Garagely

DRAFT - PENDING LEGAL REVIEW. This notice has not yet been reviewed by a licensed attorney. Bracketed placeholders below will be replaced with our finalized details before launch.

Waitlist privacy notice

Effective date: [EFFECTIVE DATE]

Garagely has not launched yet. Today the only thing this website does is let you join a waitlist by giving your email address. This notice explains what we collect and why when you do that, and what happens afterwards if we email you about the launch. It does not cover the future Garagely app - the digital garage for your motorcycle(s) - which will have its own, separate privacy policy once it launches.

Who we are (the controller)

[PROVIDER FULL NAME], an individual entrepreneur (фізична особа - підприємець / "ФОП") registered in Ukraine under registration number [ФОП REGISTRATION NO.], with a postal address at [POSTAL ADDRESS] and contact email [CONTACT EMAIL] ("we", "us", "the Provider"), is the data controller for the personal data described in this notice.

EU/EEA representative (Article 27 GDPR): [EU REPRESENTATIVE - Art.27 decision pending]. Whether an Article 27 representative is legally required, and who it will be, is an open decision.

What we collect when you join the waitlist

When you submit the waitlist form on this site, we collect your email address, the source (which page or campaign you signed up from, for example garagely:landing_waitlist), and your locale (the language you were browsing in).

We do not ask for your name, phone number, or anything else on the waitlist form. Providing your email address is entirely voluntary - the only consequence of not providing it is that you will not be on the waitlist.

What happens to your signup (no marketing before verification)

Today: when you submit the form, your email is stored as a pending contact. Pending contacts are held un-dispatchable - excluded from all campaign sending until the signup is verified through a review step on our side. No launch-update or campaign email is sent to a pending address.

Double opt-in - effective once the email confirmation flow ships: we will send you a confirmation email with a one-time confirm link right after you sign up. Until you click that link, your signup stays pending and receives nothing beyond, at most, one gentle reminder to confirm. Only after you confirm does your signup become verified and eligible for launch updates and announcement emails.

Either way: if your signup is never verified, we keep the pending record (so we do not email an address that never opted in), but it is never used to send you campaign emails.

What happens once we start emailing you

If your signup is verified, and once we start sending launch-update emails, those emails will contain an open-tracking pixel - a tiny invisible image that tells us whether the email was opened. When it loads, we record only the fact that the email was opened, and when - the pixel does not store your IP address or user-agent details.

They also contain click-tracking links: the links inside the email go through a redirect that records that you clicked, together with your IP address and user-agent string. The click record itself (which link, when) is kept for our statistics, but the IP address and user-agent are deleted from it after 365 days.

Some links may be short links (for example [SHORTLINK-DOMAIN]/xxxxx) served by our link-shortening service. Clicking one records a truncated IP address (we zero out the part that identifies your individual device before storing it), user-agent string, referrer, and coarse geographic location (country / region / city, derived from the IP - never exact coordinates). These raw events are kept for 90 days, then deleted; afterwards only aggregated statistics remain.

Every marketing email also carries a working, one-click unsubscribe link - clicking it stops future campaign emails immediately, and stops the associated tracking on future sends.

Why we are allowed to do this (lawful basis)

Our lawful basis under the GDPR/UK GDPR is your consent (Art. 6(1)(a)): you actively submit the waitlist form, and no marketing is sent until your signup is verified. You can withdraw that consent at any time by unsubscribing.

Cookies and website analytics

This website sets exactly two cookies, both strictly functional (no consent banner is required for these under the ePrivacy rules, because they are necessary for a feature you actively asked for): lang, which remembers the language you chose, and lang_dismissed, which remembers that you dismissed the "switch language?" suggestion banner. We do not set any advertising, cross-site tracking, or third-party analytics cookies on the website.

We use a lightweight, cookieless analytics setup to understand how visitors use the waitlist page (for example, which sections get scrolled to, and whether the waitlist form is completed). It stores a short-lived visit identifier in your browser's sessionStorage, cleared automatically when you close the tab and never sent to us as a persistent, cross-visit identifier. It also respects your browser's Do Not Track (DNT) setting: if your browser sends a DNT signal, analytics collection is skipped entirely for that visit.

This analytics is moving to PostHog Cloud (EU region) as the backend. The cookieless, memory-only posture stays the same after that move - only where the events are processed changes. This analytics does not identify you personally and is not linked to your waitlist email address.

Your choices: clear your browser's cookies at any time to remove lang/lang_dismissed, turn on "Do Not Track" to skip website analytics, and use your mail client's "load remote images automatically: off" setting (or a text-only view) to avoid the email open-tracking pixel described above.

Your choices

Unsubscribe at any time: every campaign email has an unsubscribe link, and you can also click through to the plain unsubscribe page at any time. This stops all future campaign emails to that address.

Ask us to delete your data: email us at [CONTACT EMAIL] and we will delete your waitlist record, subject to any short retention we must keep for anti-abuse or legal reasons.

Never verified? If you signed up but your address was never verified, your address is not used for campaigns; email us if you would like it deleted immediately rather than waiting for us to do so on request.

Who else sees this data (processors)

We use the following service providers to run the waitlist and send you email. They process data only on our instructions and only for the purposes described here: DigitalOcean (cloud hosting for our servers and database), Mailgun (sends the confirmation, reminder, and campaign emails), Cloudflare including Cloudflare R2 (edge network / CDN, DDoS and bot protection in front of the site, and file storage), PostHog Cloud EU region (cookieless product analytics on the waitlist page), and self-hosted error tracking - GlitchTip, on infrastructure we control in the EU (captures technical errors so we can fix bugs; not used for marketing).

[LAWYER: confirm each processor has a signed Article 28 data-processing agreement before launch; add any processor introduced later to this list.]

International data transfers

We are established in Ukraine; our processors above may store or process data in the EU/EEA, the UK, the US, or elsewhere. Where we transfer personal data of EU/EEA or UK individuals outside their region without an adequacy decision, we rely on appropriate safeguards, principally the European Commission's Standard Contractual Clauses (and the UK IDTA for UK data). You can request a copy of, or more information about, these safeguards at [CONTACT EMAIL]. [LAWYER: confirm the transfer mechanism and hosting region for each named processor, and Ukraine's adequacy status, before launch.]

Retention

Pending (unverified) waitlist signups are kept so we do not re-email an address that never opted in; they are not used to send campaigns. [LAWYER/OWNER: set a concrete maximum retention or purge period for never-verified rows.]

Verified waitlist signups are kept until you unsubscribe or ask us to delete them, or until the waitlist itself is retired at launch.

Email opens: only the fact and time of opening are stored (no IP/user-agent). Email click records: the click event is kept for statistics; the attached IP address and user-agent string are deleted after 365 days. Short-link click events: raw (IP-truncated) events are kept for 90 days, then deleted; aggregated, non-identifying statistics may be kept indefinitely.

Your rights

Depending on where you live, you may have rights to access, correct, delete, restrict, or port your personal data, to object to processing, and to withdraw consent at any time. To exercise any of these, contact us at [CONTACT EMAIL].

If you are in the EU/EEA or UK, you may also complain to your local data-protection supervisory authority (in the UK, the ICO). If you are in Ukraine, you may complain to the Ukrainian Parliament Commissioner for Human Rights (Ombudsperson). We do not use your waitlist data for any automated decision-making or profiling that produces legal or similarly significant effects on you. [LAWYER: confirm the applicable regimes and add any other jurisdiction-specific rights needed for the launch markets.]

Children

The waitlist and the future Service are intended for adults. We do not knowingly collect a waitlist signup from anyone under 18. If you believe a child has signed up, contact [CONTACT EMAIL] and we will delete the record. [OWNER DECISION 2026-07-05: eligibility age set to 18, matching the full-app drafts (Terms of Service section 2.1, Privacy Policy section 16) and Ridekin.]

Changes to this notice

We may update this notice as the waitlist or its email program change. Material changes will be reflected by updating the effective date above. This launch-scoped notice will be retired and replaced once the full Garagely Privacy Policy takes effect for the app.

Contact

Questions about this notice or your data: [PROVIDER FULL NAME], [POSTAL ADDRESS], [CONTACT EMAIL]. EU/EEA representative (where appointed): [EU REPRESENTATIVE - Art.27 decision pending].