Privacy Policy
Effective Date: May 21, 2026 · Last Updated: May 21, 2026
This Privacy Policy explains how RIG53, Inc. (“RIG53,” “we,” “us,” or “our”) collects, uses, stores, and shares personal data when you use the RIG53 platform, mobile application, and related services (collectively, the “Platform”). It applies to all users globally, with additional disclosures for EU/UK users (GDPR), California residents (CCPA), and Canadian users (PIPEDA).
By using the Platform, you acknowledge that you have read and understood this Policy. Where we rely on consent as our legal basis, you may withdraw consent at any time without affecting the lawfulness of prior processing.
1. Data Controller
RIG53, Inc. is the data controller responsible for your personal data processed through the Platform. Our primary privacy contact is:
RIG53, Inc.
Privacy / Data Protection Officer
Email: privacy@rig53.com
General: legal@rig53.com
EU and UK users may also have a right to contact a local supervisory authority (see Section 8). RIG53 is based in the United States; if required under GDPR Art. 27, we will designate an EU/UK representative — contact us at privacy@rig53.com for the current designated representative.
2. Data We Collect
We collect data you provide directly, data generated by your use of the Platform, and data from authorized third-party sources.
Account and Registration Data
Name, email address, phone number, hashed password, account type (commercial, driver, personal), two-factor authentication method and status, email verification status, account suspension status.
Commercial Organization Data
Legal entity name, organization type, operating status, USDOT number, MC number, EIN (Employer Identification Number — encrypted at rest using AES-256), DUNS number, your position/title within the organization, and whether you are an administrator.
Driver Profile Data
CDL class, endorsements, restrictions, license number and issuing state, expiration date. We do not collect Social Security Numbers.
Driver Qualification (DQ) File Data
Documents and data required by 49 CFR Part 391: motor vehicle reports (MVR), medical examiner certificate details, employment and driving history (3 years), road test certification, CDLIS (Commercial Driver’s License Information System) query results, Drug & Alcohol Clearinghouse (DACH) query results, and pre-employment drug test confirmations. All DQ file data is encrypted at rest (AES-256).
Transactional Data
Load postings (origin, destination, commodity description, weight, dimensions, equipment type, rate, pickup/delivery windows), job postings (role, location, pay structure), rate confirmations, Bills of Lading (BOL), delivery confirmations, dispute records, and accessorial charge records.
Payment Data
Subscription plan, billing status, and payment history are recorded by RIG53. Full card numbers, CVV codes, and bank account details are processed exclusively by Stripe, Inc. and are never stored by RIG53. See Stripe’s privacy policy for their data practices.
Communication Data
Platform messages between users, support tickets submitted to RIG53, ratings and reviews you provide or receive.
Location Data
Real-time GPS coordinates collected from drivers during active loads (see Section 10). Approximate location inferred from IP address for fraud detection and regional feature delivery.
FMCSA Database Query Results
Responses from FMCSA SAFER API (carrier operating authority, insurance status, safety ratings, inspection history), CDLIS query results (CDL holder verification), and Drug & Alcohol Clearinghouse query results. These are stored on behalf of carriers who initiate the queries. See Section 9.
Technical and Usage Data
IP address, browser type and version, operating system, device identifiers, pages visited, feature interactions, API request logs, error logs, and session duration. This data is used for security, debugging, abuse prevention, and product improvement.
Analytics Data
Consent-gated analytics (e.g., Google Analytics 4) collect aggregate usage patterns, page performance, and conversion events. Analytics data is only collected if you have provided consent via our Cookie consent banner.
3. How We Use Your Data
- Create and manage your account and organization profile
- Facilitate load matching, job posting, and freight transactions
- Verify carrier operating authority via FMCSA SAFER API
- Enable carriers to assemble and maintain Driver Qualification files
- Query CDLIS and DACH on behalf of carrier users (who are the querying entity of record)
- Calculate the Trust Score from your platform activity (see Section 5)
- Process subscription payments via Stripe
- Send transactional emails (account activity, verification, system alerts)
- Send marketing emails (with consent; you may unsubscribe at any time)
- Track driver location during active loads (with consent; load-scoped)
- Detect and prevent fraud, abuse, and regulatory violations
- Respond to support requests and dispute investigations
- Comply with FMCSA regulations, court orders, and law enforcement requests
- Improve Platform features and performance (using anonymized/aggregated data or consent-gated analytics)
- Enforce our Terms of Service
4. Legal Bases for Processing (GDPR)
For EU/UK users, every processing activity has a lawful basis under GDPR Art. 6:
| Data / Activity | Legal Basis |
|---|---|
| Account registration and management | Contract — Art. 6(1)(b) |
| Transaction data (loads, jobs, BOL) | Contract — Art. 6(1)(b) |
| Commercial org data (EIN, DUNS) | Contract — Art. 6(1)(b) |
| DQ file assembly and storage | Contract + Legal obligation (49 CFR §391) — Art. 6(1)(b)(c) |
| CDLIS and DACH query storage | Legal obligation (49 CFR §§382, 391) — Art. 6(1)(c) |
| Carrier insurance verification (SAFER) | Legitimate interests (safety, fraud prevention) — Art. 6(1)(f) |
| Trust Score calculation | Legitimate interests (platform integrity) — Art. 6(1)(f) |
| GPS tracking during active loads | Contract + Consent — Art. 6(1)(a)(b) |
| Fraud detection and security logging | Legitimate interests — Art. 6(1)(f) |
| Transactional emails | Contract — Art. 6(1)(b) |
| Marketing emails | Consent — Art. 6(1)(a) |
| Analytics (GA4) | Consent — Art. 6(1)(a) |
| Audit logs (compliance holds) | Legal obligation — Art. 6(1)(c) |
| Responding to law enforcement | Legal obligation — Art. 6(1)(c) |
5. Automated Decision-Making — Trust Score
The Trust Score is calculated automatically from your platform activity: payment timeliness, load and job completion rate, communication response time, compliance status, peer ratings, and dispute history. It affects how your profile appears in search results and how other users perceive your commercial reliability.
GDPR Art. 22 rights (EU/UK users). If the Trust Score produces decisions that significantly affect your opportunities on the Platform, you have the right to: (a) obtain a meaningful explanation of the factors and weighting used; (b) request human review of any outcome you contest; and (c) express your point of view and challenge the result. Contact privacy@rig53.com.
Trust Score inputs are retained as long as your account is active and are recalculated periodically. Upon account deletion, Trust Score data is anonymized and removed from your profile within 90 days, except where subject to a legal hold.
7. Data Retention
We retain personal data only as long as necessary for the purposes set out in this Policy and as required by applicable law.
| Data Type | Retention | Legal Basis |
|---|---|---|
| Account data (name, email, phone) | Account lifetime + 90 days post-deletion | Contract |
| Commercial org data (EIN, DUNS) | Account lifetime + 90 days | Contract |
| CDL and driver credentials | 7 years | FMCSA legal obligation (49 CFR §391) |
| DQ file documents | 3 years active + 3 years post-termination (7 years for specific docs) | FMCSA legal obligation (49 CFR §391.53) |
| CDLIS query results | 7 years | FMCSA legal obligation |
| DACH query results | 7 years | FMCSA legal obligation (49 CFR §382.705) |
| BOL data | 7 years | FMCSA + legal hold |
| Transaction records | 7 years | Tax, legal obligation |
| Payment records | 7 years (Stripe retains per PCI DSS) | Tax + legal obligation |
| Messages | 2 years after last activity | Legitimate interest (dispute resolution) |
| GPS pings | 30 days (live) / 90 days (archive) | Contract; consent-scoped to load |
| Trust Score inputs | Account lifetime; deleted on account closure (90-day grace) | Legitimate interest |
| Audit and access logs | 7 years | Legal obligation (FMCSA, fraud) |
| Support tickets | 2 years | Legitimate interest |
| Analytics data (GA4) | 14 months | Consent |
| Cookie consent records | 5 years | Legal obligation (GDPR accountability) |
Data subject to a legal hold is retained until the hold is lifted, regardless of the standard schedule above.
8. Your Privacy Rights
EU and UK Users (GDPR / UK GDPR)
Under GDPR Articles 12–22, you have the right to:
- Access — obtain a copy of your personal data (Art. 15)
- Rectification — correct inaccurate data (Art. 16)
- Erasure — request deletion where no legal ground for retention exists (Art. 17)
- Restriction — limit processing in specific circumstances (Art. 18)
- Portability — receive your data in a structured, machine-readable format (Art. 20)
- Object — object to processing based on legitimate interests (Art. 21)
- Automated decisions — request human review of Trust Score outcomes (Art. 22)
- Supervisory authority — lodge a complaint with your local data protection authority
California Residents (CCPA / CPRA)
California residents have the right to: know what personal information is collected and how it is used; request deletion; opt out of the sale or sharing of personal information (RIG53 does not sell personal data); correct inaccurate information; limit use of sensitive personal information; and be free from discrimination for exercising these rights.
Canadian Users (PIPEDA)
Canadian users have the right to: access personal information; correct inaccurate information; withdraw consent for non-essential processing; and be notified of breaches that present a real risk of significant harm.
How to Exercise Your Rights
Submit a request to privacy@rig53.com with your name, email address, and a description of your request. We respond within 30 days (EU/UK/Canada) or 45 days (California).
9. FMCSA-Regulated Data Disclosures
- SAFER / FMCSA data — carrier authority, safety rating, and inspection data retrieved from FMCSA SAFER is public regulatory data. We cache responses (7-day TTL) for performance.
- CDLIS queries — CDL holder verification performed by the carrier, facilitated through the Platform. Results stored on behalf of the carrier. 7-year retention per 49 CFR §391.
- DACH queries — Drug & Alcohol Clearinghouse queries performed by carrier users per 49 CFR § 382.701. Results encrypted (AES-256) and retained for 7 years per 49 CFR § 382.705.
- DQ file documents — assembled on behalf of carriers. Carriers are the custodians of record.
10. GPS and Location Data
When a driver accepts a load through the Platform, GPS location data is collected via the driver’s device for the duration of that load for: real-time shipment visibility, route verification in disputes, and fraud detection.
Consent is load-scoped. Accepting a load constitutes consent for GPS tracking during that load only. GPS data is retained for 30 days at full resolution and archived for 90 days before permanent deletion.
11. Children’s Privacy
The Platform is intended for users 18 years of age and older. We do not knowingly collect personal data from individuals under 16 (EU/UK) or under 13 (US). Contact us at privacy@rig53.com if you believe a minor has registered.
12. International Data Transfers
RIG53 is based in the United States. For EU/UK users, transfers are governed by EU Standard Contractual Clauses (SCCs) as approved by the European Commission under GDPR Art. 46, or equivalent UK International Data Transfer Agreements (IDTAs).
13. Security
- AES-256 encryption at rest for EIN, DUNS, DQ file data, and DACH/CDLIS results
- TLS 1.3 for all data in transit
- Bearer token authentication (Laravel Sanctum) with refresh token rotation
- Role-based access control (RBAC) via Spatie Permissions
- Rate limiting on all API endpoints
- Immutable audit logs for all access to sensitive data
- Two-factor authentication available for all accounts
- Passwords stored as bcrypt hashes; never stored in plaintext
In the event of a data breach, we will notify affected users and, where required, supervisory authorities within 72 hours of discovery (GDPR Art. 33).
15. Third-Party Links
The Platform may contain links to third-party websites. We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies.
16. Changes to This Policy
We may update this Policy to reflect changes in our practices or applicable law. We will provide at least 14 days’ notice of material changes via email, in-app notification, or a prominent notice on the Platform.
17. Contact and Data Protection
For privacy questions, data subject requests, or to report a concern:
Privacy / Data Protection
Response time: 30 days (EU/UK/Canada) · 45 days (California)
EU/UK users may also contact their national supervisory authority. A list of EU supervisory authorities is available at edpb.europa.eu. The UK supervisory authority is the ICO at ico.org.uk.