kingdom, or other locations where we or our providers operate.
When information is transferred across borders, we use contractual, technical, organizational, and provider due-diligence measures intended to protect information in a manner appropriate to the nature of the data and applicable law.
The privacy and data-protection laws in these locations may differ from the laws in your country. By using Carvaly or submitting information to us, you understand that information may be processed in these locations for the purposes described in this policy.
Retention
We keep information for as long as reasonably needed to provide Carvaly, maintain account and organization history, support saved valuations, preserve billing and financial records, secure the service, resolve disputes, comply with legal obligations, enforce agreements, and maintain backups.
Retention periods vary by data type. For example, workspace records may be kept while the organization account remains active, billing records may be kept for statutory accounting and tax periods, security logs may be kept for investigation and abuse-prevention needs, and backup copies may persist for a limited period before deletion cycles complete.
If we delete or de-identify information, we may retain aggregated, anonymized, or non-identifying statistics and market signals that no longer identify you or your organization.
We may retain records longer where needed for unpaid balances, disputed transactions, fraud investigations, security events, legal holds, tax or accounting obligations, regulatory requests, product integrity, or evidence preservation.
Deletion from active systems may not immediately remove information from encrypted backups, logs, archives, payment processor systems, email systems, support systems, or records controlled by your organization. Those systems follow their own retention and deletion cycles.
Security
We use technical and organizational safeguards intended to protect information against unauthorized access, loss, misuse, alteration, and disclosure. These may include HTTPS, authentication controls, role-based access, logging, provider security controls, least-privilege practices, backup procedures, monitoring, and incident response processes.
No online service can guarantee perfect security. You are responsible for using strong passwords, securing your email account, protecting devices, limiting workspace invites, removing former team members, and promptly telling us about suspected unauthorized access.
We may review logs, account events, payment events, workspace events, device or network signals, and support records to detect suspicious activity, investigate incidents, prevent abuse, and protect users.
If we become aware of a security incident affecting personal data, we will assess the incident and take steps that we consider appropriate under the circumstances, which may include containment, investigation, remediation, provider coordination, user notice, organization notice, or regulatory communication where legally required.
Your choices and rights
Depending on where you are located and how you use Carvaly, you may have rights to request access to personal data, correction of inaccurate data, deletion, restriction, portability, objection to certain processing, withdrawal of consent, and prevention of processing for direct marketing.
We may need to verify your identity and account connection before acting on a request. We may refuse, limit, or delay a request where permitted by law, including where information must be retained for billing, legal, security, fraud-prevention, dispute, backup, organization record, or freedom-of-expression reasons.
If your account is controlled by a dealer organization, we may direct some workspace-record requests to the organization owner or admin because that organization controls how its internal records are used.
Malaysian users may have rights under the PDPA to be informed whether personal data is processed, access personal data, correct personal data, withdraw consent, prevent processing likely to cause damage or distress, and prevent processing for direct marketing. Hong Kong users may have access and correction rights under the PDPO where it applies.
You may also update some information directly in the product, unsubscribe from promotional emails through the email footer, change browser cookie settings, leave an organization subject to product settings, or ask an organization admin to remove or correct organization-controlled records.
How we handle privacy requests
To make a privacy request, contact privacy@carvaly.com and include the email address linked to your account, your organization name if applicable, the right you want to exercise, and enough detail for us to locate the relevant records.
We may ask for additional information to verify your identity, authority, or relationship to an organization. If you are making a request for someone else, we may ask for proof that you are authorized to act for that person.
We aim to respond within a reasonable period required by applicable law. Complex requests, organization-controlled records, archived records, legal holds, security investigations, or high-volume requests may take longer where law permits.
Marketing communications
We may send product updates, onboarding messages, event invitations, research requests, or promotional messages where permitted. You can opt out of promotional emails by using the unsubscribe link or contacting us. Even if you opt out of marketing, we may still send service, account, billing, security, legal, and transactional notices.
We do not treat your use of Carvaly as consent to receive third-party marketing from unrelated companies. If we ever ask to use your information for a materially different marketing purpose, we will seek consent where required.
If your organization provides your business contact information for account administration or product onboarding, we may contact you about that organization account even if you personally did not complete the first signup step.
Children
Carvaly is not intended for children or for users under 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data to Carvaly, contact us so we can review and take appropriate action.
Public listings, external links, and visibility
If Carvaly offers public or shared listings, profile pages, report links, invite links, or externally shareable records, the information made visible through those features may be viewed, copied, indexed, forwarded, or stored by others depending on the feature and settings.
You should check visibility settings, recipient details, link permissions, and organization policies before sharing a report, listing, invite, or transaction record. We cannot control how recipients use information after they receive it outside Carvaly.
Keeping information accurate
Please keep your account, organization, billing, and vehicle information accurate and up to date. Inaccurate vehicle inputs can materially affect valuation output, and inaccurate account or billing information may prevent support, notices, checkout, or account recovery from working correctly.
If you believe information in a public marketplace source is inaccurate, you may need to contact the marketplace or listing owner directly. Carvaly may be unable to correct third-party source data, but we may update, remove, normalize, or annotate our own records where appropriate.
Business transfers and corporate changes
If XPO8 Limited or Carvaly is involved in a merger, acquisition, financing, restructuring, insolvency, sale of assets, joint venture, transfer of shares, or similar transaction, information may be disclosed to advisers, counterparties, auditors, financiers, insurers, regulators, or successor entities as reasonably needed for that transaction.
If a transaction results in a material change to how personal data is controlled or used, we will handle notice and choice in accordance with applicable law.
Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect product changes, provider changes, legal requirements, or operational improvements. If changes are material, we may provide notice through the website, product, email, or another reasonable channel.
The updated policy applies from the effective date stated in the updated version or, if no date is stated, from publication. Your continued use of Carvaly after an updated policy applies means you acknowledge the updated policy.
We may maintain previous versions for internal legal and compliance purposes. The version shown on the website is the current public version unless it states otherwise.
Contact for privacy requests
Send privacy questions, access requests, correction requests, deletion requests, consent withdrawal requests, and direct marketing objections to privacy@carvaly.com. Include the email address linked to your Carvaly account or dealer organization so we can locate the relevant records.
XPO8 Limited, 1603, The L. Plaza, 367-375 Queen's Road Central, Sheung Wan, Hong Kong Island, Hong Kong.