Skip to main content
X3 Compass
Sign in★ Start free →
LEGAL · PRIVACY POLICY

Privacy Policy

Effective date: To be set on counsel sign-off · Last updated: June 3, 2026 · Version 0.9 (counsel review draft)

Phase 1 / Counsel review draft.This Privacy Policy describes the data practices X3 intends to operate under once counsel-reviewed and live. Carriers using the platform before the effective date are protected by these practices as described below; any subsequent counsel-driven changes take effect on 30 days' notice.

CONTENTS
  1. 1. Scope & Roles
  2. 2. What We Collect
  3. 3. How We Use It
  4. 4. Who We Share With
  5. 5. FCRA-Covered Records
  6. 6. DOT Compliance Records
  7. 7. Retention & Destruction
  8. 8. Security
  9. 9. Your Rights
  10. 10. Children
  11. 11. Changes to this Policy
  12. 12. SMS Communications
  13. 13. Contact

1. Scope & Roles

This Privacy Policy explains how X3 Fleet Safety, LLC (operator of X3 Compass — "X3 Compass," "X3," "we") handles personal information when motor carriers and their personnel use the X3 Compass platform (the "Service"). It applies to information we collect at x3compass.com, app.x3compass.com, and any X3 Compass mobile or driver applications.

Roles. When a motor carrier subscribes to X3 Compass and uploads records about its drivers, vehicles, or operations:

  • The motor carrier ("Customer") is the data controller (or, in California, the "business"). The carrier decides what records to collect, what to do with them, and how long to keep them within applicable legal retention rules.
  • X3 is the data processor (or, in California, the "service provider"). We process records only on the carrier's behalf, per our Terms of Service.

Drivers and other carrier personnel whose records appear in the Service should direct privacy questions and access/deletion requests to their carrier-employer first. X3 will support whatever response the carrier instructs us to make.

2. What We Collect

We collect three categories of information:

2.1 Information Customer (the carrier) provides directly

  • Carrier identity: legal name, DBA, USDOT number, MC number, EIN, business address, principals.
  • Personnel records: driver names, dates of birth, contact information, CDL numbers, license states, hire/termination dates, employment history, references.
  • Compliance records: driver qualification files (medical certs, applications, road tests, MVRs), drug and alcohol test results, hours-of-service logs, DVIRs, accident reports, inspection reports, training records.
  • Vehicle records: VIN, license plate, registration, inspection history, maintenance records.
  • Operational data: trip-mileage exports, fuel-card statements, IFTA filing data, CSA snapshots.

2.2 Information we collect automatically

  • Account & usage data: login timestamps, IP addresses, browser type, pages visited, features used, error events.
  • Device data: operating system, device type for mobile applications.
  • Cookies and similar technologies: session cookies and a small number of authentication cookies. We do not use third-party advertising cookies.

2.3 Information from third-party services (only when Customer authorizes)

  • FMCSA SAFER snapshots (public).
  • Background check, MVR, and drug-test results from partner networks (Checkr, Health Street, future MVR partners).
  • ELD telematics data (Samsara, Motive, Geotab) when Customer connects an account.
  • Fuel-card transaction data (WEX, Comdata, EFS) when Customer connects an account.
  • Payment and billing data via our payment processor (Stripe). We never store full card numbers.

3. How We Use It

We use information to:

  • Operate and maintain the Service for Customer's benefit.
  • Authenticate users and authorize access at the carrier and role level.
  • Generate reports, summaries, and outputs at Customer's request.
  • Send compliance reminders (driver document expirations, MVR refreshes, IFTA deadlines, CSA snapshot reminders) on Customer's behalf.
  • Diagnose and fix bugs, monitor for fraud and security incidents, prevent abuse.
  • Improve the Service in aggregated, anonymized ways that cannot be traced to a specific carrier or person.
  • Comply with legal obligations and respond to legitimate legal process.

We do not sell personal information. We do not share personal information with advertisers. We do not use Customer Data to train any artificial intelligence model except where the Customer has explicitly opted in to features that require it (and even then, only on Customer's own data, not pooled across customers).

4. Who We Share With

We share personal information only with:

  • Service providers who power the platform: Supabase (database, authentication, file storage), Cloudflare (content delivery, hosting), Stripe (payments), Resend (transactional email), Twilio (text messaging when enabled), Sentry (error tracking), Anthropic (AI fallback parsing for unstructured uploads). Each has a published Data Processing Addendum and is bound to use data only for the purposes we specify.
  • Partner networks when Customer enables an add-on: Checkr (background checks), Health Street (drug & alcohol testing), and future MVR / IFTA partners. Data flows are limited to what's needed for the requested service.
  • Carrier-authorized recipients: when Customer asks us to send a record to a third party (e.g., an insurer doing a fleet review, an auditor, an attorney), we follow Customer's instructions.
  • Successors in interest in the event of a merger, acquisition, or sale of substantially all assets — with notice to Customer and continued protection equivalent to this Policy.
  • Government and law enforcement when legally required (subpoena, court order, valid warrant). We notify Customer where legally permitted.

5. FCRA-Covered Records

Background checks, MVRs, and certain investigative reports may be governed by the federal Fair Credit Reporting Act (FCRA). When the Service handles FCRA-covered records on Customer's behalf:

  • Customer is the "user" of the consumer report under FCRA. Customer is responsible for permissible-purpose certification, applicant disclosure, written authorization, pre-adverse-action notice, and adverse-action notice when applicable.
  • X3 is a conduit and recordkeeping aid; X3 is not a consumer reporting agency, does not furnish reports to third parties, and does not assemble investigative consumer reports.
  • Partner networks (Checkr, future MVR providers) are the consumer reporting agencies under FCRA; their CRA-level obligations remain with them.

If a driver disputes the accuracy of a record, the dispute should be made to the originating CRA (e.g., Checkr) per FCRA's dispute process. X3 will assist by surfacing the record and the originating CRA contact.

6. DOT Compliance Records

DOT compliance records have layered obligations beyond ordinary privacy law. Some records (DQF contents, drug-test records, hours-of-service) have regulatory minimum retention windowsthat override ordinary deletion requests. Our Data Retention & Destruction Policy details the windows. In summary:

Record classRegulationMinimum retention
DQF contents49 CFR § 391.513 years post-termination
MVR pulls§ 391.513 years
D&A test (negative)§ 382.4011 year
D&A test (positive/refusal)§ 382.4015 years
Hours-of-service / RODS§ 395.86 months
DVIR§ 396.1190 days
IFTA mileage + fuelIFTA Articles § P5604 years

X3 retains records for the regulatory minimum plus a 1-year safety buffer.

7. Retention & Destruction

We retain Customer Data for as long as Customer's account is active, plus the regulatory retention windows above for DOT-covered records, plus up to 90 days for backups to age out. Audit logs are retained for 7 years to support our own compliance and audit defense.

8. Security

We protect personal information using administrative, physical, and technical safeguards including encryption at rest and in transit, role-based access controls, row-level security for tenant isolation, audit logging, and regular security reviews. Despite these measures, no system is impervious; if we discover unauthorized access to your data, we will notify Customer (the data controller) within 72 hours of confirmation, per our Incident Response Policy.

9. Your Rights

Depending on where you live, you may have rights to access, correct, delete, port, or restrict the processing of personal information about you. Under California's CCPA / CPRA, residents have the right to know what data we hold, request deletion, request correction, and opt out of "sale" or "sharing" (we do neither).

Because X3 is a data processor for carrier customers, individual rights requests should typically be directed to the carrier-controller first. If a carrier instructs us to access, export, correct, or delete a record, we will do so unless prevented by regulatory retention obligations. If you are unable to reach the carrier or believe the carrier is not responding, contact [email protected] and we will route your request appropriately.

10. Children

The Service is not directed at children under 16, and we do not knowingly collect personal information from children. Commercial driver licensure requires drivers to be 18+ (interstate) or 21+ for many operations, so the Service inherently does not contemplate child users.

11. Changes to this Policy

We may update this Privacy Policy. Material changes will be communicated to Customer by email and an in-app banner with at least 30 days' notice before they take effect. The "Last updated" date at the top reflects the most recent revision.

12. SMS Communications

If a user provides a mobile phone number and checks the SMS consent checkbox during account signup, X3 Compass may send operational SMS messages to that number. SMS messages are transactional and operational only — we never use SMS for marketing, promotions, or solicitation.

Message types include:

  • Subscription renewal and billing notifications
  • Driver qualification file (DQF) expiry alerts
  • Motor Vehicle Report (MVR) renewal notices
  • Drug and alcohol random-selection notifications
  • Drug & Alcohol Clearinghouse query results
  • Background check completion notices
  • Account security alerts (new sign-in, password reset)
  • Other DOT compliance and account notifications

Frequency. Approximately 2–5 messages per user per month, depending on the number of drivers managed and pending compliance events.

Consent. Explicit, opt-in only. Users must check an unchecked-by-default consent checkbox on the signup page at app.x3compass.com/signup. Consent is logged in our database with timestamp, IP address, user agent, and a hash of the exact text the user agreed to. Consent records are retained for 4 years per FCC TCPA requirements.

Opt-out. Users can opt out at any time by replying STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, or QUIT to any message. The system processes opt-outs within 30 seconds and sends a single confirmation message. To resubscribe, reply START. Users may also opt out by emailing [email protected].

Help. Reply HELP for support, or email [email protected].

Costs. Message and data rates may apply depending on your mobile carrier and plan. X3 Compass does not charge for SMS messages.

Mobile information sharing. Mobile information (including phone numbers and SMS consent data) will not be shared with third parties or affiliates for marketing or promotional purposes. We share SMS delivery data only with our SMS service provider (Twilio) as a sub-processor strictly to deliver messages on our behalf.

Carrier disclaimer. Mobile carriers are not liable for delayed or undelivered messages. Service availability depends on your carrier and signal coverage.

13. Contact

Privacy questions: [email protected] (subject line: "Privacy"). Postal address available on request to that email.

© 2026 X3 Fleet Safety, LLC · operating X3 CompassTerms of Service · Legal Index · Back to app