# Privacy Policy — Load Nova

**Last updated:** April 29, 2026
**Effective date:** April 29, 2026

---

## 1. Who we are

Load Nova (the "**Extension**", "**Service**") is a Google Chrome browser extension developed and operated by:

**Frontier X Labs Technologies Inc.** ("**Frontier X Labs**", "**we**", "**us**", "**our**")
A corporation incorporated under the *Canada Business Corporations Act* (Corporation Number 1787444-8), with its registered office at 2-81 James Street, Ottawa, ON, Canada K1R 5M2, and extra-provincially registered in the Province of Ontario.

**Contact for all matters (privacy, support, legal, security):** support@loadnova.app
**Website:** https://www.loadnova.app

For the purposes of the Canadian *Personal Information Protection and Electronic Documents Act* ("**PIPEDA**") and applicable foreign privacy laws, Frontier X Labs is the **controller** of personal information processed through the Extension.

**PIPEDA Privacy Officer:** Andrii Karabutov, Director. Contact: support@loadnova.app.

### 1.1 Independence Notice

Load Nova is an independent product developed by Frontier X Labs Technologies Inc. We are not affiliated with, endorsed by, sponsored by, certified by, or otherwise associated with DAT, Truckstop, Google, or any other third-party platform that may operate alongside the Extension in your browser. All product names, logos, brands, and trademarks referenced anywhere in connection with the Service are the property of their respective owners. References to any third-party platform are for descriptive and compatibility purposes only and do not imply any partnership or endorsement.

## 2. Scope of this Policy

This Privacy Policy describes how we collect, use, disclose, and protect personal information when you install, access, or use the Extension and any related backend services operated at `api.loadnova.app` (collectively, the "**Service**"). It does not apply to third-party websites, services, or platforms (such as load boards, Google, Stripe, or Mapbox) that may be open in your browser while you use the Extension — those services are governed by their own privacy policies.

By installing or using the Extension, you acknowledge the practices described in this Policy. If you do not agree, do not install or use the Extension.

## 3. Information we collect

### 3.1 Information you provide

- **Account information** — your name, email address, company, role, and password hash (or Google sign-in identifier) when you create an account.
- **Subscription and billing information** — name, billing address, last four digits of payment card, and Stripe customer identifiers. Full card data is collected and stored by **Stripe, Inc.**; we never store full card numbers.
- **Driver, equipment, and dispatching data** — driver names, contact details, license plates, equipment, addresses, and notes that you enter into the Extension to manage your dispatch operations.
- **Email templates** — message templates that you create within the Extension for use in broker communications.
- **Feedback and support communications** — content of any messages you send to us.

### 3.2 Information collected automatically when you use the Extension

- **Authentication tokens** — a JWT issued by our backend and, when applicable, OAuth tokens issued by Google. The short-lived access JWT is held in `chrome.storage.session` (browser memory only); the long-lived refresh token, which must survive browser restarts for silent re-authentication, is stored in `chrome.storage.local` encrypted-at-rest with AES-GCM. See Section 10 for full details.
- **Load and route data** — when you actively click to save or process a load within the Extension on a third-party load board page, you instruct the Extension to read the visible load details (such as origin, destination, weight, rate, and posting metadata) from your browser session and send them to our backend for storage and route calculation. The Extension does not automatically scrape, harvest, or crawl any third-party page; data is read only at your explicit direction. You alone are responsible for your use of any third-party load board and for compliance with its terms of service.
- **Route geometry** — origin and destination addresses are sent to Mapbox for geocoding and to our backend for route calculation; the resulting polyline is stored in your local browser cache (IndexedDB) and on our backend.
- **Device and technical information** — browser version, extension version, operating system, locale, and approximate time-zone — used for service operation and diagnostics.
- **Diagnostic logs** — limited error and timing logs. Logging is **disabled by default in production builds**. Logs are scrubbed of authentication tokens, passwords, and sensitive identifiers before being recorded.

### 3.3 Information collected via Google Workspace integrations

If you connect a Google account, we request OAuth permission to access certain Gmail data so the Extension can display load-related email threads and let you reply to brokers from within the dispatch flow. Specifically, we use the following Google Workspace Gmail API scopes:

- `https://www.googleapis.com/auth/gmail.readonly` — read-only access to Gmail messages and metadata for the purpose of displaying load-related threads in the Extension and processing them to extract structured load and route information at your direction.
- `https://www.googleapis.com/auth/gmail.send` — sending email replies from the Extension to brokers and load-board contacts at your explicit direction.
- **Google profile basics** — name, email, and profile picture associated with the Google account you authorize.

We do **not** request access to modify, delete, archive, label, or otherwise alter messages in your Gmail account. The Extension cannot delete or modify your emails.

You can revoke our access at any time at https://myaccount.google.com/permissions.

### 3.4 AI-Assisted Email Processing

When you connect your Gmail account and enable AI-assisted email processing, our backend AI processing pipeline may process the content of incoming load-related emails on your behalf to extract structured load and route information. The processing pipeline operates as follows:

**(a) Retrieval.** Email content is retrieved from the Gmail API at your direction using your authorized OAuth tokens.

**(b) In-memory processing.** Email content is held transiently in memory and forwarded via encrypted HTTPS to a third-party Large Language Model ("**LLM**") provider for structured data extraction. We use commercial LLM APIs from leading providers — including but not limited to OpenAI, Anthropic, and Google — all operating from data centers located within the United States. We retain the discretion to change LLM providers from time to time among providers that meet the following commercial requirements:

- The provider does not use customer data submitted via API for training or improving its models;
- The provider retains data only for short-term abuse monitoring purposes (typically up to 30 days);
- The provider operates under SOC 2 Type II or equivalent security controls;
- The provider's processing occurs on servers located in the United States.

**(c) What is persisted by Frontier X Labs.** The original email body, subject lines, and attachments are **not** persisted by us. Only the following derived and metadata items are retained:

- Extracted load and route information (origin, destination, rate, equipment, timing, broker contact);
- Thread activation metadata (track ID, processing status, timestamp, email reference identifiers);
- Email templates that you explicitly create;
- Thread activation state, retained for up to seven (7) days and reset on each new incoming message in the thread.

**(d) Retention of derived data.** Extracted route and load information is retained as part of your dispatch board for the life of your account, plus the retention period described in Section 9. Even if you delete the original email from Gmail, derived structured data may remain in your Frontier X Labs dispatch board until you delete it from there or close your account.

**(e) User control.** You may disable AI-assisted email processing at any time in the Extension settings. You may delete derived load and route data individually within the Extension or by deleting your account.

**(f) Separate consent.** Where required by Google's API Services User Data Policy, we will request your separate, affirmative consent for AI-assisted email processing in addition to the OAuth authorization screen.

### 3.5 Information from third-party data sources

When you opt in to factoring-broker credit lookups or similar features, the Extension may query third-party data providers (such as RTS Pro) using tokens that you authorize. We do not store provider credentials beyond what is required to perform the lookups you initiate.

### 3.6 Information we do **not** collect

- We do not use third-party analytics, advertising trackers, or session replay tools in the Extension.
- We do not knowingly collect information from children under 16.
- We do not sell personal information, and we do not share personal information for cross-context behavioral advertising.

## 4. Google API Services User Data Policy — Limited Use

Load Nova's use and transfer to any other app of information received from Google APIs will adhere to the [Google API Services User Data Policy](https://developers.google.com/terms/api-services-user-data-policy), including the **Limited Use** requirements.

In particular:

1. We use Google user data **solely** to provide and improve the user-facing Gmail features described in Sections 3.3 and 3.4.
2. We **do not** transfer Google user data to third parties except: (a) to the LLM providers described in Section 3.4 strictly for the purpose of providing the user-facing features; (b) as necessary to comply with applicable law; or (c) as part of a merger, acquisition, or sale of assets with notice to users.
3. We **do not** use Google user data to serve advertisements.
4. We **do not** allow humans to read Google user data except: (a) with your affirmative agreement for specific messages; (b) where necessary for security purposes such as investigating abuse; (c) to comply with applicable law; or (d) where the data has been aggregated and anonymized and is used for internal operations.
5. Google user data is **not** used to train, develop, or improve generalized AI/ML models. The LLM providers we use process your data only at the time of your request and do not retain or use it for model training.

## 5. How we use information

We use the categories of personal information described above to:

- Provide, maintain, and operate the Extension and Service;
- Authenticate users and secure accounts;
- Calculate routes, manage trips, and synchronize dispatch state across your devices;
- Display and send Gmail messages within the Extension at your direction;
- Process and extract structured information from load-related emails (where AI-assisted processing is enabled);
- Process subscriptions, payments, refunds, and dunning communications via Stripe;
- Detect, investigate, and prevent fraud, abuse, and security incidents;
- Comply with applicable laws, regulations, and lawful requests;
- Communicate with you about service updates, support requests, and (with your separate consent where required) product news.

## 6. Legal basis for processing

We process personal information based on one or more of the following grounds: (a) performance of our agreement with you to provide the Service; (b) our legitimate interests in operating, securing, and improving the Service; (c) compliance with legal obligations applicable to us; or (d) your consent, where required by applicable law (including for the Gmail integration and AI-assisted email processing). You may withdraw your consent at any time without affecting the lawfulness of processing carried out before the withdrawal.

## 7. How we share information

We do **not** sell personal information. We share personal information only with the following categories of recipients, and only as necessary:

- **Service providers (sub-processors)** that operate parts of our infrastructure under contractual confidentiality and security obligations:
 - **Google LLC** — OAuth and Gmail Workspace APIs.
 - **Mapbox, Inc.** — geocoding, mapping, and routing.
 - **OpenWeather Ltd.** — weather data along routes.
 - **Stripe, Inc.** — subscription billing and payment processing.
 - **Cloud hosting provider** for the `api.loadnova.app` backend: Amazon Web Services or Google Cloud Platform, in United States regions.
 - **LLM API providers** — leading commercial LLM providers (including OpenAI, Anthropic, and Google), operating from United States data centers, as described in Section 3.4.
- **Professional advisers** — auditors, lawyers, and accountants under duties of confidentiality.
- **Government authorities and law enforcement**, where required by valid legal process and after appropriate review.
- **Successors in interest** — in connection with a merger, acquisition, reorganization, or sale of assets, with notice to affected users.

## 8. International data transfers and data location

Frontier X Labs is based in Canada. Personal information collected by the Service is processed and stored primarily in the **United States**. Specifically:

| Service / data | Location |
|---|---|
| Frontier X Labs backend (`api.loadnova.app`) | United States (AWS or Google Cloud, US regions) |
| Google services (Gmail API, OAuth) | United States and other regions where Google operates |
| Mapbox (geocoding, routing) | United States |
| OpenWeather (weather data) | United Kingdom |
| Stripe (payments) | United States and Ireland |
| LLM providers (transient processing) | United States |

By using the Service, you acknowledge and consent to the transfer and processing of your personal information in the United States and other jurisdictions outside your country of residence, which may have data protection laws that differ from those in your jurisdiction.

## 9. Retention

We retain personal information only for as long as is necessary to provide the Service and fulfil the purposes described in this Policy, and thereafter as required to comply with legal, accounting, or reporting obligations, to resolve disputes, and to enforce our agreements. Indicative retention periods:

| Category | Retention |
|---|---|
| Active account data | For the life of the account, plus up to 24 months after a deletion request |
| Authentication tokens (locally stored) | Until logout, account deletion, or token expiry |
| Gmail thread activation state on backend | Up to 7 days, reset on each new incoming message in the thread |
| Original Gmail message content (body, subject, attachments) | Not persisted by Frontier X Labs |
| Extracted load and route data derived from emails | For the life of the account, until you delete it or close your account |
| LLM provider-side data retention | Up to 30 days for abuse monitoring (managed by the LLM provider, not by us) |
| Billing records | Up to 7 years (Canada Revenue Agency / IRS requirements) |
| Diagnostic logs | Up to 30 days |

You may request earlier deletion as described in Section 11.

## 10. Security

We use technical and organizational safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction, including:

- TLS 1.2+ for all network traffic between the Extension and our backend, and between our backend and third-party providers;
- Authentication tokens are kept in `chrome.storage.session` (browser memory only) whenever the Chrome runtime supports it. The long-lived **refresh token**, which must persist across browser restarts to keep you signed in, is stored in `chrome.storage.local` **encrypted-at-rest with AES-GCM (256-bit)** using a key generated via the **Web Crypto API**; the key itself lives only in `chrome.storage.session` and is discarded when the browser session ends, so the persisted ciphertext is unreadable in any subsequent session and is replaced by a fresh re-authentication. We never write a plaintext authentication token to `chrome.storage.local`;
- Restricted access to production systems on a least-privilege basis;
- Continuous dependency vulnerability monitoring;
- Access logging and review on the backend;
- Incident response procedures.

No method of electronic transmission or storage is perfectly secure. If we become aware of a data breach affecting your personal information that creates a real risk of significant harm, we will notify you and the competent supervisory authorities (including the Office of the Privacy Commissioner of Canada) as required by applicable law and within applicable timelines.

## 11. Your rights

Depending on the laws applicable to you, you may have the following rights regarding your personal information:

- **Access** — obtain a copy of the personal information we hold about you.
- **Rectification** — correct inaccurate or incomplete information.
- **Erasure / deletion** — ask us to delete your personal information.
- **Restriction** — limit how we use your personal information.
- **Portability** — receive your information in a structured, machine-readable format.
- **Objection** — object to processing based on legitimate interests.
- **Withdrawal of consent** — withdraw consent for processing that relies on consent (e.g., Gmail integration, AI-assisted email processing, marketing emails).

To exercise any of these rights, email us at support@loadnova.app. We will respond within the timeframes required by applicable law (generally 30 days). We may need to verify your identity before acting on a request.

## 12. Children

The Extension is intended for use by professionals aged 18 or older. We do not knowingly collect personal information from individuals under 16. If you believe a child has provided us with personal information, please contact us at support@loadnova.app and we will delete it.

## 13. Cookies and local storage

The Extension itself does not set cookies. It uses:

- `chrome.storage.local` and `chrome.storage.session` to persist authentication state and user preferences;
- IndexedDB to cache route geometry and load snapshots locally;
- The browser's standard mechanism to remember which Google account you authorized.

You can clear all locally stored data by signing out of the Extension or by removing the Extension from Chrome.

Our backend may issue session cookies to authenticated browsers; these are strictly necessary for service operation.

## 14. Third-party services

The Extension may operate alongside third-party services in your browser session. Your use of any such service is governed by that service's own privacy policy and terms. Examples of services whose privacy policies you may wish to review:

- Google: https://policies.google.com/privacy
- Mapbox: https://www.mapbox.com/legal/privacy
- OpenWeather: https://openweather.co.uk/privacy-policy
- Stripe: https://stripe.com/privacy
- OpenAI: https://openai.com/policies/privacy-policy
- Anthropic: https://www.anthropic.com/legal/privacy

We do not endorse or assume responsibility for any third-party service.

## 15. Changes to this Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify users in-product (sidepanel banner) at least 14 days before the change takes effect, and we will update the "Last updated" date above. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

## 16. Contact us

Questions, requests, or complaints about this Privacy Policy or our practices may be directed to:

**Frontier X Labs Technologies Inc.**
2-81 James Street, Ottawa, ON, Canada K1R 5M2
Email: support@loadnova.app

**PIPEDA Privacy Officer:** Andrii Karabutov, Director.

If you are not satisfied with our response, you may have the right to lodge a complaint with the privacy regulator in your jurisdiction. Canadian residents may contact the Office of the Privacy Commissioner of Canada at https://www.priv.gc.ca/.