Privacy Policy
Plain-language description of what we collect, why, who touches it, and the rights you have over it. We do not sell personal information. Telematics data is accessed only when your organization explicitly connects a provider.
Status: Not yet in effect — pending counsel review
FleetPath is an operating division of Lavish Enterprises, Inc. This policy explains how FleetPath handles data across the web application, the iOS application, and the backend services that run them. It applies to carriers, fleets, drivers, dispatchers, owners, and the brokers and shippers who interact with a carrier through FleetPath.
FleetPath is a multi-tenant platform. Each carrier organization is a separate tenant. Data is isolated per tenant at the database level with row-level security, and one tenant cannot read another tenant's data.
Account & identity.
Name, work email, role within the organization, and the tenant you belong to. Authentication is handled by our identity provider; we do not store your password.
Operational data.
Loads, trips, rate confirmations, bills of lading, proof of delivery, lumper and scale receipts, invoices, expenses, permits, inspections, and messages you create or upload. Documents you upload are processed by an automated extraction model to read structured fields (for example, the rate and lane on a rate confirmation).
Telematics & ELD data — only with your connection.
FleetPath does not record hours of service and is not a registered ELD. We display telematics data only when your organization explicitly connects a third-party provider (such as Motive or Samsara) using your own provider credentials. See section 4 for detail.
Technical data.
Standard request metadata (IP address, timestamps, user agent) for security and audit logging, and error diagnostics with personal identifiers and credentials scrubbed before storage.
We use data to operate the platform: to run your loads and settlements, extract fields from documents you upload, surface operational alerts, route trips, process billing, and keep the service secure. We use aggregated, de-identified data to improve the product.
We do not sell personal information. We do not share your data with third parties for their own marketing. We do not use your operational data to train third-party general-purpose models.
FleetPath is a visibility layer, not a compliance system of record. We do not capture, generate, certify, or store hours-of-service duty status as an authoritative record. The carrier remains responsible for ELD compliance under 49 CFR Part 395.
When your organization connects a telematics or ELD provider, the connection uses an authorization flow scoped to the data you approve. FleetPath reads only the data fields required for the features you use, displays them, and stops reading them when you disconnect. Provider credentials are encrypted at rest and every access to them is recorded in an audit log. Disconnecting a provider revokes the stored credential and stops further data collection; historical records already displayed are retained per section 6 unless you request deletion.
The platform is fully usable without any telematics provider connected. Features that benefit from live telematics degrade to a manual or estimated mode rather than being withheld.
We rely on a small set of vetted subprocessors to run the service. Each receives only the data necessary for its function and is contractually bound to protect it:
Payment card data is handled entirely by Stripe. FleetPath never stores card numbers.
We retain operational records for as long as your organization has an active account, and after that for the period required by the applicable regulation (for example, DOT and IFTA record-keeping windows) or our documented retention schedule, whichever is longer. Transient processing artifacts — such as document analysis screenshots — are deleted on a short cycle measured in hours to days. When you delete your account, we soft-delete immediately and hard-delete after the applicable retention window.
Data is encrypted in transit (TLS 1.2+) and provider credentials are encrypted at rest. Tenant isolation is enforced at the database with row-level security. Access is role-based, multi-factor authentication is available, credential access is audit-logged, and we maintain incident-response runbooks. We follow a control set mapped to OWASP ASVS Level 2; the assessment is documented internally and reviewed quarterly.
Depending on your jurisdiction (including under GDPR and the CCPA/CPRA), you may request access to the personal data we hold about you, a portable export of it, correction of inaccuracies, or deletion. You may also object to or restrict certain processing. We do not sell personal information, so there is nothing to opt out of in that respect.
To exercise any of these rights, contact privacy@fleetpath.app. We verify the requester before acting and respond within the timeframe the applicable law requires.
FleetPath is operated from the United States and data is processed there. The platform is a business tool intended for commercial motor carrier operations and is not directed to children; we do not knowingly collect data from anyone under 16.
If we make a material change, we will update the effective date above and, where required, notify account administrators. Continued use after an update constitutes acceptance of the revised policy.