How Rinsed builds data pipelines in car washes: the lessons learned

October 21, 2025

min read

The car wash industry runs on servers that sit on floors in office backrooms, getting literally kicked around by employees who walk past, but it's bigger than the entire box office.

It's also a world where point of sale (POS) vendors try to control everything and the entire business model is shifting from one-offs to monthly memberships. If someone could connect to POS solutions within these businesses and give owners a ton more intelligence about their customers, they could open up an extraordinary amount of value.

Kristin Farahdel, Senior Director of Infrastructure at Rinsed, says, "Car washes are popping up every second, and all of them have these huge ads of their memberships that they're selling. These points of sale [solutions] didn't really have the tools to do anything with the data. We're one of the first that came in and said we'll grab your data and do something more with it."

Rinsed is building the CRM platform for the car wash industry, bringing modern analytics to an industry that runs on infrastructure that time forgot. But to get there, the Rinsed team had to learn to work within a handful of constraints rather than fighting them at every facility—and brought some lessons in managing hostility along the way.

Lesson 1: Your assumptions about production environments aren’t jagged enough

You probably picture production running on neat racks in climate-controlled data centers.

Rinsed’s reality is very different. Kristin says, "They're usually just these rinky-dinky little servers sitting on the ground and getting kicked around all day.”

Matthew Beckley, POS Specialist at Rinsed, also adds: "It's a total pain in the butt because they're all Windows." Not even modern Windows versions, but ones Microsoft long abandoned to end of life. If the Windows XP machine still processes transactions and doesn't always fall over, there's no good reason to update it.

The networks are equally rough-edged. A typical site might have:

A firewall from the POS vendor
A corporate firewall
An ISP router doing its own NAT
Sometimes, an ancient router everyone forgot about

Each layer adds complexity, and each is controlled by someone different. “The worst,” Beckley says, “is when you’re double NAT-ed through this cascade of firewalls.”

Across hundreds of locations, Rinsed deals with every possible combination of ancient hardware, tangled onion-like networks, and operators who are skeptical at best. Instead of forcing upgrades or standardizing, they built systems that work with the mess that's implicit in running a car wash business.

Lesson: Build for what’s out there, not what you wish was there.

Lesson 2: Progressive degradation is a valid engineering strategy

When Beckley started at Rinsed, part of his job was to update and improve the deployment process for car wash owners and operators. The first version was three clean lines of PowerShell, exactly the automation script you'd write today to deploy new infrastructure.

Enter a new jagged reality of hostile environments.

For example, PowerShell wasn't standard on the older Windows versions he often encountered. He says, "I've had to keep reverting back to older and older methods. The tried and true method is just using the oldest version of Bash you can use.”

This wasn’t a failure of engineering. It was a learning process, and each step taught the Rinsed folks more about the actual runtime environments they’d be running with for the long haul.

Lesson: Sometimes the most sophisticated solution is the one that works across the most number of least sophisticated systems.

Lesson 3: You can’t (easily) teach networking, but you can put it behind a curtain

As Rinsed’s automation matured, they faced another challenge: networking. Most car wash operators just want to focus on the work that's important to them. That means getting more monthly members and keeping the active ones from churning out, figures that are both on the rise according to Rinsed's October 2025 industry report.

Firewalls and ports are a very, very distant concern.

Kristin says, "These people aren't really used to having to get their data pulled for anything. ... I’ve been in a situation where I’m FaceTiming the customer to help them find the router so they can get the password off of it.”

Even when Rinsed explained port forwarding, the concept never quite landed.

“If you can see my screen, why can’t you just see the database?”
— A confused car wash operator

The answer wasn’t more education. It was better abstraction. The Rinsed team learned to make networking invisible—scripts that asked for two inputs, did the heavy lifting, and worked across even the oldest Windows boxes. Tools like ngrok turned something impossibly technical into a black box that “just worked.”

Lesson: Hide complexity from users who don’t need to see it. The best abstraction is the one no one has to think about.

Lesson 4: Your security theater matters in ways you wouldn't expect

Simplifying the setup solved one problem but surfaced another: fear. Rinsed’s customers split cleanly into two camps:

80%: “Just make it work.” (hand over credentials, no questions asked)
20%: “This terrifies me.” (demand security reviews, documentation, engineering calls)

The second group wanted detailed reviews and long security calls. Hearing “reverse tunnel” set off alarms. Ironically, some insisted on less secure direct connections simply because they felt safer.

Kristin and Beckley realized that security wasn’t only about encryption or network architecture—it was about perception. They reframed their approach around clear, human-friendly constraints:

Outbound-only tunnels
Access limited to Rinsed’s VPC IPs
Separate tools for data pulls and admin access
VPNs for all employee connections

They learned that trust comes not from showing how secure something is, but from showing what it can’t do.

Lesson: Security is as much about empathy as engineering. If it doesn’t feel safe to the customer, then it simply isn’t—no matter how airtight the tech.

The meta lesson: Meet your networks where they are

The Rinsed team shaped all their technical decisions based on constraints—not just how they explained their stack to customers, but what they discovered about their customers' environments along the way.

Can't assume PowerShell exists? Use bash.
Can't teach port forwarding? Use reverse tunnels.
Can't access the firewall? Go outbound-only.
Can't trust the network? Add visible restrictions.
Can't upgrade the servers? Build for the lowest common denominator.

Between Kristin's educational hand-holding, Beckley's deployment script, and the ngrok CLI agent itself, the Rinsed team has a pretty solid system.

Depending on the POS, they sometimes have an easily accessible cloud database or API they could connect to. For the most part, they deal with old Firebird databases, which run on port 3050 by default.

After they access the servers remotely, they install the ngrok CLI agent with a YAML config, which sets up a TLS endpoint on a domain like tls://customer.db_name.domain.com, which points to the database's port.

Each TLS endpoint uses the terminate-tls Traffic Policy action to automatically terminate TLS at the ngrok network before forwarding traffic through the secure tunnel.

on_tcp_connect:
  - actions:
    - type: terminate-tls

Finally, they use IP policies to allow only specific static IPs, which belong to their VPC, to access any public endpoint.

On the administrative side, they previously used the Non-Sucking Service Manager (yes, that's a real thing) to manage ngrok as a service. Over time, they moved to the ngrok service subcommand run ngrok as a service. With ngrok service install --config="/path/to/ngrok.yaml, and ngrok service start, the agent starts up a TLS endpoint on boot and reconnects the secure tunnel any time there's a network hiccup.

Here's what the whole situation looks like:

What's next for Rinsed?

With this setup (don't forget the suite of lessons), Rinsed helps operators learn from data they already have on:

Membership data and status for every customer
Membership plans and pricing
Visit frequency
Sales transactions and receipts

The competitive advantage in Rinsed's approach might sound more like managing technical debt. They build for the oldest OS, the most layers of firewall, the least IT-concerned operator, but in reality, they're helping operators exfiltrate and maximize on data that's otherwise locked up on all those Windows servers anyway.

As far as what's next—Gabe Solomon, Rinsed's director of data engineering, says they're putting all their eggs into the speedy and reliable extraction of car wash data: "Our SalesPath product works best when sales coaching feedback is timely and the data is available for salespeople to improve their behaviors in real-time."

With tons of data about what's happening beneath the queue at the wash as it happens, Rinsed helps operators tap into all that value—and still let them worry not even a smidge about networking.

Share this post

Joel Hans

Joel is ngrok's DevRel lead. Away from blog posts, videos, and demo apps, you'll find him mountain biking, writing fiction, or digging holes in his yard.