Effective date: To be set on counsel sign-off · Last updated: April 27, 2026 · Version 0.9 (counsel review draft)
Phase 1 / Counsel review draft. This Privacy Policy describes the data practices X3 intends to operate under once counsel-reviewed and live. Carriers using the platform before the effective date are protected by these practices as described below; any subsequent counsel-driven changes take effect on 30 days' notice.
1. Scope & Roles
This Privacy Policy explains how X3 Fleet Safety, LLC ("X3") handles personal information when motor carriers and their personnel use the X3 platform (the "Service"). It applies to information we collect at x3fleetsafety.com, app.x3fleetsafety.com, and any X3 mobile or driver applications.
Roles. When a motor carrier subscribes to X3 and uploads records about its drivers, vehicles, or operations:
The motor carrier ("Customer") is the data controller (or, in California, the "business"). The carrier decides what records to collect, what to do with them, and how long to keep them within applicable legal retention rules.
X3 is the data processor (or, in California, the "service provider"). We process records only on the carrier's behalf, per our Terms of Service.
Drivers and other carrier personnel whose records appear in the Service should direct privacy questions and access/deletion requests to their carrier-employer first. X3 will support whatever response the carrier instructs us to make.
2. What We Collect
We collect three categories of information:
2.1 Information Customer (the carrier) provides directly
Carrier identity: legal name, DBA, USDOT number, MC number, EIN, business address, principals.
Compliance records: driver qualification files (medical certs, applications, road tests, MVRs), drug and alcohol test results, hours-of-service logs, DVIRs, accident reports, inspection reports, training records.
Vehicle records: VIN, license plate, registration, inspection history, maintenance records.
Diagnose and fix bugs, monitor for fraud and security incidents, prevent abuse.
Improve the Service in aggregated, anonymized ways that cannot be traced to a specific carrier or person.
Comply with legal obligations and respond to legitimate legal process.
We do not sell personal information. We do not share personal information with advertisers. We do not use Customer Data to train any artificial intelligence model except where the Customer has explicitly opted in to features that require it (and even then, only on Customer's own data, not pooled across customers).
4. Who We Share With
We share personal information only with:
Service providers who power the platform: Supabase (database, authentication, file storage), Cloudflare (content delivery, hosting), Stripe (payments), Resend (transactional email), Twilio (text messaging when enabled), Sentry (error tracking), Anthropic (AI fallback parsing for unstructured uploads). Each has a published Data Processing Addendum and is bound to use data only for the purposes we specify.
Partner networks when Customer enables an add-on: Checkr (background checks), Health Street (drug & alcohol testing), and future MVR / IFTA partners. Data flows are limited to what's needed for the requested service.
Carrier-authorized recipients: when Customer asks us to send a record to a third party (e.g., an insurer doing a fleet review, an auditor, an attorney), we follow Customer's instructions.
Successors in interest in the event of a merger, acquisition, or sale of substantially all assets — with notice to Customer and continued protection equivalent to this Policy.
Government and law enforcement when legally required (subpoena, court order, valid warrant). We notify Customer where legally permitted.
5. FCRA-Covered Records
Background checks, MVRs, and certain investigative reports may be governed by the federal Fair Credit Reporting Act (FCRA). When the Service handles FCRA-covered records on Customer's behalf:
Customer is the "user" of the consumer report under FCRA. Customer is responsible for permissible-purpose certification, applicant disclosure, written authorization, pre-adverse-action notice, and adverse-action notice when applicable.
X3 is a conduit and recordkeeping aid; X3 is not a consumer reporting agency, does not furnish reports to third parties, and does not assemble investigative consumer reports.
Partner networks (Checkr, future MVR providers) are the consumer reporting agencies under FCRA; their CRA-level obligations remain with them.
If a driver disputes the accuracy of a record, the dispute should be made to the originating CRA (e.g., Checkr) per FCRA's dispute process. X3 will assist by surfacing the record and the originating CRA contact.
6. DOT Compliance Records
DOT compliance records have layered obligations beyond ordinary privacy law. Some records (DQF contents, drug-test records, hours-of-service) have regulatory minimum retention windows that override ordinary deletion requests. Our Data Retention & Destruction Policy details the windows. In summary:
Record class
Regulation
Minimum retention
DQF contents
49 CFR § 391.51
3 years post-termination
MVR pulls
§ 391.51
3 years
D&A test (negative)
§ 382.401
1 year
D&A test (positive/refusal)
§ 382.401
5 years
Hours-of-service / RODS
§ 395.8
6 months
DVIR
§ 396.11
90 days
IFTA mileage + fuel
IFTA Articles § P560
4 years
X3 retains records for the regulatory minimum plus a 1-year safety buffer.
7. Retention & Destruction
We retain Customer Data for as long as Customer's account is active, plus the regulatory retention windows above for DOT-covered records, plus up to 90 days for backups to age out. Audit logs are retained for 7 years to support our own compliance and audit defense. Specific destruction practices are described in our Data Retention & Destruction Policy.
8. Security
We protect personal information using administrative, physical, and technical safeguards including encryption at rest and in transit, role-based access controls, row-level security for tenant isolation, audit logging, and regular security reviews. Despite these measures, no system is impervious; if we discover unauthorized access to your data, we will notify Customer (the data controller) within 72 hours of confirmation, per our Incident Response Policy.
9. Your Rights
Depending on where you live, you may have rights to access, correct, delete, port, or restrict the processing of personal information about you. Under California's CCPA / CPRA, residents have the right to know what data we hold, request deletion, request correction, and opt out of "sale" or "sharing" (we do neither).
Because X3 is a data processor for carrier customers, individual rights requests should typically be directed to the carrier-controller first. If a carrier instructs us to access, export, correct, or delete a record, we will do so unless prevented by regulatory retention obligations. If you are unable to reach the carrier or believe the carrier is not responding, contact [email protected] and we will route your request appropriately.
10. Children
The Service is not directed at children under 16, and we do not knowingly collect personal information from children. Commercial driver licensure requires drivers to be 18+ (interstate) or 21+ for many operations, so the Service inherently does not contemplate child users.
11. Changes to this Policy
We may update this Privacy Policy. Material changes will be communicated to Customer by email and an in-app banner with at least 30 days' notice before they take effect. The "Last updated" date at the top reflects the most recent revision.
12. Contact
Privacy questions: [email protected] (subject line: "Privacy"). Postal address available on request to that email.