WrenchReady Privacy Policy

1. INTRODUCTION

WrenchReady LLC ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and protect information you provide through WrenchReady ("Service"), our website, and related services.

This Privacy Policy applies to:

• All users of WrenchReady (both during pre-launch waitlist phase and active service)
• Individuals employed by shops using WrenchReady team accounts
• Visitors to our website

Jurisdiction Note: While this Privacy Policy complies with federal U.S. standards and international practices, we have specifically designed it to meet California Consumer Privacy Act (CCPA) requirements as amended effective January 1, 2026. This policy therefore provides protections applicable to all users regardless of location.

2. INFORMATION WE COLLECT

2.1 Information You Provide Directly

Account Registration:

• Name and email address
• Shop/business name and location
• Job title and role
• Password (hashed and not stored in plain text)

Subscription and Billing:

• Billing name and address
• Payment method information (credit card, ACH, etc.)
• Billing history and invoice preferences
• Tax ID or business registration number (if applicable)

Compliance Data:

• Safety Data Sheets (SDSs) and chemical inventory
• EPA hazardous waste manifests
• OSHA 300 logs and injury/illness records
• Training records and certifications
• Inspection records and photos
• Equipment maintenance logs
• Employee names and injury information (for OSHA logs)
• Substance and chemical details

2.2 Information Collected Automatically

Technical Information:

• IP address and geolocation data
• Browser type and operating system
• Device identifier and hardware characteristics
• Pages accessed and time spent on pages
• Referring URL and exit pages
• Links clicked within the Service
• Error logs and crash reports

Behavioral Data:

• Features used and frequency of use
• Document uploads and processing
• Report generation and exports
• Search queries and filters applied
• Account settings changes

2.3 Information from Third Parties

• Payment Processors: Billing information and transaction history
• Identity Verification Services: Verification results for account confirmation
• Email Service Providers: Bounce rates and engagement metrics
• Business Databases: Company information and industry classification

2.4 Information About Children

The Service is not directed to individuals under age 18. We do not intentionally collect personal information from children. If we learn we've collected information from a minor, we will delete it promptly. If you believe we've collected information from a child, please contact privacy@wrenchready.com immediately.

3. HOW WE USE YOUR INFORMATION

3.1 Service Delivery

We use information to:

• Provide, maintain, and improve the Service
• Process and fulfill your subscription
• Generate compliance reports and manifests
• Store and retrieve your User Data
• Authenticate your account and verify identity
• Provide customer support and respond to inquiries
• Debug, troubleshoot, and optimize Service functionality

3.2 Communication

We use information to:

• Send transactional emails (receipts, password resets, account confirmations)
• Provide technical support and resolve issues
• Send Service-related announcements
• Notify you of changes to Terms or policies
• Respond to your direct communications

3.3 Marketing and Business Development

With your consent, we use information to:

• Send promotional emails about new features or services
• Display personalized advertisements (if applicable)
• Conduct market research and surveys
• Recommend features or services based on your usage
• Improve marketing campaigns and measure effectiveness

You may opt out of marketing communications by:

• Clicking "unsubscribe" in any marketing email
• Adjusting notification preferences in your account settings
• Emailing marketing@wrenchready.com

3.4 Compliance and Legal Obligations

We use information to:

• Comply with laws and regulations (GDPR, CCPA, OSHA, EPA, etc.)
• Respond to legal requests and court orders
• Detect and prevent fraud, abuse, and security incidents
• Enforce these Terms and other agreements
• Protect the rights, property, and safety of the Company, users, and public
• Maintain compliance and audit records

3.5 Analytics and Improvement

We use information to:

• Analyze how the Service is used
• Identify trends and usage patterns
• Develop new features and services
• Improve user interface and experience
• Measure Service performance and reliability
• Create aggregated, de-identified reports

4. LEGAL BASIS FOR PROCESSING

We process information based on:

• Contract Performance: Information needed to provide the Service under your subscription agreement
• Legitimate Business Interests: Service improvement, fraud prevention, security, analytics, and business operations
• Consent: Marketing communications, non-essential cookies, and optional features
• Legal Obligation: Compliance with OSHA, EPA, DOT, tax, and other regulations
• Legal Claims: Defending against claims and enforcing agreements

Sensitive personal information (such as employee injury details in OSHA logs) is processed only as necessary to comply with occupational safety regulations and with appropriate safeguards.

5. HOW WE SHARE YOUR INFORMATION

5.1 Third-Party Service Providers

We share information with trusted service providers who process data on our behalf:

Data Hosting and Infrastructure:

• Supabase: Database hosting, user authentication, data storage (Data Processing Agreement signed; SOC 2 Type 2 certified; GDPR compliant)
• Vercel: Application hosting, content delivery, CDN services (DPA signed; SOC 2 Type 2 certified)

Payment Processing:

• Payment Processor (Stripe or similar): Credit card information, billing details, transaction history (PCI DSS compliant; does not retain full card data)

Email and Communications:

• Email Service Provider: Transactional emails, notifications, marketing emails (compliant with GDPR and CCPA)

Analytics:

• Google Analytics or similar: Anonymized usage data, traffic sources, behavior analytics

All service providers have executed Data Processing Agreements (DPAs) and are prohibited from using your data for purposes other than providing services to WrenchReady.

5.2 Legal Requirements and Enforcement

We may disclose information when required by law or when we believe in good faith that disclosure is necessary to:

• Comply with applicable law, regulation, or legal process
• Enforce our Terms of Service and other agreements
• Respond to valid government requests (warrants, subpoenas, etc.)
• Protect against fraud and security incidents
• Protect the safety and rights of WrenchReady, users, and the public

We will provide notice of legal requests when permitted by law.

5.3 Aggregated and De-identified Data

We may share aggregated, anonymized data that does not identify individuals with:

• Business partners and affiliates
• Researchers and industry analysts
• Marketing partners
• Public reporting (blog posts, whitepapers)

This data cannot be re-identified to you and is used for industry benchmarking and insights.

5.4 Business Transfers

If WrenchReady is involved in a merger, acquisition, bankruptcy, asset sale, or other business transaction, your information may be transferred as part of that transaction. We will provide notice before your information becomes subject to a different privacy policy.

5.5 With Your Consent

We do not share personal information beyond the above purposes without your explicit consent. If you consent to sharing information with partners or third parties, such sharing will be disclosed at the point of collection.

6. YOUR PRIVACY RIGHTS

6.1 CCPA/CPRA Rights (California Residents)

California residents have the following rights:

Right to Know: You may request what personal information we collect, use, and share about you.

Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions (e.g., information needed for legal compliance, fraud prevention).

Right to Correct: You may request correction of inaccurate personal information.

Right to Opt Out: You may opt out of:

• Sale or sharing of personal information (we do not sell data)
• Targeted advertising and profiling
• Automated decision-making technology that produces legal or similarly significant effects

Right to Non-Discrimination: We will not discriminate against you for exercising privacy rights by denying goods or services, charging different prices, providing different levels of quality, or suggesting you will receive different treatment.

6.2 GDPR Rights (EU Residents)

While WrenchReady is a U.S. company, we respect GDPR rights for residents of the European Union and other jurisdictions with similar laws:

• Right to Access: Request a copy of personal data we hold about you
• Right to Rectification: Correct inaccurate data
• Right to Erasure: Request deletion of personal data ("right to be forgotten"), subject to legal obligations
• Right to Restrict Processing: Limit how we process your data
• Right to Data Portability: Receive your data in a structured, commonly used, machine-readable format
• Right to Object: Oppose processing for marketing, profiling, or other purposes
• Right to Lodge a Complaint: Contact your local data protection authority

6.3 Other U.S. State Privacy Laws

We comply with emerging state privacy laws including:

• Virginia Consumer Data Protection Act (VCDPA)
• Colorado Privacy Act (CPA)
• Connecticut Data Privacy Act (CTDPA)
• Utah Consumer Privacy Act (UCPA)
• Montana Consumer Data Privacy Act (MCDPA)

6.4 Exercising Rights

To exercise any privacy right:

1. Provide sufficient information to identify your account or the data in question
2. Verify your identity (we may request government ID, account confirmation, or similar)
3. Specify the right you are exercising
4. Designate an authorized agent if applicable (we may require power of attorney)

We will confirm receipt within 10 business days and respond within applicable timeframes.

7. DATA RETENTION

7.1 Retention Periods

Active Account:

• Account information retained while account is active
• User Data retained for as long as account is active
• Transaction history retained for 7 years (tax and financial compliance)

Terminated Account:

• Account metadata retained for 12 months (payment disputes, refund verification)
• User Data deleted from active systems within 30 days; from backups within 90 days
• Compliance records (OSHA 300 logs, SDS data, hazardous waste manifests) retained for 30 years per OSHA regulations
• Anonymized usage analytics retained indefinitely

7.2 Right to Deletion Exception

Data required for OSHA, EPA, DOT, or other legal compliance; fraud prevention and security; dispute resolution and enforcement; tax or accounting records; or legitimate business interests is not deleted even if you request deletion.

8. SECURITY AND ENCRYPTION

8.1 Security Measures

WrenchReady implements industry-standard security measures to protect your information:

Data Encryption:

• In Transit: TLS 1.2+ encryption for all data transmitted to/from the Service
• At Rest: AES-256 encryption for sensitive data stored on servers
• User Data: Encrypted at the database layer and in backups
• Payment Data: Encrypted and not stored by WrenchReady (processed by PCI DSS compliant third parties)

Access Controls:

• Role-based access control (RBAC) for employees
• Two-factor authentication (2FA) available for user accounts
• Secure password requirements (minimum 12 characters, complexity rules)
• Session timeouts for inactive accounts
• Audit logs tracking data access

8.2 Breach Notification

If we discover a breach of personal information, we will:

• Notify affected individuals without unreasonable delay (within 30 days)
• Provide information about the breach and mitigation steps
• Comply with state and federal notification laws
• Cooperate with law enforcement if applicable

9. COOKIES AND SIMILAR TECHNOLOGIES

For detailed information about our use of cookies, please see our Cookie Policy.

10. INTERNATIONAL DATA TRANSFERS

10.1 Data Processing Locations

WrenchReady is based in Washington State, USA. Your information is processed and stored in the United States. Our third-party service providers (Supabase, Vercel) may process data in multiple locations globally.

10.2 Transfers from EU/UK/Other Jurisdictions

For individuals in the European Union, UK, or other jurisdictions restricting data transfers:

Legal Mechanisms:

• Standard Contractual Clauses (SCCs): Our service providers (Supabase, Vercel) utilize approved SCCs
• Data Processing Agreements: Executed DPAs address data protection for transfers

11. CHANGES TO THIS PRIVACY POLICY

WrenchReady may update this Privacy Policy at any time. Changes become effective upon posting. We will:

• Notify you of material changes via email
• Post the update date at the top of this policy
• Request re-consent if changes materially affect your rights (with 30 days' notice)

Continued use following notice constitutes acceptance of changes. Review this policy periodically for updates.

12. CONTACT US

For Privacy Questions:
Email: privacy@wrenchready.com

Data Protection Officer (DPO):
Available for GDPR and advanced privacy inquiries
Email: dpo@wrenchready.com

California Residents (CCPA Inquiries):
Email: ccpa@wrenchready.com

Disclaimer: This Privacy Policy is provided as a general framework and should be reviewed by qualified legal counsel before finalization. It does not constitute legal advice. Privacy laws evolve rapidly; ensure this policy remains compliant with current CCPA, GDPR, and state-specific requirements.