Privacy Policy
Last Updated: March 7, 2026
Effective Date: March 7, 2026
1. Introduction
This Privacy Policy ("Policy") describes how Oversight Division Engineering LLC, doing business as SlugPark ("we," "us," "our," or "SlugPark"), collects, uses, discloses, and otherwise processes personal information in connection with our mobile application, website located at www.slugpark.app (the "Website"), and related services (collectively, the "Services"). By accessing or using the Services, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree to this Policy, you must not access or use the Services.
SlugPark is a parking recommendation and availability tracking application designed for the University of California, Santa Cruz ("UCSC") campus community.
2. Information We Collect
2.1 Information You Provide Directly
- Account Information. When you create an account, we collect your email address and password. Passwords are managed by our authentication provider (Supabase) and are not stored in plaintext.
- Waitlist and Early Access Information. If you sign up for our waitlist through the Website, we collect your email address, verification status, and the date you signed up. We use this information to manage early access to the Services and to communicate with you about your waitlist status.
- Survey Responses. If you complete an optional survey, we collect your responses, which may include how often you drive to campus, typical arrival times, parking frustrations, parking ticket history, campus destinations, and desired app features. You may also provide optional free-text feedback. Survey responses may be associated with your email address if you provide one, or may be submitted anonymously.
- Permit and Preference Data. You may provide your parking permit type, allocated parking lot group, preferred walking distance, notification preferences, and theme preferences.
- Parking Sessions. When you log a parking session, we collect the zone where you parked, your destination, session start and end times, planned duration, and any session notes you provide.
- Saved Destinations and Schedules. If you save destinations or create recurring parking schedules, we store those selections, custom labels, and associated timing information.
- Availability Reports. When you submit a crowdsourced parking availability report, we collect the zone identifier, the availability level you selected (e.g., empty, available, limited, full), and the source of the report (manual input or inferred from session activity).
- Feedback. If you provide feedback on parking recommendations, we collect your feedback response and any accompanying notes.
2.2 Information Collected Automatically
- Device and Usage Information. We collect information about your device type, operating system, app version, and general usage patterns through our analytics providers. This includes screen views, feature interactions, and session-level activity.
- Session Replay (Mobile App). We use PostHog session replay to record how users interact with the mobile application for the purpose of improving user experience and identifying bugs. All text input fields are masked during replay capture. Session replay does not capture passwords or authentication credentials.
- Error and Performance Data. We use Sentry to collect crash reports, error logs, and performance metrics. This data may include device information, operating system version, and stack traces associated with errors.
- Location Data (Mobile App). If you grant location permissions, we collect your device's geographic coordinates to display nearby parking zones and calculate walking distances. Location data may optionally be included when you submit an availability report. We do not continuously track your location in the background. You may revoke location permissions at any time through your device settings.
- Website Analytics. When you visit our Website, we use Google Analytics to collect information about your browsing activity, including pages visited, time spent on pages, referral sources, and general device and browser information. Google Analytics may use cookies and similar technologies to collect this information. See Section 5 for more information about cookies.
- Log Data. Our servers may automatically record information when you access the Services, including your IP address, browser type, referring/exit pages, and timestamps.
2.3 Information from Third-Party Services
We receive authentication tokens and session management data from Supabase, our backend infrastructure provider, to maintain your authenticated session.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the Services. To generate parking recommendations based on your permit type, destination, arrival time, and duration; to track your parking sessions and history; and to display crowdsourced parking availability information.
- Waitlist and Early Access Management. To process your waitlist application, verify your email address, communicate with you about your application status, and provide access to the Services.
- Personalization. To remember your preferences, saved destinations, and recurring schedules, and to tailor recommendations accordingly.
- Crowdsourced Availability. To aggregate availability reports from multiple users and compute real-time parking availability scores for each zone. Individual reports are aggregated and weighted using a time-decay algorithm; availability data displayed to other users is not attributed to any individual reporter.
- Communications. To send you transactional emails, including waitlist verification emails, approval notifications, and service-related announcements. We may also send local push notifications for parking timer reminders, expiration alerts, and daily parking reminders, subject to your notification preferences and device permissions.
- Analytics and Improvement. To understand how users interact with the Services, identify bugs, improve features, and monitor performance.
- Product Research. To analyze survey responses and user feedback to inform product development and feature prioritization.
- Security and Integrity. To detect and prevent fraud, abuse, and security incidents.
- Legal Compliance. To comply with applicable laws, regulations, and legal processes.
4. How We Share Your Information
We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We do not share your personal information for cross-context behavioral advertising purposes as defined under the California Consumer Privacy Act. We share information in the following circumstances:
4.1 Service Providers
We use the following third-party service providers to operate the Services:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Backend database, authentication, and real-time data infrastructure | Account data, parking sessions, availability reports, user preferences, waitlist data, survey responses |
| Sentry | Error tracking and performance monitoring (mobile app) | Crash reports, error logs, device information, user identifiers for error correlation |
| PostHog | Product analytics, feature flags, and session replay (mobile app) | Usage events, screen views, session interactions (text inputs masked), user identifiers |
| Mapbox | Map rendering and geographic data display (mobile app) | Map tile requests (may include approximate viewport location) |
| Expo | Application framework and over-the-air update delivery (mobile app) | Device type and app version for update compatibility |
| Google Analytics | Website analytics and traffic measurement | Page views, interactions, device type, browser, approximate location (from IP), referral source |
| Resend | Transactional email delivery | Email addresses, email content for waitlist verification, approval notifications, and admin alerts |
Each service provider processes data in accordance with its own privacy policy and applicable data processing agreements. We require our service providers to use your personal information only for the purposes of providing services to us and in a manner consistent with this Policy.
4.2 Aggregated and De-identified Data
We may share aggregated or de-identified data that cannot reasonably be used to identify you, such as aggregate parking availability statistics across zones.
4.3 Legal Obligations
We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that such disclosure is necessary to protect the rights, property, or safety of SlugPark, our users, or the public.
4.4 Business Transfers
In the event that Oversight Division Engineering LLC undergoes a merger, acquisition, reorganization, dissolution, or sale of all or a portion of its assets, your personal information may be transferred as part of that transaction. We will notify you via email or prominent notice on our Website of any change in ownership or use of your personal information, as well as any choices you may have regarding your personal information.
5. Cookies and Tracking Technologies
5.1 Cookies We Use
The Website and Services use the following cookies and similar technologies:
- Essential Cookies. We use a secure, httpOnly session cookie on the administrative portion of our Website to authenticate authorized administrators. This cookie expires after 24 hours and cannot be used to track you across other websites.
- Analytics Cookies. Google Analytics places cookies on your device to help us understand how visitors use the Website. These cookies collect information in an aggregated form, including the number of visitors, where visitors come to the site from, and the pages they visit.
5.2 Your Cookie Choices
You can control cookies through your browser settings. Most browsers allow you to refuse cookies, delete existing cookies, or set preferences for certain websites. Please note that disabling cookies may affect the functionality of the Website. You may also opt out of Google Analytics by installing the Google Analytics Opt-Out Browser Add-on.
6. Data Storage and Security
- Cloud Storage. Your data is stored on Supabase's cloud infrastructure, which is hosted in the United States. Supabase provides row-level security policies to ensure that users can only access their own data.
- Local Storage. Authentication tokens are stored on your device using platform-specific secure storage mechanisms (iOS Keychain, Android Secure Shared Preferences). Certain usage statistics may be stored locally on your device.
- Security Measures. We implement commercially reasonable technical and organizational measures to protect your information, including encrypted data transmission (HTTPS/TLS), secure token storage, database-level access controls, and security headers (X-Content-Type-Options, X-Frame-Options, strict Referrer-Policy). However, no method of electronic storage or transmission is completely secure, and we cannot guarantee absolute security.
- Breach Notification. In the event of a data breach that affects your personal information, we will notify affected users and applicable regulatory authorities as required by law, and in no event later than seventy-two (72) hours after becoming aware of the breach where required by applicable law.
7. Data Retention
- Account Data. We retain your account data for as long as your account remains active. If you delete your account, we will delete or de-identify your personal information within thirty (30) days, except as required by law or legitimate business purposes (such as resolving disputes or enforcing our agreements).
- Waitlist Data. We retain waitlist and early access data for as long as the waitlist program is active. Once the Services are generally available, we will delete or de-identify waitlist data within ninety (90) days, unless you have created an account.
- Survey Data. Survey responses are retained for product research purposes for a period of up to twenty-four (24) months, after which they are deleted or de-identified.
- Parking Sessions and History. Session data is retained for as long as your account is active to provide you with parking history and statistics.
- Availability Reports. Crowdsourced availability reports are retained indefinitely to support historical analysis and improve the accuracy of the availability algorithm. Reports older than 60 minutes are not used in active availability calculations.
- Error and Analytics Data. Error logs and analytics data are retained in accordance with the retention policies of our third-party service providers (Sentry, PostHog, and Google Analytics).
- Legal Holds. Notwithstanding the above, we may retain certain data for longer periods if required by law or to protect our legal interests.
8. Your Rights and Choices
8.1 Account and Data Management
- Access and Correction. You may access and update your profile information, preferences, and saved data through the App's settings.
- Deletion. You may request deletion of your account and personal information by contacting us at support@slugpark.app. We will process your request within thirty (30) days, subject to applicable legal exceptions.
- Data Portability. You may request a copy of your personal information in a structured, commonly used, and machine-readable format by contacting us at support@slugpark.app.
- Location Permissions. You may enable or disable location permissions at any time through your device's operating system settings.
- Notifications. You may enable or disable push notifications through the App's profile settings or your device's notification settings.
- Demo Mode. You may use certain features of the App without creating an account. In demo mode, limited analytics data may still be collected.
8.2 California Privacy Rights
If you are a California resident, you have the following rights under the California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA"):
- Right to Know. You have the right to request information about the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected your information, the business or commercial purposes for which we collected your information, and the categories of third parties with whom we shared your information.
- Right to Delete. You have the right to request deletion of your personal information, subject to certain exceptions provided by law.
- Right to Correct. You have the right to request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing. We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes.
- Right to Limit Use of Sensitive Personal Information. We do not use sensitive personal information for purposes beyond those permitted by the CCPA.
- Right to Non-Discrimination. We will not discriminate against you for exercising your privacy rights.
To exercise these rights, please contact us at support@slugpark.app. We will verify your identity before processing your request. You may designate an authorized agent to make a request on your behalf by providing written authorization.
We will respond to verifiable consumer requests within forty-five (45) days of receipt. If we require more time, we will inform you of the reason and extension period in writing.
8.3 Do Not Track
The App does not respond to "Do Not Track" browser signals. However, you may control analytics data collection by adjusting your device permissions and notification settings within the App, or by using the Google Analytics opt-out tools described in Section 5.2.
9. International Users
The Services are operated from the United States. If you access the Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States where our servers are located and our central database is operated. The data protection and other laws of the United States may not be as comprehensive as those in your country. By using the Services, you consent to the transfer of your information to the United States.
If you are a resident of the European Economic Area ("EEA"), United Kingdom ("UK"), or Switzerland, we process your personal data on the following legal bases: (a) your consent, (b) performance of a contract with you, (c) our legitimate interests, or (d) compliance with a legal obligation. You have the right to access, correct, delete, restrict processing, data portability, and object to processing of your personal data. You may also have the right to lodge a complaint with your local data protection authority.
10. Children's Privacy
The Services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. The Services are designed for use by college-age individuals (18 and older). If we become aware that we have collected personal information from a child under 13, we will take steps to delete such information within a reasonable period. If you believe that a child under 13 has provided us with personal information, please contact us at support@slugpark.app.
11. Third-Party Links and Services
The App may display information about third-party services, including ParkMobile, for informational purposes. We do not process payments or handle financial transactions. Any interaction with third-party services is governed by those services' own terms and privacy policies. We are not responsible for the privacy practices of any third party. We encourage you to review the privacy policies of any third-party services you access.
12. Changes to This Policy
We may update this Policy from time to time. If we make material changes, we will notify you by: (a) updating the "Last Updated" date at the top of this Policy, (b) sending you an email notification at the address associated with your account (if applicable), and (c) where appropriate, providing additional notice through the App or Website. Your continued use of the Services after any changes constitutes your acceptance of the revised Policy. We encourage you to review this Policy periodically.
13. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, including requests to exercise your privacy rights, please contact us at:
Email: support@slugpark.app
For California residents: If you wish to exercise your CCPA rights, you may also submit a request via email to the address above with the subject line "CCPA Request."
14. Disclaimer Regarding University Affiliation
SlugPark is an independent application and is not officially affiliated with, endorsed by, or sponsored by the University of California, Santa Cruz, or the University of California system. All parking zone data, lot information, and campus references are provided for informational purposes only. Users should always verify parking regulations, signage, and permit requirements directly with UCSC Transportation and Parking Services.