Privacy Policy — Verified Auto Transport

Last Updated: [DATE]

DRAFT — This document must be reviewed by legal counsel before production deployment.

1. Introduction

Verified Auto Transport ("Platform," "we," "us," "our") operates the website at verifiedautotransport.com. This Privacy Policy describes how we collect, use, store, and protect your personal information when you use our vehicle shipping platform.

2. Information We Collect

Account Information

When you create an account, we collect:

  • Full name
  • Email address
  • Phone number
  • Account password (stored as a cryptographic hash, never in plain text)

Vehicle and Shipment Information

When you request quotes or book shipments, we collect:

  • Vehicle details: year, make, model, VIN, condition (operable/inoperable)
  • Pickup and delivery addresses
  • Transport preferences (open/enclosed, pickup urgency)
  • Shipment status and history

Payment Information

Payment is processed through Stripe, a PCI DSS Level 1 certified payment processor. We do not store credit card numbers, CVVs, or full payment card details on our servers. Stripe handles all sensitive payment data.

Carrier Information (for carrier accounts)

  • Business name and MC number
  • FMCSA operating authority documentation
  • Insurance certificates and expiration dates
  • W-9 tax documentation
  • Vehicle fleet details
  • Payment preference (card, cash, or Zelle at delivery)

Location Data

During active shipments, we collect GPS location data from the carrier's device to provide real-time tracking. Location data is collected only during active transport and is not tracked when a carrier does not have an active shipment.

Usage Data

We collect standard web analytics data including pages visited, browser type, device type, and IP address for platform improvement and security monitoring.

3. How We Use Your Information

We use collected information to:

  • Facilitate vehicle transport — matching shipments with carriers, generating quotes, processing bookings
  • Process payments — collecting the $85 platform fee through Stripe
  • Provide tracking — displaying real-time GPS location during active shipments
  • Verify carriers — confirming FMCSA authority, insurance coverage, and business documentation
  • Communicate — sending shipment status updates, booking confirmations, and account notifications via email and SMS
  • Secure records — recording vehicle inspection data on the Polygon blockchain for tamper-proof Bill of Lading documentation
  • Resolve disputes — providing inspection records and shipment history for damage claims
  • Improve the platform — analyzing usage patterns to enhance features and performance
  • Ensure security — detecting and preventing fraud, unauthorized access, and abuse

4. Information We Share

With Carriers

When you book a shipment, your assigned carrier receives:

  • Pickup and delivery addresses
  • Vehicle details (year, make, model, condition)
  • Your name and contact information (only after $85 platform fee is paid)

Before you pay the platform fee, carriers can see shipment details but not your personal identity.

With Customers (for carrier accounts)

After carrier assignment, customers can see:

  • Carrier business name and MC number
  • Carrier rating and customer reviews
  • Real-time GPS location during active transport

With Third-Party Services

We use the following third-party services:

| Service | Purpose | Data Shared |

|---------|---------|-------------|

| Stripe | Payment processing | Payment card details, billing address, transaction amounts |

| Supabase | Database and authentication | All account and shipment data (encrypted at rest) |

| Google Places | Address verification | Pickup and delivery addresses |

| Dropbox Sign | Digital contract signing | Names, email addresses, contract terms |

| Cloudinary | Image storage | Vehicle inspection photos (private, not publicly accessible) |

| QStash (Upstash) | Background job processing | Job payloads (no PII) |

| Sentry | Error monitoring | Error context (sanitized — no PII included in error logs) |

| Polygon Blockchain | Inspection record immutability | Vehicle inspection hashes, timestamps, shipment reference codes (no PII) |

We Do Not

  • Sell your personal information to third parties
  • Share your data with advertisers
  • Include personally identifiable information (phone numbers, email addresses, VINs) in application logs or error tracking systems
  • Make vehicle inspection photos publicly accessible

5. Data Security

Authentication

  • User sessions use httpOnly cookies — no authentication tokens are stored in browser localStorage
  • Two-factor authentication (TOTP-based MFA) is available for all accounts
  • Passwords are cryptographically hashed before storage

Data Protection

  • All data is encrypted in transit (TLS/HTTPS)
  • Database data is encrypted at rest through Supabase's infrastructure
  • API keys and secrets are stored as environment variables, never in client-side code
  • Row-Level Security (RLS) policies in the database ensure users can only access their own data
  • File uploads (inspection photos, documents) are stored in private Cloudinary buckets, not publicly accessible

Access Controls

  • Customer accounts cannot access carrier or admin routes
  • Carrier accounts cannot access customer or admin data
  • Admin access requires explicit approval and is audited
  • All API routes enforce authentication and authorization before processing requests

6. Data Retention

  • Active accounts: Data is retained for the duration of your account.
  • Deleted accounts: Accounts are soft-deleted. Personal information is removed from active use, but transaction records are retained as required for legal, tax, and insurance purposes.
  • Shipment records: Shipment data and blockchain-secured inspection records are retained indefinitely as they serve as legal documentation for insurance and dispute purposes.
  • Location data: GPS tracking data from completed shipments is retained for 90 days after delivery for support and dispute resolution, then archived.

7. Your Rights

You have the right to:

  • Access your personal information stored on the Platform
  • Correct inaccurate personal information in your account
  • Delete your account (subject to soft-delete policy above)
  • Export your shipment history and account data
  • Opt out of non-essential communications

To exercise any of these rights, contact us at privacy@verifiedautotransport.com.

8. Cookies

The Platform uses essential cookies for:

  • Session management (httpOnly authentication cookies)
  • Security (CSRF protection)

We do not use third-party advertising cookies or tracking pixels.

9. Children's Privacy

The Platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated to registered users via email. The "Last Updated" date at the top of this page reflects the most recent revision.

11. Contact

For privacy-related questions or requests, contact us at privacy@verifiedautotransport.com.

DRAFT NOTICE: This document is a content draft prepared for the Verified Auto Transport platform. It must be reviewed and approved by qualified legal counsel and assessed for compliance with applicable privacy regulations (CCPA, state-specific requirements) before being published on the production website.