Privacy Policy

Plain-English summary: We collect the minimum data needed to run your compliance program. Your driver records are encrypted at rest and cryptographically isolated from every other carrier. We never sell your data. We use reputable sub-processors (Supabase, Stripe, Cloudflare, Resend) to operate the Service. You own your data and can export or delete it at any time.

1. Who We Are

X3 Fleet Safety ("we," "us") is a DOT compliance SaaS platform operated from Howell, Michigan. Contact us at [email protected].

2. Data We Collect

From the account holder (you):

• Name, email, phone, hashed password (Supabase manages hashing — we never see plaintext passwords)
• Company name, DOT number, MC number, EIN, operation type, fleet size, billing address
• Stripe customer identifier (for subscription billing; we do NOT store card numbers)

Driver PII (entered or uploaded by you):

• Driver names, contact info, date of birth, SSN last-4 (never full SSN)
• CDL numbers, class, endorsements, state of issue, expiry dates
• Medical certificates, MVRs, drug & alcohol test results, training certificates, qualification documents
• Incident and inspection records

Usage telemetry: log-in timestamps, IP addresses, user agents, feature usage (retained for audit trail and fraud prevention).

3. How We Use Data

• To deliver the Service you signed up for
• To send transactional emails (sign-up confirmation, password reset, billing receipts, compliance alerts such as expiring medical certificates)
• To process payments via Stripe
• To maintain an audit trail of account actions, as required for FMCSA audit defense
• To respond to support inquiries you submit
• To comply with legal obligations (e.g., lawful government requests)

We do not use your data to train AI models unless you explicitly opt in. We do not sell your data. We do not show you advertising.

4. Sub-processors

We use the following vendors to operate the Service:

Sub-processor	Purpose	Location
Supabase	Database, authentication, file storage	US (AWS us-east-1)
Stripe	Subscription billing, payment processing	US
Cloudflare	DNS, CDN, static hosting	Global
Resend	Transactional email delivery (account confirmations, password resets, compliance digests). Email sent via Amazon SES under Resend.	US

Future integrations (SambaSafety for MVR, Quest/LabCorp for drug testing, etc.) will be added to this list before we enable them.

5. How We Protect Your Data

• Encryption in transit (TLS 1.2+) and at rest (AES-256 on the underlying Supabase database)
• Row-Level Security: every PII record is cryptographically scoped to your carrier account. Another carrier physically cannot query your data, regardless of bugs in app code.
• Role-based access control within your carrier account (owner, admin, safety_manager, dispatcher, driver, viewer)
• Audit log retained for all user actions
• Files stored in a private bucket with signed-URL-only access, scoped to your carrier

6. Your Rights

Depending on where you are located, you may have rights including:

• Access: request a copy of the data we have about you
• Correction: request that inaccurate data be corrected
• Deletion: request deletion (subject to legal retention requirements, e.g., DOT audit-trail obligations)
• Portability: export your data in CSV, JSON, or PDF
• Opt-out: unsubscribe from non-transactional emails at any time

To exercise any right, email [email protected].

7. Data Retention

We retain your data for the duration of your subscription plus 90 days. After that, we permanently delete it, with the exception of records we are legally required to retain (e.g., financial records, anonymized audit logs).

8. Children's Data

The Service is not directed to children under 18. We do not knowingly collect data from minors.

9. Changes

We may update this Privacy Policy. We will notify account holders by email and/or in-app notice at least 14 days before changes take effect.

10. Contact

Privacy questions: [email protected]