1. Summary

BimmerInspect is a vehicle diagnostic application. It connects to a compatible BMW diagnostic adapter, reads information from vehicle control units, sends inspection data to BimmerInspect servers when needed to identify the vehicle and build a report, and stores report information locally so you can review it in the app.

No advertising business

We do not sell personal data, use advertising SDKs, or build advertising profiles from your vehicle data.

Vehicle data is central

A VIN, ECU information, mileage, diagnostic measurements, and fault codes may be processed to create inspection reports.

Optional sharing controls

App improvement analytics and diagnostic insight sharing are controlled separately in the app's consent and settings screens.

Important: a vehicle identification number (VIN), diagnostic trouble codes, mileage, and other vehicle data can be personal data in some jurisdictions when linked to you, your device, or your vehicle. We treat that data carefully and use it only for the purposes described in this policy.

2. Scope

This policy applies to the BimmerInspect mobile app, BimmerInspect diagnostic services, report delivery services, purchase unlock flows, crash reporting, optional telemetry, and this privacy page.

This policy does not replace the privacy policies of Apple, Google, Firebase, Cloudflare, payment processors, your mobile operating system, your vehicle manufacturer, your diagnostic adapter manufacturer, or your network provider. Those services may process information independently under their own terms when you use their platforms.

BimmerInspect does not require you to create a conventional account with a name, email address, or password. The app instead uses a device-bound security identity and anonymous installation identifiers to protect backend access, recover sessions, validate purchases, and improve reliability.

3. Data We Collect

The data collected depends on how you use the app, what adapter you connect, what vehicle information is available from the vehicle, which reports you create, which purchases you make, and which optional sharing settings you enable.

| Category | Examples | Purpose | Typical Location |
|---|---|---|---|
| Vehicle identity | VIN, platform code, ECU addresses, ECU variant identifiers, vehicle characteristics, engine cylinder count, displayed mileage. | Identify the vehicle, request the correct diagnostic bundle, run supported checks, and build an inspection report. | Device, BimmerInspect backend, encrypted bundle/report caches. |
| Inspection measurements | Signal codes, decoded values, ECU addresses, measurement timestamps, diagnostic trouble codes, fault status, fault mileage, fault timestamps, snapshot history. | Generate report findings, explain vehicle condition, and preserve report history. | Device and BimmerInspect backend when you run an inspection. |
| Adapter and network data | Bluetooth device name or identifier, MAC address where exposed by the platform, RSSI, pairing state, Wi-Fi SSID/BSSID, local IP address, adapter IP and port, DoIP discovery responses. | Find, connect to, and maintain communication with diagnostic adapters. | Mostly on device; limited diagnostic metadata may be included in optional telemetry. |
| Device and security data | Hashed installation ID, platform, app version, device public key, attestation evidence, signed challenges, access tokens, refresh tokens, session secret, IP address in server logs. | Protect backend APIs, prevent abuse, keep sessions secure, and diagnose service problems. | Device secure storage, BimmerInspect backend, security providers. |
| Optional telemetry | App events, screen names, connection outcomes, capability IDs, error types, response times, negative response codes, capped protocol request/response hex when diagnostic insights are enabled. | Improve reliability, troubleshoot adapter and ECU compatibility, and prioritize app fixes. | Firebase Analytics, Firebase Crashlytics, and BimmerInspect telemetry services depending on consent and event type. |
| Purchase data | Report ID, product ID, platform, purchase token or receipt verification data, anonymous account binding token, entitlement state, paid or refunded timestamp. | Verify payment, unlock paid reports, prevent duplicate or fraudulent unlocks, and process refunds. | Device, Apple or Google, BimmerInspect backend. |

Data we do not intentionally collect

BimmerInspect does not intentionally collect your name, email address, phone number, postal address, payment card number, contacts, photos, camera data, microphone data, calendar data, advertising ID, or precise GPS location. If you choose to send support information outside the app, that support communication may contain whatever information you decide to include.

4. Vehicle and Inspection Data

To perform a meaningful inspection, BimmerInspect needs to read diagnostic information from the vehicle. Depending on the vehicle, adapter, and inspection flow, the app may collect and process the following information.

Vehicle identification data
VIN, platform code, ECU list, ECU diagnostic addresses, ECU variant identifiers, vehicle characteristics exposed by the diagnostic bundle, engine cylinder count, and displayed mileage.
Inspection session data
Inspection start and end timestamps, app version, diagnostic definition version, capability execution status, skipped capability reasons, and the list of ECUs scanned for diagnostic trouble codes.
Measurements and findings input
ECU address, signal code, decoded value, capture timestamp, diagnostic trouble code, fault status, fault mileage, fault date/time, occurrence count, healing counter, and snapshot history where available.

When you identify a vehicle, the app may send the VIN, ECU references, and platform code to BimmerInspect servers to receive the correct encrypted diagnostic bundle. When you run an inspection and do not cancel it, the app sends an inspection request so the backend can build the report.

The inspection request body is encrypted by the app before it is sent. The request envelope still includes the VIN and inspection start timestamp in plaintext so the backend can authenticate, route, and decrypt the request correctly. All network communication is sent over HTTPS.

Reports may be stored locally in the app and retrieved from the backend by report ID. Full paid report details may be cached on the device in encrypted form for faster access.

5. Adapter and Network Data

BimmerInspect supports Bluetooth, BLE, Wi-Fi, and Ethernet/DoIP diagnostic adapters. To discover and connect to those adapters, the app may process adapter and local network information.

  • Bluetooth and BLE: device name, platform device identifier, MAC address where available, RSSI, pairing state, scan status, and connection status.
  • Wi-Fi adapters: current SSID, BSSID, local IP address, adapter IP address, adapter port, and connectivity state.
  • Ethernet and DoIP: local network discovery responses, IP address, port, adapter identifiers, and vehicle discovery details if included by the response.

Android and iOS may require Bluetooth, local network, Wi-Fi, or location-related permissions for these adapter functions. BimmerInspect uses those permissions to connect to diagnostic hardware and detect the adapter network. The app does not use these permissions for advertising, continuous location tracking, or background GPS tracking.

6. Telemetry and Diagnostics

BimmerInspect separates optional sharing into two controls: app improvement analytics and diagnostic insights. You can change these choices in the app settings. Some crash and security data may still be processed where necessary to keep the app reliable and protect the service.

App improvement analytics

When enabled, Firebase Analytics may collect app usage information such as screen views, feature usage, session events, app version, platform, and consent level. BimmerInspect also bridges selected high-level lifecycle events to Firebase Analytics, such as connection outcomes, report generation, and capability completion or errors.

Diagnostic insights

When enabled, BimmerInspect may send diagnostic telemetry to its telemetry service. This can include hashed installation ID, telemetry session ID, event ID, event type, timestamp, connection type, selected transport, adapter display name, VIN prefix, ECU count, capability ID, sample count, ECU address, UDS service ID, negative response code, response time, and error type.

Diagnostic insights may also include capped protocol request and response payloads encoded as hex. These payloads are limited in size and are used to diagnose ECU compatibility and protocol problems. You should treat this setting as more detailed than ordinary app analytics.

Crash reports and operational logs

BimmerInspect uses Firebase Crashlytics and internal logging to detect crashes, connection failures, and serious app errors. Crash reports may include stack traces, error messages, platform, app version, hashed installation ID, last screen, connection state, transport type, consent level, and a shortened VIN prefix where the app has recorded one for diagnostics.

Operational logs sent to BimmerInspect services may include timestamps, log level, message, error, stack trace, hashed installation ID, platform, app version, telemetry session ID, diagnostic session ID, and connection type. Authorization headers are not intentionally logged by the app.

7. Local Storage

BimmerInspect stores information on your device so the app can work reliably, remember settings, protect sessions, show reports, and recover from temporary network failures.

  • Settings: language, consent choices, unit preferences, selected adapter details, and other app preferences.
  • Install identifiers: an installation ID used in hashed form for telemetry and crash reporting, and an account binding token used for purchase verification.
  • Security material: refresh tokens, session secret, and device-bound key material stored through platform secure storage such as Keychain, Secure Enclave, Android Keystore, and encrypted shared preferences where available.
  • Vehicle cache: recently identified vehicle metadata and ECU variant data to speed up repeated inspections. The current implementation caps the vehicle cache at 10 vehicles, treats ECU variant data as fresh for 7 days, and can refresh vehicle characteristics when the app version changes.
  • Reports: report metadata, summary snapshots, full report details where available, and user-created PDF report files.
  • Offline queues: unsent telemetry, diagnostic insight events, cloud log entries, and pending purchase unlock requests until they can be delivered or confirmed.

Uninstalling the app generally removes app-local data, subject to the behavior of your operating system, device backup settings, and app store purchase records. Deleting a local report in the app removes that local copy, but it may not automatically delete backend records needed for report delivery, fraud prevention, or legal compliance.

8. Purchases

Paid report unlocks are handled through Apple App Store or Google Play in-app purchase systems. BimmerInspect does not receive or store your payment card number or bank details.

To unlock a report, the app sends purchase verification data to BimmerInspect servers, including report ID, platform, product ID, purchase token or receipt verification data, and an anonymous account binding token. The account binding token is a random value generated for the app installation and is used as a fraud-prevention and purchase-binding signal.

The app may store pending purchase verification data locally until the backend confirms the unlock. It may also store entitlement state, such as whether a report is paid or refunded, so the app can show the correct report access state.

9. How We Use Data

We use the information described in this policy for the following purposes:

  • To discover and connect to diagnostic adapters.
  • To identify compatible vehicle diagnostic definitions and encrypted bundles.
  • To run vehicle inspections and generate diagnostic reports.
  • To store, retrieve, cache, display, export, and unlock reports.
  • To verify purchases, process entitlement state, and prevent fraud.
  • To protect backend services through device attestation, signed challenges, tokens, and abuse prevention.
  • To diagnose crashes, connection failures, backend errors, and compatibility issues.
  • To improve app quality and diagnostic reliability where you have enabled optional sharing.
  • To comply with legal, tax, accounting, security, and app store obligations.

Legal bases where required

Where laws such as the GDPR require a legal basis, we rely on performance of a service you request for inspections, reports, purchases, and account security; legitimate interests for service protection, fraud prevention, crash diagnostics, and operational reliability; consent for optional analytics and diagnostic insight sharing; and legal obligations for records we must keep.

10. Sharing

We do not sell personal data. We also do not share personal data for cross-context behavioral advertising.

We may share or make data available to the following categories of recipients when needed for the purposes described in this policy:

  • BimmerInspect backend and infrastructure providers: to identify vehicles, deliver encrypted bundles, process inspections, store reports, receive telemetry, and operate APIs.
  • Firebase services operated by Google: for Firebase Analytics where enabled and Crashlytics crash reporting.
  • Apple and Google app store services: for in-app purchases, receipt validation, app attestation, device integrity checks, and platform security.
  • Cloudflare or other web hosting providers: if this privacy page or other public web pages are hosted through those providers.
  • Legal, security, or compliance recipients: when required by law, court order, regulation, fraud investigation, security incident response, or to protect rights and safety.

Service providers are expected to process data only for the services they provide to BimmerInspect, subject to their contractual and legal obligations.

11. Security

BimmerInspect uses technical safeguards designed for the sensitivity of vehicle diagnostics and report data.

  • Network communication with BimmerInspect services uses HTTPS.
  • Inspection request bodies are encrypted by the app before submission, with the VIN and inspection start timestamp left in the authenticated request envelope.
  • Diagnostic bundles are delivered encrypted and decrypted using a session secret.
  • Full report cache files are encrypted locally.
  • Refresh tokens and session secrets are stored using platform secure storage where available.
  • Device-bound key material and attestation mechanisms, including Apple App Attest and Google Play Integrity, help protect API access.
  • Optional telemetry uses a hashed installation ID, and VIN use in telemetry is shortened where implemented for diagnostic context.

No method of transmission or storage is perfectly secure. If we learn of a security incident that affects your data, we will respond as required by applicable law.

12. Retention

We keep data only for as long as reasonably necessary for the purposes described in this policy, unless a longer period is required or permitted by law. Exact retention periods can depend on app version, backend configuration, legal requirements, and the type of record.

| Data | Retention Approach |
|---|---|
| Local settings and identifiers | Generally kept until you change settings, clear app data, or uninstall the app. Platform backups may behave differently depending on your device settings. |
| Vehicle cache | Kept locally to speed up repeated inspections, with caps and freshness checks. The current implementation limits the vehicle cache to 10 vehicles and treats ECU variant data as fresh for 7 days. |
| Encrypted report cache | Kept locally for faster report access and refreshed or evicted based on cache freshness. The current default freshness period for encrypted report cache entries is 24 hours. |
| Reports and PDFs | Kept locally until deleted in the app, removed by clearing app data, or removed by uninstall behavior. Backend report records may be kept as needed to deliver reports, manage purchases, prevent fraud, and meet legal obligations. |
| Offline queues | Telemetry, diagnostic insight, and log queues are capped locally to avoid unbounded storage. Current caps are 500 ordinary telemetry events, 2,000 diagnostic insight events, and 200 log entries. |
| Purchase records | Kept as needed to verify unlocks, support refunds, prevent fraud, and comply with app store, tax, accounting, and legal obligations. |
| Crash, security, and server logs | Kept for operational reliability, security, fraud prevention, and legal compliance, then deleted or anonymized when no longer needed. |

To request deletion of backend records associated with your reports or device, contact us using the address below. We may need information such as report ID, VIN, approximate inspection date, or purchase details to locate the relevant records, and we may retain certain records where required by law or needed for fraud prevention and security.

13. Your Choices and Rights

In-app choices

  • You can decline optional app improvement analytics and diagnostic insight sharing.
  • You can change telemetry choices in settings. Disabling a choice stops future optional collection for that choice, but it does not automatically delete data already sent.
  • You can delete local reports from the app where that feature is available.
  • You can remove local app data by using your operating system's app storage controls or uninstalling the app.

Privacy rights

Depending on where you live, you may have rights to request access, correction, deletion, portability, restriction, objection, or withdrawal of consent. You may also have the right to complain to a data protection authority.

Residents of certain U.S. states may have additional rights to know, access, correct, delete, or opt out of certain uses of personal information. BimmerInspect does not sell personal information and does not use personal information for cross-context behavioral advertising.

We will not discriminate against you for exercising privacy rights. To exercise a right, contact us using the address below. We may need to verify your request before acting on it.

14. Children

BimmerInspect is intended for vehicle owners, technicians, buyers, and other users old enough to operate vehicle diagnostic tools and make purchase decisions. It is not directed to children. We do not knowingly collect personal data from children under the age required by applicable law. If you believe a child has provided personal data to BimmerInspect, contact us so we can review and delete it where required.

15. Changes

We may update this policy as BimmerInspect evolves, including when we add features, change service providers, modify retention practices, or update legal language. When we make material changes, we will update the effective date and provide notice as required by law.

16. Contact

For privacy questions, requests, or concerns, contact:

BimmerInspect Privacy
StirbitLabs
bimmerinspect@stirbitlabs.com

Please include enough detail for us to understand your request, such as report ID, approximate inspection date, purchase platform, or the device involved. Do not send sensitive diagnostic payloads or payment information by email unless we specifically ask for it through a secure process.