Privacy Policy

Last Updated: December 15, 2025

Effective Date: December 15, 2025

Website: www.upperway.io

Application: app.upperway.io

Contact: contact@upperway.io

INTRODUCTION

UPPERWAY LLC operates the UpperWay Transportation Management System (TMS) software platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website (www.upperway.io) and our software application (app.upperway.io).

This policy applies to:

  • Trucking company owners, dispatchers, and employees who use UpperWay TMS to manage their operations
  • Drivers whose information is entered into the system by their employers
  • Customers and vendors whose data is managed within the system
  • Visitors to our website

We are committed to protecting your privacy and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

INFORMATION WE COLLECT

1. Information You Provide Directly

Account Information:

  • Full name
  • Email address
  • Phone number
  • Password (stored securely hashed using BCrypt, never in plain text)
  • Username
  • Job title/role

Company Information (for trucking company owners):

  • Company name and DBA
  • Business address
  • Business phone and email
  • DOT number and MC number
  • Tax ID/EIN
  • Operating authority information

Driver Information (entered by employers about their drivers):

  • Full legal name (first, middle, last)
  • Date of birth
  • Social Security Number (SSN) - encrypted at rest
  • Home address and contact information
  • Emergency contact information
  • Commercial Driver's License (CDL) number, state, class, endorsements, and restrictions
  • CDL expiration date
  • Medical card expiration date
  • Drug testing records and dates
  • MVR (Motor Vehicle Record) information
  • Clearinghouse query dates
  • Hire date and termination date
  • Safety records and violations
  • Employment verification information

Vehicle and Equipment Information:

  • VIN numbers
  • License plate numbers and states
  • Make, model, year, and color
  • Fuel card numbers
  • I-Pass/toll transponder numbers
  • Insurance information
  • Maintenance records

Customer and Vendor Information:

  • Business names and contacts
  • Addresses and phone numbers
  • Payment terms and billing information

Load and Shipment Information:

  • Origin and destination addresses
  • Pickup and delivery dates/times
  • Freight rates and billing amounts
  • Commodity information
  • Temperature requirements

2. Information Collected Automatically

Technical Information:

  • IP address (for security and fraud prevention)
  • Browser type and version
  • Device type and operating system
  • Pages visited and features used
  • Date and time of access
  • Session duration

Location Information (with consent):

  • GPS coordinates from driver mobile app
  • Vehicle location data from ELD integrations
  • Route and mileage tracking

Session Information:

  • Login timestamps
  • Session duration
  • User agent string
  • API access logs

3. Information from Third Parties

We may receive information from integrated services you connect:

  • QuickBooks (customer and invoice synchronization)
  • Motive/KeepTruckin (ELD data, vehicle locations, Hours of Service)
  • Google Maps (geocoding and routing data)
  • Trimble/PC*Miler (mileage calculations)
  • EFS (fuel transaction data)

HOW WE USE YOUR INFORMATION

We use collected information for the following purposes:

Service Delivery:

  • Provide and maintain our TMS platform
  • Process load management and dispatch operations
  • Generate invoices, statements, and reports
  • Calculate IFTA fuel tax reports
  • Track vehicle locations and driver status
  • Manage driver qualification files and safety compliance
  • Provide maintenance tracking and alerts

Communication:

  • Send service updates and notifications
  • Respond to inquiries and support requests
  • Send transactional emails (statements, invoices, alerts)
  • Provide safety and compliance reminders (expiring CDLs, medical cards, etc.)

Security and Fraud Prevention:

  • Detect and prevent fraudulent activity
  • Monitor for security threats
  • Enforce our terms of service
  • Authenticate users and sessions

Improvement:

  • Analyze usage patterns to improve our service
  • Develop new features and functionality
  • Fix bugs and technical issues

Legal Compliance:

  • Comply with DOT and FMCSA record retention requirements
  • Respond to lawful requests from authorities
  • Protect our legal rights

LEGAL BASIS FOR PROCESSING (GDPR)

If you are in the European Economic Area (EEA), we process your data based on:

1. CONTRACT PERFORMANCE

Processing necessary to provide our services to you

2. LEGITIMATE INTERESTS

Security, fraud prevention, and service improvement, where our interests don't override your rights

3. CONSENT

  • Marketing communications (you can opt out anytime)
  • GPS location tracking for drivers
  • Optional integrations

4. LEGAL OBLIGATION

  • DOT/FMCSA record retention requirements
  • Tax and financial record-keeping
  • Response to legal process

SENSITIVE PERSONAL INFORMATION

We collect and process sensitive personal information including:

Social Security Numbers (SSN): Encrypted using AES-256-GCM and stored securely. Used for tax reporting (1099s) and driver verification purposes.

Medical Information: Medical card expiration dates and drug testing dates for DOT compliance purposes.

Background Check Information: MVR (Motor Vehicle Record) data, PSP reports, and Clearinghouse queries as required for driver qualification files.

Location Data: Real-time GPS location from mobile apps and ELD integrations for dispatch and safety purposes.

We implement heightened security measures for all sensitive data.

DATA SHARING AND DISCLOSURE

We do NOT sell your personal information.

We may share data with:

1. Service Providers

We use trusted third-party services to operate our platform:

Provider | Purpose | Data Shared
Amazon Web Services (AWS) | Cloud Hosting & Storage | All application data (encrypted)
AWS S3 | Document Storage | Uploaded documents (driver files, load documents)
SendGrid | Email Delivery | Email addresses, notification content
Google Maps API | Mapping & Geocoding | Addresses, routes
Trimble/PC*Miler | Mileage Calculations | ZIP codes, routes
QuickBooks (if connected) | Accounting | Customers, invoices, payments
Motive/KeepTruckin (if connected) | ELD/Telematics | Driver IDs, vehicle data
EFS (if connected) | Fuel Management | Truck numbers, fuel transactions

All providers are bound by data processing agreements and maintain appropriate security certifications.

2. Legal Requirements

We may disclose information:

  • To comply with legal process or government requests
  • To respond to DOT, FMCSA, or state agency audits
  • To protect our rights, property, or safety
  • To prevent fraud or security threats

3. Business Transfers

If we merge with or are acquired by another company, your information may be transferred as part of that transaction. We will notify you of any change.

4. At Your Direction

When you connect integrations or export data

DATA RETENTION

We retain your information as follows:

Data Type | Retention Period
Active account data | Duration of your account + 30 days
Driver qualification files | 3 years after driver termination (per DOT requirements)
Drug/alcohol testing records | 5 years (per DOT requirements)
Accident records | 3 years after incident (per DOT requirements)
Load/dispatch records | 7 years (tax and legal requirements)
IFTA records | 4 years (per IFTA requirements)
Invoice/billing records | 7 years (tax requirements)
Session and access logs | 90 days
IP addresses | 90 days (then anonymized)
GPS location history | 6 months (then aggregated/anonymized)

DOT/FMCSA regulations require retention of certain records. We cannot delete data that must be retained for regulatory compliance.

You may request earlier deletion of non-regulated data subject to legal retention requirements.

YOUR PRIVACY RIGHTS

Rights for All Users

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate information
  • Deletion: Request deletion of your data (subject to legal retention requirements)
  • Portability: Receive your data in a portable format (CSV, JSON, PDF)
  • Objection: Object to certain processing activities
  • Restriction: Request limited processing of your data

Additional Rights for California Residents (CCPA)

  • Right to know what personal information is collected
  • Right to know if personal information is sold or disclosed
  • Right to opt-out of the sale of personal information
  • Right to non-discrimination for exercising privacy rights
  • Right to limit use of sensitive personal information

WE DO NOT SELL YOUR PERSONAL INFORMATION.

Categories of Personal Information Collected (CCPA):

  • Identifiers (name, email, SSN, CDL number)
  • Commercial information (transactions, load history)
  • Internet activity (browsing, features used)
  • Geolocation data (vehicle and driver locations)
  • Professional information (employment, CDL credentials)
  • Sensitive personal information (SSN, precise geolocation)

Additional Rights for EEA Residents (GDPR)

  • Right to lodge a complaint with your local data protection authority
  • Right to withdraw consent at any time
  • Right to data portability in machine-readable format

To exercise these rights, contact us at: contact@upperway.io

We will respond within:

  • 30 days for GDPR requests
  • 45 days for CCPA requests

Note: Some data cannot be deleted due to DOT/FMCSA regulatory retention requirements. We will inform you if this applies to your request.

COOKIES AND TRACKING

We use the following cookies:

Essential Cookies (Required):

  • Authentication session cookies (JWT tokens)
  • CSRF protection tokens
  • Security preferences

These cannot be disabled as they are necessary for the application to function.

Analytics Cookies:

  • We may use analytics to understand usage patterns
  • You will be presented with a consent option where required

We do NOT use:

  • Advertising or tracking cookies
  • Third-party marketing pixels
  • Cross-site tracking

DATA SECURITY

We implement industry-standard security measures:

Technical Safeguards:

  • AES-256-GCM encryption for sensitive data (SSN, API keys, tokens)
  • HTTPS/TLS 1.3 encryption for all data in transit
  • Secure password hashing (BCrypt)
  • JWT token-based authentication with expiration
  • CSRF protection on all forms
  • Rate limiting to prevent abuse
  • SQL injection and XSS prevention

Organizational Safeguards:

  • Multi-tenant data isolation (each company's data is completely separate)
  • Role-based access controls (Admin, Dispatcher, Accounting, Safety, Driver, Maintenance)
  • Regular security reviews
  • Employee access limitations
  • Audit logging of sensitive operations

Infrastructure:

  • Hosted on Amazon Web Services (AWS)
  • Data centers with SOC 2 Type 2 certification
  • Automatic encrypted backups
  • Geographic redundancy
  • DDoS protection

INTERNATIONAL DATA TRANSFERS

Our services are primarily hosted in the United States. If you access our services from outside the US, your information will be transferred to and processed in the US.

For EEA users, we rely on:

  • Standard Contractual Clauses (SCCs) with our service providers
  • Adequacy decisions where applicable
  • Your explicit consent for the transfer

DRIVER PRIVACY NOTICE

If you are a driver whose employer uses UpperWay TMS:

  • Your employer is the data controller for your information
  • We process your data on behalf of your employer
  • Your employer determines what data is collected and how it's used
  • Contact your employer first for privacy requests
  • We will assist in fulfilling legitimate requests

Information collected about drivers may include:

  • Personal identification (name, SSN, DOB)
  • CDL and medical certification information
  • Employment records
  • GPS location when using the driver mobile app
  • Hours of Service data (via ELD integration)
  • Safety records and violations

CHILDREN'S PRIVACY

Our services are not intended for individuals under 18 years of age. We do not knowingly collect personal information from minors. If you believe we have collected information from a minor, please contact us immediately.

CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. We will notify you of material changes by:

  • Posting the new policy on our website
  • Sending an email to your registered address
  • Displaying a notice in the application

Your continued use after changes constitutes acceptance of the updated policy.

CONTACT US

For privacy-related inquiries:

Email: contact@upperway.io

Address:

UPPERWAY LLC
16W235 83rd St STE E
Burr Ridge, IL 60527
USA

Data Protection Inquiries: contact@upperway.io

For CCPA requests:

Email: contact@upperway.io
Subject line: "CCPA Privacy Request"

For GDPR requests:

Email: contact@upperway.io
Subject line: "GDPR Privacy Request"

Response times:

  • General inquiries: 5 business days
  • Data access/deletion requests: 30 days (GDPR) / 45 days (CCPA)

DO NOT SELL MY PERSONAL INFORMATION (CCPA)

California residents have the right to opt-out of the sale of their personal information. UpperWay LLC does not sell personal information to third parties.

If you have questions about this, contact: contact@upperway.io

DO NOT TRACK SIGNALS

Our Service does not currently respond to "Do Not Track" browser signals. However, we do not track users across third-party websites.

AUTOMATED DECISION MAKING

We do not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you.

STATE-SPECIFIC PRIVACY RIGHTS

In addition to CCPA rights for California residents, residents of other states may have additional rights under their state privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA). Contact us to exercise any applicable rights.

This privacy policy is governed by the laws of the State of Illinois. Any disputes arising from this policy shall be resolved through the American Arbitration Association in accordance with our Terms of Service.