Privacy Policy

1. Introduction

Demurly, LLC ("Demurly," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our GPS-verified demurrage tracking platform (the "Service").

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with our policies and practices, please do not use the Service.

2. Information We Collect

2.1 Information You Provide

• Account Information: Name, email address, phone number, company name, role, and billing information
• Organization Data: Company details, driver information (names, driver numbers, PINs), customer contacts, and terminal configurations
• Demurrage Records: Load numbers, BOL numbers, wait times, notes, and customer information
• Communications: Messages, support requests, feedback, bug reports, and feature requests you send us
• Job Applications: Contact information, LinkedIn URL, cover letter, and any additional materials you choose to submit

2.2 Automatically Collected Information

• GPS Location Data: When drivers use the Service, we collect precise location data (latitude, longitude, timestamps) to verify arrival, wait times, and departure from terminals
• Device Information: Device type, operating system, browser type, and unique device identifiers
• Usage Data: Pages visited, features used, time spent on the Service, and interaction patterns
• Log Data: IP addresses, access times, referring URLs, and error logs
• Approximate Location: When precise GPS is unavailable, we may use IP-based geolocation services to estimate your approximate location. This involves sharing your IP address with third-party geolocation providers.

2.3 Photos and Media

When drivers capture photos through the Service to document terminal conditions or delays, we store these images along with their associated metadata (timestamp, location, file size).

2.4 Information from Third Parties

• Single Sign-On: If you authenticate via Google or Microsoft, we receive your name and email address from these providers
• ELD Integrations: If you connect Electronic Logging Devices (Samsara, Geotab, Motive), we may receive driver location and status data
• Payment Information: Stripe provides us with limited payment information (last four digits of card, billing address) but we never receive or store full card numbers

3. How We Use Your Information

We use the information we collect for the following purposes:

• Provide the Service: Track demurrage events, generate records, calculate charges, process payments, and facilitate communication between carriers and customers
• Verify Records: Use GPS data and timestamps to verify the accuracy of demurrage claims
• Process Payments: Handle subscription billing, demurrage payments, and carrier payouts
• Send Notifications: Deliver record updates, payment confirmations, aging alerts, and system notifications
• Improve the Service: Analyze usage patterns, identify bugs, and enhance features and user experience
• Customer Support: Respond to your inquiries, resolve issues, and provide technical assistance
• Security: Detect and prevent fraud, unauthorized access, and other malicious activities
• Legal Compliance: Comply with applicable laws, regulations, and legal processes

4. Information Sharing

We may share your information in the following circumstances:

4.1 With Business Partners

Carriers and customers who are connected in the Service can view shared demurrage records. This includes GPS data, wait times, photos, and driver information associated with records.

4.2 Within Your Organization

Administrators within your organization can view and manage data for all users in their organization, including driver information and demurrage records.

4.3 Service Providers

We share information with vendors that help us operate the Service:

• Supabase: Database hosting, authentication, and file storage
• Vercel: Application hosting
• Cloudflare: Security services and CAPTCHA
• Stripe: Payment processing
• Resend: Transactional email delivery
• Sentry: Error monitoring and performance tracking
• Mapbox and OpenStreetMap: Mapping and location services
• Upstash: Rate limiting infrastructure

Each vendor processes data on our behalf under contractual data protection terms.

4.4 Legal Requirements

We may disclose your information when required by law, subpoena, court order, or other legal process, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

4.5 Business Transfers

In connection with a merger, acquisition, bankruptcy, or sale of assets, your information may be transferred as a business asset. We will notify you of any such change in ownership or control.

We do not sell your personal information to third parties.

5. Data Security

We implement industry-standard security measures to protect your information:

• Encryption: We use TLS encryption for data in transit. Data at rest is protected using our hosting providers' encryption controls.
• Authentication: Secure password hashing, multi-factor authentication (MFA), and session management
• Access Controls: Role-based access controls (RBAC) and row-level security (RLS) policies
• CAPTCHA Protection: Cloudflare Turnstile to prevent automated attacks
• Rate Limiting: Protection against brute-force and denial-of-service attacks
• Audit Logging: Comprehensive logging of security-relevant events
• Security Reviews: We conduct security reviews and testing appropriate to our size and risk profile

While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to implementing appropriate safeguards.

6. Data Retention

We retain data for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Retention periods vary by data type:

• Driver session data: Up to 7 days after session expiration
• Notifications: 30-90 days depending on type
• Temporary data: API logs and idempotency keys are retained up to 90 days
• Operational records: Demurrage records, GPS data, payments, and audit logs are retained as required for business operations, contractual obligations, or legal requirements

Retention may vary based on your subscription plan, legal holds, or regulatory requirements. You may request deletion of your data subject to our retention requirements and legal obligations.

7. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you
• Correction: Request that we correct inaccurate or incomplete information
• Deletion: Request that we delete your personal information (subject to legal retention requirements)
• Portability: Request a machine-readable copy of your data
• Restriction: Request that we limit processing of your information
• Opt-Out: Unsubscribe from marketing communications
• Object: Object to processing based on legitimate interests

To exercise your privacy rights (access, correction, deletion, or portability), contact us at privacy@demurly.com. We will respond within the timeframe required by applicable law. If we develop in-product tools for these requests in the future, we will update this Policy accordingly.

8. Cookies and Tracking

We use cookies and similar technologies to:

• Maintain your session and authentication state
• Remember your preferences
• Provide security features (CAPTCHA, CSRF protection)
• Analyze Service usage and performance

For more information about our use of cookies, please see our Cookie Policy.

9. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at privacy@demurly.com.

10. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States. We ensure appropriate safeguards are in place to protect your information in accordance with this Privacy Policy and applicable law.

11. California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act (CCPA):

• Right to know what personal information is collected and how it's used
• Right to delete personal information
• Right to opt-out of the sale of personal information
• Right to non-discrimination for exercising these rights

We do not sell personal information. We also do not share personal information for cross-context behavioral advertising as defined under California law.

We honor Global Privacy Control (GPC) signals where required by applicable law.

To exercise your CCPA/CPRA rights, contact us at privacy@demurly.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on the Service, updating the "Last updated" date, and sending you an email notification for significant changes. We encourage you to review this Privacy Policy periodically.

13. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us: