Legal Documentation

Last Updated: January 1, 2026

These Terms of Service ("Terms") govern your access to and use of CrashTrak software, mobile applications, web applications, and related services (collectively, "Services") provided by CrashTrak, Inc. ("Company", "we", "us", or "our"). By accessing or using the Services, you agree to be bound by these Terms.

1. Permitted Use

You may use the Services solely for lawful purposes in connection with documenting vehicular incidents, managing fleet safety data, and related commercial transportation activities. The Services are intended for use by professional drivers, fleet administrators, and authorized commercial vehicle operators.

2. Prohibited Use

You may not:

• Scrape, copy, or reproduce any portion of the Services for competitive intelligence or to build competing products
• Use crash report data for purposes other than your own incident documentation and fleet safety management
• Share access credentials or allow unauthorized third parties to access your account
• Reverse engineer, decompile, or disassemble any component of the Services
• Use the Services to transmit malware, spam, or unlawful content
• Circumvent any rate limiting, access controls, or security mechanisms

3. Account Termination

We reserve the right to suspend or terminate your account immediately and without prior notice if you violate these Terms, engage in fraudulent activity, or if your continued use poses a risk to other users or the platform. Upon termination, your license to use the Services ceases immediately. You may request an export of your report data within 30 days of termination.

4. Limitation of Liability

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE COMPANY'S TOTAL LIABILITY ARISING OUT OF OR RELATED TO THESE TERMS OR THE SERVICES SHALL NOT EXCEED THE GREATER OF (A) THE AMOUNTS PAID BY YOU IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM OR (B) ONE HUNDRED DOLLARS ($100).

IN NO EVENT SHALL THE COMPANY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING WITHOUT LIMITATION LOSS OF PROFITS, DATA, OR GOODWILL, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

5. Governing Law

These Terms shall be governed by and construed in accordance with the laws of the State of Texas, without regard to its conflict of law principles. Any legal action arising from these Terms shall be brought exclusively in the state or federal courts located in Travis County, Texas.

6. Mandatory Arbitration

Any dispute, controversy, or claim arising out of or relating to these Terms or the Services shall be resolved by binding arbitration administered by the American Arbitration Association under its Commercial Arbitration Rules. The arbitration shall be conducted in Austin, Texas. The arbitrator's decision shall be final and binding.

7. Class Action Waiver

YOU AGREE THAT ANY ARBITRATION OR LEGAL PROCEEDING SHALL BE LIMITED TO THE DISPUTE BETWEEN YOU AND THE COMPANY INDIVIDUALLY. TO THE FULL EXTENT PERMITTED BY LAW, YOU WAIVE THE RIGHT TO PARTICIPATE IN CLASS ACTIONS, CLASS ARBITRATIONS, OR REPRESENTATIVE ACTIONS.

8. Force Majeure

The Company shall not be liable for any failure or delay in performance due to circumstances beyond our reasonable control, including without limitation acts of God, natural disasters, pandemics, government actions, cyberattacks, or failures of third-party infrastructure providers.

Effective Date: January 1, 2026. This Privacy Policy is GDPR and CCPA compliant.

1. Data We Collect

• Account Information: Name, email address, company name, role
• GPS Location Data: Coordinates captured at the time of incident only — not continuous tracking
• Incident Report Data: Photos, audio recordings, damage diagrams, witness information, police data, and all other fields in submitted reports
• Device Information: Device type, OS version, app version, unique device identifier
• Usage Data: Feature interactions, error logs (no sensitive content logged)

2. How We Use Your Data

• To operate and maintain the Services
• To generate incident documentation reports on your behalf
• To sync reports with your fleet admin portal
• To provide customer support
• To send transactional communications (report confirmations, billing invoices)
• To improve the Services through aggregated, anonymized analytics

3. Third-Party Services

• Firebase / Google Cloud: Authentication, Firestore database, Cloud Storage, Cloud Functions — data processed in US-Central by Google LLC
• Cloudflare: CDN, WAF, and DDoS protection — Cloudflare Inc. processes request metadata
• Vercel: Marketing site hosting — Vercel Inc. processes server-side request logs

4. Data Retention

• Incident reports: 7 years minimum, in compliance with FMCSA 49 CFR Part 390 transportation record-keeping requirements
• Account data: Retained while your account is active, plus 30 days after cancellation
• Audio recordings: Retained with reports for the 7-year period
• Server access logs: 90 days

5. Your Rights

Under GDPR and CCPA, you have the right to access, correct, export, or delete your personal data. To exercise these rights, email privacy@crashtrak.com. We will respond within 30 days. Note: deletion of incident report data may not be possible during the 7-year retention period required by law.

6. Contact

Privacy inquiries: privacy@crashtrak.com

Effective Date: January 1, 2026

This End User License Agreement ("EULA") is a legal agreement between you ("End User") and CrashTrak, Inc. governing your use of the CrashTrak mobile and web applications ("App").

1. License Grant

Subject to your compliance with this EULA and the Terms of Service, CrashTrak grants you a limited, non-exclusive, non-transferable, non-sublicensable, revocable license to install and use the App on devices you own or control solely for your personal or internal business purposes.

2. Intellectual Property

The App and all its content, features, and functionality — including source code, algorithms, UI design, database schemas, and generated PDF templates — are and remain the exclusive property of CrashTrak, Inc. and are protected by United States and international copyright, trademark, patent, and trade secret laws.

3. Restrictions

• You may not sell, rent, lease, sublicense, or distribute the App
• You may not modify, adapt, translate, or create derivative works from the App
• You may not remove any proprietary notices, labels, or marks on the App
• You may not use the App on more devices than your license permits

4. Termination

This license is effective until terminated. Your rights under this EULA terminate automatically upon any breach. Upon termination, you must cease all use of the App and delete all copies.

Effective Date: January 1, 2026

Permitted Activities

• Documenting commercial vehicle incidents you are directly involved in
• Managing incident reports for your fleet organization
• Sharing reports with your own legal counsel, insurance carrier, or law enforcement
• Accessing the portal with your assigned credentials

Prohibited Activities

• Submitting false, fraudulent, or fabricated incident reports
• Using the platform to harass, defame, or harm third parties
• Uploading content that infringes third-party intellectual property rights
• Attempting to gain unauthorized access to other users' reports or accounts
• Using automated tools to scrape, bulk-download, or systematically extract report data
• Sharing your account credentials with unauthorized individuals
• Using the Services in violation of any applicable transportation or commercial vehicle law

Enforcement

Violations may result in immediate account suspension, permanent ban, and referral to law enforcement. We reserve the right to preserve and disclose content when required by law or to protect the safety of any person.

Effective Date: January 1, 2026. This DPA supplements the Terms of Service for enterprise clients subject to GDPR Article 28.

1. Roles

The enterprise client ("Controller") instructs CrashTrak, Inc. ("Processor") to process personal data on its behalf for the purposes described in the Terms of Service.

2. Processing Instructions

The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country unless required to do so by applicable law.

3. Confidentiality

The Processor shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

4. Security

The Processor implements appropriate technical and organizational measures including AES-256 encryption at rest, TLS 1.3 in transit, role-based access controls, audit logging, and regular security assessments.

5. Sub-Processors

The Processor uses the following approved sub-processors:

• Google LLC (Firebase / Google Cloud Platform) — Authentication, database, storage, and compute
• Cloudflare, Inc. — Network security and content delivery
• Vercel, Inc. — Marketing site hosting

6. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to requests from data subjects exercising their rights under GDPR Chapter III within the applicable timeframes.

7. Data Breach Notification

The Processor shall notify the Controller without undue delay (and no later than 72 hours) after becoming aware of a personal data breach affecting Controller data, per GDPR Article 33.

8. Contact for DPA Requests

Enterprise clients requiring a signed DPA: legal@crashtrak.com

Effective Date: January 1, 2026

Cookies We Use

• Firebase Authentication Session Cookie — Required for portal login sessions. HTTP-only, Secure flag, SameSite=Strict. Cannot be disabled without losing authentication.
• ct_cookie_consent (localStorage) — Stores your cookie consent preference. Not a cookie; local storage item only.
• Vercel Analytics — Privacy-first analytics. No cookies. Uses edge network data only. No personal identifiers stored.

Optional Analytics

If you consent, we may set a PostHog analytics session identifier to improve product features. This identifier is pseudonymous and does not contain your name or email. You can opt out at any time by clicking "Decline" in the cookie consent banner or by emailing privacy@crashtrak.com.

How to Control Cookies

You can disable cookies in your browser settings. Disabling the Firebase authentication cookie will prevent portal login. You can withdraw consent at any time by clearing your browser's local storage or clicking the cookie preferences link in the footer.

Effective Date: January 1, 2026

Encryption

• All data at rest is encrypted using AES-256 via Google Cloud Storage and Firestore encryption
• All data in transit is protected by TLS 1.3 with HSTS (max-age 2 years) enforced on all endpoints

Access Controls

• Role-based access control: Drivers access only their own reports; Fleet Admins access only their client organization's reports; Platform Owners access the full platform
• Firebase Security Rules enforce access control at the database level — not just at the application layer
• All authentication uses Firebase Auth with industry-standard OAuth 2.0 and optional multi-factor authentication

Audit Logging

All administrative actions in the portal are written to an immutable audit log. Logs are retained for 2 years.

Incident Response

In the event of a security incident affecting personal data, we will notify affected users and relevant supervisory authorities within 72 hours of discovery, per GDPR Article 33.

Vulnerability Disclosure

To report a security vulnerability, email security@crashtrak.com. We aim to acknowledge reports within 48 hours.

SOC 2

CrashTrak is working toward SOC 2 Type II certification. Enterprise customers can request our current security posture documentation.

Effective Date: January 1, 2026

CrashTrak respects the intellectual property rights of others and expects users to do the same. In accordance with the Digital Millennium Copyright Act (17 U.S.C. § 512), we will respond to valid notices of claimed copyright infringement.

Designated Agent

DMCA Agent: CrashTrak, Inc.
Email: dmca@crashtrak.com

Takedown Notice Requirements

A valid DMCA takedown notice must include:

• Your physical or electronic signature
• Identification of the copyrighted work claimed to be infringed
• Identification of the allegedly infringing material with sufficient detail for us to locate it
• Your contact information (address, phone, email)
• A statement that you have a good faith belief that the use is not authorized
• A statement, made under penalty of perjury, that the above information is accurate and that you are the copyright owner or authorized to act on behalf of the owner

Counter-Notice

If you believe material was removed in error, you may send a counter-notice to dmca@crashtrak.com with your signature, identification of the removed material, a statement under penalty of perjury that removal was a mistake, and consent to jurisdiction of the federal district court for your location.