Data Processing Agreement
Last updated: April 30, 2026. This DPA forms part of the Terms of Service between Haul Sharp LLC ("Processor", "HaulSharp", "we") and the Customer ("Controller", "you") who has agreed to those Terms.
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed under the Terms.
- "Processing" has the meaning given in applicable data protection law (any operation performed on Personal Data — collection, storage, retrieval, deletion, etc.).
- "Controller" means you — the Customer who decides why and how Personal Data is processed.
- "Processor" means HaulSharp — we process Personal Data on your behalf, on your instructions.
- "Subprocessor" means a third party engaged by HaulSharp to assist in providing the service.
- "Applicable Law" means any data protection law applicable to the parties — including the California Consumer Privacy Act (CCPA), the Oregon Consumer Privacy Act, the EU/UK GDPR (where relevant via the EU SCCs), and analogous state and federal laws in the United States.
2. Roles and scope
You are the Controller of any Personal Data you upload to or generate within HaulSharp — including names, contact details, employment records, and operational data of your drivers, dispatchers, customers, and other contacts. We are the Processor and process this data on your documented instructions only.
This DPA applies for the duration of your active subscription and any wind-down period afterward.
3. Categories of data we process for you
| Category | Typical fields | Data subjects |
|---|---|---|
| Account / identity | Name, email, phone, role | Your staff (admins, dispatchers, mechanics, drivers) |
| Driver records | Name, license #, medical-card dates, DQ documents, employment dates | Your drivers |
| Customer / contact | Company name, contact name, email, phone, address | Your customers and their employees |
| Operational | Loads, dispatches, inspections, time records, repair logs, GPS-derived locations (when you choose to capture them) | Your staff and drivers |
| Financial | Invoice line items, payroll calculations, payment timestamps | Your staff, customers, drivers |
We do not knowingly process special-category data (race, ethnicity, religion, biometrics, health beyond DOT-required medical-card status, etc.). Don't upload such data to HaulSharp without first contacting us — we may not be the right tool for that workload.
4. Our obligations as Processor
- Process Personal Data only on your documented instructions, including the instructions implied by your use of the service. If law requires us to process beyond your instructions, we'll notify you first unless the law prohibits notice.
- Apply the security measures described in our Security page — encryption in transit and at rest, role-gated APIs, row-level tenant isolation, audit logs, and access controls scoped to staff who need them.
- Ensure that any personnel with access to Personal Data are bound by confidentiality.
- Engage Subprocessors only as listed in Section 7, and impose contractual obligations no less protective than this DPA.
- Assist you, at your reasonable request, in responding to data-subject requests (access, correction, deletion, portability) and in conducting data-protection impact assessments where required.
- Notify you without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting your data, including details required by Applicable Law.
5. Your obligations as Controller
- You are responsible for ensuring you have a lawful basis to upload and process Personal Data through HaulSharp — including any required notices to drivers, employees, or customers.
- You will not upload Personal Data unless you are entitled to do so.
- You will configure HaulSharp settings (roles, permissions, integrations) appropriately for your use case.
- You will respond to data-subject requests directed to you. We'll help where the data lives in HaulSharp.
6. Data-subject rights and law-enforcement requests
If a data subject (one of your drivers, customers, etc.) contacts us directly with a request to access, correct, delete, or restrict their Personal Data, we'll forward that request to you and not act unilaterally — you are the Controller and the proper recipient.
If a government authority compels disclosure of your Personal Data, we'll attempt to redirect the authority to you, and where lawfully able, notify you so you can seek a protective order.
7. Subprocessors
We use the following Subprocessors to deliver the service. Each is contractually obligated to apply protections at least as protective as this DPA.
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database (Postgres), authentication, file storage, Edge Functions | United States (AWS us-west-2) |
| Stripe, Inc. | Subscription billing and payment processing | United States |
| Anthropic, PBC | AI inference for the Roy assistant. Anthropic does not retain or train on this data per their commercial API terms. | United States |
| Twilio, Inc. (SendGrid) | Transactional email delivery | United States |
| Cloudflare, Inc. | Content delivery network and DDoS protection | Global edge |
| Netlify, Inc. | Static site hosting | United States |
We will notify you by email at least 30 days before engaging any new Subprocessor that processes your Personal Data. You may object to the change by emailing hello@haulsharp.com within that period. If we cannot reasonably accommodate the objection, you may terminate the affected portion of the service for a pro-rata refund of any pre-paid fees.
8. International data transfers
HaulSharp is operated from the United States and your Personal Data is processed in the United States. If you are based outside the United States and Applicable Law requires a transfer mechanism, the parties agree that the EU Standard Contractual Clauses (Module Two: Controller-to-Processor, 2021/914/EU), and the UK International Data Transfer Addendum where applicable, are incorporated by reference into this DPA. Where a transfer mechanism is required, the parties will execute a counter-signed addendum on request.
9. Security measures
HaulSharp implements technical and organizational measures appropriate to the risk, including those described in our Security page. We update these measures over time and you can request the current version at any time. We do not weaken protections without notice.
10. Audits
You may, no more than once per twelve-month period and at your cost, request reasonable information sufficient to verify our compliance with this DPA. We will respond to a written request within 30 days. Where you require an on-site audit, the parties will agree the scope, timing, and commercial terms in advance. On-site audits during business hours, with reasonable notice, will not be unreasonably refused for Customers on the Scale or Enterprise plan.
11. Deletion and return of data
On termination of your subscription:
- You can export your data as CSV from within the app at any time during the subscription term and during the 30-day post-termination grace period.
- After the grace period, we will delete or de-identify your Personal Data within a further 30 days, except where retention is required by law (e.g., financial records required by tax authorities).
- We do not retain backups beyond their normal rotation (30 days). Personal Data in expired backups is rendered inaccessible and deleted in the ordinary course of backup expiry.
12. Liability
Each party's liability arising out of or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Terms of Service. Nothing in this DPA limits liability that cannot be limited by Applicable Law.
13. Conflicts
If there is a conflict between this DPA and the Terms of Service with respect to the processing of Personal Data, this DPA controls. If there is a conflict between this DPA and the EU SCCs (where they apply), the SCCs control.
14. Changes
We may update this DPA from time to time. Material changes that reduce protections will be communicated by email at least 30 days in advance. Continued use of the service after the effective date constitutes acceptance.
15. Contact
Haul Sharp LLC
Bend, Oregon, United States
hello@haulsharp.com
541-550-1275