Privacy Policy

Effective Date: April 2, 2026 | Last Updated: April 2, 2026

1. Who We Are

This Privacy Policy explains how Under the Sun Logistics (“we,” “us,” “our”) collects, uses, stores, and protects your personal information when you use the UTS Logistics Terminal (“the Service”) at app.utslogistics.net and our website at utslogistics.net.

We are a business registered in the Republic of Serbia.

Contact for privacy matters: privacy@utslogistics.net

2. Information We Collect

2.1 Account Information

When you sign in using Google Authentication, we receive and store:

Data	Source	Purpose	Stored Where
Email address, display name, profile photo URL	Google Sign-In	Account identification, support	Firebase Auth
Firebase User ID (UID)	Firebase Auth (auto-generated)	Unique account identifier, data isolation key	Firebase Auth
Subscription plan, Paddle customer ID	Paddle webhook events	Feature gating, billing	Firestore `userProfiles`

We do not receive or store your Google password.

2.2 Business Data You Enter

Through your use of the Service, you may provide:

Data	Stored Where
Driver names, profiles, and equipment information	Firestore `users/{UID}`
Load details (origin, destination, revenue, miles, dates, broker info)	Firestore `users/{UID}`
Financial data (revenue, expenses, fees, settlements)	Firestore `users/{UID}`
Company information, notes, folder structures	Firestore `users/{UID}`
Uploaded documents (rate confirmations, BOLs, images, PDFs)	Firebase Storage `users/{UID}/docs/`

2.3 Automatically Collected Information

When you use the Service, the following may be automatically collected by our hosting infrastructure (Vercel):

Browser type and version
Device type
IP address
Pages visited and features used
Date and time of access
Referring URL

This data is collected as part of standard web server logs and is not used for advertising, profiling, or cross-site tracking.

3. How We Use Your Information

We use your information to:

Provide and operate the Service, including storing your dispatch data and syncing it across your devices.
Authenticate your identity and manage your account.
Process documents you upload through our AI-powered extraction feature.
Process payments and manage your subscription (through Paddle).
Communicate with you about your account, service updates, and support inquiries.
Improve and develop the Service.
Comply with legal obligations.

4. How Authentication Works

We use Firebase Authentication with Google Sign-In:

You click “Sign in with Google” and authenticate directly with Google in a secure popup or redirect.
Google issues an authentication token to Firebase. Firebase creates or retrieves your account using a unique User ID (UID).
Your Google password is never transmitted to or stored by our systems. We receive only your display name, email address, and profile photo URL.
Your session persists across browser sessions until you explicitly sign out.

There are no passwords, PINs, or passcodes stored in our system. All credential management is handled by Google and Firebase.

5. Data Isolation & Security

Your data is isolated from other users and protected through multiple layers:

Application layer: The app only reads and writes data under the authenticated user’s UID. The client-side code never constructs paths to other users’ data.
Database rules: Firestore Security Rules enforce that any client request can only access data within the path matching the authenticated user’s UID.
Storage rules: Firebase Storage Security Rules enforce the same UID-based access control for uploaded files.
Encryption in transit: All data transmitted between your browser and Firebase/Google Cloud is encrypted using TLS/SSL.
Encryption at rest: Firebase/Google Cloud encrypts stored data at rest using Google Cloud’s default encryption (AES-256).
Regular reviews: We conduct regular security reviews of our codebase and infrastructure.

No system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. You are responsible for maintaining the security of your Google account credentials.

6. Our Access to Your Data

We maintain a clear separation between subscription management data and your operational dispatch data:

What our admin tools access: Your email, plan tier, subscription status, and Paddle customer ID (stored in userProfiles). Used solely for subscription management and customer support.
What our admin tools do not access: Your dispatch data, driver information, load details, settlement records, uploaded documents, or any content stored in your users/{UID} document or Firebase Storage files.

Infrastructure-level access disclosure: As the operator of the Firebase/Google Cloud project, we have the technical capability to access all data stored in the project. This is inherent to all cloud-hosted services (including Google, Microsoft, Amazon, and every SaaS product). We commit to not exercising this access to your operational data except:

When compelled by valid legal process (court order, subpoena) under Serbian or applicable international law.
When investigating a credible, specific security incident affecting your account, with notification to you as soon as legally permitted.
When you specifically and explicitly request data recovery or technical support that requires accessing your data.

7. AI Document Processing

When you use the Magic Fill feature to extract data from uploaded documents:

Your document content is sent to Google’s Gemini API for real-time processing.
Google processes the document to extract structured data (origin, destination, revenue, dates, etc.) and returns the results to the Service.
Under the Gemini API’s paid tier terms, your input data is not used by Google to train or improve their models.
Document content is not stored by the AI service beyond the processing session.
The extracted data is stored as part of your log entry within your Firestore document.

AI extraction may produce errors. You are solely responsible for verifying all AI-populated data.

8. Third-Party Services

Service	Provider	Purpose	Data Shared
Firebase Auth	Google LLC	User sign-in and identity	Email, name, profile photo
Cloud Firestore	Google LLC	Data storage and sync	All business data you enter
Firebase Storage	Google LLC	Document file storage	Uploaded images and PDFs
Gemini API	Google LLC	AI document extraction	Document content for processing
Paddle	Paddle.com Market Ltd	Payment processing (MoR)	Email, name, payment details
Vercel	Vercel Inc.	App hosting, serverless functions	IP address, browser info (logs)
CookieYes	CookieYes Ltd	Cookie consent management	Consent preferences

Each third-party service operates under its own privacy policy. We do not sell, rent, or share your data with any third parties for marketing, advertising, or data brokering purposes.

9. Data Sharing

We do not sell, rent, or trade your personal information or business data to third parties. We may share your information only in the following circumstances:

Service providers: With the third-party services listed in Section 8, solely to provide and operate the Service.
Legal requirements: When required by law, regulation, legal process, or enforceable governmental request.
Protection of rights: When necessary to protect our rights, safety, or property, or the rights, safety, or property of our users or the public.
Business transfer: In connection with a merger, acquisition, or sale of assets, in which case your data would remain subject to this Privacy Policy.

10. Payment Information

We do not directly collect, store, or process credit card numbers or payment details. All payment processing is handled by Paddle, who acts as the Merchant of Record. Paddle collects and processes your payment information in accordance with PCI DSS standards and their own privacy policy.

We receive only transaction confirmation details (subscription status, plan type, billing dates) from Paddle.

11. Cookies & Local Storage

The Service uses:

Firebase Auth session tokens — essential for keeping you signed in.
localStorage — stores a backup copy of your data (excluding uploaded file binaries) for offline resilience and faster loading.
CookieYes consent banner — manages your cookie preferences.
Terms acceptance cookie (uts_tos_accepted) — remembers that you agreed to the Terms of Service (1 year duration).

We do not use advertising cookies, tracking pixels, or analytics cookies. For complete detail, see our Cookie & Storage Policy.

12. How We Store Your Data

Cloud Storage

Your account and business data is stored in Google Firebase (Cloud Firestore), hosted on Google Cloud Platform infrastructure. Data is stored as encrypted documents associated with your unique user account. Google Cloud data centers are primarily located in the United States.

Local Storage

If you use the Service in “local-only mode” (without signing in), your data is stored exclusively in your browser’s local storage and is not transmitted to our servers.

Optional Desktop Sync

If you enable local folder sync, a copy of your data is written to a folder you choose on your device using the File System Access API.

13. Data Retention & Deletion

We retain your data for as long as your account is active or as needed to provide the Service.

If you downgrade or cancel your subscription, your data is never deleted. Feature access is restricted, but all data remains intact.
To request complete deletion, email privacy@utslogistics.net.

Upon verified deletion request:

Active data (Firestore document, Firebase Storage files, subscription profile, Firebase Auth account) is deleted within 30 days.
Backup copies in Firebase/Google Cloud infrastructure are deleted within 90 days.
Anonymized, aggregated data (which cannot identify you) may be retained indefinitely for analytics purposes.

14. Your Rights

14.1 All Users

Access: All your data is visible to you within the app. You may also request a copy of the personal data we hold about you.
Export: The desktop folder sync feature writes your complete dataset as a JSON file to a local folder you control.
Correction: You can edit any data directly in the app.
Deletion: Delete individual records in the app, or request full account deletion via privacy@utslogistics.net.
Withdraw consent: Stop using the Service at any time. To revoke Google Sign-In access, visit your Google Account security settings.

14.2 EU/EEA Residents (GDPR)

If you are located in the European Union or European Economic Area, you have additional rights under the General Data Protection Regulation:

Legal basis: We process your data based on: (a) your consent (account creation), (b) contract performance (providing the Service), and (c) legitimate interests (service improvement, security).
Data portability: Receive your data in a structured, machine-readable format.
Restriction: Request restriction of processing in certain circumstances.
Objection: Object to processing based on legitimate interests.
Withdrawal of consent: Withdraw consent at any time by deleting your account.
Complaint: Lodge a complaint with your local data protection authority.

14.3 California Residents (CCPA)

If you are a California resident, you have the right to:

Know what personal information we collect and how it is used.
Request deletion of your personal information.
Opt out of the sale of personal information. Note: We do not sell personal information.
Non-discrimination for exercising your privacy rights.

15. International Data Transfers

Your data may be transferred to and processed in:

United States — where Google Cloud and Vercel infrastructure is located.
United Kingdom — where Paddle is headquartered.

These transfers are protected by:

Google’s Standard Contractual Clauses and Data Processing Terms.
Paddle’s compliance with applicable data protection regulations.
Vercel’s Data Processing Addendum.

16. Children’s Privacy

The Service is designed for business use and is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.

17. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. If we make material changes, we will notify you via the email associated with your account or through the Service at least 14 days before the changes take effect. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

18. Governing Law

This Privacy Policy is governed by the laws of the Republic of Serbia.

19. Contact

For privacy-related questions, data access requests, or to exercise your rights:

General support: support@utslogistics.net
Privacy & data requests: privacy@utslogistics.net
Dispatch inquiries: dispatch@utslogistics.net
Website: utslogistics.net