Privacy Policy
Effective date: April 25, 2026
1. Introduction
HaulSheet ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains what information we collect, how we use it, how long we retain it, and your rights regarding that information when you use the HaulSheet service ("Service").
By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the Service.
For questions or to exercise your rights, contact us at support@haulsheet.com.
2. Information We Collect
2.1 Information you provide directly
- Account information: Your email address and a hashed password when you create an account.
- Load data: Load entries you create, including gross rates, mileage, fuel costs, origin/destination, broker names, broker fee percentages, notes, and accept/pass decisions.
- Expense data: Expense entries including category, amount, date, notes, and optionally a receipt photo or PDF.
- Maintenance data: Service records including service type, date, odometer, cost, and notes.
- IFTA data: Miles driven per state per quarter that you enter for IFTA tracking.
- Invoice data: Carrier information, shipper information, and load details you enter into the invoice generator. Invoice data is stored only in your browser and is not sent to our servers unless you save it.
- Preferences and settings: Weekly income goal, default fuel price, truck MPG, wear & tear rate, currency preference, CPM profile (insurance, truck payment, overhead), and load templates. These are stored in our database (Supabase) and synced across your devices.
- Referral data: If you use a referral link, we record the association between your account and the referring user to apply the applicable discount.
2.2 Information collected automatically
- IP address: Recorded at sign-up solely to prevent abuse of the free trial (rate limiting). Automatically deleted after 24 hours.
- Authentication tokens: Supabase sets secure session cookies necessary to keep you logged in. These are functional and cannot be disabled without breaking the Service.
2.3 What we do NOT collect
- We do not use third-party analytics tools (e.g., Google Analytics, Mixpanel).
- We do not collect your name, phone number, physical address, or government-issued identification.
- We do not track you across other websites.
- We do not serve advertisements and do not use advertising trackers.
- We do not store your payment card details — all payment data is handled by Paddle as our merchant of record.
3. How We Use Your Information
- To create and manage your account and authenticate your identity.
- To provide and operate the Service, including storing and displaying your load history, expenses, maintenance records, IFTA data, and calculating profit estimates.
- To manage your subscription and process payments via Paddle.
- To send transactional emails (e.g., email verification, password reset). We do not send unsolicited marketing emails.
- To generate anonymized, aggregated community benchmarks (e.g., average rate per mile across all users). No individual data is exposed.
- To prevent fraud and abuse, including duplicate free-trial exploitation.
- To troubleshoot technical issues and maintain the security and integrity of the Service.
We do not sell your data. We do not use your data for advertising. We do not build user profiles for commercial purposes beyond operating the Service.
Operator access for support: Authorized HaulSheet personnel (currently the sole operator) may access your account data — including your load history, expenses, maintenance records, IFTA entries, and profile settings — when necessary to provide customer support, investigate a reported issue, resolve a billing dispute, or enforce the Terms of Service. Such access is limited to what is necessary to address the specific issue and is not used for any commercial purpose.
4. Data Storage and Security
Your account data, load history, expenses, maintenance records, IFTA entries, and settings are stored by Supabase, a cloud database and authentication provider. Data is stored on servers located in the United States. Supabase employs industry-standard security measures including encryption at rest and in transit.
Receipt photos and PDFs you upload are stored in Supabase Storage, a cloud storage service. These files are stored securely and access is restricted to your account.
Payment information is handled exclusively by Paddle, our merchant of record. HaulSheet never stores, processes, or has access to your payment card details. Paddle is PCI-DSS compliant.
We also use Resend or compatible SMTP providers to send transactional emails (e.g., verification, password reset). Your email address is shared with the email provider solely to deliver these messages.
While we take reasonable measures to protect your information, no method of electronic storage is 100% secure. We cannot guarantee absolute security.
5. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information to third parties. We share data only in these limited circumstances:
- Supabase: Authentication, database storage, and file storage.
- Paddle: Payment processing and subscription management as merchant of record.
- Transactional email provider: Your email address is shared only to deliver account-related emails.
- Legal requirements: If required by law, court order, or governmental authority.
- Business transfer: In the event of a merger, acquisition, or sale of assets, user data may be transferred subject to equivalent privacy protections.
6. Cookies and Local Storage
The Service uses cookies solely for authentication (session management via Supabase). We do not use advertising cookies, tracking pixels, or third-party cookies.
The Service may temporarily cache some preferences in your browser's local storage as a performance optimization. The authoritative source of truth for all settings is your account in our database — changes sync across devices when you log in.
7. Data Retention
We retain your account data, load history, expenses, maintenance records, IFTA entries, and uploaded files for as long as your account exists — including periods where your subscription is inactive or lapsed. If you wish your data to be removed, you must delete your account from the Settings page. You may delete individual records or your entire load history at any time from the Settings page.
Account deletion: When you delete your account, your data is not removed immediately. It is retained for 30 days from the date of deletion to allow for dispute resolution, chargeback investigation, or accidental-deletion recovery. During this period your account is inaccessible and no new data is written. After 30 days, all associated data — including your load history, expenses, maintenance records, IFTA entries, profile, and uploaded receipts — is permanently and irreversibly deleted from our systems.
IP addresses collected for rate limiting are automatically deleted after 24 hours. Your email address is retained in a blocked-email list indefinitely to prevent free-trial abuse; this record contains only your email address and the date it was added.
8. Your Rights
You have the following rights with respect to your personal data:
- Access: You can view all data you have entered within the Service.
- Export: You can export your load history to CSV from the Service.
- Deletion: You can delete your load history, expenses, maintenance records, and other data from Settings at any time.
- Account closure: You can stop using the Service and request deletion of your data by contacting us.
- Correction: You can edit your data using the edit features within the Service.
Depending on your jurisdiction, you may have additional rights under applicable privacy laws including GDPR (EU/EEA), CCPA/CPRA (California), PIPEDA (Canada), and other applicable regulations. To exercise any such rights, use the data management tools within the Service or contact us at support@haulsheet.com.
California residents: Under the CCPA, you have the right to know what personal information we collect, to delete your personal information, and to opt out of the sale of your personal information. We do not sell personal information.
Canadian residents: Under PIPEDA and applicable provincial laws, you have the right to access and correct your personal information and to withdraw consent for its collection. Contact us to exercise these rights.
9. International Data Transfers
HaulSheet is operated from Sri Lanka. Your data is stored on servers in the United States via Supabase. By using the Service, you consent to the transfer of your data to the United States and acknowledge that US data protection laws may differ from those in your jurisdiction.
We rely on Supabase's data processing agreements and standard contractual clauses for cross-border data transfers where required by applicable law.
10. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected such information, we will promptly delete it.
11. Data Breach Notification
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and, where required, applicable data protection authorities within the timeframes required by applicable law.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page. For material changes, we will notify you via email or a notice within the Service. Your continued use after changes are posted constitutes acceptance of the updated policy.
13. Contact
For privacy-related inquiries, data access requests, or to exercise any of your rights under applicable privacy laws, please contact us at: support@haulsheet.com
We aim to respond to all legitimate privacy inquiries within 30 days.