Privacy Policy

1. Information We Collect

Account information you provide: name, email address, password (hashed and salted, never stored or transmitted in plaintext), entity name, USDOT number, MC number where applicable, billing address, and similar onboarding fields.

Customer Data you submit: records about commercial drivers (such as name, date of birth, last four of Social Security number, hire date, CDL number and class, medical-cert expiration, drug-and-alcohol test results, MVR data, and Clearinghouse query history); records about vehicles (VIN, make, model, year, license plate, annual-inspection status); records about operations (DVIRs, accident-register entries, hours-of-service supporting documents, audit binders).

Payment information: handled by Stripe, Inc. and Stripe Tax. Roadworthy HQ does not store full card numbers; Stripe returns a customer ID and a tokenized last-four for display.

Usage and technical information: log data, IP address, browser type and version, pages and features accessed, timestamps, and similar technical details collected when you access the Service.

Cookies and similar technologies: a strictly necessary session cookie issued by Supabase Auth to keep you signed in; a Stripe cookie when you visit Checkout; product-analytics cookies if and when we add a product-analytics provider (Roadworthy HQ does not run advertising trackers).

2. Sources of Personal Information

Directly from you when you sign up, configure your account, or upload records.

From your Customer Users when they act on your behalf.

From third-party services you authorize, such as your payment processor (for billing status), an MVR vendor (for MVR data you have ordered through a vendor of record, where Roadworthy HQ is not the CRA), and FMCSA public datasets (for USDOT validation).

From your devices and browsers automatically when you access the Service.

3. How We Use Personal Information

To operate, maintain, and secure the Service; to provide customer support; to surface deadline alerts and other compliance reminders; to bill the Service and remit applicable taxes; to detect and prevent fraud, abuse, and security incidents; to comply with our legal obligations; to enforce the Terms of Service; and, in the case of aggregated and de-identified usage data only, to evaluate and improve the Service.

We do not use Customer Data to train artificial-intelligence models that serve other customers without your prior written consent. We do not sell personal information for monetary consideration. We do not share personal information for cross-context behavioral advertising.

4. How We Share Personal Information

With sub-processors that help operate the Service, including Supabase (database, authentication, storage), Stripe (payments and tax), Resend (transactional email), Vercel (hosting and edge networking), and Sentry (error monitoring). The Data Processing Addendum lists each sub-processor.

With your authorized recipients on the specific authorizations you grant — for example, a designated FMCSA representative, a written designee of a driver under 49 CFR § 40.331, the National Transportation Safety Board following an accident, or a federal, state, or local safety agency. Drug-and-alcohol test results subject to 49 CFR Part 40 are released only on the specific written authorizations contemplated by §§ 40.321 and 40.331.

With professional advisors, such as our auditors, attorneys, and insurers, under appropriate confidentiality obligations.

In connection with a merger, acquisition, financing, reorganization, or sale of all or substantially all of our assets, subject to standard confidentiality protections and to this Privacy Policy continuing to govern the transferred data.

When required by law, legal process, or to protect rights, safety, or property — for example, in response to a valid subpoena or court order, or to address a security incident.

5. Retention

We retain personal information only as long as is necessary for the purposes for which it was collected, as required to comply with the retention obligations of the Federal Motor Carrier Safety Regulations (the periods in Section 9 of the Terms of Service apply), and as required to comply with our other legal obligations, resolve disputes, and enforce our agreements.

Account-level information is retained while your account is active and for the read-only window described in Section 6 of the Terms of Service. After the read-only window, account-level information is deleted or de-identified except where a longer retention is required by law or by an active Legal Hold.

6. Roadworthy HQ Is Not a Consumer Reporting Agency

Roadworthy HQ is not a Consumer Reporting Agency ("CRA") under the Fair Credit Reporting Act, 15 U.S.C. §§ 1681 et seq. We do not assemble or evaluate consumer information for the purpose of furnishing consumer reports to third parties. Where the Service stores Motor Vehicle Records, Pre-Employment Screening Program reports, or background-check data, that data was obtained by you or by a CRA you engaged, and Roadworthy HQ stores it within your account for your record-keeping convenience. You — not Roadworthy HQ — are the user of any such consumer report under the FCRA, and you are responsible for FCRA compliance.

7. Security

Roadworthy HQ uses encryption in transit (TLS 1.2 or higher) and at rest, multi-tenant database isolation enforced by row-level security, restricted access to production systems on a need-to-know basis, logging of administrative actions, and a documented incident-response process. No safeguards eliminate all risk; if you suspect a security incident affecting your account, contact security@roadworthyhq.com.

8. Your Privacy Rights

Depending on your state of residence, you may have the right to (a) request access to the personal information we hold about you; (b) request correction of inaccurate personal information; (c) request deletion of your personal information; (d) request a portable copy of your personal information; (e) opt out of the sale or sharing of your personal information (we do not sell or share for cross-context behavioral advertising, but you may still submit a request); (f) opt out of profiling that produces legally significant effects (we do not engage in such profiling); and (g) appeal a denial of any of the above where your state law provides an appeal right.

To exercise these rights, contact legal@roadworthyhq.com from the email address associated with your account, or use the in-product support form. We will verify your identity (typically by confirming control of the account email) before responding. We will respond within the timeframe required by your state's law (generally 45 days, with one 45-day extension where necessary). We will not retaliate against you for exercising any privacy right.

Most personal information held by Roadworthy HQ as a Processor on behalf of a motor-carrier customer is the customer's data; for those records, please direct rights requests to your employer or to the carrier whose Roadworthy HQ account holds the records, and Roadworthy HQ will support the carrier in responding.

9. Driver's Privacy Protection Act

Personal information from a state Motor Vehicle Record is protected by the federal Driver's Privacy Protection Act, 18 U.S.C. § 2721, and analogous state law. Where a Motor Vehicle Record is ordered through Roadworthy HQ or stored within Roadworthy HQ on a driver, the carrier customer represents and warrants a permissible use under § 2721 and is responsible for that representation. Roadworthy HQ does not use MVR data except to render it back to the carrier and as otherwise authorized in the Data Processing Addendum.

10. Children

Roadworthy HQ is not directed to children, and we do not knowingly collect personal information from anyone under 18. If you believe a minor has provided personal information to the Service, contact legal@roadworthyhq.com and we will delete the information.

11. International Users

The Service is operated from the United States and intended for United States motor carriers. If you access the Service from outside the United States, you understand and agree that your information will be processed in the United States. Roadworthy HQ has not established the legal mechanisms required to process personal information of European Union or United Kingdom residents under those jurisdictions' privacy laws and does not knowingly market the Service to those residents.

12. Changes to This Policy

We may revise this Privacy Policy from time to time. Material changes will be announced by email and by posting the revised version at roadworthyhq.com/legal/privacy. The "Effective Date" at the top of the page shows when the most recent change took effect.

13. Contact Us

Privacy questions and requests: legal@roadworthyhq.com.

Postal correspondence: Elite Tech Global LLC, Salt Lake City, Utah, United States. Our principal place of business is in Salt Lake City; for service of legal notices, please email legal@roadworthyhq.com first so we can confirm a current mailing address.