TruckBooks

Privacy Policy

Last updated: May 20, 2026  ·  Effective: May 20, 2026

This Privacy Policy describes how ThriveWorks Media LLC (“TruckBooks,” “we,” “us,” or “our”) collects, uses, and shares information about you when you visit truckbooksapp.com, join our waitlist, or use the TruckBooks mobile application (together, the “Service”).

We built TruckBooks to be private by default. Most of your data stays on your device. This policy explains what leaves it, and why.

Contents

  1. Information we collect
  2. How we use information
  3. Cookies and website analytics
  4. Who we share it with
  5. Where your data lives
  6. Data retention
  7. Your rights
  8. California residents (CCPA/CPRA)
  9. EU/UK residents (GDPR)
  10. Children's privacy
  11. Security
  12. Changes to this policy
  13. Contact us

1. Information we collect

Information you give us

  • Waitlist signup. When you join the waitlist we collect your email address and which form on the page you submitted (e.g. hero vs. final CTA).
  • Account information. After launch, when you create an account we collect your email address, a hashed password (or an OAuth token if you use single sign-on), and your chosen display name.
  • Expense data. Receipts, amounts, dates, categories, notes, and voice transcripts you record in the app. This data is stored on your device first and synced to our servers only if you enable cloud sync.
  • Support correspondence. When you email us at support@truckbooksapp.com, we keep the message and your email address to respond.

Information we collect automatically

  • IP address, hashed. When you join the waitlist we compute a one-way hash of your IP combined with the date and a secret salt. We use this hash to rate-limit signups. We do not store your raw IP.
  • User-agent string. For the waitlist, we store the browser user-agent so we can debug issues and distinguish real signups from bots.
  • Subscription status. If you subscribe to Pro, our subscription-state provider (Adapty, validating purchases made via Apple App Store, Google Play, or Stripe web checkout) tells us whether your subscription is active. We never see your card number or full payment details.
  • Crash and diagnostic data. The mobile app sends anonymized crash reports (Sentry) and product-analytics events (PostHog). Both can be disabled in Settings.

Information we do NOT collect

  • We do not sell or rent your information to data brokers. Ever.
  • We do not use your expense data or receipts to train machine-learning models.
  • We do not access your photo library except when you explicitly attach a receipt photo.
  • The mobile app does not embed advertising SDKs or third-party advertising pixels. (Website analytics on truckbooksapp.com are disclosed in Section 3.)

2. How we use information

We use the information we collect to:

  • Operate and improve the Service.
  • Send you transactional emails: welcome, receipts, password resets, and important account or security notices.
  • Send occasional product-update emails if you joined the waitlist. You can unsubscribe from any email with one click.
  • Process subscription billing and manage Pro entitlements.
  • Provide customer support.
  • Detect, prevent, and respond to abuse, fraud, and security incidents.
  • Comply with law and legal process.

We do not use your expense data to train machine-learning models, profile you for advertising, or share it with anyone except the limited service providers listed below.

3. Cookies and website analytics

On truckbooksapp.com we use Google Tag Manager to load a small number of analytics and attribution tags. Google Tag Manager itself is a container — the tags it loads may include:

  • Google Analytics 4 (GA4). Anonymous page-view, session, and interaction metrics so we can understand which parts of the site are useful. We ask GA4 to anonymize IP addresses and we do not enable Google Signals (no cross-device ad personalization).
  • Meta Pixel (also called the Facebook Pixel). A page-view tag and a Lead conversion tag that fires when you submit the waitlist form. We use it to (a) measure which Facebook / Instagram ad creatives drive signups, and (b) build retargeting and lookalike audiences for future ads. The Pixel sees a hashed identifier, your IP address, your user-agent, and the URL of the page you visited. It does not see your expense data.
  • Other attribution tags for paid campaigns (e.g. Google Ads conversion tracking, TikTok or X pixels — if and when we run campaigns on those platforms). These let us measure whether an ad led to a waitlist signup. They do not identify you by name.

These tags set small first- and third-party cookies (typically _ga, _gid, _fbp, _fbc, and similar short-lived IDs). None of them hold your name, email, or expense data.

We also send a small server-side copy of the same waitlist Lead event to Meta via their Conversions API, from our backend. This is the same event the browser pixel sends — deduplicated by a shared event ID — and exists only because the browser version is increasingly blocked (iOS ATT, ad blockers, Safari ITP). The server-side copy uses the hashed form of your email so Meta can match it to an account if you have one, but the underlying email is never sent in clear text.

Opting out. You can block analytics in several ways:

  • Browser: enable Do Not Track or a privacy extension such as uBlock Origin, Privacy Badger, or Firefox strict tracking protection — all of these block Google Tag Manager and the Meta Pixel by default.
  • Install the Google Analytics opt-out browser add-on.
  • Adjust your Meta ad preferences to opt out of activity-based ad personalization.
  • Clear or block cookies for truckbooksapp.com, google-analytics.com, and facebook.com in your browser settings.

The mobile app itself contains no third-party analytics or advertising SDKs. The cookies described here apply only to the website.

4. Who we share it with

We share the minimum necessary information with a small number of service providers (“subprocessors”) who help us run the Service. Each is bound by a data processing agreement (DPA) and may use your information only on our documented instructions.

  • Supabase, Inc. (US-East region) — Postgres database, file storage, authentication, and Edge Functions backend. Hosts the waitlist table, user accounts, and any cloud-synced expense data.
  • OpenAI, L.L.C. — three features in the mobile app rely on OpenAI APIs: Whisper for voice-note transcription, GPT-4o-mini for expense categorization, and Vision for receipt OCR. Audio, text, and image inputs are sent to OpenAI's API only for the duration of processing and, per OpenAI's API data policy, are not used to train OpenAI models and are not retained by OpenAI after the request completes.
  • Adapty Tech, Inc. — subscription state management and entitlement validation for in-app purchases. Receives your Adapty user ID, subscription product ID, and store transaction metadata. Does not see your payment card.
  • Functional Software, Inc. (Sentry) — crash reporting and performance monitoring for the mobile app. Receives anonymized stack traces, device model, OS version, and app version when an error occurs. You can disable this in Settings.
  • PostHog, Inc. (US Cloud) — product analytics and optional session replay inside the mobile app. Receives a pseudonymous per-user identifier, screen names, button taps, and aggregate counters. Session replays mask all text input by default. You can disable this in Settings.
  • Resend, Inc. — transactional and waitlist email delivery (welcome, weekly report, support replies, drip sequence). Receives your email address, the message content, and delivery telemetry (delivered / bounced / opened).
  • Stripe, Inc. (US users only) — web-checkout payment processing for users who subscribe outside the mobile app stores. Stripe handles the payment card; we receive only the result (success / failure) and a Stripe customer ID. Subject to Stripe's privacy policy.
  • Apple, Inc. — (a) App Store billing for iOS in-app purchases; (b) “Sign in with Apple” OAuth identity provider. For Sign in with Apple, we receive only the opaque user identifier and (if you allow it) your email address.
  • Google LLC — (a) Play Store billing for Android in-app purchases; (b) “Sign in with Google” OAuth identity provider (we receive your name, email, and profile picture URL); (c) Google Tag Manager and Google Analytics on the website only (see Section 3). Google is contractually prohibited from using website analytics data for its own purposes.
  • Cloudflare, Inc. — website hosting (Pages), CDN, and DDoS protection. Cloudflare logs minimal request metadata (IP, user-agent, URL, timestamp) for security purposes.
  • Meta Platforms, Inc. — the Meta Pixel (browser side) and Meta Conversions API (server side) on the website only (see Section 3). We share a hashed email, IP address, user-agent, and event metadata so Meta can attribute waitlist signups to specific ad campaigns and build audiences. We use the standard Meta Business Tools data-sharing terms; we do not enable Advanced Matching beyond a single hashed email.

A current list of all subprocessors is maintained on this page. We will update it before adding a new subprocessor that handles personal data, and (where required by law) provide you an opportunity to object.

We may disclose information if required by subpoena, court order, or other valid legal process, or to protect our rights, users, or the public. If legally permitted, we will notify you first.

5. Where your data lives

Our databases and email systems are hosted in the United States. If you use the Service from outside the United States, your information will be transferred to and processed in the United States.

Expense data in the mobile app is stored on your device using encrypted local storage (WatermelonDB + secure storage for credentials). If you enable cloud sync, a copy is replicated to our Supabase database and encrypted at rest.

6. Data retention

  • Waitlist emails are kept until you unsubscribe or we launch and you convert to a user account. Unsubscribed rows are retained only to honor your opt-out.
  • Account data is retained for as long as your account is active. You can delete your account at any time from Settings; we will delete your personal data within 30 days, except where we must retain it to comply with law.
  • Support emails are retained for up to 2 years.
  • Aggregated, anonymized analytics (e.g. total active users per month) may be retained indefinitely.

7. Your rights

No matter where you live, you can:

  • Ask us what personal data we hold about you.
  • Ask us to correct or delete it.
  • Export a copy of your data in a portable format.
  • Unsubscribe from marketing emails with one click.
  • File a complaint with a data-protection authority if you believe we have mishandled your data.

To exercise any of these rights, email support@truckbooksapp.com. We respond within 30 days.

8. California residents (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what categories and specific pieces of personal information we collect, use, disclose, and sell.
  • Request deletion of your personal information.
  • Correct inaccurate personal information.
  • Opt out of the sale or sharing of personal information. We do not sell personal information. We do use limited advertising-adjacent cookies on the website (see Section 3), which some California authorities classify as “sharing” under CPRA; you can opt out with any standard browser anti-tracking setting (Do Not Track, Global Privacy Control, or a content blocker such as uBlock Origin), all of which we honor.
  • Limit the use of sensitive personal information. We do not collect or use sensitive personal information for any purpose other than what is strictly necessary to provide the Service.
  • Be free from discrimination for exercising your privacy rights.

To submit a verifiable consumer request, email support@truckbooksapp.com with the subject “CCPA Request.”

9. EU/UK residents (GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation (GDPR) and the UK GDPR, including the right to access, rectify, erase, restrict processing, object to processing, and data portability.

Our legal bases for processing your data are: (a) performance of the contract under which we provide the Service to you; (b) your consent, which you can withdraw at any time; and (c) our legitimate interests in operating a secure, reliable Service.

Because our servers are in the United States, we rely on the EU-US Data Privacy Framework and Standard Contractual Clauses as the legal basis for international transfers. You can request a copy of the applicable SCCs by emailing us.

10. Children's privacy

TruckBooks is a business tool intended for users 18 years or older. We do not knowingly collect information from children under 16. If we learn we have collected information from a child under 16, we will delete it promptly. If you believe a child has given us information, email support@truckbooksapp.com.

11. Security

We take reasonable measures to protect your information:

  • TLS/HTTPS in transit for all network traffic.
  • Encryption at rest for databases and backups.
  • Row-level security in our database so one user cannot see another user's data.
  • Payment details are handled exclusively by Apple (App Store), Google (Play Store), Stripe (web checkout, US users), and Adapty (subscription state). We never see or store payment cards.
  • Waitlist unsubscribe links are signed with HMAC-SHA256 so they cannot be forged.

No system is 100% secure. If we learn of a breach affecting your personal data, we will notify you without undue delay, as required by applicable law.

12. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and by posting a notice on the website before the changes take effect. The “Last updated” date at the top of this page shows when the current version took effect.

13. Contact us

Questions, complaints, or requests? Email support@truckbooksapp.com.

ThriveWorks Media LLC
Wyoming, United States


© TruckBooks · hello@truckbooksapp.com