Privacy Policy

Effective April 26, 2026

Your data, your operation

We handle carrier data with the same operational discipline we build into the platform.

This policy explains what data RigBase collects, why we collect it, how we use and protect it, and what control you have over it. We've written it to be readable, not just legally compliant.

The short version

We collect what operations require

Account credentials, fleet records, driver profiles, load data, and compliance documents — only the data needed to run carrier operations.

We don't sell your data

Customer data is never sold, rented, or traded to third parties for advertising or data-broker purposes.

Org-scoped by design

Data is partitioned by organization. One carrier's records are never accessible to another tenant.

Encrypted in transit and at rest

All communication uses TLS 1.2+. Database records are encrypted at rest through our infrastructure provider.

You control your data

You can export, correct, or request deletion of your organizational data at any time by contacting our team.

US-based infrastructure

Primary data storage and processing occurs in US-East regions through our infrastructure provider, Supabase.

1. Information We Collect

Account and identity data

When you create a RigBase account or are added to an organization by an administrator, we collect your name, work email address, role, and authentication credentials. We do not store raw passwords — credentials are hashed using industry-standard algorithms.

Operational and fleet data

The core function of the platform requires operational records. This includes:

  • Driver profiles: name, CDL number, license state, medical card status, endorsements, and linked contact details
  • Vehicle records: VIN, unit number, license plate, year, make, model, and associated maintenance history
  • Load records: origin and destination, commodity, weight, assigned driver and vehicle, status, and billing details
  • Pre-trip inspection (PTI) submissions including inspection results, defects noted, and driver sign-off data
  • Safety and compliance records: incidents, violations, FMCSA data links, CSA scores, and DOT inspection outcomes
  • Work orders and PM schedules tied to fleet equipment
  • Documents uploaded by users, including registrations, proof-of-delivery, and incident supporting files

Usage and telemetry data

We collect information about how users interact with the platform — page views, feature usage frequency, session duration, and error events. This data is aggregated and used to improve the product. We use Sentry for error monitoring and may capture stack traces and session context when application errors occur.

Device and network data

Standard HTTP request metadata is logged by our infrastructure: IP address, browser or app user-agent, device type, and referring URL. These logs are retained for security and diagnostic purposes for up to 90 days.

Communication data

If you contact our support team or submit a lead inquiry through the contact-sales form, we retain the content of those communications to respond to your request and improve our support processes.

2. How We Use Information

We use the data we collect for the following purposes:

  • Delivering and maintaining the platform — authentication, feature access, real-time dispatch events, PTI sync, and notification delivery
  • Providing customer support — diagnosing reported issues, reproducing bugs, and communicating resolutions
  • Improving the product — analyzing aggregate usage patterns, prioritizing features, and identifying error-prone workflows
  • Security and fraud prevention — detecting anomalous access patterns, protecting user accounts, and responding to incidents
  • Billing and subscription management — processing payments, generating invoices, and managing subscription state
  • Legal compliance — maintaining records required by applicable law and responding to lawful government requests

We do not use your operational fleet or driver data to train AI models or derive insights for third-party commercial purposes.

3. Data Sharing

We don't sell your data

RigBase does not sell, rent, or broker customer data to third parties for advertising, marketing, or data-broker purposes — ever.

Service providers

We share data with third-party vendors who help us operate the platform. These providers are contractually bound to use data only as directed and to maintain appropriate security practices. See Section 4 for the current subprocessor list.

Legal requirements

We may disclose data when required by law, court order, or governmental authority, or when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of RigBase, our customers, or the public.

Business transfers

In the event of a merger, acquisition, or sale of assets, customer data may be transferred as part of that transaction. We will notify affected account holders via email prior to any such transfer and before data becomes subject to a materially different privacy policy.

Within your organization

Users within the same organizational tenant can access data scoped to that organization based on their assigned role. Administrators control which roles can access which features and records. Cross-tenant data access is technically prevented at the database level.

4. Subprocessors

The following third-party service providers process data on behalf of RigBase:

| Provider | Purpose | Data region |
|---|---|---|
| Supabase | Database, authentication, and real-time infrastructure | US-East |
| Sentry | Error monitoring and session diagnostics | US |
| Resend / SendGrid | Transactional email delivery | US |
| Stripe | Payment processing and subscription billing | US |
| Vercel | Application hosting and edge delivery | US / Global CDN |
| Samsara | Vehicle telematics — GPS, odometer, and engine-hours data retrieved via API when vehicles are linked | US |

We review subprocessors periodically. Material additions will be announced via our changelog and reflected in an updated version of this policy.

5. Cookies & Tracking

RigBase uses a minimal set of cookies and browser storage mechanisms necessary to operate the platform. We do not use third-party advertising cookies or cross-site tracking.

Session cookies

Authentication tokens issued by Supabase Auth are stored as secure, HttpOnly cookies scoped to the platform domain. These are required to maintain your authenticated session.

Functional storage

Certain user preferences — such as notification settings and UI state — are persisted in localStorage or as short-lived session cookies. This data never leaves your browser to third-party domains.

Analytics

If we use analytics tooling, it is configured to anonymize IP addresses, respect browser Do-Not-Track signals, and avoid fingerprinting. We do not use behavioral advertising pixels from ad platforms.

You can clear all locally stored data at any time through your browser's settings without impacting your organizational records stored server-side.

6. Data Retention

We retain data for as long as your organization's account is active. Specific retention windows:

  • Active account data (fleet records, loads, drivers, compliance docs): retained for the duration of the subscription plus a 90-day post-cancellation window
  • Error and diagnostic logs: retained for up to 90 days in Sentry before rolling deletion
  • Infrastructure access logs: retained for 90 days
  • Billing and payment records: retained for 7 years to satisfy financial and tax compliance obligations
  • Support communications: retained for 3 years after ticket closure

After account deletion is confirmed, we will remove or anonymize your organization's operational records within 30 days, except where retention is required by applicable law.

7. Your Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal data:

Access

Request a copy of the personal data we hold about you.

Correction

Request correction of inaccurate or incomplete personal data.

Deletion

Request deletion of your personal data, subject to legal retention requirements.

Portability

Request your data in a machine-readable format for transfer to another service.

To exercise any of these rights, contact us at privacy@rigbase.io. We will respond within 30 days. Identity verification may be required before we fulfill a data request.

For California residents (CCPA): You have the right to know, delete, and opt out of sale. We do not sell personal information, so the opt-out right is satisfied by default.

8. Security Practices

We apply the following controls to protect customer data:

  • TLS 1.2+ encryption on all data in transit between clients, our application layer, and infrastructure providers
  • AES-256 encryption at rest on all database storage through Supabase's managed infrastructure
  • Role-based access control enforced at the database row level — users can only query data within their organization's scope
  • Authentication tokens issued with short expiry windows and rotating refresh token mechanics
  • Automated vulnerability scanning on application dependencies as part of the CI/CD pipeline
  • Incident response procedures for security events with defined escalation and notification timelines

No system is perfectly secure. If you discover a potential security vulnerability in the platform, please disclose it responsibly to security@rigbase.io before public disclosure.

9. Children's Privacy

RigBase is a business-to-business platform designed for use by organizations and their employees in a commercial trucking context. We do not knowingly collect personal data from individuals under the age of 16. If we become aware that we have inadvertently collected such data, we will delete it promptly.

10. International Transfers

RigBase is operated primarily from the United States. If you access the platform from outside the US, your data will be transferred to and processed in the United States. By using the platform, you acknowledge this transfer.

For users in the European Economic Area or UK, transfers occur under appropriate safeguards including Standard Contractual Clauses where applicable. Contact us for a copy of applicable transfer mechanisms.

11. Policy Changes

We may update this Privacy Policy as the platform evolves. When we make material changes — such as new data collection categories or changes to sharing practices — we will notify account administrators via email at least 14 days before the change takes effect.

Non-material changes (such as clarifying language or correcting formatting) will be reflected in an updated effective date at the top of this page. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

12. Contact Us

For questions, requests, or concerns about this Privacy Policy or our data practices:

RigBase — Privacy Team

Questions about how your carrier data is handled?

Our team can walk through data boundaries, org isolation, and infrastructure controls in the context of your specific operation and compliance requirements.