Privacy Policy
FK Command Center is a tool that helps Turo hosts run their fleet operations. This policy explains what data we collect, how we use it, and the choices you have. We've kept the language plain because privacy docs that nobody reads aren't privacy at all.
What we collect
Only the data you choose to put into the product, plus the minimum needed to run it.
- License key + email: when you sign up for a trial or paid plan
- Stripe customer ID: if you upgrade to a paid plan (we never see your card number — that stays at Stripe)
- Your fleet, trip, maintenance, claim, and tax data: stored encrypted in Supabase, accessible only by your license key
- Uploaded files (invoices, photos, receipts): stored in Supabase Storage, private to your license
- Server logs: IP, user agent, request paths — kept for ≤30 days for abuse prevention
We don't run analytics scripts that track you across the web. There's no Google Analytics, no Meta Pixel, no LinkedIn tag.
What we don't do
- We don't sell your data to anyone, ever.
- We don't share aggregated benchmarks unless you opt in (Settings → Data Sharing).
- We don't use your business data to train AI models. The Ask FK assistant sends a data snapshot for your current question to a third-party AI provider (OpenRouter) so it can answer — EIN and full VINs are stripped from that snapshot. It's not used for training and isn't retained.
Third-party processors
To run the product, your data is processed by these services:
- Stripe — payment processing
- Supabase — database + file storage
- Resend — transactional email (license keys, trial verifications)
- Sentry — error monitoring (no PII intentionally captured)
- OpenRouter — only for Ask FK questions you submit (per-question, not retained)
- Railway — application hosting
Each has its own privacy practices. They're contractually bound not to use your data for their own purposes.
Your rights
- Export everything: Settings → Backup downloads your full data as JSON.
- Delete your account: Settings → ⛔ Delete Account erases everything in one click — license, fleet data, uploaded files, marketing-list entry. An active Stripe subscription cancels at period end so you keep paid-for access until natural expiry. If you'd rather have a human do it, email [email protected]. Reversible within 30 days from backups; permanent after.
- California residents (CCPA): you have the right to know, delete, and opt out of any sale (we don't sell). Same email gets you there.
- EU residents (GDPR): we don't actively market in the EU, but if you've signed up, the same rights apply. We're our own data controller.
Security
We use industry-standard practices: HTTPS everywhere, HMAC-signed session cookies, Row-Level Security in the database, signed-URL file access. The code is open-source-readable if you want to verify what we say here.
Changes to this policy
We'll update the "Last updated" date above when we change anything material. Significant changes (new categories of data, new third-party processors) will be announced by email to active license holders.