Privacy Policy

Effective date: 2026-04-25

Xponzy Tech LLC ("we", "us", "TLCDesk") operates the TLCDesk mobile application and related services (the "Service"). This policy explains what information we collect, how we use it, and the choices you have.

1. Information we collect

1.1 Account information

• Email address (for authentication and account recovery).
• Full name (for profile display, legal contracts, and dispute resolution).
• Role selection (driver or vehicle owner).
• Password: stored as a salted hash by Supabase Auth; never visible to us.

1.2 Driver verification (drivers only)

• TLC license number (verified against the NYC Taxi & Limousine Commission's public OpenData records).
• DMV Class E chauffeur license photo.
• Proof of address (utility bill, bank statement, lease, or government mail from the last 90 days).
• Optional phone number.

1.3 Owner verification (owners only)

• Optional business name (for tax / entity reporting).
• Optional contact phone.

1.4 Payment information

• Card details (number, CVC, expiration, ZIP): collected by Stripe, Inc. and never stored on our servers. We retain a Stripe Customer ID and a reference to each PaymentIntent, Subscription, or Refund.
• Weekly rental charges, deposit holds, and refunds are processed through Stripe under Stripe's terms.

1.5 Rental activity

• Booking requests (vehicle, driver, timestamps, message to owner).
• Active rentals (dates, weekly rate, deposit, payment status, subscription identifier).
• Weekly payment history (amount, status, attempt count, outcome).
• Pickup documentation (photos of vehicle condition at pickup, odometer reading, optional driver/owner notes).
• Deposit deductions submitted by the owner (type, amount, reason, evidence photos) and any dispute responses from the driver.

1.6 Communication

• Messages exchanged between driver and owner within a rental thread.
• Customer support communications (future).

1.7 Usage data

• Session log timestamps (login, logout).
• Device metadata (platform, OS version, app version).

2. How we use your information

• To provide the vehicle rental marketplace Service.
• To verify driver credentials against NYC TLC public records.
• To process payments via Stripe.
• To facilitate driver ↔ owner communication.
• To resolve disputes regarding deposits, damage, and charges.
• To comply with legal obligations (tax reporting, law enforcement requests).
• To detect fraud and protect Service integrity.
• To improve the Service.

3. Information sharing

We share information only with:

• Stripe, Inc. — payment processing (cards, subscriptions, payouts). See Stripe's privacy policy at stripe.com/privacy.
• Supabase Inc. — backend infrastructure (database, authentication, file storage). See Supabase's privacy policy at supabase.com/privacy.
• NYC Open Data — we query public TLC driver-license records (data.cityofnewyork.us) to verify driver credentials. No personal information about you is sent; we only query by license number you provide.
• Law enforcement — when required by a valid subpoena, warrant, or court order, or to prevent imminent harm.

We do not sell your personal information to third parties. We do not use your information for advertising.

4. Data retention

• Account data: retained while your account is active.
• Rental records (booking requests, rentals, weekly charges): retained for 7 years (IRS and TLC record-keeping requirements).
• Pickup documentation and deposit-deduction evidence: retained for 2 years after rental end.
• Messages: retained for 1 year after rental end.
• Payment data (Stripe): retained per Stripe's retention policies, typically 7 years.
• Driver documents (DMV license photo, proof of address): retained while the account is active + 2 years for legal defense window.

After the applicable retention period expires, we delete or anonymize the data.

5. Your rights

You may:

• Access your personal information via the Account screen in the app.
• Request deletion of your account. Some records must be retained for legal reasons (see §4). Use the "Delete my account" option in the Account screen; our team will process the request after a 7-day grace period during which you may cancel.
• Export your rental history in a machine-readable format (contact us).
• Correct inaccurate information via the Account screen.

New York residents and residents of jurisdictions with applicable privacy laws (e.g., California CCPA/CPRA, EU GDPR) have additional rights. Contact us using the details below to exercise them.

6. Security

We implement industry-standard security measures:

• Encrypted data transmission (HTTPS / TLS 1.2+).
• Row-level security on our Postgres database — each user can only read their own records and the records of parties to their rentals.
• Stripe handles all card data under its PCI-DSS Level 1 compliance.
• No plaintext storage of sensitive credentials (passwords hashed, payment data tokenized at Stripe).
• Separate service-role credentials used only by backend functions, never bundled into the mobile app.

7. Minors

TLCDesk is for users 21 years of age and older. New York State TLC driver licenses are only issued to qualifying adults. We do not knowingly collect information from minors.

8. Changes to this policy

We will notify users of material changes via the app and, where practical, email. The effective date above reflects the most recent revision.

9. Contact

Xponzy Tech LLC
418 Broadway STE R, Albany NY 12207-2922
Email: legal@tlcdesk.com
Phone: 516-780-8094

For privacy requests, include the subject line "Privacy Request" and the email address associated with your account.