Privacy Policy

Version 1.1 · Effective Date: April 9, 2026 · Last Updated: April 9, 2026

1. Introduction

This Privacy Policy explains how Optera AI LLC (“Company,” “we,” “us,” or “our”) collects, uses, and protects your personal information when you use RampFlow, a product of FBODesk (the “Service”).

Company Information: Optera AI LLC, 1309 Coffeen Avenue STE 1200, Sheridan, Wyoming 82801. Contact: hello@fbodesk.com

Geographic scope: The Service is designed for Fixed Base Operators in the United States. We do not target or market the Service to individuals outside the United States.

Multi-tenant data roles: For Customer Data uploaded or created by Organization members (fuel logs, ticket images, job records), the Company acts as a data processor on behalf of the customer Organization (the data controller). For account, billing, and usage data, the Company is the data controller. This policy covers all data the Company processes.

2. Information We Collect

Information You Provide Directly

  • Account data: Name, email address, and password (stored as a cryptographic hash)
  • Organization data: FBO name, ICAO airport code (optional), organization address, phone, and logo
  • Billing information: Processed by Stripe. We store your Stripe customer ID and subscription ID but never store full credit card numbers on our servers
  • Operational data: Fuel logs, job records, truck information, fuel ticket images, team member roles, notes, and service records
  • Team member information: Email addresses and roles of users invited by Organization Owners
  • Support requests: Communications you send to us

Information Collected Automatically

  • IP address (used for rate limiting and security)
  • Browser type and version
  • Device information and operating system
  • Log data (access times, error logs, referring URLs)

Information from Third Parties

  • Stripe: Transaction status and subscription state (not full card details)
  • Anthropic Claude API: Processed OCR results returned from ticket images you upload. The AI provider does not send us additional data about you
  • FAA Aircraft Registry: Publicly available aircraft registration records (manufacturer, model, type, owner name, and location) queried when you look up a tail number

Multi-Tenant Data Distinction

  • Account Data (controller: the Company) — Your name, email, login credentials, billing information
  • Operational Data (controller: your Organization) — Data you create or upload within your Organization's workspace (fuel logs, jobs, ticket images). Your Organization Owner controls this data and determines how it is used within the Service

3. How We Use Information

We use your information to:

  • Provide the Service: Operate RampFlow, including authentication, data storage, AI-powered ticket extraction, FAA aircraft lookups, and all core features
  • Process transactions: Manage billing through Stripe, send invoices and receipts
  • Communicate with you: Send account-related emails (team invitations, billing notifications, trial reminders, daily digest reports, and service updates)
  • Ensure security: Detect fraud, prevent abuse via rate limiting, protect against unauthorized access
  • Comply with law: Respond to legal requests, enforce our Terms, meet regulatory obligations

We do NOT:

  • Sell your personal information to third parties
  • Use your Customer Data to train AI or machine learning models
  • Use your data for purposes unrelated to providing the Service without your consent
  • Share your data with advertisers
  • Use third-party analytics or advertising trackers

4. How We Share Information

We share your information only in these circumstances:

  • Service providers / subprocessors: Third parties that help us operate the Service (see Section 5). They process data only on our instructions and are bound by data processing agreements.
  • Within your Organization: Organization members can see data shared within the Organization as configured by the Organization Owner. For example, all members can view fuel logs and job records within their Organization.
  • Business transfers: If the Company is involved in a merger, acquisition, or sale of assets, your data may be transferred. We will notify you before your data becomes subject to a different privacy policy.
  • Legal requirements: We may disclose data if required by law, subpoena, court order, or government request. We will notify you unless legally prohibited.
  • With your consent: We may share data with third parties when you explicitly direct us to.
  • Aggregated / de-identified data: We may share data that cannot reasonably identify you.

We do not sell or share your personal information for cross-context behavioral advertising.

5. Subprocessors & Third-Party Services

We use the following third-party services to operate RampFlow:

Provider | Purpose | Data Processed
--- | --- | ---
Supabase | Database, authentication, file storage | All account and operational data (hosted on AWS, US)
Anthropic (Claude API) | AI-powered ticket OCR | Fuel ticket images (processed, not retained for training)
Stripe | Payment processing | Email, subscription data (PCI-DSS compliant)
Vercel | Application hosting | Request logs, IP addresses
Resend | Transactional email | Email addresses, email content
Upstash (Redis) | Rate limiting | IP addresses, request counts

We maintain a list of subprocessors and will notify customers of material changes at least 30 days in advance.

6. AI & Automated Processing

How We Use AI

RampFlow uses artificial intelligence to read and extract information from photographs of fuel tickets that you upload. When you scan a ticket, the image is sent to Anthropic's Claude API, which extracts fields such as tail number, fuel quantities, truck identifier, product type, prist additive status, and timestamps.

What Data Is Sent to the AI Provider

The photo you upload and a set of instructions for what information to extract. Anthropic processes this data solely to return results to us and does not retain your data for model training or any other purpose, per their API data usage policies.

Data Retention by AI Provider

Anthropic does not retain your data after processing, per their API terms. For details, see Anthropic's privacy policy and data handling documentation.

Accuracy

AI-generated outputs are provided as a convenience and may contain errors. All extracted values are presented for your review and require your confirmation before being recorded. You are responsible for reviewing and verifying all AI-extracted information. We do not guarantee the accuracy, completeness, or reliability of AI outputs.

Automated Decision-Making

Our AI features are assistive tools that present information for your review — they do not make autonomous decisions that affect your legal rights or produce similarly significant effects. All AI-extracted data requires human confirmation before it is recorded.

7. Cookies & Tracking Technologies

Cookies We Use

RampFlow uses only strictly necessary cookies for user authentication and session management. These cookies are required for the Service to function and cannot be disabled. They are set by Supabase (prefixed with “sb-”) and contain authentication tokens.

We do not use functional, analytics, or marketing cookies. We do not use third-party tracking cookies, advertising pixels, or analytics services that track individual users across websites.

Managing Cookies

You can control cookies through your browser settings. Disabling authentication cookies will prevent you from using the Service.

Do Not Track

Because we do not use tracking or analytics cookies, Do Not Track browser signals do not change our behavior. We do not track individual users across third-party websites.

Future Changes

If we ever add optional analytics or functional cookies, we will update this policy, notify you, and provide an opt-out or consent mechanism before deploying any non-essential cookies.

8. Data Retention

Data Category | Retention Period | Reason
--- | --- | ---
Account data | Duration of account; deleted immediately on account deletion | Service provision
Billing records | Retained via Stripe for up to 7 years after transaction | Tax and legal requirements
Customer Data (fuel logs, jobs, images) | Duration of account; deleted immediately and irreversibly on account deletion | Service provision
Server logs | Governed by hosting provider (Vercel) retention policies | Security and debugging
Infrastructure backups | Governed by Supabase retention policies | Disaster recovery
Consent records (ToS acceptance) | Retained independently of account deletion for legal compliance purposes | Legal compliance and enforceability

Account deletion is immediate and irreversible. We strongly recommend exporting your data using the in-app export features before deleting your account. You may also request deletion of specific data without deleting your entire account (see Section 10).

9. Data Security

We implement appropriate technical and organizational measures to protect your data:

Technical Measures

  • Encryption in transit (TLS 1.2+)
  • Encryption at rest (AES-256)
  • Secure authentication with cryptographically hashed passwords
  • Row-level security (RLS) policies for organization-level data isolation
  • IP-based rate limiting on authentication endpoints to prevent brute-force attacks
  • Invite tokens with 7-day expiration for team member onboarding

Organizational Measures

  • Access to personal data limited to personnel who need it
  • Role-based access control within Organizations (owner, manager, front desk, lineman)
  • Incident response procedures

Breach Notification

In the event of a data breach that poses a risk to your rights, we will notify affected individuals and relevant authorities as required by applicable US state breach notification laws (typically within 30–60 days of discovery, depending on the state).

No system is 100% secure. While we use commercially reasonable measures to protect your data, we cannot guarantee absolute security.

10. Your Privacy Rights

For All Users

Regardless of where you are located, you may:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your personal data
  • Data portability: Request your data in a machine-readable format (CSV/JSON)
  • Objection: Object to processing you believe is unlawful

California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act:

  • Right to know: Request the categories and specific pieces of personal information we collect
  • Right to delete: Request deletion of your personal information
  • Right to correct: Request correction of inaccurate personal information
  • Right to opt-out: We do not sell or share your personal information. If this changes, we will provide a “Do Not Sell or Share My Personal Information” link
  • Non-discrimination: We will not discriminate against you for exercising your rights
  • Authorized agents: You may designate an authorized agent to make requests on your behalf

We will respond to verified requests within 45 days (extendable by an additional 45 days for complex requests).

Other US State Privacy Laws

Residents of Virginia, Colorado, Connecticut, and other states with comprehensive privacy laws have the right to know, access, delete, correct, and opt-out of targeted advertising, as well as the right to appeal a denied request. We will respond to verified requests within the timeframes required by applicable state law (typically 45 days).

How to Exercise Your Rights

Email us at hello@fbodesk.com with your request. We may need to verify your identity before processing (typically by confirming your account email). We do not charge a fee for exercising your rights, except for manifestly unfounded or excessive requests.

Team member data: If you are removed from an Organization, your membership record is deleted. Operational data you created (fuel logs, jobs) may be retained by the Organization with your user reference removed. Contact your Organization Owner for data managed by your Organization.

11. Children's Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children. If we learn that we have collected data from a child, we will delete it promptly. If you believe a child has provided us with personal data, please contact us at hello@fbodesk.com.

12. Marketing Communications

Transactional emails (account confirmations, security alerts, billing notices, team invitations, trial reminders, daily digests) are sent as necessary to provide the Service. You cannot opt out of these while your account is active.

Marketing emails (product updates, newsletters, promotions): We will only send marketing emails with your consent. Every marketing email includes an unsubscribe link. We honor unsubscribe requests within 10 business days per CAN-SPAM.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' advance notice via email and/or in-app notification before the changes take effect.

The “Last Updated” date at the top reflects the most recent revision. Previous versions are archived and available upon request.

Continued use of the Service after the effective date of changes constitutes acceptance, except where affirmative consent is required by law.

14. Contact Information

For privacy-related inquiries or to exercise your rights:

Optera AI LLC
1309 Coffeen Avenue STE 1200
Sheridan, Wyoming 82801
Email: hello@fbodesk.com

Terms of Service: fbodesk.com/terms