Privacy Policy

Short version: HaulHard collects only what we need to make the app work. Your trip history, fuel records, and voice transcripts (if you opt in) belong to you — we don’t sell them, we don’t share them with carriers or fleet platforms, and you can export or delete everything at any time. Reach feedback@haulhard.com for any of it.

1. What we collect

Account and profile: your email address, an optional display name, and the truck specs you enter on the onboarding screen (loaded height, GVWR, vehicle make/model, trailer type, CDL class, endorsements). Stored against your Supabase Auth user ID so the app can scope every query to you alone via row-level security.

Location: live GPS while the app is open and you’ve granted location permission, used to find nearby parking and fuel and to color-code bridge clearances on your route. We do not transmit raw GPS breadcrumbs to our servers in v1; the location is used client-side and discarded when the screen unmounts. Trip-segment auto-tracking is a v2 feature and will be opt-in when it ships.

Trip log: the rows you create on the trip-log screen — origin, destination, distance, load weight, fuel cost, notes. Stored against your driver ID.

Hours-of-service log: the duty-status transitions you log manually (or that a connected fleet ELD writes on your behalf). Used to compute the driving-time and on-duty countdowns. Not transmitted to FMCSA or any carrier; we do not certify HOS.

Parking reports: when you submit a "stall available" or "lot full" report, the report is associated with your driver ID and the location you reported on. Other drivers see the aggregated status; only you see your own report history.

Voice transcripts (opt-in only): if you turn on "Send voice transcripts for analytics" in Settings, the text of your voice commands is sent to our backend so we can improve intent accuracy. Off by default. Off means it doesn’t leave your device.

Connected ELD tokens: if you opt in to a fleet ELD integration (Samsara, Motive, Geotab, Trimble), the OAuth access and refresh tokens for your account are stored encrypted-at-rest. We use them only to read your HOS state on your behalf.

2. What we don’t collect

We don’t collect: your social security number, your driver’s license number, your medical card details, your carrier name, your dispatch screen, your DOT-recordable inspection history, your insurance documents, or any biometric identifier. The app doesn’t ask for them and the database has no column to put them in.

3. Who we share with

We do not sell your data. We do not share it with carriers, brokers, fleet management platforms, ad networks, data brokers, insurance companies, or law enforcement except as required by valid legal process directed at us specifically.

Subprocessors that handle data only to make the app work:

• Supabase (PostgreSQL + Auth) — primary database. Their privacy terms apply to data at rest.
• Railway — backend API hosting. Logs may transit here.
• Cloudflare — DNS, CDN, marketing site hosting. Standard request logs.
• Mapbox — map tiles + style. Tile requests carry your IP to Mapbox per their tile API but no account information.
• Anthropic — Claude AI for permit-parsing fallback (v2 feature, not active in v1).

If we add a subprocessor that handles your personal data, we’ll update this list.

4. Driver-owned data (KP-005)

Our internal commitment is that your data belongs to you, not to your fleet, not to your carrier, not to us. In practice that means:

• Export. Email feedback@haulhard.com and we’ll send you a JSON dump of every row associated with your driver ID within 14 days.
• Delete. Email the same address with "delete" in the subject. We’ll scrub everything within 14 days. The auth user, drivers row, profile, settings, trips, parking reports, fuel cards, voice commands, ELD connections — all of it.
• Take it with you. Switch carriers, switch trucks, switch jobs — your HaulHard data follows you, not the rig.

5. Children

HaulHard is not directed at children under 13. We don’t knowingly collect data from anyone under 13. If a parent believes we have, contact us and we’ll delete it.

6. California (CCPA)

California residents have the right to know what personal information we collect, the right to delete it, and the right not to be discriminated against for exercising those rights. We don’t sell personal information. To exercise these rights, email feedback@haulhard.com.

7. EU and UK (GDPR)

If you’re in the EU or UK, you have the right to access, correct, delete, port, or restrict processing of your personal data. The legal basis for processing is your consent (account creation) and our legitimate interest in providing the app you signed up for. You can withdraw consent by deleting your account at any time. The data controller is Sand Point Studios LLC.

8. Security

Data in transit: HTTPS to the API and to Supabase. Data at rest: Supabase’s standard encryption. ELD OAuth tokens stored as plaintext in v1; we’ll move to column-level encryption (pgcrypto) before any paid tier ships. RLS policies on every personal-data table enforce that you can only read your own rows even if a backend bug bypasses our app-layer checks.

If we discover a breach affecting your account, we’ll notify you by email within 72 hours.

9. Changes

If we change this policy, we’ll update the "Effective" date at the top and email registered users about substantive changes (e.g. new data categories, new subprocessors).

10. Contact

Privacy questions, data requests, complaints: feedback@haulhard.com. Postal: Sand Point Studios LLC, Bozeman, Montana.