Privacy Policy

1. Who We Are (Data Controller)

American Trans Data Systems, Inc. ("ATD," "we," "us," or "our") operates CARB Compliance Service at carbcomplianceservice.com and satisfycarb.com. For purposes of the GDPR, ATD is the data controller of personal data collected through the Service.

Our designated privacy contact is reachable at [email protected] or by phone at 714-751-3000.

2. Information We Collect

2.1 Information You Provide Directly

• Account information: Name, company name, email address, phone number, billing address
• Payment information: Credit or debit card details (processed and stored by Stripe; we do not store full card numbers)
• Fleet data: Vehicle identification numbers (VINs), license plate numbers, vehicle make/model/year, CARB compliance test records, and related fleet management data
• CARB portal credentials: When you use our portal sync feature, you may provide your CARB CTC portal username and password. These credentials are used solely to retrieve your compliance data and are not stored permanently on our servers.
• Communications: Messages, support requests, or feedback you send us

2.2 Information Collected Automatically

• Usage data: Pages visited, features used, time and date of access, referring URLs
• Device and browser data: IP address, browser type and version, operating system, device identifiers
• Cookies and similar technologies: Session cookies for authentication, preference cookies, and analytics cookies (see Section 8)

2.3 Categories of Personal Information (CCPA)

Under the CCPA, we collect the following categories of personal information: Identifiers (name, email, IP address); Commercial information (subscription and billing records); Internet or network activity (usage logs); Professional or employment-related information (company name, fleet data); and Inferences drawn from the above to create a profile about compliance status.

3. How We Use Your Information

We use the information we collect for the following purposes, and only as permitted by applicable law:

• Service delivery: To provide, operate, and maintain the CARB Compliance Service, including syncing your fleet data with the CARB portal
• Account management: To create and manage your account, process payments, and send billing communications
• Compliance alerts: To send you deadline reminders, test due date alerts, and compliance status notifications via email and SMS
• Customer support: To respond to your inquiries and resolve technical issues
• Service improvement: To analyze usage patterns, diagnose technical problems, and improve the Service
• Legal compliance: To comply with applicable laws, regulations, and legal processes
• Security: To detect, prevent, and address fraud, unauthorized access, and other security issues

Legal bases for processing (GDPR): We process your personal data on the following legal bases: (a) Contract performance — to deliver the Service you subscribed to; (b) Legitimate interests — to improve the Service, ensure security, and communicate service updates; (c) Legal obligation — to comply with applicable laws; and (d) Consent — for marketing communications, which you may withdraw at any time.

4. How We Share Your Information

We do not sell, rent, or trade your personal information to third parties. We may share your information in the following limited circumstances:

• Service providers: We share data with trusted third-party vendors who assist in operating the Service, including Stripe (payment processing), Amazon Web Services (cloud infrastructure and storage), and email/SMS delivery providers. These vendors are contractually bound to use your data only to provide services to us.
• IRP program: If you are an ATD IRP customer, your account status may be shared with ATD's IRP team to verify complimentary access eligibility.
• Legal requirements: We may disclose your information if required by law, court order, or governmental authority, or to protect the rights, property, or safety of ATD, our customers, or the public.
• Business transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email before your data is transferred and becomes subject to a different privacy policy.

5. Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. After account cancellation, we retain your data for up to 24 months to comply with legal obligations, resolve disputes, and enforce our agreements. Fleet compliance records may be retained longer if required by applicable regulations.

You may request earlier deletion of your data as described in Section 7 below, subject to our legal retention obligations.

6. Data Security

We implement industry-standard technical and organizational measures to protect your personal information, including:

• TLS/SSL encryption for all data in transit
• Encryption of sensitive data at rest on AWS infrastructure
• Access controls limiting data access to authorized personnel only
• Regular security reviews and monitoring
• CARB portal credentials are used in-session only and are not stored in our database

No method of transmission over the internet is 100% secure. If you believe your account has been compromised, contact us immediately at [email protected].

7. Your Privacy Rights

7.1 California Residents — CCPA Rights

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the sources, the business purposes, and the categories of third parties with whom we share it.
• Right to Delete: You may request that we delete personal information we have collected from you, subject to certain exceptions (e.g., information needed to complete a transaction or comply with a legal obligation).
• Right to Correct: You may request that we correct inaccurate personal information we maintain about you.
• Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising. No opt-out is required, but you may contact us to confirm.
• Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information for purposes beyond providing the Service.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise your CCPA rights, submit a verifiable consumer request to [email protected] or call 714-751-3000. We will respond within 45 days. You may designate an authorized agent to make a request on your behalf.

7.2 European Residents — GDPR Rights

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR):

• Right of Access (Art. 15): Obtain a copy of the personal data we hold about you
• Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data
• Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements
• Right to Restrict Processing (Art. 18): Request that we limit how we use your data in certain circumstances
• Right to Data Portability (Art. 20): Receive your personal data in a structured, machine-readable format
• Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes
• Right to Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
• Right to Lodge a Complaint: File a complaint with your local data protection authority (DPA)

To exercise your GDPR rights, contact our privacy team at [email protected]. We will respond within 30 days.

International Data Transfers: Our servers are located in the United States. If you are located in the EEA or UK, your data is transferred to the US under appropriate safeguards, including Standard Contractual Clauses (SCCs) where applicable.

8. Cookies and Tracking Technologies

We use the following types of cookies and similar technologies:

Most browsers allow you to control cookies through their settings. Disabling strictly necessary cookies may prevent you from using the Service.

9. Children's Privacy

The Service is intended for business use by fleet operators and is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a minor, please contact us immediately at [email protected].

10. Third-Party Links

The Service may contain links to third-party websites, including the California Air Resources Board portal (arb.ca.gov). We are not responsible for the privacy practices of those sites and encourage you to review their privacy policies before providing any personal information.

11. Do Not Track

Some browsers transmit "Do Not Track" (DNT) signals. Our Service does not currently respond to DNT signals. We will update this policy if we implement a DNT response mechanism in the future.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email at least 30 days before the changes take effect and update the "Last Updated" date at the top of this page. Your continued use of the Service after the effective date constitutes acceptance of the revised policy.

13. Contact Us — Privacy Requests

For any privacy-related questions, requests, or complaints, please contact us: