Privacy Policy

Last updated: December 2024

Introduction

Universal Maintenance Passport ("UMP," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services, including our website, APIs, and applications.

Information We Collect

Information You Provide

We collect information you directly provide to us, including:

  • Account information (name, email, organization)
  • Asset and maintenance data you choose to record
  • Evidence files (photos, documents) attached to maintenance events
  • Communications with our support team

Information Collected Automatically

When you use our services, we automatically collect:

  • Device and browser information
  • IP address and general location
  • Usage patterns and feature interactions
  • Performance and error data

How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our services
  • Create and manage your account
  • Process and anchor maintenance credentials
  • Enable verification of credentials by authorized parties
  • Send service-related communications
  • Detect and prevent fraud or security issues
  • Comply with legal obligations

Data Storage and Security

Credential Data

Maintenance credentials are stored using industry-standard security practices. Credential hashes are anchored to an append-only ledger (AWS QLDB) for tamper-evidence. Evidence files are stored with WORM (Write Once Read Many) protection.

Cryptographic Keys

Private keys used to sign credentials are stored in hardware-backed key management systems (AWS KMS). Keys never leave the secure enclave.

Data Retention

Maintenance credentials and evidence are retained for the lifetime of the asset passport unless you request deletion. Deleted data may be retained in backups for a limited period as required by law.

Information Sharing

We share your information only in the following circumstances:

  • With your consent: When you explicitly authorize sharing, such as generating a Passport Pack for a buyer or auditor
  • For verification: When a verifier checks a credential you've shared, they receive the credential data and verification status
  • Service providers: With trusted third parties who assist in operating our services (cloud hosting, analytics)
  • Legal compliance: When required by law, regulation, or legal process

Your Rights and Choices

You have the right to:

  • Access your personal information
  • Correct inaccurate data
  • Request deletion of your data (subject to retention requirements)
  • Export your data in a portable format
  • Opt out of marketing communications

International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for international transfers in compliance with applicable data protection laws.

Children's Privacy

Our services are not directed to children under 16. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date.

Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us.