Privacy Policy — ComTrax

Effective date: 2026-05-05 Last updated: 2026-05-05

1. Who we are

This Privacy Policy describes how TraxSys LLC ("TraxSys", "ComTrax", "we", "us", "our") collects, uses, and shares information when you ("Customer", "you") use the ComTrax distribution and warehouse management platform (the "Service"), including our website, web application, integrations, and APIs.

Contact: patrick@traxsys.ai Mailing address: TraxSys LLC; 4411 Park Ave; Fort Smith, AR 72903

2. Scope

This policy applies to two relationships:

Information we collect about you as our customer or user — when you sign up, manage your account, or use the Service.
Information we process on your behalf about your end customers, vendors, employees, and other business contacts — when you input it into the Service or when we retrieve it from a third-party system you connect (e.g., QuickBooks Online, Shopify).

For relationship (2), you are the data controller and we act as the data processor. The terms of that relationship are governed by our Terms of Service and any Data Processing Addendum we sign with you.

3. Information we collect

3.1 Account information

Name, email address, phone number, role
Organization name, business address, tax ID
Authentication credentials (managed by Clerk; we do not store passwords directly)
Billing contact details (when applicable)

3.2 Business data you input into the Service

Customer records, vendor records, item/SKU catalogs, inventory levels
Orders, purchase orders, shipments, returns, payments
Pricing, costs, tax, and accounting information
Files and attachments you upload
Notes, tasks, and addons you create against business records

3.3 Data we retrieve from connected third-party systems

When you authorize a connection (via OAuth or API credentials), we retrieve information from the corresponding system. Specifically:

QuickBooks Online (Intuit): customer records, vendor records, item/SKU records, invoices, bills, payments, journal entries, chart of accounts, and report data (Profit & Loss, Balance Sheet, Aged Receivables/Payables, etc.). We retrieve only the data within the scopes you authorize during the OAuth flow.
Shopify: orders, customers, products, fulfillment events, shop configuration.
Amazon Vendor Central (SP-API): purchase orders, ASN status, invoice acknowledgements, shipment data.
EDI trading partners (TrueCommerce, SPS Commerce, others): documents (850, 855, 856, 810, 997) routed through configured VAN channels.
Carrier and shipping providers (EasyPost, GlobalTranz, others): rate quotes, label data, tracking events.
Payment processor (Stripe): charge metadata, refund metadata, payout summaries (we do not store full card numbers; Stripe is the card-data processor).
Email and messaging providers (Resend for outbound; configured inbound providers): delivery metadata for transactional and case-related communications.

3.4 Usage and technical data

Log files (IP address, user agent, request paths, timestamps)
Application telemetry (feature usage, error reports)
Cookies and similar technologies (see Section 8)

3.5 Information you provide for support

Communications you send to support (case messages, emails, phone notes)
Screenshots, files, or logs you attach to support requests

We do not knowingly collect information from children under 13 (or under 16 where applicable). The Service is not directed to children.

4. How we use information

We use information to:

Provide, operate, and maintain the Service.
Authenticate users and authorize access to your data.
Synchronize data between ComTrax and the third-party systems you connect.
Generate reports, projections, and analytics that you request (e.g., proforma scenarios, demand forecasts, reconciliation reports).
Process transactions you initiate (e.g., shipping label purchases, payment captures via Stripe).
Communicate with you about your account, the Service, support requests, and security matters.
Detect, prevent, and respond to security incidents, fraud, and abuse.
Comply with our legal obligations and enforce our Terms of Service.
Improve and develop the Service, including diagnosing and resolving technical issues. Where we use information for product improvement, we do so on aggregated and de-identified datasets wherever possible.

We do not sell, rent, or trade your information or your business data to third parties for their own marketing purposes.

We do not use QuickBooks Online data, Shopify data, Amazon data, EDI documents, or any other connected-system data for any purpose other than providing the Service to you. In particular, we do not use this data to train machine-learning models for general use, to build derivative datasets sold to third parties, or to otherwise commercialize it outside the scope of the Service.

5. Legal bases (where applicable)

Where the GDPR or similar laws apply, we rely on the following bases to process personal information:

Contract: to provide the Service to you under our agreement.
Legitimate interests: to operate, secure, and improve the Service, where those interests are not overridden by your rights.
Legal obligation: to comply with applicable laws.
Consent: for any processing where consent is the appropriate basis (e.g., specific marketing communications).

6. How we share information

6.1 Subprocessors

We use the following categories of subprocessors to provide the Service. Specific vendor names, locations, and roles are maintained in a current subprocessor list available on request. As of this draft, the categories include:

Category	Purpose
Cloud hosting	Application servers, database hosting, storage
Authentication	User identity and access management
Email	Transactional and case email delivery and inbound routing
Payments	Card processing, virtual terminal, payment links
Shipping & carrier APIs	Rate quotes, label generation, tracking
Accounting & e-commerce integrations	The third-party systems the customer connects (QuickBooks Online, Shopify, Amazon, EDI VANs)
Error monitoring & analytics	Operational telemetry
AI vision providers	Document and image parsing for AI-assisted features (only when used)

We do not disclose the specific subprocessor list within this policy because the list changes; the current list is provided on request and updated in our DPA.

6.2 QuickBooks Online / Intuit

Data we receive from Intuit's APIs is used solely to provide the features you authorize within ComTrax. We do not redistribute QuickBooks Online data to other customers, sell it, or use it for purposes outside the Service. Customers can disconnect their QuickBooks Online integration at any time from the ComTrax accounting settings; on disconnect, we stop syncing and, on request, delete the cached snapshot data subject to legal retention requirements.

6.3 Legal disclosures

We may disclose information when we believe in good faith that disclosure is necessary to: comply with a legal obligation; respond to lawful requests from public authorities; enforce our Terms of Service; protect the rights, property, or safety of ComTrax, our users, or others.

6.4 Business transfers

If we are involved in a merger, acquisition, or asset sale, your information may be transferred. We will provide notice before your information becomes subject to a different privacy policy.

7. International data transfers

Information we process may be transferred to, stored in, and processed in jurisdictions outside your country of residence, including the United States. Where required, we rely on appropriate transfer mechanisms (such as Standard Contractual Clauses).

8. Cookies and similar technologies

We use cookies and similar technologies for authentication, security, preferences, and basic analytics. You can control cookies through your browser settings. Essential cookies are required for the Service to function.

9. Data retention

We retain information for as long as your account is active and for a reasonable period afterward to comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods include:

Account information: for the duration of the account, plus a reasonable post-termination period (typically up to 2 years) for legal and audit purposes.
Business data and integration data: retained while the relevant integration or feature is in use; on integration disconnect or account termination, deleted on the schedule described in our Terms of Service.
Logs and operational telemetry: retained for 90 days for security and operational purposes.

10. Your rights

Depending on your location, you may have the following rights regarding your personal information:

Access: request a copy of personal information we hold about you.
Correction: request that we correct inaccurate or incomplete information.
Deletion: request deletion of your personal information, subject to legal retention requirements.
Portability: request a copy of your data in a structured, machine-readable format.
Objection / restriction: object to or request restriction of certain processing.
Withdraw consent: where processing relies on consent, withdraw it at any time.

To exercise these rights, contact us at the address in Section 1. We may need to verify your identity before responding. We will respond within the time periods required by applicable law.

10.1 California residents (CCPA / CPRA)

California residents have additional rights, including the right to know what categories of personal information we collect, to request deletion, and to opt out of any "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioral advertising.

11. Data security

We implement administrative, technical, and physical safeguards designed to protect information from unauthorized access, disclosure, alteration, and destruction. These include encryption in transit, encryption at rest for sensitive credential data, role-based access controls, and audit logging. No method of electronic storage or transmission is perfectly secure; we cannot guarantee absolute security but commit to ongoing review and improvement of our practices.

If we become aware of a security incident affecting your information, we will notify you in accordance with applicable law.

12. End customers and contacts of our customers

When our customers (e.g., a distribution business) input or sync information about their own customers, vendors, or contacts (e.g., a person who placed an order with the distribution business), we process that information solely on the customer's instructions and as a data processor. The customer is the data controller and is responsible for providing notices and lawful bases to those individuals. End customers and contacts wishing to exercise rights regarding their personal information should contact the ComTrax customer who maintains the relationship; we will assist that customer as required by law.

13. Changes to this policy

We may update this policy from time to time. We will post the updated policy and update the "Last updated" date. If changes are material, we will provide additional notice (such as email to account administrators) before they take effect.

14. Contact us

For privacy questions, requests, or complaints:

Email: patrick@traxsys.ai
Mail: TraxSys LLC; 4411 Park Ave; Fort Smith, AR 72903