TowBridge

Privacy Policy

Effective Date: March 26, 2026  |  Last Updated: March 26, 2026

Legna Studios Inc. ("TowBridge," "we," "us," or "our") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, retain, and protect personal information when you visit our website (towbridge.com), use our web application, mobile applications, and related services (collectively, the "Services").

TowBridge is a product of Legna Studios Inc., headquartered in Burlington, Ontario, Canada. This policy is designed to comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's Anti-Spam Legislation (CASL), and applicable provincial privacy legislation including Ontario's privacy laws. Where our Services are used outside of Canada, we also comply with applicable local privacy regulations.

By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Services.

1. Definitions

  • "Personal Information" means information about an identifiable individual, as defined under PIPEDA. This includes but is not limited to name, email address, phone number, physical address, payment information, location data, and device identifiers.
  • "Business Contact Information" means information used to contact an individual in their capacity as an employee or representative of an organization, such as their business email, title, and work phone number.
  • "Tenant" means an organization (towing company) that has registered for a TowBridge account.
  • "User" means any individual who accesses the Services under a Tenant's account, including owners, administrators, dispatchers, drivers, and billing staff.
  • "Customer Data" means all data, including personal information, that a Tenant or its Users upload, enter, or generate through the Services.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Registration: Name, email address, phone number, company name, business address, and role/title.
  • Driver Profiles: Driver name, phone number, license information, assigned vehicle, and emergency contact details.
  • Job and Dispatch Data: Customer names, phone numbers, vehicle information (make, model, year, VIN, license plate), pickup and dropoff addresses, and service notes.
  • Inspection Data: Vehicle inspection reports including pass/fail status, inspector notes, odometer readings, and photographs of vehicle components.
  • Invoice and Payment Data: Invoice amounts, line items, tax calculations, payment records, and billing addresses. We do not directly store credit card numbers — payment processing is handled by PCI-compliant third-party processors.
  • Impound Records: Impounded vehicle details, storage fees, lien information, owner contact details, and release authorization records.
  • Communications: Messages sent through our in-app chat, support tickets, and emails to our team.

2.2 Information Collected Automatically

  • GPS Location Data: When drivers use the mobile application and are on an active shift, we collect real-time GPS coordinates at regular intervals (approximately every 30 seconds). This data is used for fleet tracking, dispatch optimization, and job management. Location tracking is active only during work hours when the driver has the app open or is on an active job.
  • Device Information: Device type, operating system, app version, unique device identifiers, and push notification tokens.
  • Usage Data: Pages visited, features used, time spent on the platform, click patterns, and error logs.
  • Log Data: IP address, browser type, referring URLs, access times, and server response information.
  • Cookies and Similar Technologies: We use cookies, local storage, and similar technologies to maintain session state, remember preferences, and analyze usage patterns. See Section 9 for details.

2.3 Information from Third Parties

  • VIN Decoding: We query the National Highway Traffic Safety Administration (NHTSA) database to decode Vehicle Identification Numbers and retrieve vehicle specifications.
  • Mapping Services: We use Google Maps APIs for geocoding, route calculation, and map display. Google's privacy policy applies to their processing of location queries.

3. How We Use Your Information

Under PIPEDA, we collect and use personal information only for purposes that a reasonable person would consider appropriate in the circumstances. We use your information for the following purposes:

  • Service Delivery: To provide, operate, and maintain our dispatch, tracking, inspection, invoicing, and fleet management services.
  • Account Management: To create and manage user accounts, authenticate users, and enforce role-based access controls.
  • Communications: To send transactional communications including job assignments, status updates, invoice notifications, and system alerts via push notification, SMS, and email.
  • Customer Support: To respond to your inquiries, troubleshoot issues, and provide technical assistance.
  • Safety and Compliance: To facilitate vehicle inspections, maintain compliance records, and support regulatory requirements.
  • Analytics and Improvement: To analyze usage patterns, monitor platform performance, identify errors, and improve our Services.
  • Security: To detect, prevent, and respond to fraud, abuse, security incidents, and other harmful activities.
  • Legal Obligations: To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

4. Consent

In accordance with PIPEDA, we obtain your consent before collecting, using, or disclosing your personal information, except where permitted or required by law.

  • Express Consent: We obtain express consent for sensitive information, including GPS location tracking and inspection photographs. Drivers are prompted to grant location permissions when setting up the mobile app and can revoke these permissions at any time through their device settings.
  • Implied Consent: By creating an account and using our Services, you imply consent for us to collect and use your business contact information and operational data as necessary to provide the Services you have requested.
  • Withdrawal of Consent: You may withdraw your consent at any time by contacting us at privacy@towbridge.com. Please note that withdrawing consent may limit our ability to provide certain Services. We will inform you of the implications of withdrawing consent.

5. Disclosure of Information

We do not sell, rent, or trade your personal information. We may share your information in the following limited circumstances:

  • Within Your Organization: Information is shared between users within the same Tenant account as necessary for operations (e.g., dispatchers can see driver locations, managers can view inspection reports).
  • Service Providers: We engage third-party service providers who process data on our behalf. These providers are contractually bound to protect your information and use it only for the specific services we have engaged them to perform. Our current service providers include:
    • Amazon Web Services (AWS) — cloud hosting and data storage (Canada and US regions)
    • Google Maps Platform — mapping, geocoding, and navigation
    • Firebase Cloud Messaging — push notifications
    • Amazon SES — transactional email delivery
    • Amazon SNS — SMS notifications
    • Sentry — application error monitoring and performance tracking
  • Legal Requirements: We may disclose information if required to do so by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect the rights, property, or safety of TowBridge, our users, or the public.
  • Business Transfers: In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of the transaction. We will notify you of any such change in ownership or control of your personal information.

6. Data Storage, Security, and Cross-Border Transfers

6.1 Data Storage Location

Our primary data infrastructure is hosted on Amazon Web Services (AWS) in the Canada (Central) region (ca-central-1), located in Montreal, Quebec. Certain auxiliary services (such as content delivery and error monitoring) may process data in US regions. By using our Services, you consent to the transfer of your information to these locations.

6.2 Security Measures

We implement comprehensive technical and organizational security measures to protect your personal information, including:

  • Encryption in transit using TLS 1.2 or higher for all data transmitted between clients and servers
  • Encryption at rest for all data stored in our databases and file storage systems
  • Role-based access control (RBAC) with six granular permission levels
  • Multi-tenant data isolation ensuring complete separation between organizations
  • JWT-based authentication with short-lived access tokens (15 minutes) and rotating refresh tokens (7 days)
  • Audit logging of all significant data access and modification events
  • Regular security reviews and dependency vulnerability scanning
  • Soft-delete architecture ensuring data can be recovered if accidentally deleted

6.3 Cross-Border Transfers

When personal information is transferred outside of Canada (for example, to US-based service providers), we ensure that comparable levels of protection are in place through contractual agreements with our service providers, in compliance with PIPEDA's requirements for transborder data flows.

7. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Our retention practices include:

  • Active Accounts: Data is retained for the duration of your account and subscription.
  • After Account Closure: Upon account termination, we retain core business records for a period of 7 years as may be required for tax, legal, and regulatory compliance purposes.
  • GPS Location Data: Real-time location data is retained for 90 days for operational purposes. Aggregated and anonymized location data may be retained longer for analytics.
  • Inspection Records: Inspection reports and photographs are retained for a minimum of 2 years to support regulatory compliance requirements.
  • Audit Logs: System audit logs are retained for 1 year.
  • Backup Data: Encrypted backup data may persist for up to 30 days after deletion from production systems.

8. Your Rights Under Canadian Privacy Law

Under PIPEDA and applicable provincial privacy legislation, you have the following rights:

  • Right of Access: You have the right to request access to the personal information we hold about you. We will respond to your request within 30 days, as required by PIPEDA.
  • Right to Correction: You have the right to request that we correct any inaccurate or incomplete personal information. You may also update your account information directly through the platform.
  • Right to Withdrawal of Consent: You may withdraw your consent for the collection, use, or disclosure of your personal information, subject to legal or contractual restrictions. We will inform you of the implications of withdrawal.
  • Right to Complain: If you believe we have not handled your personal information appropriately, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or your applicable provincial privacy commissioner.
  • Right to Data Portability: Upon request, we will provide your data in a commonly used, machine-readable format (such as CSV or JSON).
  • Right to Deletion: You may request deletion of your personal information. Note that we may retain certain information as required by law or for legitimate business purposes. Account owners can request full account deletion through the Settings page or by contacting us.

To exercise any of these rights, please contact our Privacy Officer at privacy@towbridge.com. We will verify your identity before processing any request. There is no fee for exercising your rights.

9. Cookies and Tracking Technologies

We use the following categories of cookies and similar technologies:

CategoryPurposeCan Be Disabled
EssentialAuthentication, session management, security (JWT tokens, CSRF protection)No
FunctionalUser preferences, branch selection, theme settingsYes
AnalyticsUsage patterns, feature adoption, error tracking (Sentry)Yes

We do not use advertising or marketing cookies. You can manage cookie preferences through your browser settings. Disabling essential cookies may prevent the platform from functioning correctly.

10. Canada's Anti-Spam Legislation (CASL)

We comply with CASL regarding commercial electronic messages (CEMs). We send the following types of electronic messages:

  • Transactional Messages: Job assignments, status updates, invoice notifications, inspection alerts, and system notifications. These are exempt from CASL consent requirements as they relate directly to an existing business relationship and the Services you have requested.
  • Service Communications: Security alerts, maintenance notices, policy updates, and account-related messages. These are also exempt as they relate to your use of our Services.
  • Marketing Communications: We will only send marketing or promotional communications with your express consent. You can unsubscribe from marketing communications at any time using the unsubscribe link in each message or by contacting us.

11. Children's Privacy

Our Services are designed for use by businesses and are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.

12. Privacy Officer and Complaints

TowBridge has designated a Privacy Officer who is responsible for our compliance with this Privacy Policy and applicable privacy legislation. If you have questions, concerns, or complaints about our privacy practices, you may contact:

Legna Studios Inc. — Privacy Officer

4145 N Service Rd, 2nd Floor, Burlington, ON L7L 6A3, Canada

Email: privacy@towbridge.com

Phone: +1 647 549 5569

We will acknowledge receipt of your complaint within 5 business days and provide a substantive response within 30 days.

If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada at 30 Victoria Street, Gatineau, Quebec K1A 1H3, or online at priv.gc.ca.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email, in-app notification, or by posting a prominent notice on our website at least 30 days before the changes take effect. The "Last Updated" date at the top of this policy indicates when the most recent revisions were made. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.