Privacy Policy
Effective: May 1, 2026 · Version: 2026.05.01-1
This Privacy Policy explains how OfiFlow ("OfiFlow," "we," "us," "our") collects, uses, shares, and safeguards information when you visit ofiflow.com or use the OfiFlow vertical-software platform supporting frac-sand hauling operations (the "Services").
If you have questions, email legal@ofiflow.com.
1. Who we are and what we do
OfiFlow is a vertical software-as-a-service platform that helps frac-sand hauling carriers (our "Customers") manage dispatch, billing, compliance, and driver communications. Our Customers' employees and contracted drivers are the people whose data we typically process, on the Customer's behalf.
Most of our processing of personal information is as a service provider (CCPA term) or processor (GDPR-equivalent term) acting on a Customer's instructions. The Customer is the business or controller with primary responsibility for personal information about its drivers and operations. This Privacy Policy explains both:
- (A) Our processing on behalf of Customers (most processing); and
- (B) Our direct collection of information from website visitors and Customer Authorized Users (limited processing for our own purposes).
2. Information we process on a Customer's behalf
When a Customer uses the Services, we process personal information about that Customer's drivers, employees, contractors, and customer contacts on the Customer's behalf. This includes:
Drivers:
- Identifying information: name, employee ID
- Contact information: phone (E.164), SMS fallback number, optional email
- Credentials: CDL number, state, class, endorsements, expiration; medical certificate number, examiner, national number, expiration; drug test dates and results; MVR records; clearinghouse query results; DQ-file audit status
- Employment: hire date, road test status, safety verification status, restrictions
- Operational: Hours-of-Service state snapshots; current vehicle/trailer assignment; location implicit through appointment + load timestamps
- Communications: WhatsApp / SMS / email message content and media attachments
- Identity documents: license photo, medical-cert photo (OCR'd, stored as images)
Customer Authorized Users (dispatchers, managers, finance, executives, administrators):
- Name, email, optional phone, optional avatar
- Role assignments and MFA status
- Account activity logs (login timestamps, audit trail)
Customer contacts (third-party shippers, brokers, sand mines, frac sites):
- Name, email, optional phone, role/title
- Operational metadata about their interactions with the Customer
We process this information only as needed to provide the Services to the Customer, to follow Customer's documented instructions, to comply with law, or to generate aggregated and de-identified analytics. We do not sell or share this information for advertising. Our specific commitments are in our Data Processing Addendum.
Drivers and other Data Subjects: To exercise your rights regarding personal information processed by OfiFlow on your employer's behalf (access, correction, deletion, portability), please contact your employer (the Customer) — they are the business / controller and direct what we do with the data. We will assist your employer to fulfill legitimate requests.
3. Information we collect directly
When you visit ofiflow.com or use the dashboard, we collect:
Account information (Customer Authorized Users only): your email, name, role, and account activity needed to provide and secure the dashboard.
Communications with us: when you email legal@, support@, security@, or sales@ ofiflow.com, we receive your message content, email address, and any information you choose to share.
Website usage data:
- Pages visited, referring source, time on page (Vercel Analytics — anonymous Web Vitals + page-view metrics; cookieless; no session replay)
- Browser type, operating system, approximate location derived from IP (essential for security + anti-abuse)
- Cookies used: see Cookie Policy at /cookies
Application telemetry:
- Errors and stack traces (Sentry) — scrubbed of personal identifiers; used for debugging
- LLM usage traces (Langfuse, opt-in per Customer) — used to improve agent quality
We do NOT collect:
- Financial account numbers (Stripe handles billing data; it never touches our infrastructure)
- Government-issued identifiers other than CDL # for drivers (regulatory necessity)
- Health information beyond medical-certificate expiration date (which is a regulatory compliance fact, not health data)
- Children's personal information (the Services are not directed to anyone under 18; if we learn we have collected information about a person under 18, we will delete it)
4. How we use personal information
For information processed on a Customer's behalf, see Section 2 — our use is bounded by the Customer's instructions and the Data Processing Addendum.
For information we collect directly, we use it to:
- Provide and secure the Services (authentication, fraud prevention, abuse detection)
- Communicate with you about your account, the Services, and changes to our policies
- Improve the Services (anonymous analytics; aggregated benchmarking)
- Comply with legal obligations (tax, accounting, litigation hold, regulatory inquiries)
- Detect, prevent, and respond to security incidents
5. Who we share personal information with
We share personal information only with:
- Subprocessors that help us deliver the Services (Supabase, Vercel, Inngest, Google Cloud, Twilio, Meta WhatsApp, Sentry, PostHog, Resend, Stripe, and others). Our current Subprocessor list is at /subprocessors. We require each Subprocessor to maintain confidentiality and security obligations at least as protective as ours.
- Our Customers (for personal information about their own drivers, users, and contacts — this is the primary recipient since we're processing on their behalf).
- Legal authorities when compelled by valid legal process (we will, where legally permissible, give the affected Customer prompt notice so they may seek a protective order).
- A successor entity in connection with a merger, acquisition, reorganization, or sale of all or substantially all of our assets (such successor will be subject to this Privacy Policy and any applicable Data Processing Addendum).
We do not sell or share personal information to third parties for their advertising or marketing purposes.
6. Data location and international transfers
Our primary data location is AWS us-west-2 (Oregon, United States).
If you are accessing the Services from outside the United States, your information is transferred to and processed in the United States, which may have data protection laws different from those in your country. By using the Services, you consent to this transfer.
For Customers with international data subjects (e.g., EU drivers), additional contractual protections (Standard Contractual Clauses or equivalent) are available; contact legal@ofiflow.com.
7. How long we keep personal information
Retention varies by data category. Highlights:
- Customer Personal Data: kept for the duration of the Customer's contract, then exported to Customer (30-day window) and deleted per the Data Processing Addendum (production within 60 days, backups within 180 days).
- Driver communications (WhatsApp/SMS/email): 18 months rolling, then purged unless under legal hold.
- Audit logs: 7 years (regulatory necessity).
- Application telemetry (Sentry): 90 days.
- Product analytics (PostHog): 12 months.
- Email logs (Resend): 30 days.
Full retention schedule is in our internal Data Retention Policy; the highlights above match that policy.
8. Security
We use industry-standard technical and organizational measures to protect personal information, including:
- Encryption: AES-256 at rest, TLS 1.2+ in transit
- Tenant isolation: Postgres row-level security on every Customer-data table
- Authentication: Supabase Auth with magic link by default; MFA optional; OAuth providers supported
- Access control: role-based permissions; least-privilege; service-role key audited via append-only logs
- Monitoring: Sentry for errors, Langfuse for LLM traces (Customer opt-in), PostHog for product analytics
- Vulnerability management: dependency scanning, secrets scanning, regular review
More detail at /security. No system is perfectly secure; we will notify affected Customers of confirmed Security Incidents within 72 hours per our Data Processing Addendum.
9. Your privacy rights
California residents (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and share about you
- Delete personal information we hold about you, subject to certain exceptions
- Correct inaccurate personal information
- Limit the use of sensitive personal information (we do not use sensitive personal information for purposes that would be subject to limitation)
- Opt out of sale or sharing for cross-context behavioral advertising — we do not sell or share personal information for these purposes, so this right does not generate a different outcome with us
- Non-discrimination for exercising your rights
To exercise these rights as a Customer Authorized User, contact us at legal@ofiflow.com. To exercise these rights as a driver or other Customer-related Data Subject, contact your employer (the Customer); we will assist them in fulfilling your request.
We do not use personal information for "automated decision-making" with significant effect on you within the meaning of CPRA.
Other US states (Colorado, Connecticut, Texas TDPSA, Virginia, etc.)
Where these laws apply, you have similar rights to access, delete, correct, and opt out of certain processing. Contact legal@ofiflow.com.
EU/UK residents (defensive — V1 deployment is US-only)
If GDPR or UK GDPR applies to you, you have the rights to access, rectification, erasure, restriction of processing, data portability, and to object to processing. Where we process on a Customer's behalf, contact the Customer first; we will assist.
10. Cookies and tracking
We use only the cookies described in our Cookie Policy at /cookies. By default we set only essential cookies needed for the site and dashboard to function. With your consent, we set anonymous analytics cookies (PostHog). We do not use advertising cookies, cross-context behavioral advertising trackers, or third-party advertising SDKs.
11. Changes to this Policy
We may update this Privacy Policy from time to time. We will post the updated version at this URL, update the "Effective" date and "Version" number at the top, and (for material changes) notify Customer Authorized Users by email and require re-acceptance on next dashboard login.
12. Contact
- General privacy questions: legal@ofiflow.com
- Security concerns or incident reports: security@ofiflow.com
- Mailing address: [OFIFLOW MAILING ADDRESS]
13. Related documents
- Cookie Policy — /cookies
- Terms of Service — /terms
- Data Processing Addendum (public version) — /dpa
- Security Disclosure — /security
- Subprocessor List — /subprocessors
- Acceptable Use Policy — /acceptable-use
- SLA — /sla