Bob the Car Guy Honest writing about cars
Legal

Privacy Policy

What we collect, where it goes, and what we don't do.

Last updated: June 2026.

This page describes what data we and our service providers collect when you visit bobthecarguy.com or follow links from our advertising into the offers we promote. It's longer than the average privacy policy because we'd rather be specific than reassuring. If you have a question this page doesn't answer, use the contact form.

Who we are

Bob the Car Guy LLC operates this site and the related advertising campaigns. "We" and "us" mean Bob the Car Guy LLC. Our mailing address is in the Contact page footer.

What we collect when you visit the site

  • Standard server logs. Our web server records the IP address, user agent, requested URL, response code, byte counts, and timestamp of each request. These logs are retained for 30 days and used to monitor uptime, debug issues, identify abusive traffic, and produce aggregate visit counts. They are not shared with third parties beyond our hosting provider (OVH) and our CDN (Cloudflare).
  • Country (via Cloudflare). Cloudflare adds a two-letter country code derived from your IP address (e.g., "US," "CA") to the request headers it forwards to our origin. We use that country code as part of advertising-measurement events sent to Meta (see below), in hashed form. We do not store the raw country.
  • Contact form messages. If you use the contact form, we collect your name, email address, optional subject, and message. We use these to reply. We do not add you to a list, share you with anyone, or use the message for advertising. We retain conversation history for as long as it's useful, then delete it.
  • Cookies. We do not set any first-party cookies on this site. The only cookies you may encounter are set by Cloudflare for security and performance (see the Cookies Policy) and the standard browser font cache from Google Fonts (no tracking cookie, font files only).

What we send to Meta about visits to our advertising landing pages

Bob the Car Guy LLC runs paid advertising on Meta platforms (Facebook and Instagram). Some of that advertising drives traffic to landing pages we operate, where visitors can opt into a sweepstakes entry by purchasing a sweepstakes ticket through our affiliated sweepstakes operator (PrizePanda). To measure and optimize that advertising, we transmit conversion events to Meta using their server-side Conversions API. We do this from our own server, not from your browser, to protect the privacy of our visitors from accidental URL or referrer leakage.

What we send Meta:

  • Event name and timestamp (e.g., "PageView," "ViewContent," "AddToCart," "InitiateCheckout," "Purchase").
  • Hashed identifier fields (SHA-256 hash of lowercased, trimmed value): email address, phone number, first name, last name, city, state, zip code, country code, and a sweepstakes-internal customer ID where available. We send these only when you have provided them by completing a sweepstakes ticket purchase. Meta uses hashed identifiers to match conversions to ad clicks without seeing the underlying values.
  • Non-hashed signals: your IP address, user agent string, and Meta's own browser-side identifiers (the _fbp cookie and the fbclid click identifier from the ad-click URL, where present).
  • Event source URL: always literally https://bobthecarguy.com/. We intentionally do not include the URL of any third-party page (such as the sweepstakes operator's hosted checkout) in events sent to Meta.

What we do not send Meta: raw (unhashed) email, phone, or name; any payment card details; any URL or page content other than the literal event source URL above; any data about other browsing activity on our site.

Meta's role: Meta acts as a data processor for these advertising events. Meta uses the data to match conversion events to ad delivery, measure ad effectiveness, and (where you have a Meta account) improve ad targeting. Meta's own privacy policy applies to how they handle this data: facebook.com/privacy/policy.

We do not have a standard browser-side Meta Pixel (fbevents.js) installed on bobthecarguy.com. Server-side Conversions API is functionally equivalent for ad measurement but gives us tighter control over exactly what is and isn't transmitted, which is why we use it.

Sweepstakes purchases and the third parties involved

If you click an advertising-driven call-to-action and proceed to a sweepstakes ticket purchase, the checkout itself is hosted by our funnel platform, Funnelish (operated by Funnelish Inc.), on behalf of our affiliated sweepstakes operator, PrizePanda (a brand of contestappsllc, LLC, which we own). Funnelish and PrizePanda are responsible for the data they collect on the checkout flow — name, address, email, phone, and payment details. Funnelish then sends us a webhook containing the purchase confirmation and most of those fields (excluding payment card data, which is processed by Funnelish's payment provider). We use that webhook to transmit the Meta conversion event described above and for our own internal record of the transaction.

Funnelish's privacy policy: funnelish.com/privacy. PrizePanda operates under its own privacy policy linked from its checkout.

Third-party services we use

  • Cloudflare — CDN, DDoS protection, TLS termination. Cloudflare sees every request and sets a small number of functional cookies (see Cookies Policy).
  • OVH — virtual private server hosting. Standard hosting log retention applies on their side.
  • Google Fonts — font file delivery from fonts.googleapis.com / fonts.gstatic.com. Google may receive your IP address as part of font requests. No tracking cookie is set by font requests.
  • Meta — destination of advertising-measurement events as described above.
  • Funnelish — checkout hosting for sweepstakes ticket purchases, as described above.
  • PrizePanda (our affiliate) — sweepstakes operator that runs the campaigns linked from our advertising.

If we add another third-party service that processes reader data, we will update this page and note the change at the top.

What we don't do

  • We don't sell your personal data to anyone for advertising or any other purpose.
  • We don't operate an email newsletter or auto-enroll you in any mailing list. Contact-form messages are used only to reply.
  • We don't run third-party advertising on our own pages.
  • We don't use Google Analytics, Mixpanel, Segment, TikTok, Pinterest, or any other consumer analytics tool. We rely on server logs and Meta's measurement of our own ad campaigns.
  • We don't profile readers across the web. We do not participate in cross-site tracking networks.

Your rights

California residents (CCPA / CPRA). California residents have the right to: (1) know what categories of personal information we collect and how we use it, (2) request a copy of the personal information we hold about you, (3) request deletion of personal information we hold about you, (4) opt out of any "sale" or "sharing" of personal information for cross-context behavioral advertising. We do not sell personal information. We do share hashed identifiers with Meta for advertising-measurement purposes, which under some readings of CPRA may be considered "sharing for cross-context behavioral advertising." If you want to opt out of that sharing, send a request via the contact form with the subject "CCPA opt-out" and we will exclude your hashed identifiers from future events to the extent we can identify them from the information you provide.

Everyone else. You can request a copy of any personal data we hold about you, or ask us to delete it. Use the contact form with the subject line "Privacy request" and we will respond within 30 days.

We do not specifically claim GDPR/UKGDPR compliance because we do not target advertising into the EU or UK. If you believe we hold personal information about you that came from an EU or UK source, contact us and we will work with you to delete or export it.

Data retention

Server logs: 30 days. Webhook records of sweepstakes ticket purchases (in our own server logs, not the payment data which we never see): 90 days, then anonymized. Contact-form correspondence: kept while the conversation is useful, then deleted. Meta retains advertising data per Meta's own policies, which we don't control.

Children

The site is intended for adults. Sweepstakes campaigns we advertise are restricted to age 18+ by the sweepstakes operator. We do not knowingly collect personal information from anyone under 13. If you believe a child has provided personal information to us, contact us and we will delete it.

Changes to this policy

If we change this policy in a meaningful way, we'll note it at the top of the page and post a brief explanation in a recent article. Routine updates (a typo, a clearer sentence) won't be flagged.

Contact

Use the contact form — note "Privacy" in the subject for privacy-specific questions.