Privacy Policy
Back Office Agent by UC Bureau — Effective April 7, 2026
This Privacy Policy ("Policy") describes how UC Bureau ("we," "us," or "our") collects, uses, stores, and protects information when you use the UC Bureau Back Office Agent ("Service"). By using the Service, you consent to the practices described in this Policy.
1. Information We Collect
Account Information (Signup Fields): Company name, MC or USDOT number, email address, and phone number provided during registration.
Telegram Data: Telegram user ID, chat identifiers, and message content exchanged with the Service through the Telegram messaging interface.
Operational Data: Load and trip records, dispatch history, rate information, lane data, and routing details entered into or generated by the Service.
Financial Data: Invoices, expenses, settlement breakdowns, profit-and-loss data, and accounting records entered into or synced through the Service (including QuickBooks data).
ELD and Fleet Data: Electronic logging device telemetry, Hours of Service records, GPS location data, vehicle diagnostics, DVIR reports, and maintenance records synced from Motive, Samsara, or other ELD providers.
Compliance Documents: Driver qualification files, permits, insurance certificates, inspection reports, and regulatory documents uploaded to the Service.
Third-Party Credentials: API keys, OAuth tokens, and account credentials for integrated services (DAT, Truckstop, Motive, Samsara, QuickBooks) that you voluntarily provide.
Usage Data: Feature usage patterns, AI message counts, session timestamps, and interaction logs collected automatically.
2. How We Collect Information
We collect information through: (a) direct input from you during registration, onboarding, and ongoing use of the Service; (b) automated collection via system processes including AI agent interactions, compliance monitoring schedules, expiration alert checks, and Telegram bot interactions; and (c) third-party APIs — data retrieved from services you connect, including DAT, Truckstop, Motive, Samsara, QuickBooks, and FMCSA public databases.
3. How We Use Your Data
We use your information for: (a) service delivery — operating and maintaining the Service, processing your requests, and delivering AI agent responses; (b) AI processing — sending relevant context to large language models (currently OpenAI GPT-4o-mini) to generate real-time recommendations, analysis, and responses; (c) compliance monitoring — tracking regulatory deadlines, sending expiration alerts, and monitoring FMCSA status; (d) payment processing through Stripe; (e) communicating with you about your account and Service updates; and (f) improving the Service through aggregated, de-identified analytics.
We do not use your data to train AI models. Your data is processed by AI providers solely to generate real-time responses and is not retained by those providers after processing.
4. Data Storage and Security
Encryption: Third-party credentials (API keys, OAuth tokens) are encrypted at rest using Fernet symmetric encryption. Data in transit is encrypted via TLS 1.2 or higher.
Tenant Isolation: Each carrier account operates in a logically isolated tenant. Your data is accessible only through your authenticated account. No other carrier can access your data.
Infrastructure: Data is stored in PostgreSQL databases hosted on secure cloud infrastructure within the United States.
We implement commercially reasonable administrative, technical, and physical safeguards to protect your data. However, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security.
5. Third-Party Data Sharing
We do NOT sell your personal data. Your data is shared only with the following categories of service providers, solely as necessary to deliver the Service:
(a) Telegram FZ-LLC — messaging platform for delivering AI agent interactions; (b) OpenAI (GPT-4o-mini) — AI processing of your queries, with no data retention by OpenAI after processing; (c) Stripe, Inc. — payment processing, limited to billing information; (d) Brevo (Sendinblue) — transactional email delivery; (e) Vercel, Inc. — web application hosting and anonymous analytics; (f) Sentry — error monitoring and application performance (no personal data is intentionally sent to Sentry).
Your connected third-party integrations (DAT, Truckstop, Motive, Samsara, QuickBooks) receive only the data necessary to perform the integration functions you request. We may disclose information if required by law, regulation, or legal process.
6. Data Retention Schedule
| Data Category | Retention Period |
|---|---|
| Account information | Duration of active account + 90 days after termination |
| Operational data (loads, dispatch, trips) | Duration of active account + 90 days after termination |
| Financial and accounting data | Duration of active account + 90 days (or up to 7 years if required by tax law) |
| Third-party credentials (API keys, tokens) | Deleted immediately upon account termination or credential removal |
| AI conversation logs | 90 days rolling (oldest messages purged automatically) |
| Compliance documents | Duration of active account + 90 days after termination |
| Payment and billing records | Up to 7 years (tax and financial reporting requirements) |
| Usage analytics (aggregated) | Indefinite (anonymized, non-identifiable) |
| Telegram user IDs and chat metadata | Duration of active account + 90 days after termination |
7. Data Breach Notification
In the event of a data breach that affects your personal information or account data, UC Bureau will notify affected carriers within seventy-two (72) hours of confirming the breach. Notification will be sent via email to your registered address and will include: (a) the nature and scope of the breach; (b) the categories of data affected; (c) likely consequences; and (d) measures taken or proposed to address the breach.
Credential-Specific Protocol: If the breach involves third-party credentials (API keys, OAuth tokens, or account passwords) stored within the Service, the notification will also include specific instructions for immediate credential rotation. UC Bureau will revoke or invalidate compromised credentials where technically feasible.
8. Your Rights
You have the right to: (a) Access — request a copy of all data we hold about you; (b) Deletion — request deletion of your data (subject to legal retention requirements); (c) Correction — request correction of inaccurate or incomplete data; (d) Portability — receive your data in a standard machine-readable format (JSON or CSV) for transfer to another service.
To exercise any of these rights, email admin@ucbureau.com. We will acknowledge your request within ten (10) business days and provide a substantive response within forty-five (45) calendar days.
9. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). This section provides the required disclosures.
Categories of Personal Information Collected:
| CCPA Category | Examples Collected |
|---|---|
| A. Identifiers | Company name, email, MC/USDOT number, Telegram user ID |
| B. Personal information (Cal. Civ. Code 1798.80) | Company name, phone number, business address |
| D. Commercial information | Load history, invoices, rates, transaction records |
| F. Internet or network activity | Feature usage logs, session data, AI interaction history |
| G. Geolocation data | GPS coordinates from ELD integrations (Motive, Samsara) |
| H. Professional or employment information | Driver qualification files, CDL information, employment records |
| K. Inferences | AI-generated recommendations, lane analysis, rate predictions |
Sensitive Personal Information: GPS location data obtained through ELD integrations (Motive, Samsara) is considered sensitive personal information under the CPRA. This data is used solely for trip tracking and safety compliance features and is not sold or shared for cross-context behavioral advertising.
Right to Opt-Out of Sale/Sharing:We do not sell or share personal information for cross-context behavioral advertising. If this practice changes, we will provide a "Do Not Sell or Share My Personal Information" link and honor Global Privacy Control (GPC) signals.
Authorized Agent: You may designate an authorized agent to submit CCPA requests on your behalf. We may require the agent to provide proof of authorization and may verify your identity directly.
Response Timeline: We will acknowledge verifiable consumer requests within ten (10) business days and provide a substantive response within forty-five (45) calendar days of receipt. If additional time is needed, we will notify you of the extension and the reason (up to an additional 45 days). We will not discriminate against you for exercising your CCPA rights.
10. GDPR Notice (European Economic Area)
Jurisdictional Scope: While UC Bureau primarily serves motor carriers operating within the United States, if you access the Service from the European Economic Area (EEA), United Kingdom, or Switzerland, the General Data Protection Regulation (GDPR) and equivalent local laws may apply to our processing of your personal data.
Telegram User IDs: Telegram user IDs collected through the Telegram messaging interface are personal data under the GDPR. We process this data on the legal basis of contractual necessity (Article 6(1)(b) GDPR) to provide the Service.
Right to Erasure: You may request erasure of your personal data under Article 17 of the GDPR. Upon a valid erasure request, we will delete your personal data within thirty (30) calendar days, except where retention is required by law or necessary for the establishment, exercise, or defense of legal claims.
Data Transfers: Your data is stored and processed in the United States. If you are located in the EEA, data transfers to the United States are conducted pursuant to Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms recognized under the GDPR.
Additional GDPR Rights: In addition to the rights listed in Section 8, EEA residents have the right to: restrict processing, object to processing, lodge a complaint with a supervisory authority, and withdraw consent (where processing is based on consent).
11. Additional State Privacy Rights
Residents of Colorado (Colorado Privacy Act), Connecticut (Connecticut Data Privacy Act), Virginia (Virginia Consumer Data Protection Act), Utah (Utah Consumer Privacy Act), Texas (Texas Data Privacy and Security Act), Oregon (Oregon Consumer Privacy Act), Montana (Montana Consumer Data Privacy Act), and other states with comprehensive privacy legislation may have additional rights, including the right to access, correct, delete, and obtain a copy of personal data, as well as the right to opt out of targeted advertising and profiling. To exercise these rights, email admin@ucbureau.com. We will process your request in accordance with the applicable state law.
12. AI Processing Disclosure
The Service uses OpenAI GPT-4o-mini to process your queries and data in real time. When you interact with an AI agent, relevant context from your account (such as load details, compliance status, financial records, or ELD data) may be included in the prompt sent to OpenAI.
Your data is NOT used to train AI models. OpenAI processes your data in real time and does not retain it after generating a response, in accordance with our data processing agreement with OpenAI. UC Bureau does not fine-tune, train, or otherwise use your carrier data to develop or improve AI models.
13. Cookies and Analytics
The web application uses Vercel Analytics, which collects anonymous, privacy-focused usage metrics. Vercel Analytics does not use cookies, does not track users across sites, and does not collect personally identifiable information. We do not use third-party advertising trackers, remarketing pixels, or cross-site tracking technologies.
14. Children's Privacy
The Service is not directed to individuals under eighteen (18) years of age. We do not knowingly collect personal information from anyone under 18. If we become aware that we have collected information from a person under 18, we will delete that information promptly.
15. Changes to This Policy
We may update this Policy from time to time. We will notify you of material changes by sending notice to your registered email address at least thirty (30) days before the changes take effect. The updated Policy will also be posted on this page with a revised effective date. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
16. Contact
For questions or concerns about this Privacy Policy, contact us at admin@ucbureau.com.