Privacy Policy
Last updated: March 21, 2026 · Effective across 57 countries
1. Data Controller
Haul Command LLC ("HC", "we", "us") acts as the data controller for personal information processed through haulcommand.com and related services. Contact: privacy@haulcommand.com
2. Data We Collect & Legal Basis
| Category | Legal Basis | Retention |
|---|---|---|
| Business Directory Data | Legitimate Interest (Art. 6(1)(f)) | Until listing removed or business dissolves |
| Account & Authentication | Contract Performance (Art. 6(1)(b)) | Until account deletion |
| Payment & Transaction | Contract Performance (Art. 6(1)(b)) | 7 years (tax compliance) |
| Analytics & Usage | Legitimate Interest (Art. 6(1)(f)) | 26 months |
| ELD/Telematics (Motive) | Consent (Art. 6(1)(a)) | Active connection duration |
| Communication | Consent (Art. 6(1)(a)) | Until unsubscribe |
| Advertising | Legitimate Interest (Art. 6(1)(f)) | 90 days |
3. Your Rights
Under GDPR and applicable data protection laws, you have the right to:
- Access — Request a copy of all your personal data
- Rectification — Correct inaccurate information
- Erasure — Delete all your personal data (API endpoint)
- Portability — Export your data in JSON format (API endpoint)
- Object — Object to processing based on legitimate interest
- Restrict — Limit how we process your data
- Withdraw Consent — Revoke consent at any time
To exercise any right, email privacy@haulcommand.com or use our automated endpoints. We respond within 30 days (GDPR) / 28 days (UK GDPR) / 30 days (Australian Privacy Act).
4. Cookies & Tracking
We use the following categories of cookies:
- Essential — Authentication, session management (always active)
- Analytics — Google Analytics 4 (GA4) for usage patterns (consent required in EU/UK)
- Advertising — Google Ad Manager for programmatic ad delivery (consent required in EU/UK)
EU/UK visitors will see a cookie consent banner. You can manage preferences at any time.
5. International Data Transfers
HC processes data in the United States. For EU/UK data subjects, transfers are protected by Standard Contractual Clauses (SCCs) with our sub-processors:
- Supabase (database & auth) — US/EU
- Stripe (payments) — US/EU
- Vercel (hosting) — US/EU edge
- Google (analytics, maps, AI) — Global
- Motive (ELD telematics) — US
6. Data Breach Protocol
In the event of a personal data breach, HC will:
- Notify the relevant supervisory authority within 72 hours (GDPR Art. 33)
- Notify affected individuals without undue delay if high risk (Art. 34)
- Notify the UK ICO within 72 hours for UK GDPR breaches
- Notify the OAIC for Australian Privacy Act breaches
- Document all breaches in an internal register
🇬🇧 UK GDPR Notice
For UK data subjects, we comply with the UK GDPR (retained EU law as modified by the Data Protection Act 2018). Your supervisory authority is the Information Commissioner's Office (ICO): ico.org.uk
🇦🇺 Australian Privacy Act Notice
For Australian data subjects, we comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Your supervisory authority is the Office of the Australian Information Commissioner (OAIC): oaic.gov.au
We do not sell or trade personal information to overseas recipients except as described in Section 5 (International Data Transfers).
7. Children
HC services are intended for business users aged 18+. We do not knowingly collect data from children under 16 (EU) / 13 (US).
8. Changes
We may update this policy. Material changes will be notified via email and in-app banner. Continued use after notification constitutes acceptance.