Privacy Policy

1. Introduction & Scope

This Privacy Policy explains how Avi Technologies Inc. ("Avi Technologies", "we") collects, uses, shares, and protects personal information processed through FleetForge. It applies to all visitors and authorized users of FleetForge, regardless of geography.

Where Avi Technologies acts as a data processor on behalf of a Client (i.e., the company licensing FleetForge), that Client is the data controller. Our processing of personal data on behalf of Clients is governed by the Data Processing Agreement, which supplements this Policy.

If you are an employee, contractor, driver, or customer of a Client using FleetForge, please direct questions about your data first to that Client (the controller). Avi Technologies will assist Clients in fulfilling data subject requests.

2. Information We Collect

2.1 Account & Identity Data

Name, email address, role, employer (Client), preferred theme/density settings, and timestamps of account creation and last login.

2.2 Fleet Operations Data

Equipment unit numbers, makes, models, VINs, registration and inspection records, lease contracts and snapshots, customer records, reservation and pickup data, mileage logs, work orders, and inspection reports.

2.3 Financial Data

Invoices, payment records, credit notes, rate cards, and outstanding balances. Payment card details are never stored by Avi Technologies; if a payment processor integration is enabled, card data is tokenized by that processor.

2.4 GPS & Telematics Data (when integration is enabled)

Vehicle location, speed, odometer readings, ignition state, fuel level, and engine diagnostics — pulled at intervals from third-party telematics providers (e.g. Samsara) at the Client's direction.

2.5 Usage Data

Login events, audit logs of state changes, feature usage statistics, and search queries within the application.

2.6 Communications

Support emails, in-app chat messages, and email templates you send through FleetForge to your customers.

2.7 Device & Technical Data

IP address, browser user agent, session token, and timestamps of requests. Used for security and audit purposes; not used for advertising or cross-site tracking.

3. How We Use Your Information

• Service delivery: operating FleetForge, fulfilling Client agreements, providing customer support
• Billing & payment processing: generating invoices, processing payments to Avi Technologies, applying late fees
• Security & fraud prevention: account lockout, rate limiting, anomaly detection, audit logging
• Compliance with legal obligations: tax records, CRA-required invoice retention (7 years), responding to lawful requests
• Product improvement: aggregated and anonymized analytics about feature usage
• Communications: service announcements, security notices, billing notifications

We do not sell personal information, do not use it for advertising, and do not resell individual-level data to third parties under any circumstance.

4. Legal Basis for Processing

We process personal information on the following legal bases under PIPEDA, BC PIPA, and (where applicable) GDPR Article 6:

• Contractual necessity — to perform our agreement with the Client and provide FleetForge
• Legitimate interests — to secure the platform, prevent fraud, and improve the service, where those interests are not overridden by your privacy rights
• Legal obligation — to comply with Canadian tax, financial, and transportation regulations
• Consent — for any processing where consent is the only available basis (rare in B2B context; typically captured by the Client from its end users)

5. GPS & Telematics Data

FleetForge integrates with third-party telematics providers (e.g. Samsara) at Client direction. When such integration is enabled, vehicle location, speed, odometer, and diagnostic data flow into FleetForge for fleet management purposes.

5.1 Client Responsibilities

The Client is responsible for ensuring that:

• Drivers and employees are informed of telematics monitoring (a BC PIPA requirement)
• Collection is reasonable and limited to business purposes
• Any applicable collective agreements or employment contracts are respected

5.2 Retention & Use

Active GPS data is retained for 90 days; archived telematics data may be retained up to 1 year for trend analysis. Avi Technologies does not sell location data, share it with advertisers, or use it for any purpose other than providing FleetForge to the Client.

6. How We Share Information

6.1 With Authorized Users

Within the Client's account, personal information is visible to other Authorized Users according to the role-based permissions configured by the Client's administrator.

6.2 Service Providers (Sub-processors)

We rely on a small number of trusted infrastructure providers:

• Amazon Web Services (AWS) — application hosting, database, file storage. Data residency in Canada (ca-central-1) and the United States.
• Samsara, Inc. — telematics data (only when Client enables the integration)
• Anthropic PBC — AI inference for the AI assistant feature, when enabled. Prompts and responses are processed under Anthropic's zero-retention enterprise terms.
• Sentry — error monitoring. Stack traces and user identifiers may be transmitted; PII is scrubbed before transmission where feasible.
• Amazon Simple Email Service (SES) — transactional email delivery

Each sub-processor is bound by contractual obligations equivalent to the protections in this Policy and the DPA.

6.3 Legal Requirements

We may disclose personal information when required by a valid court order, subpoena, or regulatory request. We will notify the Client where lawfully permitted and contest overbroad requests.

6.4 Business Transfers

If Avi Technologies is involved in a merger, acquisition, or sale of assets, personal information may transfer to the acquiring entity, subject to commercially reasonable confidentiality protections and prior notice to Clients.

6.5 Aggregated & De-Identified Data

We may share aggregated or de-identified statistics that cannot reasonably be used to identify any individual.

7. Data Retention

After the applicable retention period, personal information is deleted or irreversibly anonymized.

8. Data Security

We implement administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, or destruction:

• Encryption at rest (AES-256) and in transit (TLS 1.2+)
• Role-based access controls and authentication (bcrypt password hashing, secure session cookies)
• Audit logging of every state-changing action
• Rate limiting on login and API endpoints; automatic account lockout after 5 failed login attempts
• Employee access on a need-to-know basis with periodic review
• Vulnerability scanning and patch management
• 72-hour breach notification to Clients per PIPEDA obligations

No system is perfectly secure. If we become aware of a breach affecting your personal information, we will notify the relevant Client (controller) without undue delay and assist with downstream notifications.

9. Your Rights

Subject to applicable law (PIPEDA, BC PIPA, GDPR), you have the following rights with respect to your personal information:

• Right of access — request a copy of the personal information we hold about you
• Right to correction — request that we correct inaccurate or incomplete information
• Right to withdraw consent — where processing relies on your consent
• Right to data portability — receive a machine-readable copy of your personal information
• Right to deletion / erasure — request deletion, subject to legal retention requirements
• Right to object — to processing based on legitimate interests
• Right to lodge a complaint — with the Office of the Privacy Commissioner of Canada, the BC Office of the Information & Privacy Commissioner, or your local supervisory authority

To exercise these rights, email privacy@avitechnologies.ca. We will respond within 30 days. If you are an end user of a Client's FleetForge deployment, please contact the Client first; we will support the Client in responding to your request.

10. Cookies & Tracking

FleetForge uses only the cookies strictly necessary to operate the service:

• ff_session — authentication session (expires on browser close or after 8 hours of inactivity)
• ff_remember — 30-day persistent login when the user selects "Keep me signed in"
• csrf_token — CSRF protection on state-changing requests

We do not use advertising cookies, third-party analytics (no Google Analytics, no Mixpanel), or cross-site tracking. Theme and display preferences are stored in your browser's localStorage — never transmitted to our servers.

See the Cookie Policy for full details.

11. Children's Privacy

FleetForge is a B2B fleet management product not directed at individuals under 18. We do not knowingly collect personal information from minors. If we become aware that we have collected personal information from a minor without verifiable parental or guardian consent, we will delete it promptly.

12. International Transfers

FleetForge data is stored on Amazon Web Services infrastructure in Canada (ca-central-1) and the United States (us-east-1 / us-west-2). Transfers to the United States are governed by the US/Canada commercial relationship and, where applicable to EU data subjects, by appropriate safeguards such as the Standard Contractual Clauses (SCCs) adopted by the European Commission.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to Clients via email at least 30 days before they take effect. The current version is always available at this URL and dated at the top.

14. Privacy Officer & Contact

Privacy Officer — Avi Technologies Inc.
Email: privacy@avitechnologies.ca

For security disclosures: security@avitechnologies.ca

Mailing address: Surrey, British Columbia, Canada

Office of the Privacy Commissioner of Canada — priv.gc.ca
BC Office of the Information & Privacy Commissioner — oipc.bc.ca