Privacy Policy

Last Updated: April 20, 2026

RefriTrak ("we," "us," or "our") operates the RefriTrak platform, including the web application and RefriTrak Mobile companion app (collectively, the "Service"). This Privacy Policy describes our practices regarding the collection, use, disclosure, and retention of your information. By using the Service, you agree to the collection and use of information in accordance with this policy.

1. Information Collection and Use

We collect several types of information for various purposes to provide and improve the Service.

1.1 Personal Data

While using the Service, we may ask you to provide certain personally identifiable information ("Personal Data"), including but not limited to:

Email address
First name and last name
Phone number
Business name, address, state, province, ZIP/postal code, and city

1.2 Usage Data

We automatically collect information about how the Service is accessed and used ("Usage Data"), including your IP address, browser type and version, the pages you visit, the time and date of your visit, time spent on pages, and other diagnostic data.

1.3 Refrigerant and Compliance Data

As part of the Service, you may upload equipment records, refrigerant logs, service histories, and related compliance data ("User Data"). You retain ownership of your User Data. RefriTrak processes this data solely to provide the Service and as described in Section 8 (Data Aggregation and Anonymization).

1.4 Mobile Application Data

When you use the RefriTrak Mobile app, we collect the following categories of data in addition to the data described above:

Camera and photo library access — The app uses your device's camera and (with your permission) photo library to scan QR codes on equipment and cylinders, capture photographs of equipment nameplates for optical character recognition (see Section 3, "Automated Processing Using Artificial Intelligence"), and attach photographs to units, transfers, and job notes. Photos you choose to attach are uploaded to our cloud storage (Amazon Web Services S3) and linked to your organization's records. Photos you discard before submission are not uploaded.
Location data (indirect) — The app does not continuously track your device location. When you use the address autocomplete field to enter a customer or job location, the partial address you type is transmitted to Google's Places API to return suggestions. Once selected, the resolved street address is stored in our database. Your device GPS coordinates are not collected.
Push notification tokens — If you grant permission for notifications, the app registers a device push token with Expo Push Service. This token is a random identifier that lets us deliver notifications to your device; it is not linked to your device's hardware identifier or phone number.
Crash and diagnostic data — The app sends anonymized crash reports to Sentry when it encounters an unexpected error. Reports may include the device model, operating system version, app version, and a stack trace of the crashing code. They do not include the contents of your records, your password, or your email address.
Authentication session tokens — To keep you logged in between sessions, the app stores an encrypted session token in your device's secure storage (iOS Keychain / Android Keystore). You can invalidate it by signing out.

Permissions you can revoke at any time via your device's operating system settings: camera, photo library, push notifications.

1.5 Tracking and Advertising

The RefriTrak Mobile app does not track you across other apps or websites, and does not use the Advertising Identifier (IDFA/GAID). We do not participate in ad networks or cross-contextual behavioral advertising.

2. Tracking & Cookies Data

We use cookies and similar tracking technologies to maintain session state, remember preferences, and analyze usage. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, certain features of the Service may not function properly without cookies.

Types of cookies we use:

Session Cookies: Required to operate the Service.
Preference Cookies: Remember your settings and preferences.
Analytics Cookies: Help us understand how users interact with the Service (e.g., via Vercel Analytics).

3. Automated Processing Using Artificial Intelligence

The RefriTrak Mobile app includes a feature that uses third-party artificial intelligence to read the information printed on equipment nameplates. When you use this feature:

The photograph you capture is uploaded to our cloud storage and transmitted to Anthropic's Claude API for analysis.
Claude extracts text fields (manufacturer, model number, serial number, refrigerant type, charge amount, etc.) and returns them to the app, where you can review and correct them before saving.
Anthropic processes the image solely to return the extracted data to us and, per Anthropic's commercial terms, does not retain the image or use it to train its models.
No automated decisions with legal or similarly significant effects are made on the basis of this processing — the extracted data is always presented for your review before it is saved to your records.

If you do not wish to have your photographs processed by Anthropic, do not use the nameplate scanner. You can enter all equipment data manually.

4. How We Use Your Information

We use the information we collect to:

Provide, operate, maintain, and improve the Service.
Process your account registration and manage your subscription.
Send administrative communications, security alerts, and support messages.
Respond to your inquiries and support requests.
Detect, prevent, and investigate fraud, abuse, or security incidents.
Comply with applicable legal obligations.
Create Anonymized Data as described in Section 8.

We do not sell your Personal Data to third parties for their own marketing purposes.

5. Disclosure of Data

RefriTrak may disclose your Personal Data only in the following circumstances:

Legal Obligations: To comply with applicable law, regulation, legal process, or enforceable governmental request.
Protection of Rights: To protect and defend the rights or property of RefriTrak, including enforcement of our Terms of Service.
Safety: To prevent or investigate possible wrongdoing or threats to public safety in connection with the Service.
Business Transfers: In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you before your Personal Data becomes subject to a different privacy policy.
With Your Consent: For any other purpose with your explicit consent.

6. Third-Party Service Providers

We employ third-party companies and individuals ("Service Providers") to facilitate the Service on our behalf. Each receives only the data needed to perform its function.

Service Provider	Purpose	Data Received
Vercel	Application hosting and edge network	Usage data, request metadata
MongoDB Atlas	Database storage	All stored application data (encrypted at rest)
Amazon Web Services (AWS)	File and object storage (S3)	Uploaded photographs and documents
Resend	Transactional email delivery	Email address, email content
Stripe	Payment processing	Billing information, subscription data
Anthropic, PBC	Nameplate OCR via Claude API (mobile app)	Equipment photographs you choose to scan
Sentry	Crash and error reporting (mobile app)	Anonymized stack traces, device/OS/app version
Google LLC	Address autocomplete via Places API	Partial address strings you type
Expo (650 Industries, Inc.)	Push notification delivery (mobile app)	Device push token, notification payload
Apple Inc. / Google LLC	App distribution (App Store / Google Play)	Data governed by the respective store's own privacy terms

These Service Providers are contractually obligated to protect your data and not to disclose or use it for any purpose other than performing their specific tasks on our behalf.

Subprocessor changes: We maintain a current list of our subprocessors at refritrak.com/privacy/subprocessors. When we add, replace, or remove a subprocessor, we will update that page and notify active account holders by email.

7. Data Retention

We retain your Personal Data for as long as your account is active or as needed to provide the Service. Specific retention periods by category:

Category	Retention Period
Account profile (name, email, login credentials)	For the life of your account; deleted 90 days after account closure
Equipment, cylinder, transfer, and compliance records	For the life of your account, then 7 years after account closure to meet EPA recordkeeping obligations (40 CFR § 82.166)
User-uploaded photographs	Same as the associated record
Usage and log data	Up to 12 months
Session tokens	Up to 30 days; deleted on sign-out
Push notification tokens	Until the app is uninstalled or notifications are revoked
Crash/diagnostic data (Sentry)	90 days
Audit logs	7 years (regulatory)
Support correspondence	3 years from last contact

You may request earlier deletion of any category not subject to a legal retention obligation. Notwithstanding the above, we may retain data for longer periods if required by law, regulation, or ongoing legal proceedings.

Account Deletion: You may delete your account and all associated personal data at any time through the account settings page within the Service, or by visiting refritrak.com/account/delete. Upon deletion, your account profile and personal data will be permanently removed within 90 days. Compliance and regulatory records (equipment, transfers, audit logs) may be retained for up to 7 years as required by EPA recordkeeping obligations (40 CFR § 82.166). You may also request deletion by emailing privacy@refritrak.com.

8. Data Aggregation and Anonymization

RefriTrak reserves the right to create, use, and commercialize Aggregated and Anonymized Data derived from User Data. Anonymized Data has been modified or combined such that it cannot reasonably be used to identify any individual user or specific organization.

Purpose: We may use Anonymized Data for industry benchmarking, environmental trend analysis, product optimization, and research.
Non-Personal: Because Anonymized Data does not identify you, it is not considered Personal Data under this policy or under applicable privacy laws including the CCPA.
Commercial Use: RefriTrak may share, license, or sell Anonymized Data sets to third parties (such as researchers, industry analysts, or government agencies) at its sole discretion.
CCPA Carve-Out: Your CCPA right to opt out of the "sale" of Personal Data (Section 10) does not apply to Anonymized Data, as Anonymized Data is not Personal Data. This is consistent with Cal. Civ. Code § 1798.140(o).

9. Data Security

We implement industry-standard technical and organizational measures to protect your Personal Data, including TLS 1.2+ encryption in transit, AES-256 encryption at rest, role-based access controls, and regular security assessments. However, no method of internet transmission or electronic storage is 100% secure. We cannot guarantee absolute security.

Data Breach Notification: In the event of a data breach that affects your Personal Data, RefriTrak will notify you and any applicable regulatory authorities as required by applicable law (including California's data breach notification law, Cal. Civ. Code § 1798.82, and GDPR Article 33 where applicable). We will provide notice without unreasonable delay, and in no event later than 72 hours after we become aware of a breach that triggers notification obligations, where practicable.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

The Right to Know: You may request disclosure of the categories and specific pieces of Personal Data we have collected about you, and the purposes for which we use it.
The Right to Delete: You may request deletion of Personal Data we have collected, subject to certain legal exceptions.
The Right to Correct: You may request correction of inaccurate Personal Data we maintain about you.
The Right to Opt-Out of Sale/Sharing: RefriTrak does not sell your Personal Data. We do not share Personal Data for cross-contextual behavioral advertising. If you nonetheless wish to submit a "Do Not Sell or Share" request, you may do so by emailing privacy@refritrak.com with the subject line "Do Not Sell." We will honor verified requests within 15 business days. Note: this right does not apply to Anonymized Data (see Section 8).
The Right to Limit Use of Sensitive Personal Information: You may direct us to limit the use of your sensitive Personal Data to that which is necessary to perform the Service.
The Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise these rights, contact us at privacy@refritrak.com. We will respond to verifiable requests within 45 days, as required by law.

11. European Privacy Rights (GDPR / UK GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights regarding your personal data, in addition to any rights described elsewhere in this policy:

Right of access — You may request a copy of the personal data we hold about you.
Right to rectification — You may ask us to correct inaccurate or incomplete data.
Right to erasure ("right to be forgotten") — You may request deletion of your personal data, subject to our legitimate retention obligations (e.g., EPA compliance records we are required to retain).
Right to restriction of processing — You may ask us to temporarily stop processing your data while we investigate a request.
Right to data portability — You may request a machine-readable export of your data (see Section 13).
Right to object — You may object to processing based on our legitimate interests.
Right to withdraw consent — Where processing is based on your consent (e.g., push notifications, nameplate OCR), you may withdraw consent at any time.
Right to lodge a complaint — You may complain to your national data protection authority.

Our lawful bases for processing are: (a) performance of a contract (delivering the service you signed up for), (b) legitimate interests (security, fraud prevention, service improvement), (c) consent (optional features such as push notifications and AI-assisted scanning), and (d) legal obligation (tax, regulatory, and compliance record retention).

Requests can be made to privacy@refritrak.com. We will respond within 30 days.

International data transfers — Our primary infrastructure is located in the United States. If you are in the EEA/UK, your personal data will be transferred to the United States. We rely on the EU Standard Contractual Clauses (and the UK Addendum where applicable) with our subprocessors to provide an adequate level of protection.

12. Children's Privacy

RefriTrak is a business tool intended for use by HVAC and refrigeration professionals. The Service is not directed to children under 13 (or under 16 in the EEA/UK), and we do not knowingly collect personal data from children. If you believe a child has provided us personal data, please contact us at privacy@refritrak.com and we will delete it.

13. Data Portability and Export

You may request a machine-readable export of the personal data and records associated with your account by emailing privacy@refritrak.com. Exports are delivered as JSON and CSV files and typically include: account profile, customers, locations, units, circuits, cylinders, transfers, jobs, and uploaded media references. We will fulfill export requests within 30 days at no charge; we may charge a reasonable fee for repeat requests within a 12-month period.

14. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices or content of those sites. We encourage you to review the privacy policies of any third-party sites you visit.

15. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email or by posting a prominent notice within the Service at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes your acceptance of the updated policy.

16. Contact Us

For any questions, concerns, or requests related to this Privacy Policy or your personal data, please contact us at:

RefriTrak — Privacy Team 611 Gateway Blvd Suite 120 South San Francisco, CA 94080 privacy@refritrak.com

For users in the EEA/UK, the Privacy Team also serves as our data protection point of contact under GDPR Article 37.