Privacy Policy

Effective Date: 26 May 2026 Last Reviewed: 26 May 2026

1. Who We Are

TrucklineMP is operated by Dainton Hunter Weighill, based in Great Britain, who acts as the data controller for personal data processed through this platform.

Privacy questions and rights requests: [email protected]
Security reports: [email protected]
General support: through the in-platform support system at /support

2. Scope

This policy covers personal data processed through:

the TrucklineMP web platform (trucklinemp.com and its subdomains, including beta.trucklinemp.com and id.trucklinemp.com);
the recruitment portal;
the support system and knowledge base;
VTC (Virtual Trucking Company) features, including events;
the developer / OAuth-app and API features;
the TrucklineMP mobile application;
email correspondence sent to or received from @trucklinemp.com addresses.

It does not cover the in-game multiplayer service itself or third-party services you choose to connect (Steam, Discord, Google, YouTube, Twitch), each of which has its own privacy policy.

3. Data We Collect

3.1 Account and profile

account ID, username, handle, display name;
profile avatar (a URL to either a third-party CDN — Steam / Discord — or a file you upload to our storage; see section 9);
optional profile links you choose to add (e.g. social or VTC links);
account creation date, last seen, and onboarding status.

3.2 Authentication, sessions, and security

session tokens, session expiry, login IP address, user agent;
two-factor authentication status and (when enabled) an encrypted TOTP secret;
security and audit logs (login attempts, role changes, admin actions, ban/appeal records);
request metadata used for rate limiting and abuse prevention.

3.3 Connected accounts (OAuth providers)

When you choose to connect an external account, we receive and store the minimum identifiers needed to keep the link in place: provider ID (e.g. Steam ID, Discord ID, Google subject ID, YouTube channel ID, Twitch user ID), a display name or avatar URL where the provider returns one, and an OAuth access/refresh token bound to your account.

We do not pull data from connected providers beyond what each integration needs to function (e.g. we do not read your Discord DMs, YouTube watch history, or Google contacts).

3.4 Recruitment

application submissions, answers to position questions, scorecards, and interview slots;
staff-side notes, reviewer assignments, and audit events tied to your application;
any messages exchanged with our team in the context of an application.

3.5 VTC (Virtual Trucking Companies)

VTC profile, member roster, role assignments, and audit events;
linked Discord guild ID and guild name, where a VTC owner verifies their server;
events you create or attend, attendance records, and event moderation history.

3.6 Support

support tickets, replies, attachments, internal notes (visible to staff only), CSAT survey responses, and the metadata the system records about each ticket (status, priority, SLA, escalation level, assignee).

3.7 Developer / API

API tokens you generate, scopes assigned to those tokens, and last-used metadata;
OAuth applications you register (name, redirect URIs, scopes), client IDs and hashed client secrets, and authorizations granted to each app;
webhooks you configure (URL, secret, subscribed events) and recent delivery logs;
devlog entries you publish.

3.8 Notifications

notification preferences;
in-app notifications generated for you;
where ops have configured a Discord webhook target, the contents of certain notifications (e.g. a new public ticket reply, a recruitment status change) may also be sent to that Discord webhook. See section 9.5.

3.9 Analytics

See section 8.

3.10 What we do not collect

We do not collect government IDs, payment cards, biometrics, health data, or any other GDPR Article 9 special categories.
We do not collect precise (city- or address-level) geolocation. Country/region only.
We do not fingerprint your device.

4. What We Do Not Do

We do not sell personal data for monetary or other valuable consideration.
We do not share personal data for cross-context behavioral advertising.
We do not run advertising, retargeting, or third-party ad networks.
We do not profile you or make automated decisions that produce legal or similarly significant effects. (Our profile-picture moderation is the only automated decision we make, it is limited to a safety check, and it is reviewable by a human — see section 9.)
We do not use any third-party analytics, tag managers, or marketing pixels.

This statement is provided in language that maps onto CCPA/CPRA "no sale, no share" disclosures and the equivalent provisions of the Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, Oregon OCPA, Montana CDPA, Iowa ICDPA, and Florida FDBR.

5. How We Collect Data

We collect data:

directly from you when you register, submit forms, upload content, or contact us;
automatically during use (session and security logs, support and audit events, server-derived analytics fields);
from third-party providers you choose to connect (e.g. Steam returns your Steam ID and avatar URL when you sign in);
from the URL of inbound links (UTM parameters such as utm_source, utm_medium, utm_campaign, utm_content, utm_term) so we can measure which external partners and campaigns are sending traffic to us. UTM data is captured by our self-hosted analytics only; it is not sent back to the partner.

6. Legal Bases (UK / EU GDPR)

Contract — to provide the account, VTC, recruitment, support, and developer features you actively use.
Legitimate interests — to secure the platform, prevent abuse, run first-party aggregate analytics, moderate user-uploaded content, route operational notifications, and run the service reliably. We have documented a legitimate-interest assessment for each of these purposes.
Legal obligation — where required by law (e.g. responding to lawful authority requests, retaining limited records for fraud or abuse defense).
Consent — for clearly optional features that require it (e.g. opt-in marketing, if and when offered). At present we run no marketing communications.

You can withdraw consent at any time for any consent-based processing. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

7. Cookies and Storage

We use a small number of strictly necessary cookies for core functionality. We do not use any optional, analytics, advertising, or tracking cookies. We do not read or write to localStorage, sessionStorage, or IndexedDB for tracking purposes.

The cookies we set or that may appear on our domains:

better-auth.session_token (or __Secure-better-auth.session_token in secure contexts) — keeps you signed in.
queue_id — identifies your queue position while queue protection is active.
maintenance_bypass — used only when staff bypass is enabled during maintenance.
__cf_bm (Cloudflare bot management) — set by Cloudflare to distinguish humans from bots; expires within 30 minutes of inactivity. This is a strictly necessary security cookie.

Because all of the above are strictly necessary for the service you have requested, no cookie consent banner is shown. See /cookie for full details.

8. Analytics (TinyTracker)

We run a self-hosted, first-party, cookieless analytics service called TinyTracker. The browser-facing endpoints are served same-origin from trucklinemp.com (the script at /js/tt and event collection at /api/event); both are server-side proxies to our TinyTracker instance at analytics.trucklinemp.com, which runs on infrastructure we own and operate. There are no third parties involved, no advertising integrations, no data brokers, and no analytics data leaves our servers.

What the browser sends

the site domain (always trucklinemp.com);
the current page path and query string (e.g. /jobs/1234?ref=indeed);
the HTTP referrer (the page you came from), if any;
the browser viewport width in pixels;
UTM campaign parameters from the URL: utm_source, utm_medium, utm_campaign, utm_content, utm_term.

What our server derives from request headers

Without storing the underlying headers, our server derives:

your country and region as two-letter ISO codes, from edge/proxy geolocation (city-level geolocation is disabled);
your browser name and major version, operating system name and version, and device category (desktop / mobile / tablet), parsed from the User-Agent string.

What is used transiently and never stored

Your IP address is used only:

to enforce per-minute rate limits, held in an in-memory cache for 60 seconds; and
as one input to a daily-rotating salted SHA-256 hash that produces an opaque 32-character session identifier.

The IP address itself is never written to disk. The hash salt rotates at UTC midnight every day, so the same visitor cannot be re-identified across days by design.

What is stored durably

We store the fields above (browser-sent and server-derived), the daily session identifier, and a UTC timestamp, in our analytics database. Records are automatically deleted after 24 months by a database TTL.

What is never collected by analytics

No cookies, localStorage, sessionStorage, or IndexedDB.
No device fingerprinting (no canvas, fonts, audio context, or similar).
No mouse, keyboard, scroll, or form-content tracking.
No cross-site or cross-device identifiers.
No automated decision-making and no advertising profiles.

Legal basis and how to opt out

We rely on legitimate interests under UK / EU GDPR Art. 6(1)(f). The script automatically becomes a no-op when your browser sends:

the Do Not Track header (DNT: 1); or
the Global Privacy Control signal (Sec-GPC: 1).

When either signal is present, no analytics request is made. You can also object to this processing at any time at [email protected].

9. Service Providers and Recipients

We use a small number of service providers ("processors" under GDPR, "service providers" under CCPA/CPRA) to operate the platform. Each acts on our written instructions, handles data only for the purposes we set, and is contractually prohibited from using personal data for their own purposes. Where required, we rely on the UK International Data Transfer Addendum, the EU Standard Contractual Clauses, or applicable adequacy decisions.

Provider	Role	Data they process	Where
SummerHosting	Hosting / compute	All platform data on our servers	UK / EU
Cloudflare R2	Object storage for uploaded profile pictures	The image bytes you upload, plus a moderation log row	Region: EU (configured)
Cloudflare Email Routing	Inbound and outbound email	Email content sent to or from `@trucklinemp.com` addresses	Global Cloudflare network
Cloudflare Turnstile	CAPTCHA / bot challenge on forms	Challenge token, request metadata; no PII tied to your account	Global Cloudflare network
Cloudflare CDN / WAF	Edge delivery, DDoS protection, bot management (`__cf_bm` cookie)	IP, request metadata, TLS metadata	Global Cloudflare network
OpenAI	Automated NSFW / safety moderation of profile-picture uploads (see 9.4)	The image bytes of an uploaded profile picture, processed once per upload	United States
Sentry (planned)	Application error monitoring	Stack traces, request URLs, sanitized request metadata, occasional logged-in user ID	Region: EU (configured at deploy time)

We do not use any other third-party analytics, marketing, advertising, attribution, or behavioral-tracking services.

9.1 Connected-account OAuth providers

When you link an external account, that provider receives an authentication request from us and returns identifiers and tokens. The supported providers are Steam, Discord, Google, YouTube, and Twitch. We send these providers nothing about you beyond what each OAuth flow requires; they each have their own privacy policy and you should read it before connecting.

9.2 Steam first-party login

Account registration is currently Steam-first. When you sign in with Steam, we receive your Steam ID and public avatar URL. We do not see your Steam password, library, friends, or game time except where the OpenID extension we use exposes it.

9.3 Profile picture storage

Profile pictures you upload are stored as opaque object keys in Cloudflare R2 in our chosen region. We retain the most recent version while your account is active. If you delete your account, your uploaded profile pictures are deleted from R2.

9.4 Profile picture moderation (automated decision)

Before a profile picture is published, the image bytes are submitted once to OpenAI's moderation endpoint to check for content categories such as sexual content involving minors, graphic violence, and hate imagery. The verdict (clean / blocked / pending review) is recorded in our database alongside category scores and a copy of the image; the OpenAI API call returns immediately and we do not store anything OpenAI-side beyond what their service retains under their API terms (which, under their default API terms at the time of publication, do not train on API inputs).

This is the only automated decision we make about you. It is narrow (image safety only), it does not produce legal effects, and it is reviewable: blocked or held images are queued for human staff review, you are notified of the outcome, and you can contact [email protected] to challenge a decision or request human re-review.

9.5 Discord webhook notifications

Where we or a server administrator have configured a Discord webhook target for a particular scope (a department, a recruitment position, a specific ticket, or globally), certain operational notifications may be posted to that Discord webhook. The contents are limited to what the notification needs (e.g. "new ticket reply on ticket #1234", or "candidate moved to interview stage"). Once a payload is posted to a Discord webhook, it leaves our infrastructure and is governed by Discord's privacy policy. Discord is acting as a separate controller for the data in its messaging product.

9.6 Legal authorities

We may disclose data to law enforcement, regulators, or other authorities where we are legally required to or where we believe in good faith that disclosure is necessary to prevent imminent harm. Where lawful, we will tell you about such requests.

9.7 No other recipients

We do not share personal data with any other third parties. If we ever add a new recipient — for example, if we add Sentry to live deployments, or migrate email — we will update this list before the change goes live and bump the Last Reviewed date at the top.

10. International Transfers

Most processing happens in the UK / EU. The exceptions are:

OpenAI (United States) — image bytes for profile-picture moderation. Transferred under Standard Contractual Clauses and the UK IDTA.
Cloudflare — globally distributed edge. Cloudflare relies on a combination of adequacy where available and Standard Contractual Clauses elsewhere.
Sentry (when deployed) — configured for the EU region; cross-border access for Sentry support staff is governed by Standard Contractual Clauses.
OAuth providers you choose to connect (Steam, Discord, Google, YouTube, Twitch) operate globally; their transfers are governed by their own policies.

We do not transfer analytics data internationally; analytics is fully self-hosted.

11. Retention

Data	Retention
Account and profile	While your account is active
Sessions and login history	90 days from last activity
Two-factor secrets	While you have 2FA enabled
Recruitment applications	Duration of the recruitment process plus a reasonable defense period
Support tickets	Active ticket lifetime + closure period for dispute defense
Audit logs and moderation records	Up to 7 years where needed for safety, fraud, or legal defense
Profile pictures	Latest version while account is active; deleted on account deletion
Profile-picture moderation logs	24 months
Analytics events (TinyTracker)	24 months, then auto-deleted by database TTL
Discord webhook delivery logs	30 days
Sentry events (when deployed)	90 days

On account deletion, we remove or anonymize data where possible, subject to legal, security, and platform-integrity exceptions (for example, ban records and audit logs may be retained for safety and abuse prevention).

12. Your Rights — UK and EU

Under UK GDPR and EU GDPR, you may have the right to:

access the personal data we hold about you;
correct inaccurate data;
request deletion;
restrict or object to certain processing (including a standalone right to object to processing based on legitimate interests, such as our analytics or PFP moderation);
request data portability for data you provided to us;
withdraw consent for any consent-based processing;
not be subject to a decision based solely on automated processing that has legal or similarly significant effects (we do not make such decisions).

To exercise any right, email [email protected]. We respond within one month and may extend by a further two months for complex requests, telling you why.

You also have the right to complain to the UK Information Commissioner's Office (ICO) at https://ico.org.uk/ and, where applicable, your EU supervisory authority.

13. Your Rights — United States

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Florida, or another US state with applicable privacy law, you may have the right to:

know what personal information we have collected and the categories of sources and recipients;
access and obtain a portable copy of that information;
correct inaccurate information;
delete personal information, subject to listed exceptions;
opt out of sale or sharing for cross-context behavioral advertising — we do neither, so there is nothing to opt out of;
limit use of sensitive personal information — we do not use sensitive PI for any inferring or profiling purpose;
not be discriminated against for exercising your rights.

We honor the Global Privacy Control (Sec-GPC: 1) browser signal as an opt-out preference signal. Our analytics script respects it as a no-op, and we do not engage in any sale or sharing that would otherwise be triggered.

To exercise these rights, email [email protected]. We will verify the request via your account credentials or, where you request as a non-account-holder, through reasonable identity-confirmation steps. We will not charge you a fee for the first request in any 12-month period and will not deny goods or services for exercising a right.

You may also designate an authorized agent to make a request on your behalf; we will require written authorization or proof of power of attorney.

14. Children's Privacy

TrucklineMP is not directed at children under 13 and is not intended for children under 13 to use. Steam itself sets a minimum age of 13.

If you are under 13, do not use TrucklineMP and do not provide any personal information to us. If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will delete the account and the data as soon as practicable.

If you are a parent or guardian and you believe a child under 13 has provided us with personal information, please contact [email protected] and we will act promptly.

If you are between 13 and 18 (or the age of majority in your jurisdiction), please use TrucklineMP only with a parent or guardian's permission, and read the Notice to Parents and Information for Young Players pages for guidance.

This policy is intended to align with the Children's Online Privacy Protection Act (COPPA) in the United States and with the UK Information Commissioner's Office Age-Appropriate Design Code.

15. Security

We apply reasonable technical and organizational measures, including:

TLS for all network traffic;
session-bound and IP-bound rate limits, plus CAPTCHA challenges on sensitive actions;
two-factor authentication (offered to all users, required for staff);
per-feature permission checks and audit logging for staff actions;
secret-rotation for daily analytics salts and signing secrets;
isolation of profile-picture moderation logs from publicly visible profile data.

No system is risk-free. To report a vulnerability: [email protected].

16. Beta and Pre-Launch

Some features are offered in beta or under a beta NDA. Beta participation is opt-in and may involve additional logging needed to debug new features. Once a feature exits beta, additional logging is removed.

17. Updates

We may update this policy as the platform evolves. Material changes will be communicated in-product or by email to active users. The Effective Date at the top is updated when changes are published; the Last Reviewed date is updated whenever we re-confirm the policy without changes.

18. Contact

Privacy and rights requests: [email protected]
Security reports: [email protected]
Postal: Dainton Hunter Weighill, Great Britain (postal address available on request to [email protected])

Changes in This Version

Replaced Google Analytics with self-hosted, cookieless first-party analytics (TinyTracker) and removed the analytics consent flow.
Added full inventory of third-party recipients including Cloudflare (R2, Email, Turnstile, CDN/WAF), OpenAI (PFP moderation), Sentry (when deployed), and the OAuth providers Steam, Discord, Google, YouTube, and Twitch.
Added a dedicated section on profile-picture moderation as an automated decision, with the right to human re-review.
Added a dedicated section on Discord webhook notifications.
Expanded the data inventory to cover VTC features, recruitment, support, the developer / OAuth-app system, the mobile app, and beta participation.
Added a per-data-class retention table, including 24-month analytics retention.
Expanded US state privacy section to cover the named newer state laws and the Global Privacy Control signal.
Bumped effective and last-reviewed dates to 26 May 2026.