Privacy Policy

1. Information We Collect

1.1 Account and Registration Information

When you create an account, we collect:

• Full name and email address;
• Password (stored in hashed form; we never store plaintext passwords);
• Organization name and role within your organization;
• USDOT number — required for identity verification. At registration, we query the Federal Motor Carrier Safety Administration (“FMCSA”) QCMobile API using your USDOT number to verify your operating authority and auto-populate your company name, authority type, and fleet size. This is a one-time lookup against a public federal database;
• Subscription tier selection and seat count (for service provisioning);
• Billing contact information (name, email, billing address) — collected only for paid-tier subscribers. Free-tier users are not required to provide billing or payment information.

1.2 Business and Operational Data

As part of normal use of the Service, you and your authorized users enter operational data, which may include:

• Load and container information (container numbers, booking numbers, vessel names, port details);
• Driver information (names, contact information, license numbers, assignment records);
• Equipment records (trucks, trailers, chassis — including identification numbers and status);
• Customer and carrier records (company names, contacts, addresses, rate information);
• Financial data (invoices, accessorial charges, rate agreements);
• Document attachments (bills of lading, delivery orders, photos, inspection records);
• Location and appointment data (pickup/delivery addresses, port names, timestamps).

Collectively, the above is referred to as “Customer Data.” You retain ownership of Customer Data. We process it only as necessary to provide the Service.

1.3 AI Assistant Inputs

When you use the AI Assistant, you may submit text content such as pasted booking confirmations, bills of lading, or other documents. This input is transmitted to our third-party AI inference provider for processing. See Section 3.2 (Third-Party Service Providers) for details on how this data is handled.

1.4 Automatically Collected Data

When you use the Service, we automatically collect:

• Device and browser information (browser type, operating system, screen resolution);
• IP address and general geographic region (country/state);
• Pages visited, features used, and actions taken within the Service;
• Session duration and access timestamps;
• Error logs and performance diagnostics.

This data is used to maintain and improve the Service and is not used to build individual advertising profiles.

1.5 Payment Information

Payment information is collected only from users on paid subscription tiers. Free-tier users are not required to provide any payment data. For paid subscribers, we do not store your full payment card number, CVV, or bank account details. All payment data is collected and tokenized directly by our PCI-compliant third-party payment processor. We receive only a payment token, the last four digits of your card, and billing metadata.

1.6 Audit Log Data

The Service automatically creates an immutable audit log of all database changes, recording the action performed, the timestamp, and the user ID of the person who performed the action. These logs are stored within your Tenant's isolated workspace and are accessible only to your authorized administrative users and (in limited circumstances for platform integrity) to Dray Flow personnel.

2. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service;
• Authenticate users and enforce access controls;
• Verify carrier identity and operating authority via FMCSA at registration;
• Process subscription payments and manage your account;
• Send transactional emails (account setup, password resets, billing receipts, operational alerts);
• Respond to support requests and resolve disputes;
• Monitor Service performance, diagnose errors, and improve reliability;
• Enforce our Terms of Service and protect the integrity of the platform;
• Comply with applicable law, legal process, or regulatory requirements.

We do not use your Customer Data to train AI models, build advertising profiles, or sell data to third parties for marketing purposes.

3. How We Share Your Information

3.1 Within the Dray Flow Corporate Family

Dray Flow LLC, a wholly-owned subsidiary of Forge Perfect LLC, is the developer, operator, and intellectual property owner of the Service. Forge Perfect LLC, as the parent company, may access Customer Data solely to the extent necessary to support, operate, or improve the Service. Internal access within both entities is limited to personnel who require it for those purposes.

3.2 Third-Party Service Providers

We engage third-party companies (“Service Providers”) to help operate and deliver the Service. Each Service Provider is subject to contractual data protection obligations and processes data only for the purposes described below. All Service Providers used by Dray Flow are based in or host data within the United States.

• Cloud Infrastructure and Database Hosting: We use third-party cloud providers to host the Service, store Customer Data, manage authentication, and handle file storage. All Customer Data is encrypted at rest and in transit.
• Application Hosting and Content Delivery: We use a third-party platform for application hosting, edge delivery, and routing of AI Assistant requests.
• Payment Processing: We use a PCI-compliant third-party payment processor to handle all payment card data and billing transactions. We do not store full card numbers on our systems.
• AI Inference Provider: We use a third-party large language model provider to power the AI Assistant. Text content submitted to the AI Assistant is transmitted to this provider for processing.
• Transactional Email: We use a third-party email delivery service to send system-generated emails such as account notifications, alerts, and billing receipts.
• Email and Identity Services: We use third-party email infrastructure for business communications and domain verification.
• Federal Carrier Verification: At registration, we query the Federal Motor Carrier Safety Administration (“FMCSA”) public database to verify your USDOT number and operating authority. This is a one-time lookup against a public federal government system.
• DNS and Domain Infrastructure: We use third-party providers for domain routing and DNS management. No Customer Data is stored by these providers.

For a current list of named sub-processors, you may contact us at privacy@drayflow.com.

Note on AI Data Processing

AI Assistant requests are routed through a secure gateway before being processed by our AI inference provider. Under our commercial agreements with these providers, data submitted through the AI Assistant is not used to train or improve any AI foundation models. Content is processed ephemerally — it is not retained by our AI providers beyond the scope of the individual request, in accordance with their respective enterprise data handling policies.

3.3 Legal Disclosures

We may disclose your information when we believe in good faith that disclosure is required by law, subpoena, court order, or other legal process; to enforce our Terms of Service; or to protect the rights, property, or safety of Dray Flow, our users, or the public.

3.4 Business Transfers

If Dray Flow LLC or its parent company, Forge Perfect LLC, undergoes a merger, acquisition, financing, or sale of assets, Customer Data may be transferred to the successor entity. We will notify you of any such transfer via email or a prominent notice within the Service.

3.5 No Sale of Personal Information

We do not sell, rent, or license your personal information or Customer Data to any third party for monetary or other valuable consideration.

4. Data Retention

4.1 Active Accounts

We retain Customer Data for as long as your account is active, including all operational records, load history, driver data, and financial information.

4.2 Post-Cancellation Export Window

When you cancel your subscription, your account enters a 90-day grace period during which your data remains accessible and you may request an export. After this period, Customer Data is permanently deleted from production systems. See our Cancellation & Refund Policy for export procedures.

4.3 Regulated Records Retention

Dray Flow is used by motor carriers and logistics operators subject to federal recordkeeping requirements. The following categories of data entered into the Service are retained for the periods specified below, even after account cancellation, solely for legal and regulatory compliance:

• Financial and billing records (invoices, rate agreements, accessorial charges, settlement data): 7 years — IRS tax record requirements;
• Load and freight records (load history, delivery records, bill of lading references): 3 years — 49 CFR §379;
• Driver activity records (dispatch assignments, status logs): 3 years from the date created — 49 CFR §391.51.

Records retained for compliance purposes are stored in encrypted, access-controlled archival storage and are not actively accessible through the Service after account deletion. To request access to retained records during the applicable retention period, contact privacy@drayflow.com.

4.4 Platform Audit Logs

Internal platform audit logs (records of which users performed which actions within the Service) are retained for the life of your account and through the 90-day post-cancellation window, then purged.

4.5 Backup Copies

Backup copies of production data may persist for up to 90 days in encrypted storage before they are purged through normal backup rotation cycles.

5. Security

We take the security of your data seriously and implement appropriate technical and organizational measures, including:

• Multi-Tenant Isolation: Row-level security (RLS) policies enforced at the database level ensure that no Tenant can access another Tenant's data, even if they share the same underlying infrastructure.
• Encryption in Transit: All data transmitted between your browser and our Service is encrypted using TLS 1.2 or higher.
• Encryption at Rest: Customer Data stored in our database is encrypted at rest by our cloud infrastructure provider.
• Authentication: User authentication is managed through our identity and authentication provider, which uses bcrypt-hashed passwords and supports email-based verification workflows.
• Immutable Audit Logs: All changes to operational records are written to an append-only audit log that cannot be modified or deleted by regular users.
• Access Controls: Role-based access controls limit which users within your organization can view, edit, or delete specific data.

No security system is impenetrable. If you believe your account or data has been compromised, contact us immediately at security@drayflow.com.

6. Your Rights and Choices

6.1 General Rights (All Users)

You have the right to:

• Access: Request a copy of the personal information we hold about you;
• Correction: Request correction of inaccurate personal information;
• Deletion: Request deletion of your personal information, subject to our legal retention obligations;
• Data Portability: Request an export of your Customer Data in a machine-readable format;
• Opt Out of Non-Essential Communications: Unsubscribe from marketing emails at any time using the link in those emails. Transactional and security emails cannot be opted out of while your account is active.

To exercise any of these rights, contact us at privacy@drayflow.com. We will respond to your request within 30 days. For data portability requests (Customer Data export), we will deliver the export in a machine-readable format (CSV or JSON) within 30 days of verifying your identity. In complex cases, we may extend this period by an additional 30 days with notice.

6.2 California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”) provides you with additional rights:

• Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, our business purposes for collecting it, and the categories of third parties with whom we share it.
• Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
• Right to Correct: You may request correction of inaccurate personal information.
• Right to Opt Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising purposes. No opt-out action is required.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, email privacy@drayflow.com with “CCPA Request” in the subject line. We may ask you to verify your identity before processing the request.

6.3 Washington State Residents

The Washington My Health My Data Act applies to consumer health data. The Dray Flow TMS does not collect health data as part of its core functionality. To the extent driver wellness or drug test documentation is uploaded by your organization, we treat such data with the same security and access controls as all other Customer Data and do not use it for purposes beyond operating the Service.

6.4 Driver Data — Data Processor Role

Driver personal information (such as names, contact details, and license numbers) is entered into the Service by your organization, not directly by drivers themselves. In this context, your organization acts as the data controller for driver personal data, and Dray Flow acts as a data processor that stores and processes that data solely as necessary to provide the Service on your instructions.

Drivers who wish to access, correct, or request deletion of their personal information should direct those requests to their employer (the carrier or dispatcher organization that entered their data). Dray Flow will cooperate with your organization to fulfill any such requests in accordance with applicable law.

7. Cookies and Analytics

The Service uses minimal cookies and local storage for session management, authentication state, and performance caching. We do not use advertising cookies or cross-site tracking technologies.

We use third-party analytics and performance monitoring tools to understand aggregate usage patterns and application performance. These tools collect anonymized technical data and do not use cookies to track individuals across other websites.

You can disable cookies in your browser, but doing so may prevent certain features of the Service from functioning correctly.

8. Children's Privacy

The Service is intended for business use by individuals who are at least 18 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected information from a child under 13, we will delete it promptly.

9. International Users

Dray Flow is currently offered to businesses operating within the United States. Our Service infrastructure is hosted in the United States. If you access the Service from outside the United States, you do so at your own initiative and are responsible for compliance with your local laws. We do not represent that the Service is appropriate or available for use in other jurisdictions.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice within the Service at least 14 days before the changes take effect. The “Last Updated” date at the top of this page reflects the most recent revision. Your continued use of the Service after the effective date constitutes your acceptance of the revised Policy.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We will respond to privacy-related inquiries within 30 days.