1. Introduction

This Privacy Policy describes how our Bus Management System ("we," "us," "our," or "Company") collects, uses, discloses, and otherwise processes personal information in connection with our web-based transportation management platform and related services (collectively, the "Service").

2. Information We Collect

2.1 Personal Information Provided by Users

We collect personal information that you provide directly to us, including:

• Account Information: Username, password, email address, full name, phone number, and user role/permissions
• Employee Information: Employment records, phone extensions, location assignments, and staff credentials
• Student Information: Student names, ages, enrollment status, grade levels, and emergency contact information
• Family Information: Parent/guardian names, contact information, email addresses, and relationship to students
• Customer Information: Billing addresses, payment methods, account numbers, and billing history
• Location Data: School locations, bus stops, home addresses, and GPS coordinates
• Driver Information: Driver names, license information, vehicle assignments, and dispatch preferences

2.2 Information Collected Automatically

• GPS and Tracking Data: Real-time bus location coordinates, route data, travel times, and arrival/departure information
• Surveillance Data: Video recordings from buses and facilities (if applicable)
• Device Information: Device type, operating system, browser type, IP address, and device identifiers
• Usage Data: Pages visited, features used, clicks, search queries, and time spent on the Service
• Communication Data: Phone call logs, phone system records, and message timestamps
• Audit Logs: User actions, system changes, and data modifications for compliance and security

2.3 Third-Party Information

We may receive information about you from third parties, including:

• School districts and educational institutions
• Parent and family information providers
• Payment processors and billing services
• Compliance and background check services

3. How We Use Your Information

We use the information we collect for various purposes, including:

• Service Delivery: Operating and maintaining bus routes, schedules, and transportation services
• Route Management: Planning, optimizing, and dispatching bus routes using GPS tracking data
• Student Enrollment & Management: Processing enrollments, managing student records, and coordinating transportation
• Billing and Payments: Processing charges, generating invoices, and managing customer accounts
• Staff Administration: Managing employee records, access control, phone extensions, and location assignments
• Compliance: Meeting regulatory requirements, maintaining audit trails, and ensuring legal compliance
• Safety and Security: Preventing fraud, monitoring illegal activity, surveillance, and protecting physical safety
• Communication: Sending service updates, notifications, alerts, and customer support messages
• Analytics: Analyzing usage patterns, improving service efficiency, and system optimization
• Personnel Management: Evaluating driver performance, dispatch visibility, and operational efficiency

4. How We Share Your Information

We may share your information in the following circumstances:

4.1 Service Providers

We share information with third parties who provide services on our behalf, including:

• Cisco UCM/Phone System Providers (for communication services)
• GPS and Radio Communication Services (Kirisun GPS tracking)
• Google Maps API providers (for route mapping)
• Payment processors and billing services
• Cloud storage and hosting providers
• Error tracking services (Sentry)
• Email and notification services

4.2 Legal Requirements

We may disclose your information when required by law, court order, or government request, including for:

• Compliance with subpoenas and legal process
• Investigation of fraud or security issues
• Protection of legal rights and safety
• Regulatory and governmental authorities

4.3 Multi-Tenant Environments

Our Service operates in a multi-tenant architecture where each organization's data is isolated. Information is strictly limited to your organization's tenant and authorized users within that tenant.

4.4 Other Disclosures

We do not sell your personal information to third parties for marketing purposes. However, we may share aggregated, anonymized data for analytics and service improvement.

5. Data Retention

• Account Information: Retained as long as your account is active and for 2 years after account closure for legal compliance
• GPS and Tracking Data: Retained for operational and compliance purposes; historical data archived after 90 days
• Billing Records: Retained for 7 years in accordance with tax and accounting regulations
• Audit Logs: Retained for 2 years for security and compliance purposes
• Surveillance Data: Retained according to applicable state and local regulations
• Communication Records: Retained for business record purposes as required by telecommunications laws

You may request deletion of certain data subject to legal and operational requirements.

6. Security Measures

We implement comprehensive security measures to protect your personal information:

• Encryption of data in transit (TLS/SSL) and at rest
• Secure password requirements and authentication mechanisms
• Role-based access control and permission management
• Multi-tenant data isolation and segregation
• Regular security audits and vulnerability assessments
• Firewall protection and intrusion detection systems
• Audit logging of all data access and modifications
• Regular security training for staff
• Incident response procedures

However, no security system is impenetrable. We cannot guarantee absolute security of your information.

7. Your Privacy Rights

7.1 Access and Correction

You have the right to access and correct your personal information. You may update your account information directly through the Service.

7.2 Data Deletion

You may request deletion of your personal information, subject to legal, operational, and contractual requirements. Some information may be retained for compliance purposes.

7.3 Opt-Out Options

You may opt out of non-essential communications by modifying your notification preferences in your account settings.

7.4 Portability

You may request a copy of your personal information in a portable format.

7.5 State-Specific Rights

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, or other jurisdictions with privacy laws, you may have additional rights under those laws. Please contact us to exercise your rights.

8. Cookies and Tracking Technologies

We use cookies, web beacons, and similar tracking technologies to:

• Maintain user sessions and authentication
• Remember user preferences
• Analyze usage patterns and improve the Service
• Prevent fraud and enhance security

You can control cookie settings through your browser preferences, though some features may not function properly if cookies are disabled.

9. Children's Privacy

Our Service is used by schools and organizations to manage transportation for minors. While student data is collected as necessary for educational and safety purposes, we:

• Collect only information necessary for service delivery
• Limit access to authorized school personnel and parents/guardians
• Comply with FERPA (Family Educational Rights and Privacy Act) requirements
• Do not use student information for marketing purposes
• Implement additional safeguards for student data

Parents/guardians have the right to access, review, and request deletion of their child's information.

10. Third-Party Links and Services

Our Service may contain links to third-party websites and services. This Privacy Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review their privacy policies.

11. International Data Transfers

Your information may be transferred to, stored in, and processed in countries other than your country of residence. These countries may have data protection laws that differ from your home country. By using our Service, you consent to such transfers.

12. CCPA Compliance (California Residents)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):

• Right to Know: You may request what personal information we collect, use, and disclose
• Right to Delete: You may request deletion of personal information (subject to certain exceptions)
• Right to Opt-Out: You may opt out of the sale or sharing of your personal information
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

To exercise these rights, contact us using the information below.

13. GDPR Compliance (EU Residents)

If you are located in the European Union, we process your data in accordance with the General Data Protection Regulation (GDPR):

• Legal Basis: Processing is based on contract performance, legal compliance, legitimate business interests, and consent
• Data Rights: You have the right to access, correct, delete, and port your data
• Right to Object: You may object to certain types of processing
• Data Protection Officer: Contact our DPO with privacy concerns

14. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by posting the updated policy on our website and updating the "Last Updated" date. Your continued use of the Service after such modifications constitutes your acceptance of the updated Privacy Policy.

15. Contact Us

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or need to report a privacy concern, please contact us:

16. Additional State-Specific Disclosures

16.1 Virginia (VCDPA)

Virginia residents have the right to know, delete, correct, and port personal information, and to opt out of targeted advertising. These rights are subject to certain exceptions.

16.2 Colorado (CPA)

Colorado residents have the right to know what information is collected, delete personal data, correct inaccuracies, and opt out of certain processing. We do not sell personal information.

16.3 Connecticut (CTDPA)

Connecticut residents have the right to access, delete, correct, and port personal information, and to opt out of targeted advertising and profiling.

16.4 Utah (UCPA)

Utah residents have the right to know, delete, correct, and opt out of certain types of personal data processing.