Privacy Policy

Effective Date: March 1, 2026 · Last Updated: March 1, 2026

Dray Flow LLC is a Washington State limited liability company wholly owned by Forge Perfect LLC.

This Privacy Policy explains how Dray Flow LLC (“Dray Flow,” “we,” “us,” or “our”) collects, uses, stores, shares, and protects information when you use the Dray Flow Transportation Management System and related services (the “Service”). It also describes your rights with respect to your information.

By using the Service, you agree to the practices described in this Policy. If you do not agree, please do not use the Service.

1. Information We Collect

1.1 Account and Registration Information

When you create an account, we collect:

  • Full name and email address;
  • Password (stored in hashed form; we never store plaintext passwords);
  • Organization name and role within your organization;
  • Billing contact information (name, email, billing address).

1.2 Business and Operational Data

As part of normal use of the Service, you and your authorized users enter operational data, which may include:

  • Load and container information (container numbers, booking numbers, vessel names, port details);
  • Driver information (names, contact information, license numbers, assignment records);
  • Equipment records (trucks, trailers, chassis — including identification numbers and status);
  • Customer and carrier records (company names, contacts, addresses, rate information);
  • Financial data (invoices, accessorial charges, rate agreements);
  • Document attachments (bills of lading, delivery orders, photos, inspection records);
  • Location and appointment data (pickup/delivery addresses, port names, timestamps).

Collectively, the above is referred to as “Customer Data.” You retain ownership of Customer Data. We process it only as necessary to provide the Service.

1.3 AI Assistant Inputs

When you use the AI Assistant, you may submit text content such as pasted booking confirmations, bills of lading, or other documents. This input is transmitted to our AI provider (Anthropic, PBC) for processing. See Section 4 (Sub-processors) for details on how Anthropic handles this data.

1.4 Automatically Collected Data

When you use the Service, we automatically collect:

  • Device and browser information (browser type, operating system, screen resolution);
  • IP address and general geographic region (country/state);
  • Pages visited, features used, and actions taken within the Service;
  • Session duration and access timestamps;
  • Error logs and performance diagnostics.

This data is used to maintain and improve the Service and is not used to build individual advertising profiles.

1.5 Payment Information

We do not store your full payment card number, CVV, or bank account details. All payment data is collected and tokenized directly by Stripe, Inc. We receive only a payment token, the last four digits of your card, and billing metadata from Stripe.

1.6 Audit Log Data

The Service automatically creates an immutable audit log of all database changes, recording the action performed, the timestamp, and the user ID of the person who performed the action. These logs are stored within your Tenant's isolated workspace and are accessible only to your authorized administrative users and (in limited circumstances for platform integrity) to Dray Flow personnel.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service;
  • Authenticate users and enforce access controls;
  • Process subscription payments and manage your account;
  • Send transactional emails (account setup, password resets, billing receipts, operational alerts);
  • Respond to support requests and resolve disputes;
  • Monitor Service performance, diagnose errors, and improve reliability;
  • Enforce our Terms of Service and protect the integrity of the platform;
  • Comply with applicable law, legal process, or regulatory requirements.

We do not use your Customer Data to train AI models, build advertising profiles, or sell data to third parties for marketing purposes.

3. How We Share Your Information

3.1 Within Dray Flow LLC and Forge Perfect LLC

Dray Flow LLC is a wholly owned subsidiary of Forge Perfect LLC. Forge Perfect LLC is the developer and intellectual property owner of the Service. Internal access to Customer Data is limited to personnel who require it to operate, support, or improve the Service.

3.2 Sub-processors

We engage the following third-party companies (“Sub-processors”) to help provide the Service. Each is subject to contractual data protection obligations.

Sub-processor | Purpose | Data Processed | Location
--- | --- | --- | ---
Supabase, Inc. | Database, authentication, and file storage | All Customer Data, account credentials | AWS (United States)
Vercel, Inc. | Application hosting, edge delivery, and AI Gateway (routes AI Assistant requests to Anthropic) | Web requests, page performance metrics, AI Assistant inputs in transit | United States
Stripe, Inc. | Payment processing | Payment card data, billing information | United States
Anthropic, PBC | AI Assistant inference (Claude language model, accessed via Vercel AI Gateway) | Text content submitted to the AI Assistant | United States
Resend, Inc. | Transactional email delivery | Email address, email content (alerts, receipts) | United States
Google LLC | Workspace email and identity verification | Email address, domain verification | United States
Amazon Web Services | DNS and domain infrastructure (via Route 53) | Domain routing; no Customer Data stored | United States

Note on the AI Provider Data Chain

AI Assistant requests are routed through Vercel AI Gateway before being processed by Anthropic's Claude language model. Vercel AI Gateway acts as an intermediary that handles request routing, rate limiting, and observability. Under our commercial agreements with both Vercel and Anthropic, data submitted through the AI Assistant is not used to train or improve any AI foundation models. Content is processed ephemerally — it is not retained by either Vercel or Anthropic beyond the scope of the individual request, in accordance with their respective enterprise data handling policies.

3.3 Legal Disclosures

We may disclose your information when we believe in good faith that disclosure is required by law, subpoena, court order, or other legal process; to enforce our Terms of Service; or to protect the rights, property, or safety of Dray Flow, our users, or the public.

3.4 Business Transfers

If Dray Flow LLC or Forge Perfect LLC undergoes a merger, acquisition, financing, or sale of assets, Customer Data may be transferred to the successor entity. We will notify you of any such transfer via email or a prominent notice within the Service.

3.5 No Sale of Personal Information

We do not sell, rent, or license your personal information or Customer Data to any third party for monetary or other valuable consideration.

4. Data Retention

We retain Customer Data for as long as your account is active. When you cancel your subscription, your data is retained for 30 days to allow you to request an export. After this period, Customer Data is permanently deleted from production systems.

Certain records may be retained for a longer period where required by applicable law (for example, billing records for tax compliance purposes). Audit log data is retained as long as your account is active and for the 30-day post-cancellation window.

Backup copies may persist for up to 90 days in encrypted storage before they are purged through normal backup rotation cycles.

5. Security

We take the security of your data seriously and implement appropriate technical and organizational measures, including:

  • Multi-Tenant Isolation: Row-level security (RLS) policies enforced at the database level ensure that no Tenant can access another Tenant's data, even if they share the same underlying infrastructure.
  • Encryption in Transit: All data transmitted between your browser and our Service is encrypted using TLS 1.2 or higher.
  • Encryption at Rest: Customer Data stored in our database is encrypted at rest by our infrastructure provider (Supabase / AWS).
  • Authentication: User authentication is managed through Supabase Auth, which uses bcrypt-hashed passwords and supports email-based verification workflows.
  • Immutable Audit Logs: All changes to operational records are written to an append-only audit log that cannot be modified or deleted by regular users.
  • Access Controls: Role-based access controls limit which users within your organization can view, edit, or delete specific data.

No security system is impenetrable. If you believe your account or data has been compromised, contact us immediately at security@drayflow.com.

6. Your Rights and Choices

6.1 General Rights (All Users)

You have the right to:

  • Access: Request a copy of the personal information we hold about you;
  • Correction: Request correction of inaccurate personal information;
  • Deletion: Request deletion of your personal information, subject to our legal retention obligations;
  • Data Portability: Request an export of your Customer Data in a machine-readable format;
  • Opt Out of Non-Essential Communications: Unsubscribe from marketing emails at any time using the link in those emails. Transactional and security emails cannot be opted out of while your account is active.

To exercise any of these rights, contact us at privacy@drayflow.com. We will respond within 30 days.

6.2 California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”) provides you with additional rights:

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources of that information, our business purposes for collecting it, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt Out of Sale or Sharing: We do not sell or share personal information for cross-context behavioral advertising purposes. No opt-out action is required.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, email privacy@drayflow.com with “CCPA Request” in the subject line. We may ask you to verify your identity before processing the request.

6.3 Washington State Residents

The Washington My Health My Data Act applies to consumer health data. The Dray Flow TMS does not collect health data as part of its core functionality. To the extent driver wellness or drug test documentation is uploaded by your organization, we treat such data with the same security and access controls as all other Customer Data and do not use it for purposes beyond operating the Service.

7. Cookies and Analytics

The Service uses minimal cookies and local storage for session management, authentication state, and performance caching. We do not use advertising cookies or cross-site tracking technologies.

We use Vercel Analytics and Vercel Speed Insights to understand aggregate usage patterns and application performance. These tools collect anonymized technical data and do not use cookies to track individuals across other websites.

You can disable cookies in your browser, but doing so may prevent certain features of the Service from functioning correctly.

8. Children's Privacy

The Service is intended for business use by individuals who are at least 18 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected information from a child under 13, we will delete it promptly.

9. International Users

Dray Flow is currently offered to businesses operating within the United States. Our Service infrastructure is hosted in the United States. If you access the Service from outside the United States, you do so at your own initiative and are responsible for compliance with your local laws. We do not represent that the Service is appropriate or available for use in other jurisdictions.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice within the Service at least 14 days before the changes take effect. The “Last Updated” date at the top of this page reflects the most recent revision. Your continued use of the Service after the effective date constitutes your acceptance of the revised Policy.

11. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Dray Flow LLC
c/o Forge Perfect LLC
Vancouver, Washington
Email (Privacy): privacy@drayflow.com
Email (Security): security@drayflow.com
Email (Legal): legal@drayflow.com

We will respond to privacy-related inquiries within 30 days.