Privacy Policy

1. Information We Collect

Account Information

When you register for an account through our authentication provider (Clerk), we collect:

• Full name
• Email address
• Profile picture (if provided)
• Authentication credentials (managed by Clerk)

Organization Data

When you create or join an organization on VRTMS, we collect:

• Organization name and details
• Member roles and permissions
• Team member invitations

Fleet and Booking Data

Through your use of the Service, we collect and store data you enter, including:

• Vehicle information (make, model, plate number, status)
• Driver information (name, contact details, license)
• Customer information (name, contact details, booking history)
• Booking records (rental dates, tour itineraries, pricing, payment status)
• Financial data (income, expenses, payment records, maintenance costs)
• Uploaded files and images (vehicle photos, documents)

Usage and Analytics Data

We automatically collect certain technical information:

• Browser type and version
• Device type and operating system
• IP address and approximate location
• Pages visited and features used within the Service
• Error logs and performance metrics (via Sentry)
• Session duration and interaction patterns

2. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service and its features
• Authenticate your identity and manage access to your organization
• Process and display your fleet, booking, and financial data
• Send transactional emails (booking confirmations, payment receipts, alerts)
• Monitor and improve the performance, security, and reliability of the Service
• Diagnose and fix technical issues and errors
• Communicate with you about service updates, security alerts, and support
• Comply with legal obligations and enforce our Terms of Service

We do not sell your personal information to third parties. We do not use your data for advertising purposes.

3. Data Storage and Infrastructure

Your data is stored and processed using the following infrastructure:

• Database: Neon PostgreSQL — a serverless PostgreSQL database hosted in cloud infrastructure
• Application Hosting: Vercel — a cloud platform for deploying web applications
• File Storage: Vercel Blob — for uploaded images and documents

All data is transmitted using TLS encryption in transit. Database connections are encrypted and managed through secure connection pooling.

4. Third-Party Services

We use the following third-party services to operate the platform. Each service processes data in accordance with its own privacy policy:

• Clerk — Authentication, user management, and organization management. Clerk processes your login credentials, email, and profile information.
• Vercel — Application hosting, serverless functions, and file storage. Vercel processes request data and serves the application.
• Neon — PostgreSQL database hosting. Neon stores and processes all application data including fleet, booking, and financial records.
• Resend — Transactional email delivery. Resend processes recipient email addresses and email content for notifications and alerts.
• Sentry — Error tracking and performance monitoring. Sentry receives error logs, stack traces, and performance metrics to help us identify and fix issues.

5. Data Retention

We retain your data as follows:

• Active accounts: Your data is retained for as long as your account is active and you continue to use the Service.
• Deleted records: Certain records (vehicles, drivers, customers, bookings) are soft-deleted and retained for audit and financial reporting purposes. Soft-deleted records are excluded from normal views but preserved in the database.
• Terminated accounts: Upon account termination, we will delete or anonymize your personal data within 90 days, except where retention is required by law or for legitimate business purposes.
• Backups: Database backups may retain deleted data for up to 30 days after deletion.

6. Your Rights

Under the Philippine Data Privacy Act of 2012 and applicable data protection laws, you have the following rights regarding your personal data:

• Right to Access: You may request a copy of the personal data we hold about you.
• Right to Correction: You may request that we correct inaccurate or incomplete personal data.
• Right to Deletion: You may request the deletion of your personal data, subject to any legal obligations requiring retention.
• Right to Object: You may object to the processing of your personal data for certain purposes.
• Right to Data Portability: You may request your data in a structured, commonly used, machine-readable format.
• Right to File a Complaint: You may file a complaint with the National Privacy Commission of the Philippines if you believe your data privacy rights have been violated.

To exercise any of these rights, please contact us at support@vrtms.app. We will respond to your request within 30 days.

7. Cookies and Tracking

The Service uses the following types of cookies and tracking:

• Essential Cookies: Required for authentication, session management, and core functionality. These cannot be disabled.
• Authentication Tokens: Managed by Clerk to maintain your signed-in state securely.
• Performance Monitoring: Sentry may use cookies or local storage to track errors and performance for debugging purposes.

We do not use advertising cookies, social media tracking pixels, or third-party analytics tools that track you across other websites.

8. Data Security

We implement appropriate technical and organizational measures to protect your data:

• Multi-tenant Isolation: Each organization's data is logically isolated using application-level scoping and PostgreSQL Row-Level Security (RLS) policies, ensuring that one organization cannot access another's data.
• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using TLS.
• Encryption at Rest: Database storage is encrypted at rest by our database provider.
• Role-Based Access Control: Within each organization, access is governed by roles (owner, admin, manager, dispatcher, driver, viewer) to ensure users only access data appropriate to their role.
• Secure Authentication: Authentication is handled by Clerk, which provides industry-standard security including password hashing, session management, and optional multi-factor authentication.

While we take reasonable steps to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.

9. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at support@vrtms.app.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

• Post the revised policy on this page with an updated “Last updated” date
• Notify you via email or through the Service at least 15 days before the changes take effect

We encourage you to review this page periodically to stay informed about how we protect your data.

11. Data Protection Compliance

VRTMS is committed to compliance with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and its Implementing Rules and Regulations. We adhere to the principles of transparency, legitimate purpose, and proportionality in the collection and processing of personal data.

If you have concerns about our data processing practices, you may contact the National Privacy Commission of the Philippines:

• Website: www.privacy.gov.ph

12. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

• Email: support@vrtms.app