Who we are
The VIN Check (thevincheck.com) is operated by NH International LLC, the data controller for personal information collected through this site. References to “we,” “us,” and “our” in this policy refer to NH International LLC.
For purposes of GDPR, NH International LLC is the data controller. Third parties we use as data processors include Stripe (payment processing), Resend (email delivery), and Neon (database hosting). Each processor handles only the data needed for its function.
What we collect
- Email address (provided at checkout for report delivery)
- VIN you submit
- Payment information processed by Stripe (we never see card numbers)
- Marketing-email opt-in status, captured by an unchecked checkbox during checkout (see “Marketing communications” below). We record the timestamp of opt-in for compliance audit purposes.
What we exclude (DPPA compliance)
Reports never display owner names, addresses, or phone numbers from vehicle records, in compliance with the United States Driver’s Privacy Protection Act (DPPA).
Marketing communications
At checkout we display an opt-in checkbox that is unchecked by default. If you tick it, you consent to receive promotional and educational emails from The VIN Check (operated by NH International LLC) about your vehicle research, related products and services, and product updates. We will not send marketing email unless you affirmatively opt in.
What you can expect. Marketing email volume is small by design: a discount on a second report around day 7, a feedback check-in (which may include your referral link) around day 30, and occasional product updates. We do not send daily newsletters or sales blasts.
How to withdraw consent. Every marketing email contains a one-click unsubscribe link in the footer (CAN-SPAM requirement). Clicking it immediately revokes your consent and stops further marketing email; transactional emails (your purchased report, receipts, refunds) continue regardless of marketing-consent state. You can also email us at the address below to request unsubscribe.
Optional double opt-in. If we operate the site in double-opt-in mode (currently optional — see release notes), you will receive one additional confirmation email after checkout. Marketing email only begins after you click the confirmation link. This is in addition to the unchecked-by-default consent checkbox at checkout, not a replacement for it.
What we never do. We do not pre-check the consent box, share or sell your email to other companies for their own marketing, or treat closing the checkout flow as consent. Withdrawing consent does not affect access to your purchased report or the validity of any past transaction.
Cookies
We use essential cookies to operate the site. Optional analytics cookies require your consent (cookie banner). EU/UK visitors: we process personal data on the basis of your consent for non-essential cookies.
Data retention
Different data types are retained for different windows, based on what each type is actually used for:
- Generated PDF report files: 30 days after generation, then automatically deleted from disk. The download link in your purchase email stops working at that point.
- Transaction + payment records: retained for at least 7 years to satisfy US tax and accounting recordkeeping obligations on the NH International LLC side. After that window they are eligible for deletion on request.
- Raw vehicle-data JSON tied to a report: retained alongside the transaction record for the same 7-year window so we can re-generate a report or honor a support / dispute query without re-paying the original data source.
- Marketing-consent records: retained for as long as your consent is active, plus a small audit trail showing when you opted in and when (if applicable) you unsubscribed. The audit trail exists to prove CAN-SPAM compliance and is not used for marketing itself.
- Anonymous affiliate-click counts: retained for 24 months for billing and dispute resolution with partners. These rows contain no personally identifying information beyond the originating report ID.
- Backups: nightly encrypted database snapshots are retained for 30 days then deleted. Deleted data may exist inside a backup for up to 30 days past the deletion request before it ages out of rotation.
Your rights
You may request deletion of your data by emailing us. EU residents have rights under GDPR including access, rectification, deletion, and portability.
California residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you the following rights with respect to personal information we hold about you:
- Right to know. Request the categories and specific pieces of personal information we have collected, the sources, the business purpose, and any third parties we shared it with in the last 12 months.
- Right to delete. Request that we delete personal information we collected from you, subject to legal exceptions.
- Right to correct. Request correction of inaccurate personal information.
- Right to opt out of “sale” or “sharing.” We do not sell your personal information for money. Affiliate-link click counts may constitute “sharing” under CCPA’s broad definition; you can opt out by emailing privacy@yourdomain.com.
- No retaliation. We will not deny you service, charge a different price, or provide a different level of service for exercising any of these rights.
To exercise a CCPA right, email privacy@yourdomain.com with the subject line CCPA Request. We will respond within 45 days. Verification (typically confirming your email address on file) is required so we don’t hand your data to someone else.
Affiliate links
From time to time we feature affiliate links to third-party services (insurance comparison, financing, extended warranty, salvage buyers, auto transport) in our reports, emails, and on the site. When a link is an affiliate link, it is clearly labeled as “sponsored” per FTC requirements. If you click through and use a partner’s service, we may earn a commission at no extra cost to you. Anonymous click counts are recorded with the originating report ID for billing and support; no additional personal data is shared with partners beyond what they collect themselves on their own sites.
Contact
Questions: privacy@yourdomain.com