Privacy policy
Effective 18 April 2026. Version 1.0.
This policy explains what personal data Underhood collects about you, why we collect it, how we use it, who we share it with, and what rights you have. It covers the Underhood marketing site (underhood.io), the Underhood product dashboard (app.underhood.io), and the public incident database (community.underhood.io, once live).
We have tried to write this in plain language. If anything is unclear, email us at the address at the bottom and we will explain.
1. Who we are
Underhood is operated by:
- Controller: e6 Integrations Kft. [TODO: confirm legal entity name]
- Registered address: [TODO: Hungarian registered address]
- Company registration: [TODO: Cégjegyzékszám + tax ID]
- Privacy contact: privacy@underhood.io
2. What data we collect
We collect only what we need. The data falls into three groups depending on how you interact with us.
2a. If you fill in the signup wizard or book a call
- Contact information you type in: name, email, phone (if given), job title, organisation name, country, city.
- Fleet details you describe: fleet size, vehicle types, propulsion types, specific vehicles and year ranges, existing maintenance or IoT tools, existing fire-detection coverage.
- Ordering preferences: sensor-kit quantities, installation preference, desired timeline, free-text notes.
- If you book a call via Calendly: the slot you picked, the timezone, and whatever else Calendly captures (see section 4).
2b. If you have an Underhood product account
- Account data managed by our identity provider (Keycloak): email, name, organisation, role, password hash, session information.
- Usage data: the vehicles, devices, inspections, work orders, and damage reports you create or view; activity logs tied to your user ID.
- Technical data automatically collected when you use the dashboard: IP address, browser, device, pages visited, timestamps.
2c. If you use the community incident database
- If you submit an incident report: the details you choose to submit, plus your email (required for moderation follow-up).
- If you only browse: standard server logs (IP, user agent, timestamps).
3. Why we use it (purposes and legal bases)
We only process your data for the purposes listed below, each with a specific legal basis under Article 6 of the GDPR.
| Purpose | Legal basis | Typical data |
|---|---|---|
| Respond to a signup or booking request: prepare a quote, discuss onboarding, send a follow-up email. | Consent (you tick the consent box) and steps taken at your request before entering a contract. | Everything in section 2a. |
| Run the Underhood product: authenticate you, show you your fleet, record inspections, compute risk scores, send platform notifications. | Performance of the contract between your organisation and us. | Everything in section 2b. |
| Run the incident database: show incident reports publicly, moderate submissions, prevent spam. | Legitimate interest (operating a community safety resource), plus consent for submitter email. | Everything in section 2c. |
| Keep the service secure and meet legal obligations (fraud prevention, logging, accounting records). | Legitimate interest; legal obligation for records we must keep by law. | Server logs, account audit trail, invoicing records. |
4. Who we share it with
We do not sell your data. We share it only with the processors listed below, who act on our instructions under written contracts (GDPR Article 28).
| Processor | What they do | Location |
|---|---|---|
| Hetzner Online GmbH | Hosts our servers, databases, email delivery, and backups. | Germany (EU) |
| Calendly LLC | Handles the booking widget on our /book page. Receives the email, name, and slot you pick. | United States |
| Cloudflare, Inc. | Protects our forms from bots (Turnstile). Receives limited technical signals, no form content. | Global CDN |
We do not give your data to advertising networks, data brokers, or analytics services that profile users across sites.
5. International transfers
Our primary infrastructure stays in the European Union (Hetzner, Germany). Two processors (Calendly, Cloudflare) may transfer limited data to the United States. For those transfers we rely on the European Commission's Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework. You can ask us for a copy of the safeguards at the privacy contact below.
6. How long we keep it
We keep data only as long as needed for the purpose it was collected for, or as required by law.
| Data category | Retention period |
|---|---|
| Signup wizard submissions (not converted to a customer) | 18 months from submission, then deleted. You can ask us to delete earlier. |
| Product account data (while the organisation is a customer) | For the duration of the contract, plus 2 years after termination (for audit and dispute handling). |
| Sensor telemetry | 18 months in hot storage, then compressed long-term storage. Deleted on contract termination unless legally required. |
| Server and email delivery logs | Up to 90 days. |
7. Your rights
Under the GDPR you have the following rights. They apply to the data we hold about you personally.
- Access: ask what data we have about you and get a copy.
- Rectification: ask us to correct inaccurate or incomplete data.
- Erasure: ask us to delete your data (subject to legal retention obligations).
- Restriction: ask us to pause processing while a dispute is resolved.
- Portability: get your data in a structured, machine-readable format.
- Objection: object to processing based on legitimate interests (section 3), including profiling.
To exercise any right, email the privacy contact below. We respond within one month. We do not require an identity check beyond the account email you write from, unless we have reasonable doubts.
You also have the right to lodge a complaint with a supervisory authority, in particular the Hungarian National Authority for Data Protection and Freedom of Information (NAIH, naih.hu).
8. Cookies and local storage
We use strictly necessary storage only: a language preference key in your browser's localStorage (uh_lang), and, on the product dashboard, the session cookie your login creates. We do not use advertising or analytics cookies. If that changes, this policy will be updated and the consent flow adjusted.
9. Children
Underhood is a business-to-business service. We do not knowingly collect data from anyone under 16. If you believe a child has submitted data, contact us and we will delete it.
10. Security
We use modern encryption in transit (TLS 1.2+), encryption at rest for sensitive stores, per-tenant isolation at the database level (PostgreSQL row-level security), and role-based access for staff. We review access regularly. No system is perfectly secure, but we work to reduce risk.
11. Changes to this policy, and how to reach us
We update this policy when our practices change. The effective date at the top reflects the current version. We will announce material changes on the site and, where practical, by email. For anything about your data, email: