LEGAL  ·  EFFECTIVE April 24, 2026

PRIVACY
POLICY

We only collect what we need — and we protect what we collect.

NO AD NETWORKS
We run 0 ad trackers.
NEVER SOLD
Your data stays here.
YOU CAN DELETE
Ask and it's gone.
72HR RESPONSE
We reply fast.

What We Collect :: MINIMAL

When you create an account or sign in with a social provider, we receive your email address and a unique user ID from that provider. That's the only personally identifiable information we hold.

When you browse without an account:

  • Anonymous usage data via Google Analytics — country/region and page views only. No names, no IPs stored by us.
  • A reCAPTCHA score on signup — Google's bot signal. We see the score, not your identity.
  • A random guest token stored in your browser's localStorage, used only to count your votes so you can't vote twice. It's a string of random characters — not tied to you in any way.

We do not collect names, phone numbers, payment information, location, or browsing history.

How We Use It :: FUNCTIONAL ONLY

Your email is used to:

  • Send your account confirmation and password reset emails.
  • Identify you as the owner of your wish list and product submissions.

That's it. No newsletters unless you opt in. No behavioral profiling. No ads. No remarketing. The site exists to help Lexus GX owners find good parts — not to monetize your identity.

Third Parties :: FOUR VENDORS

We use a small set of vendors to run the site. Here's exactly who sees what:

ServicePurposeData SharedTheir Policy
SupabaseAuth & database hostingEmail, session tokenssupabase.com/privacy
GooglereCAPTCHA + Analytics + OAuthBot score, anon usage, identity token (if you sign in with Google)policies.google.com/privacy
MetaFacebook OAuth sign-in (optional)Identity token only — only if you choose this login methodfacebook.com/privacy/policy
MicrosoftMicrosoft OAuth sign-in (optional)Identity token only — only if you choose this login methodprivacy.microsoft.com

None of these vendors are permitted to use your data for their own marketing based on your activity on this site.

Local Storage :: NOT COOKIES

This site stores your login session in your browser's localStorage — not tracking cookies. Three keys:

gxa_tokenYour login JWT. Expires per Supabase's token policy.
gxa_refreshA refresh token to re-issue your login without re-entering your password.
gxa_userYour user object — email address and user ID.
gxa_guestRandom anonymous string used to count your votes. No identity attached.

Clear your browser's site data for gxaftermarket.com to remove all of these instantly. Settings → Privacy → Clear browsing data → Cached data and cookies.

Your Rights :: YOURS

  • Access. Want to see exactly what we hold? Email us and we'll send it within 72 hours.
  • Deletion. Ask us to delete your account and all associated data. We'll confirm within 72 hours and complete it within 30 days.
  • Portability. We'll export your data as JSON — wish list, votes, submissions.
  • Opt out of analytics. Use a browser extension like uBlock Origin to block Google Analytics requests entirely. We have no objection.
  • Correction. If something we have is wrong, tell us and we'll fix it.

These rights apply regardless of where you're located. GDPR, CCPA, common decency — take your pick.

Contact :: HUMAN RESPONDS

Privacy questions, deletion requests, data access requests — send them here:

privacy@gxaftermarket.com

Jurisdiction: Phoenix, Arizona, USA.
Effective date: April 24, 2026.