Privacy Policy

1. Introduction

PaxPilot, Inc. ("PaxPilot," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard information when you use our fleet management platform.

We provide services to organizations ("Customers") that transport vulnerable populations, including students, medical patients, and seniors. This creates special privacy obligations that we take seriously.

2. Information We Collect

2.1 Information from Customers (Fleet Operators)

Account Information:

• Organization name and address
• Administrator name and contact information
• Billing information (processed securely by Stripe)

Fleet Information:

• Vehicle details (make, model, license plate, capacity)
• Driver profiles (name, phone, license number)
• Route and schedule information

2.2 Information from End Users

Drivers:

• Profile information (name, phone number)
• GPS location data (only during active routes)
• App usage data and device information

Dispatchers and Administrators:

• Account credentials
• Activity logs within the platform

Parents/Guardians (Viewers):

• Account credentials
• Linked passenger relationships
• Notification preferences

2.3 Passenger Information (Collected via Customers)

We process the following information about passengers on behalf of our Customers:

• Names and dates of birth
• Pickup and dropoff addresses
• Emergency contact information
• Special needs and accommodations
• Medical information (NEMT only)
• Photo verification images (if enabled)
• Custody and guardian relationships

2.4 Automatically Collected Information

• IP addresses and browser information
• Device identifiers
• Usage analytics (pages viewed, features used)
• Cookies and similar technologies

3. How We Use Information

We use collected information to:

Provide the Service:

• Manage fleet operations and dispatch
• Optimize routes and reduce travel time
• Track custody events and send notifications
• Generate compliance documentation

Improve the Service:

• Analyze usage patterns to enhance features
• Debug issues and improve performance
• Develop new capabilities

Communicate:

• Send transactional emails (confirmations, alerts)
• Provide customer support
• Send product updates (with consent)

Ensure Safety and Security:

• Detect and prevent fraud
• Enforce our Terms of Service
• Protect against security threats

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area, we process personal data based on:

• Contract Performance: Processing necessary to provide the Service
• Legitimate Interests: Product improvement, security, fraud prevention
• Consent: Marketing communications, optional features
• Legal Obligation: Compliance with applicable laws

5. Information Sharing

5.1 Service Providers

We share information with trusted service providers who assist in operating our business:

All service providers are contractually obligated to protect your information.

5.2 Within Customer Organizations

Customers control access to data within their organization through role-based permissions:

• Administrators: Full access
• Dispatchers: Operational data
• Drivers: Assigned route information only
• Parents/Guardians: Linked passenger information only

5.3 Legal Requirements

We may disclose information when required by law, such as:

• Court orders or subpoenas
• Government agency requests
• To protect safety or prevent harm
• To enforce our Terms of Service

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.

5.5 What We Do NOT Do

• We do not sell personal information
• We do not share data with advertisers
• We do not use data for profiling or automated decision-making
• We do not retain data longer than necessary

6. Data Retention

7. Data Security

We implement robust security measures:

Technical Safeguards:

• Encryption in transit (TLS 1.3)
• Encryption at rest (AES-256)
• Row Level Security (multi-tenant data isolation)
• Regular security audits and penetration testing

Organizational Safeguards:

• Role-based access controls
• Employee security training
• Incident response procedures
• Background checks for employees with data access

Certifications (Planned):

• SOC 2 Type II
• HIPAA compliance attestation

8. Children's Privacy

8.1 COPPA Compliance

PaxPilot does not knowingly collect personal information directly from children under 13. When we process children's data, we do so on behalf of schools and transportation providers who have obtained appropriate parental consent.

8.2 Parental Rights

Parents may:

• Request access to their child's data (through the school)
• Request correction of inaccurate data
• Request deletion of data (subject to compliance requirements)

8.3 Schools' Responsibilities

Schools using PaxPilot for student transportation must:

• Obtain necessary parental consents under FERPA
• Provide parents with notice of PaxPilot's data practices
• Honor parental requests regarding their children's data

9. Regulatory Compliance

9.1 FERPA (Student Educational Records)

For schools and educational institutions:

• We act as a "school official" with legitimate educational interest
• Student transportation records are used only for transportation purposes
• We maintain strict access controls on student data
• We do not use student data for marketing or advertising

9.2 HIPAA (Protected Health Information)

For NEMT providers handling PHI:

• We execute Business Associate Agreements (BAAs)
• PHI is encrypted and access-controlled
• We maintain audit logs for all PHI access
• We follow breach notification requirements

9.3 CCPA (California Consumer Privacy Act)

California residents have the right to:

• Know: What personal information we collect
• Delete: Request deletion of personal information
• Opt-Out: We do not sell personal information
• Non-Discrimination: We will not discriminate for exercising rights

To exercise CCPA rights, contact [email protected].

9.4 State-Specific Requirements

We monitor and comply with state-specific privacy laws, including:

• Virginia Consumer Data Protection Act (VCDPA)
• Colorado Privacy Act (CPA)
• Other emerging state regulations

10. Your Rights

Depending on your location, you may have the right to:

• Access: Request a copy of your personal information
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your data (subject to legal requirements)
• Portability: Receive your data in a portable format
• Restriction: Limit how we process your data
• Objection: Object to certain processing activities
• Withdraw Consent: Withdraw consent for consent-based processing

To exercise these rights, contact [email protected].

11. International Data Transfers

PaxPilot is based in the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S.

For users in the European Economic Area:

• We use Standard Contractual Clauses for data transfers
• Data Processing Agreements are available upon request

12. Cookies and Tracking

We use cookies and similar technologies for:

• Essential: Authentication, security, preferences
• Analytics: Understanding how the Service is used
• Performance: Improving Service speed and reliability

You can control cookies through your browser settings. Note that disabling cookies may affect Service functionality.

13. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via:

• Email to account administrators
• In-app notification
• Banner on our website

The "Last Updated" date indicates when changes were made.

14. Contact Us

For privacy-related inquiries:

For general support: [email protected]
For legal matters: [email protected]