1. Information We Collect

1.1 Account Information

When you create an account, we collect your name, email address, and organization details. Organization administrators may invite additional members whose email addresses are stored.

1.2 Usage Data

We log carrier searches (USDOT numbers looked up, timestamps, decision results) for audit trail and provenance purposes. This data is associated with your organization and user account. Each search creates a decision receipt with a cryptographic hash to ensure data integrity.

1.3 Carrier Data

We process publicly available government data about motor carriers (FMCSA records, inspection data, crash reports, authority filings). This is business entity data, not personal consumer data. We do not collect personal information about individual truck drivers.

1.4 Technical Data

We collect standard web analytics: IP addresses (for rate limiting), browser type, device information, and page views. We use cookies for authentication session management.

2. How We Use Your Information

Provide and improve the carrier risk intelligence Service
Authenticate your identity and manage your organization
Maintain audit trails for legal defensibility (decision receipts)
Send monitoring alerts and digest notifications (configurable)
Enforce usage limits per subscription tier
Detect and prevent abuse, fraud, and unauthorized access
Comply with legal obligations

3. Data Sharing and Disclosure

We do not sell your personal information. We share data only in these circumstances:

Within your organization: Members of your org can see shared carrier data, notes, and monitoring activity
Service providers: Supabase (database), Vercel (hosting), Cloudflare (storage), Upstash (caching) — all under data processing agreements
Legal requirements: When required by law, subpoena, or court order
Aggregated data: Anonymous, aggregated usage statistics may be published (no individual or org identification)

4. Data Retention

Account data is retained for the duration of your subscription plus 90 days. Audit logs (search events and decision receipts) are retained indefinitely as required for legal defensibility. Source carrier data from government databases is archived in immutable object storage (WORM) as a permanent record.

5. Data Security

We implement industry-standard security measures including: encryption in transit (TLS 1.3), encryption at rest, Row Level Security (RLS) for multi-tenant data isolation, rate limiting, and regular security audits. API keys are hashed before storage.

6. FCRA Compliance Statement

Before You Load is NOT a consumer reporting agency as defined by the Fair Credit Reporting Act (15 U.S.C. § 1681 et seq.). The Service does not provide consumer reports. Data provided through the Service may not be used for any purpose governed by the FCRA, including but not limited to: employment decisions, credit decisions, insurance underwriting, or tenant screening. All data pertains to business entities (motor carriers), not individual consumers.

7. Your Rights

[ATTORNEY TO DRAFT — Include applicable rights under CCPA, GDPR if serving EU customers, state privacy laws. Right to access, delete, port data. Opt-out of marketing communications. Contact mechanism for privacy requests.]

8. Children’s Privacy

The Service is intended for business use by adults. We do not knowingly collect personal information from children under 13. If we become aware of such collection, we will promptly delete the data.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. Continued use of the Service after changes constitutes acceptance.

10. Contact

For privacy-related inquiries: privacy@daaswhatsup.com