Privacy Policy

Account data: your email address and a password (stored as a hash by our authentication provider).

Compliance data you enter: facility names and addresses, tank and equipment details, inspection results and notes, photos you upload, corrective actions, and the names of designated operators and trainers you record. Some of this may identify individuals (for example, an operator's name on a training record or the signature name on an inspection).

Billing data: your subscription status and billing identifiers. Card numbers are collected and stored by Stripe, our payment processor — they never touch our servers.

Technical data: server logs (IP address, timestamps, requests) kept for security and reliability, and the cookies described below.

To provide the Service (generate your schedule, store your records, produce exports), to send service emails (account verification, compliance reminders and digests, billing notices), to bill you, to secure and debug the Service, and to comply with our own legal obligations. The legal bases under EU law are performance of our contract with you, our legitimate interest in running and securing the Service, and legal obligation.

We do not sell personal data, we do not use your data for advertising, and we do not use your compliance records for anything except providing the Service to you.

The Service uses only the cookies needed to keep you signed in (authentication session cookies). There are no advertising or cross-site tracking cookies.

We use a small set of service providers (subprocessors) to run the Service:

• Supabase — database, authentication, and file storage (your records and photos).
• Vercel — application hosting.
• Stripe — payment processing.
• Resend — transactional email delivery.

These providers process data in the United States and other countries. Where EU data protection law applies to a transfer, we rely on the providers' standard contractual clauses and equivalent safeguards. We will update this list if it changes.

The Service is record-keeping software, and regulated UST records carry retention requirements — so compliance records are kept for as long as your account exists, and completed inspection records are immutable by design (they cannot be edited or deleted through the Service). If you cancel, your records remain available read-only for export.

If you ask us to delete your account, we delete your account data and the compliance records it contains, except where we must retain information for our own legal obligations (for example, invoicing records). Before requesting deletion, export anything you are required to retain — deletion is permanent, and the retention duty for UST records stays with you, not us.

Subject to applicable law, you can request access to, correction of, deletion of, or a portable copy of your personal data, and you can object to or ask us to restrict certain processing. EU residents may also lodge a complaint with a supervisory authority — in Spain, the Agencia Española de Protección de Datos (AEPD). Residents of US states with privacy statutes have analogous rights to the extent those laws apply; we honor them on the same terms, and since we do not sell or share personal data for advertising, there is nothing to opt out of.

One honest caveat: correction and deletion requests cannot alter a completed inspection record, because record immutability is the integrity feature the Service exists to provide. Where a record contains inaccurate personal data, the remedy is a new record or an annotation, not silent edition of the original.

To exercise any right, email privacy@ustpilot.com from your account address.

Data is encrypted in transit, access to customer data is segregated per account at the database level (row-level security), photos and exports are served through expiring signed URLs, and completed records are protected against modification at the database layer. No system is perfectly secure; if a breach affects your personal data, we will notify you as required by law.

The Service is for businesses and is not directed at children. We do not knowingly collect data from anyone under 16.

We may update this policy. For material changes we will notify you by email or in the Service before they take effect.

TEXNI VELOCIDAI, SOCIEDAD LIMITADA · Pl. del Dr. Letamendi 1, 2nd floor, L'Eixample, 08007 Barcelona, Spain · privacy@ustpilot.com