Privacy Statement

Effective Date: 2025-11-07

Last Updated: 2025-11-07

This Privacy Policy explains how AstraLogixTMS ("AstraLogixTMS", "we", "our", "us") collects, uses, discloses, and safeguards Personal Information when you (a business customer, your authorized users, drivers, contractors, or other personnel) access or use the AstraLogixTMS platform at https://astralogixtms.app and related services (collectively, the "Service").

The Service is offered exclusively to business entities located in Canada or the United States. We do not market the Service to residents of the European Union, United Kingdom, or other jurisdictions requiring GDPR/UK GDPR compliance. If our geographic scope changes, we will update this Policy.

By accessing or using the Service, or providing Personal Information to us, you acknowledge this Privacy Policy. Where required, we will obtain express consent.

1. Scope & Audience

This Policy applies to:

  • Account administrators and users (dispatchers, payroll staff, operations staff).
  • Driver or owner‑operator data submitted by a customer organization.
  • Business contact information of customers and prospects.
  • Website visitors (limited data – telemetry, cookies, and contact form submissions).

It does NOT apply to:

  • Third-party websites or services linked from the Service.
  • Aggregated, de‑identified, or anonymized data that no longer identifies an individual.

2. Legal Framework

Because we operate from Canada (Alberta) and serve Canada/U.S. businesses, we align with:

  • Canada: PIPEDA (federal), and where applicable Alberta PIPA, and Quebec Law 25 if Personal Information is collected about Quebec residents.
  • United States: Applicable U.S. state privacy laws to the extent they govern business-to-business (B2B) data or personal information (e.g., California Consumer Privacy Rights Act "CCPA/CPRA" for driver or sole proprietor data).

We do not rely on GDPR/UK GDPR legal bases; we primarily rely on consent, legitimate business purposes, contractual necessity, and required compliance obligations.

3. Definitions

  • "Personal Information" (Canada) / "Personal Information" (U.S.): Information about an identifiable individual (e.g., name, driver license number, email, phone, geolocation derived from route data, compensation details).
  • "Business Contact Information" (Canada): Certain information (e.g., business title, business phone, business email, business address) used solely for business communications may be treated differently under PIPEDA/PIPA.
  • "Sensitive Information": Government-issued IDs, financial/banking numbers (if provided), precise geolocation, and compensation figures.
  • "Customer Data": All data a customer organization inputs into the Service (including load records, driver lists, mileage, pay calculations).
  • "Aggregate/De-Identified Data": Data transformed so individuals cannot reasonably be identified; no longer Personal Information.

4. Categories of Personal Information We Collect

  • Identification & Profile – Names, business titles, usernames, driver identifiers, unit numbers.
  • Contact – Business email, business phone, mailing address (company or terminal).
  • Operational & Logistics – Load assignments, route segments, delivery timestamps, mileage estimates.
  • Regulatory & Credential (optional, if uploaded) – Driver license number, expiry dates, safety training completion status; not required unless customer chooses to store.
  • Compensation & Settlement (optional) – Pay rates, settlement summaries, earnings categories (e.g., mileage, percentage splits).
  • Device & Technical – IP address, browser type/version, time zone setting, system log events, usage analytics (pages visited, feature usage times).
  • Support & Communications – Support tickets, feedback forms, emails to our support or privacy contacts.
  • Cookies & Similar Technologies – Session cookies (authentication), preference cookies (UI configs), limited analytics cookies (page performance metrics). We do not use advertising cookies.
  • Integration Metadata (if enabled) – Timestamps of exported documents, map API usage counts, email dispatch logs.

We do NOT intentionally collect: biometric identifiers, precise mobile GPS (unless a customer integration sends it), social insurance numbers, or data about children under 16.

5. Sources of Information

  • Direct input by customer administrators or staff.
  • Driver/owner‑operator data uploaded by the customer.
  • Automated system logs and analytics instrumentation.
  • Support interactions.
  • Optional third-party integrations (e.g., mapping APIs returning coordinates, document renderers providing status codes).

6. Purposes for Collection & Use

We collect and use Personal Information for:

  • Account provisioning, authentication, and access control.
  • Dispatch and transportation workflow management.
  • Driver settlement/pay period calculation and internal reporting.
  • Generating documents (rate confirmations, invoices, statements).
  • Customer support, troubleshooting, and incident response.
  • Service improvement (feature planning, reliability analysis) using aggregated/de-identified usage metrics.
  • Security monitoring, fraud detection, and abuse prevention.
  • Regulatory and legal compliance (e.g., records retention if required by a customer's obligations).
  • Business communications (service notices, updates, billing).
  • Enforcing Terms of Use and protecting rights, property, safety.

We do not use Personal Information for behavioral advertising or unrelated marketing lists.

7. Basis for Processing (Canada & U.S.)

  • Consent: When you or a customer organization provides data voluntarily (e.g., driver details) for use in the Service.
  • Contractual necessity: Operating the platform under the subscription or service agreement.
  • Legitimate business interests: Improving reliability, security, and core logistics features; managing aggregated analytics without identifying individuals.
  • Legal/regulatory requirements: Responding to lawful requests, complying with applicable record retention if mandated by law or a valid legal process.

Where a purpose changes materially, we will seek renewed consent or provide notice as required.

8. Cookies & Tracking Technologies

Types we may use:

  • Essential (session/auth): Required to log in and maintain session integrity.
  • Functional: Store UI preferences (e.g., column widths, theme).
  • Analytics (limited, first-party or privacy-focused third-party): Aggregate usage metrics (feature adoption, error frequency).

We do not deploy advertising or cross-site tracking cookies. Browser settings can block cookies, but essential cookies are necessary for login.

9. Do Not Sell Personal Information (CCPA/CPRA)

We do not "sell" or "share" Personal Information as defined by California law, nor exchange data for cross-context behavioral advertising. If our practices change, we will update this Policy and provide required opt-out mechanisms.

10. Disclosure of Personal Information

We may disclose Personal Information:

  • To service providers (cloud hosting, document rendering, email/SMS dispatch) under contractual confidentiality and use restrictions.
  • Within aggregated analytics after de-identification.
  • For legal reasons: compliance with subpoenas, court orders, lawful regulatory requests.
  • To investigate or mitigate security threats, fraud, or abuse.
  • In a merger, acquisition, or corporate transaction (subject to continuity of protections and notice).

We do not otherwise disclose Personal Information to third parties for independent use without instruction or consent from the customer.

11. Cross-Border Transfers

Data may reside or be processed in data centers located in Canada or the United States. By using the Service, you acknowledge that Personal Information may be transferred between these jurisdictions, potentially subject to different privacy laws. We implement contractual and technical safeguards (access control, encryption in transit and at rest where applicable) to protect cross-border transfers.

12. Retention

Retention periods depend on:

  • Active subscription status.
  • The nature of the record (e.g., load history vs. driver settlement summaries).
  • Legal or contractual obligations (e.g., a customer's required retention for tax or transportation audits).

We delete or de-identify Personal Information when no longer required for stated purposes, subject to backups and secure archiving processes. Customers should export critical compliance records periodically. Backup deletion cycles may introduce a delay before final removal.

13. Security Measures

We employ commercially reasonable safeguards:

  • Access control (role-based permissions, authentication checks).
  • Encryption in transit (HTTPS/TLS); encryption at rest where supported for sensitive data.
  • Environment segmentation and infrastructure monitoring.
  • Logging and anomaly detection for suspicious activity.
  • Least-privilege internal access.

No system can guarantee perfect security; you are responsible for secure credential practices within your organization.

14. Your Rights & Choices

Depending on jurisdiction (Canada, certain U.S. states), you may request:

  • Access: A summary or copy of Personal Information held.
  • Correction: Updates to inaccurate or incomplete data.
  • Deletion/Erasure: Removal of Personal Information not required for legal or contractual obligations (subject to feasibility).
  • Portability (where applicable): A structured copy (limited; typically load/driver data provided by you already).
  • Withdrawal of consent: For discretionary uses not strictly necessary for the Service.

Because we are a B2B platform, many rights requests must be coordinated through your employer/customer organization—especially for driver data entered by an administrator. We may need to verify identity (email confirmation, administrator validation, or other reasonable steps).

Requests: [email protected]

We will respond within timeframes required by applicable law (e.g., 30 days in Canada; 45 days in California, extendable with notice).

15. Children & Minors

We do not knowingly collect Personal Information from individuals under 16. If you believe data about a minor was provided, contact [email protected] for prompt review and remediation.

16. Third-Party Services

If you enable optional integrations (e.g., mapping APIs), those providers process certain technical data (coordinates lookup requests). Their privacy practices are governed by their own policies. Review third-party terms before activation.

17. De-Identification & Aggregation

We may transform Customer Data into aggregated or de-identified datasets for:

  • Performance optimization and capacity planning.
  • Feature improvement and reliability analysis.
  • Benchmark-style insights (without exposing identifiable data).

We implement technical and organizational measures to reduce re-identification risk and will not attempt re-identification.

18. Data Breach Notification

If we discover a security incident that creates a real risk of significant harm or meets applicable statutory reporting thresholds (e.g., under PIPEDA/PIPA), we will:

  • Contain and assess impact.
  • Notify affected customers and, where legally required, relevant authorities.
  • Provide recommended mitigation steps.

Notification channels: administrative email addresses and/or in-platform banners.

19. Changes to This Policy

We may update this Policy to reflect operational, legal, or regulatory changes. A revised "Last Updated" date will appear at the top. Material changes may be communicated via administrative email or in-app notifications. Continued use after changes indicates acceptance.

20. Verification & Authorized Agents (U.S. States)

For U.S. rights requests (e.g., California), we may:

  • Require matching account credentials or administrator confirmation.
  • Accept authorized agent requests if accompanied by signed permission or proof of authority.

Denial grounds (e.g., conflicting legal obligations) will be explained when feasible.

21. Sensitive Information Minimization

Do not store unnecessary Sensitive Information (e.g., full banking details, SIN/SSN) in free-form fields. If such data is inadvertently submitted, request redaction through [email protected]. We may apply automated validations or suppression mechanisms.

22. Data Processing Agreement (Optional)

A separate Data Processing Agreement (DPA) is generally not required for Canadian/U.S. B2B usage but may be provided upon request to clarify roles (controller vs. service provider / processor) and security measures. Contact [email protected] if your compliance team requires one.

23. Role Clarification (Controller vs. Service Provider)

  • Customer organization acts as "controller" (Canada: organization with decision-making authority; U.S.: business) with respect to most driver/personnel data.
  • AstraLogixTMS acts as a "service provider" / "processor" performing processing on documented instructions.
  • If we determine independent purposes (e.g., security log analysis aggregated across tenants), we ensure no individual identification beyond what is necessary.

24. Contact Information

Privacy & Data Requests: [email protected]

Security Reports / Vulnerability Disclosure: [email protected]

General / Support: [email protected]

Legal Notices: [email protected]

25. Resolving Concerns

If you have unresolved concerns:

  • Contact us first at [email protected].
  • Canada: You may escalate to the Office of the Privacy Commissioner of Canada or applicable provincial commissioner (e.g., Alberta OIPC).
  • U.S.: Contact your applicable state authority if state law grants enforcement avenues.

26. Acknowledgment

By submitting Personal Information or using the Service, you acknowledge this Privacy Policy. If you do not agree, discontinue use and contact your account administrator.