Privacy Policy

1. Who We Are and Our Roles

1.1 Identity. FR8 Tech, Inc. (“FR8 Tech”, “we”, “us”, or “our”) operates the VisitorFlow visitor management platform (“Service”). Our registered address is [to be inserted], Wilmington, DE, USA.

1.2 Controller and processor roles. The GDPR and similar data protection laws distinguish between data “controllers” (entities that determine the purposes and means of processing) and data “processors” (entities that process data on behalf of controllers).

When a business (“Tenant”) deploys VisitorFlow at its facilities to manage visitors, drivers, and contractors, the Tenant is the data controller for the personal data of those individuals, and FR8 Tech acts as a data processor on the Tenant’s behalf. In that context, the terms of our Data Processing Addendum govern.

When we collect information directly from Tenants (account holders, admins, billing contacts) and from visitors to our marketing website, FR8 Tech acts as the data controller. This Privacy Policy addresses both contexts.

2. Categories of Data We Collect

2.1 Visitor and operational data (processor context). When processing data on behalf of Tenants, we handle: full name, email address, phone number, employer or company affiliation, purpose of visit, vehicle information, bill of lading numbers, identity document images (driver’s licence, national ID), self-portrait photographs, electronic signatures, health screening declarations, NDA acknowledgements, PPE compliance records, and hazmat documentation. Where Tenants enable biometric features, we may process facial geometry data extracted from photographs as permitted by applicable law and the Tenant’s configuration.

2.2 Account and billing data (controller context). When you create a Tenant account, we collect: name, work email address, phone number, company name, billing address, and payment card information (processed and stored by Stripe — we retain only the last four digits and card type).

2.3 Usage and technical data (controller context). We automatically collect log data, IP addresses, browser type, device identifiers, feature-usage events (via PostHog), and error reports (via Sentry) to operate, secure, and improve the Service.

2.4 Marketing and communication data (controller context). If you subscribe to our newsletter, attend a webinar, or request a demo, we collect your name, email address, company, and engagement history to manage our relationship with you.

3. How We Use Your Data and Legal Bases

3.1 Performance of contract (GDPR Art. 6(1)(b)). We process account data, billing data, and platform usage data as necessary to fulfil our contractual obligations to Tenants under the Terms of Service — including provisioning accounts, processing subscriptions, delivering the Service, and providing customer support.

3.2 Legitimate interests (GDPR Art. 6(1)(f)). We process technical and usage data on the basis of our legitimate interest in maintaining the security, integrity, and reliability of the Service; detecting and preventing fraud and abuse; improving product features based on aggregate usage patterns; and communicating with existing customers about relevant product updates. We have conducted balancing tests to confirm our interests are not overridden by your fundamental rights and freedoms.

3.3 Consent (GDPR Art. 6(1)(a)). Where required by applicable law — including for marketing communications to prospective customers, for the use of non-essential cookies, and for biometric data processing in jurisdictions that require explicit consent — we will obtain your consent before processing. You may withdraw consent at any time without affecting the lawfulness of prior processing.

3.4 Legal obligation (GDPR Art. 6(1)(c)). We may process personal data where necessary to comply with a legal obligation, such as responding to lawful requests from law enforcement or regulatory authorities, maintaining tax records, or complying with data retention obligations.

4. Recipients and Sub-Processors

4.1 Within FR8 Tech. Access to personal data is limited to FR8 Tech personnel who need it to provide or support the Service, subject to confidentiality obligations and the principle of least privilege.

4.2 Sub-processors. We engage trusted third-party service providers (“sub-processors”) to help operate the Service. Our current list of sub-processors is maintained at visitorflow.com/legal/sub-processors. Key sub-processors include Vercel (hosting), Neon (database), AWS (storage, KMS, AI services), Stripe (billing), Resend (email), Twilio (SMS), Inngest (background jobs), PostHog (analytics), and Sentry (error monitoring). Each sub-processor is bound by contractual data processing agreements with security standards equivalent to those in our DPA.

4.3 Other disclosures. We may share personal data with professional advisors (lawyers, auditors) under confidentiality obligations; with regulators, law enforcement, or courts where required by law; and with a successor entity in connection with a merger, acquisition, or sale of assets, subject to the successor agreeing to honor the commitments in this Privacy Policy.

5. International Data Transfers

5.1 Transfer mechanism. FR8 Tech’s primary infrastructure is located in the United States (Vercel and Neon US East regions). Where we transfer personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States or another country not recognized as providing an adequate level of data protection, we rely on the European Commission’s Standard Contractual Clauses (“SCCs”) as the lawful transfer mechanism, supplemented by appropriate technical safeguards including encryption in transit (TLS 1.3) and at rest (AES-256).

5.2 Transfer impact assessment. We have conducted transfer impact assessments for each country to which personal data is transferred and have implemented supplementary measures where the SCCs alone are insufficient. Copies of the SCCs and transfer impact assessment summaries are available to Tenants upon written request.

6. Data Retention

6.1 Tenant-configured retention. For visitor and operational data processed on behalf of Tenants, retention periods are configured per data category within the Tenant’s account settings. Tenants can independently set retention for visitor photographs, identity documents, signatures, and health screening data, within minimums and maximums set by FR8 Tech and applicable law. Every new Tenant workspace is pre-configured with sane defaults designed to satisfy GDPR data-minimization obligations out of the box. Default values and rationale are documented in the Data Retention Policy.

6.2 Account and billing data. We retain account and billing data for as long as the Tenant subscription is active and for 7 years thereafter, to comply with tax and accounting obligations.

6.3 Marketing data. We retain marketing contact data until you withdraw consent or unsubscribe, plus a 30-day grace period to process the request.

7. Your Data Subject Rights

Where we process your personal data as a controller, you have the following rights under applicable data protection law (including GDPR Chapter III):

7.1 Right of access (Art. 15). You may request a copy of the personal data we hold about you, together with information about how it is processed.

7.2 Right to rectification (Art. 16). You may request correction of inaccurate or incomplete personal data.

7.3 Right to erasure (Art. 17). You may request deletion of your personal data in certain circumstances (e.g., where it is no longer necessary for the purpose for which it was collected, or where you withdraw consent).

7.4 Right to data portability (Art. 20). Where processing is based on consent or contract and carried out by automated means, you may request a structured, machine-readable copy of your data.

7.5 Right to restrict processing (Art. 18). You may request that we restrict processing of your data in certain circumstances.

7.6 Right to object (Art. 21). You may object to processing based on legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds.

7.7 How to exercise your rights. Visitors who checked in at a Tenant facility may exercise rights via the self-service Privacy Portal. Tenant account holders may manage their data from account settings or by emailing privacy@visitorflow.com. We will respond within 30 days (extendable by a further 2 months for complex requests).

7.8 Right to lodge a complaint. If you believe we have infringed your rights, you have the right to lodge a complaint with your local data protection authority. For EU residents, a list of national DPAs is available at the European Data Protection Board website.

8. Cookies and Tracking Technologies

Our marketing website uses essential session cookies to maintain your login state, and with your consent, analytics cookies (PostHog) to understand how users navigate the site. You can manage cookie preferences at any time via the cookie banner or your browser settings. We do not sell your personal data or use it for cross-site advertising. A full list of cookies and their durations is maintained in our Cookie Notice, which supplements this Privacy Policy.

9. Children

The Service is not directed to children under the age of 16 (or a higher age threshold where required by applicable law). We do not knowingly collect personal data from children. If you believe we have inadvertently collected personal data from a child, please contact us at privacy@visitorflow.com and we will take steps to delete it promptly.

10. Security

We implement technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, and destruction. These include AES-256 encryption at rest (including per-tenant KMS keys for high-sensitivity data), TLS 1.3 in transit, mandatory two-factor authentication for admin accounts, strict tenant data isolation at the application layer, and an append-only audit log. Our full security posture is described on our Security page and SOC 2 readiness documentation. No system is completely secure; in the event of a data breach that may affect your rights and freedoms, we will notify affected Tenants and relevant supervisory authorities within 48 hours of becoming aware, as required by the DPA.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice in the dashboard or by email at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Privacy Policy. We will maintain an archive of previous versions accessible via the “Previous versions” link at the top of this page.

12. Contact and DPO

For any questions about this Privacy Policy or to exercise your data subject rights, please contact our privacy team:

• Email: privacy@visitorflow.com
• Data Protection Officer: [DPO name/contact to be inserted — engage counsel to determine DPO appointment obligation]
• Postal: FR8 Tech, Inc., [Address to be inserted], Wilmington, DE, USA

EU and UK Tenants may also contact our EU representative (to be designated) at the above email address.