Privacy, in plain English.
This policy covers what data we collect when you use BillOfSaleMaker, why we collect it, and how long we keep it. We collect what's needed to generate your document, deliver it, and charge you $9.99. We also use Google Analytics and Google Ads conversion tracking to measure paid-ad performance — details below.
Who operates this service
BillOfSaleMaker.com is operated by NEXTTICK SRL, a Romanian limited-liability company (SRL) registered with trade number J2024027381003, tax ID 50633599, with registered address Str. Luncii 1, Ap. BIR. 5, 335700 Orăștie, Romania. We are the data controller for the purposes of EU GDPR. Contact us at giurgiur99@gmail.com.
What we collect
To generate a bill of sale, we collect the data you enter in the wizard:
- Party information: full legal name, street address, city, state, ZIP, phone, email, optional driver's license number for both seller and buyer.
- Vehicle information: VIN, year, make, model, body type, color, odometer reading, optional license plate, optional title number and issue date.
- Sale details: price, payment method, date, condition (as-is / with warranty), optional defects disclosure.
- Signatures: the seller's and buyer's handwritten signatures captured as PNG images on your device.
We also record automatic technical data: IP address, browser user agent, and timestamps — strictly for fraud prevention and abuse investigation.
When you pay, Stripe collects your payment details directly. We never see or store your card number. We receive only a Stripe customer ID, the amount paid, and a billing postal code.
Analytics and advertising
We use two Google services to measure how visitors reach the site and how many paid-ad clicks convert into purchases. Both set first-party cookies on this domain.
- Google Analytics 4 — pageviews, wizard-step events, and purchase events. Sets the _ga and _ga_<property_id> cookies. Event data is retained at Google for up to 14 months.
- Google Ads conversion tracking — measures which ad click led to a purchase. Sets _gcl_au and related _gcl_* cookies, and reads the gclid parameter that Google appends to ad URLs. After payment, a SHA-256 hash of the buyer's email is sent to Google for Enhanced Conversions matching; the plain email is never sent.
Both services are operated jointly by Google LLC (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) and Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland). Transfers of personal data to the United States are covered by Google's participation in the EU–US Data Privacy Framework and by Standard Contractual Clauses under GDPR Art. 46. Google's privacy policy is at policies.google.com/privacy and the advertising-controller terms at business.safety.google/adscontrollerterms.
On your first visit you will see a consent banner. If you click Accept, the cookies above are enabled and your visit is measured. If you click Reject, Google Consent Mode v2 keeps advertising and analytics cookies disabled, and only cookieless, non-identifying signals are sent so that aggregate ad performance can still be modeled. You can change your choice at any time by clearing the bosm:consent entry in your browser's site data.
What we do not collect
- We don't require an account or password.
- We don't buy or sell mailing lists.
- We don't use social-media pixels (no Meta Pixel, TikTok Pixel, LinkedIn Insight, etc.).
How we use it
- Generate the PDF. Your data is written directly into the official state form (HSMV 82050 in Florida, REG 135 in California) or a compliant template (Texas) and saved as a PDF.
- Deliver the PDF. After payment, we email the finished PDF to the seller and buyer email addresses you provided.
- VIN auto-fill. When you type a VIN, we call the U.S. government's NHTSA vPIC API (vpic.nhtsa.dot.gov) to auto-fill year, make, model, and body class. NHTSA has its own privacy notice; the lookup happens server-side through our API so your browser never talks to NHTSA directly.
- Fraud prevention. We log IP and user agent to detect abuse patterns. We don't share this with advertisers.
Where we store it
Form data is stored in a Vercel Postgres database (hosted on Neon) in the United States. Generated PDFs are stored in Vercel Blob storage. Payment records are held by Stripe. We use these vendors because they offer strong security and data-processing agreements appropriate for financial and personal data.
How long we keep it
- Form data and PDF: retained for 12 months after purchase so you can retrieve your document if needed (for example if the DMV asks for a re-print). You can request deletion at any time.
- Stripe payment records: retained per Stripe's policy and our accounting obligations, typically 7 years.
- Abandoned drafts: form data for bills of sale you started but never paid for is deleted automatically after 48 hours.
- Analytics events: up to 14 months in Google Analytics.
Your rights
Regardless of where you live, you can email us at giurgiur99@gmail.com with your document UUID and we will:
- Send you a copy of everything we have on you.
- Correct any inaccurate information you point out.
- Delete your record — if you've paid, we keep only the minimum accounting data required by law.
EU / UK: GDPR and UK GDPR apply. You have rights of access, rectification, erasure, restriction, objection, and portability. The lead supervisory authority for this service is ANSPDCP (Romania); you may lodge a complaint with any EEA supervisory authority.
California (CCPA as amended by CPRA): you have rights to know, delete, correct, and limit use of sensitive personal information. The hashed email we share with Google for Enhanced Conversions constitutes "sharing" for cross-context behavioral advertising under Cal. Civ. Code § 1798.140(ah). We do not currently publish a "Do Not Sell or Share My Personal Information" link because our California consumer volume and revenue are below CPRA applicability thresholds; we will add one before those thresholds are reached. You can still opt out today by clicking Reject on the consent banner or by enabling the Global Privacy Control signal in your browser — we honor GPC as a "Do Not Sell or Share" request when we can detect it.
Security
Traffic is encrypted end-to-end with TLS. Database and blob storage are encrypted at rest. We apply standard operational security measures (least-privilege access, audit logging, MFA on admin accounts). We're a small operation — if we had a breach affecting your data, we'd notify you by email within 72 hours.
Children
The service is not intended for anyone under 18. We don't knowingly collect data from children.
Changes
If this policy changes materially, we'll update the "last updated" date at the top and, for anyone with an active document on file, send an email. Routine wording updates happen without notice.
Contact
giurgiur99@gmail.com. Humans answer.