Privacy Policy

Last updated: July 19, 2025

1. Introduction

RailScanPro (“we”, “us”, “our”) is a service operated by Winsit LLC in Illinois, USA. This Privacy Policy explains how we handle your personal data. Use of the Service constitutes acceptance of these terms.

2. Information We Collect

  • Personal Data: name, email, address, phone, billing details.
  • Payment Data: processed via Stripe; includes billing and transaction records.
  • Usage Data: IP, device/browser info, timestamps, feature usage.
  • User Content: images, metadata, annotations you upload.
  • Biometric Data: collected only if explicitly enabled (e.g., VIN scanning).

3. How We Collect Data

  • Directly from you when you register, subscribe, upload content, or contact support.
  • Automatically via cookies, analytics tools, and server logs.
  • Through third-party integrations such as Stripe and hosting platforms.

4. Use of Data

  • To provide, maintain and enhance the Service.
  • To process transactions and prevent fraud.
  • To communicate updates, notifications, and support messages.
  • To analyze usage trends and improve features.
  • To protect against threats and ensure security.
  • To satisfy legal obligations.

6. Data Sharing

We share your personal data only as necessary to provide our Service and as described below. We do not sell or rent personal data to third parties.

Service Providers & Processors

We work with trusted third-party service providers bound by data processing agreements (DPAs) to protect your data:

Provider | Service | Data Shared | Safeguards
Stripe, Inc. | Payment processing | Billing details, payment info | PCI DSS, DPF certified, SCCs
Amazon Web Services | Cloud hosting, storage | User content, system data | SOC 2, ISO 27001, encryption
Google Analytics | Website analytics | Usage data, anonymized metrics | Data Processing Amendment, IP anonymization
Email service providers | Communications | Email addresses, message content | GDPR-compliant DPAs

Legal Compliance

We may disclose information when required by law or to:

  • Comply with legal processes, court orders, or government requests
  • Protect our rights, property, or safety, or those of our users
  • Prevent fraud, security threats, or violations of our Terms
  • Cooperate with law enforcement investigations

Data Processing Agreements

All service providers processing personal data on our behalf are bound by:

  • GDPR Article 28 compliance: EU-standard data processing agreements
  • Security requirements: Technical and organizational measures matching our standards
  • Limited processing: Data used only for specified services, not for their own purposes
  • Subprocessor oversight: Prior approval required for any subprocessors
  • Data return/deletion: Guaranteed data return or destruction upon contract termination

7. Data Retention

  • Account & billing data: retained up to 7 years for tax and audit purposes.
  • System logs: retained up to 3 years for security and compliance.
  • User-uploaded content: deleted within 30 days of deletion or account closure, unless a legal hold applies.
  • Biometric data (if any): destroyed within 3 years of last use or once its intended purpose is fulfilled.

8. Biometric Data Compliance

What is Biometric Data?

"Biometric data" means identifiers derived from scans, measurements, or analysis of biological characteristics, including but not limited to:

  • Facial geometry or facial recognition templates
  • Fingerprints, palm prints, or hand geometry
  • Retinal or iris scans
  • Voice recognition patterns
  • Keystroke dynamics or other behavioral biometrics
  • Digital representations of physical characteristics used for identification

Multi-State Biometric Compliance

If you enable biometric features (such as VIN scanning with facial recognition), we comply with applicable biometric privacy laws including:

Illinois (BIPA)

  • Provide written notice before collecting any biometric data, specifying the purpose, retention schedule, and destruction timeline
  • Obtain your explicit consent prior to collection
  • Maintain a publicly accessible written retention and destruction policy before collecting any biometric data
  • Permanently destroy biometric data when its initial purpose is fulfilled, or within 3 years of your last interaction—whichever occurs first

Texas (CUBI - Capture or Use of Biometric Identifier)

  • Inform you before collecting biometric identifiers
  • Obtain your consent prior to collection
  • Store biometric data with reasonable care and in a secure manner
  • Destroy biometric identifiers within one year of termination of the purpose for collection

Washington State

  • Provide clear notice and obtain consent for biometric collection
  • Implement reasonable security measures
  • Provide destruction timelines upon request

EU/UK (GDPR - Special Category Data)

Under GDPR/UK GDPR, biometric data is "special category" personal data requiring:

  • Explicit consent: Clear, specific, informed consent separate from general terms
  • Data Protection Impact Assessment (DPIA): Required for high-risk biometric processing
  • Enhanced security: Technical and organizational measures appropriate to the risk
  • Right to withdraw consent: Easy withdrawal mechanism without detriment

Our Biometric Commitments

  • Separate consent: Biometric consent is collected separately from general account terms
  • Purpose limitation: Biometric data is used only for the specific purpose disclosed
  • No sale or disclosure: We never sell or disclose biometric data to third parties
  • Secure storage: Encrypted storage with access limited to authorized personnel
  • Regular audits: Periodic review of biometric data handling and security

This ensures compliance with BIPA Sections 15(a) and 15(b), including the requirement to have a retention policy in place at the time biometric data is first collected. Illinois courts have confirmed this requirement under Mora v. J&M Plating, 2022.

9. Security & Data Protection

Technical and Organizational Measures

We implement comprehensive security measures to protect your information:

  • Encryption: Data encrypted in transit (TLS 1.3+) and at rest (AES-256)
  • Access controls: Multi-factor authentication and role-based access for staff
  • Network security: Firewalls, intrusion detection, and regular penetration testing
  • Data minimization: Collect and process only data necessary for stated purposes
  • Regular audits: Quarterly security reviews and annual third-party assessments
  • Incident response: 24/7 monitoring and documented response procedures
  • Staff training: Regular privacy and security training for all personnel

Payment Security

Payment data is secured through Stripe using industry-standard compliance frameworks including PCI DSS Level 1 certification. We do not store payment card information on our systems.

Data Breach Notification

In the event of a data breach affecting your personal information, we will:

  • Illinois residents (PIPA): Notify within 45 days of discovery, as required by Illinois Personal Information Protection Act
  • California residents (SB-1386): Notify without unreasonable delay for breaches of unencrypted personal information
  • EU/UK residents (GDPR): Notify supervisory authorities within 72 hours and individuals without undue delay if high risk
  • All users: Provide clear information about what happened, what information was involved, and steps we're taking

Privacy by Design

We follow privacy-by-design principles:

  • Proactive not reactive: Privacy measures built into system design from the start
  • Default settings: Highest privacy settings applied by default
  • Data minimization: Collect only what's necessary, delete when no longer needed
  • Transparency: Clear, understandable privacy notices and controls

10. Your Rights

Your privacy rights depend on your location and the applicable laws. We provide the following rights to all users, with additional protections where legally required:

Universal Rights (All Users)

  • Access, correct, update, or delete your data
  • Request data portability in commonly used formats
  • Withdraw consent for non-essential processing
  • Object to processing based on legitimate interests

Rights by Jurisdiction

Jurisdiction | Key Rights | How to Exercise
Illinois (BIPA) | Consent for biometrics, destruction timelines, written notice | Email privacy@railscanpro.com
California (CCPA/CPRA) | Right to know, delete, opt-out of sales, correct inaccuracies, limit sensitive data use | Email privacy@railscanpro.com or submit form on website
Virginia (VCDPA) | Access, correction, deletion, data portability, opt-out of targeted advertising | Email privacy@railscanpro.com
Colorado (CPA) | Access, correction, deletion, opt-out of profiling and targeted advertising | Email privacy@railscanpro.com
Connecticut (CTDPA) | Access, correction, deletion, data portability, opt-out of profiling | Email privacy@railscanpro.com
Texas (TDPSA) | Access, correction, deletion, opt-out of targeted advertising | Email privacy@railscanpro.com
EU/UK (GDPR) | Access, rectification, erasure, objection, portability, restrict processing | Contact DPO at privacy@railscanpro.com

Exercising Your Rights

  • Response Time: We respond to verified requests within 45 days (or as required by applicable law)
  • Verification: We may request additional information to verify your identity
  • Authorized Agents: California and other state residents may use authorized agents to submit requests
  • Appeals: If unsatisfied with our response, you may appeal or contact your local supervisory authority
  • No Discrimination: We will not discriminate against you for exercising your privacy rights

11. Cookies & Tracking

We use cookies and similar technologies to analyze usage and improve site performance. You can manage or disable cookies through your browser settings. Disabling cookies may impact certain features.

13. International Transfers

Your information may be transferred to and stored in the United States. Stripe is certified under the EU–U.S. Data Privacy Framework (DPF), the Swiss–U.S. DPF, and the UK Extension, and also relies on Standard Contractual Clauses (SCCs) for data transfers from the EU/UK/Switzerland. This provides legal safeguards for international data transfers.

14. Children's Privacy

Our Services are not directed to children under 18. If we become aware of personal data from someone under 18, we will promptly delete it.

15. Policy Updates & Reviews

Annual Privacy Reviews

We conduct comprehensive privacy reviews to ensure this Policy remains current and effective:

  • Annual policy review: Full assessment of privacy practices and legal compliance
  • Feature-triggered reviews: When adding new features (e.g., biometrics, AI capabilities)
  • Regulatory updates: Following new privacy laws or significant legal developments
  • Privacy Impact Assessments (PIAs): For high-risk processing activities under GDPR

Policy Changes

We may update this Privacy Policy to reflect:

  • Changes to our services or business practices
  • New legal requirements or regulatory guidance
  • Enhanced privacy protections or user controls
  • Feedback from users or privacy advocates

Change Notifications

When we make changes, we will:

  • Update this page: With a new "Last updated" date and change summary
  • Email notification: For material changes, sent at least 14 days before effective date
  • In-app notification: Prominent notice when you next use the Service
  • Opt-out opportunity: For significant changes affecting your rights, 30-day opt-out period

Your Consent

By continuing to use our Service after changes take effect, you consent to the updated Policy. If you disagree with changes, you may:

  • Contact us to discuss your concerns at privacy@railscanpro.com
  • Exercise your right to delete your account and data
  • Opt out of specific features affected by the changes (where applicable)

16. Contact Information

If you’d like to discuss this policy or your rights, contact:

  • Email: privacy@railscanpro.com
  • Postal Address:
    Winsit LLC
    Attn: Privacy Officer
    35W752 Parsons Rd, Dundee, IL 60118, USA