← LastdayLASTDAY

Lastday Privacy Policy

This Privacy Policy explains how 1001537887 Ontario Inc. operating as Lastday ("Lastday", "we", "us", or "our") collects, uses, stores, discloses, and deletes personal information when providing the Lastday platform at command.lastdayops.com and related services.

Lastday is a Canadian SaaS platform for trucking carriers. Lastday helps customers collect operational signals from email, SMS, uploads, reports, voice input, and connected systems, then turns those signals into issues for human review in Intake, Runbook, and Command.

This policy is written for PIPEDA, the Personal Information Protection and Electronic Documents Act. GDPR is not the operating privacy framework for Lastday at launch, but may become relevant if Lastday later processes personal information of individuals in the European Economic Area or United Kingdom.

1. Who We Are

Legal entity: 1001537887 Ontario Inc. operating as Lastday

Jurisdiction: Ontario, Canada

Production application: command.lastdayops.com

Marketing site: lastdayops.com

Privacy contact: jordan@lastdayops.com

2. Our Role

For customer operational data, Lastday generally acts as a processor or service provider. The customer, usually the trucking carrier, controls what operational signals are sent to Lastday and is responsible for its own lawful basis, consent, notices, and employment-related privacy obligations.

The customer generally acts as the controller of personal information in signals, issues, attachments, and operational records. Lastday processes that information only to provide the Lastday service, support the customer, secure the platform, comply with law, and enforce the applicable agreement.

For account administration, billing, support, security, and our own business records, Lastday may act as an accountable organization for information it collects directly from customer administrators and users.

3. Information We Collect

Lastday collects account information, tenant setup information, operational signals, issues, attachments, OAuth connector records, billing records, support records, usage records, and security logs.

Signals may include email bodies and headers, Gmail messages from connected accounts, SMS content, report-form text, browser speech transcripts, uploaded files, photos, QuickBooks signals, Motive signals, source references, timestamps, and source department metadata.

Issues may include titles, descriptions, domain, severity, confidence, owner, notes, actions, bleed estimates, Octavian analysis, event timelines, linked issues, attachments, sensitivity flags, unlock records, and resolution status.

OAuth connector records may include access tokens, refresh tokens, token expiry time, connected account identifiers, sync cursors, and provider-specific metadata. OAuth tokens are stored in Supabase backend tables and are not sent to the frontend.

Billing is handled through Stripe. Lastday may store Stripe customer IDs, subscription status, plan status, billing event records, and payment status. Stripe processes payment method information. Lastday does not store full credit card numbers.

Application logs must not contain raw signal content with personal information, passwords, API keys, session tokens, medical information, or fuel card numbers. Logs may contain event type, entity IDs, timestamps, performance metrics, processing status, and error records.

4. How We Use Information

Lastday uses information to provide Intake, Runbook, Command, report, onboarding, settings, billing, support, security, troubleshooting, and account administration.

Lastday also uses information to ingest signals from configured sources, process signals through Octavian, classify signals into operational domains, create issues and event trails, estimate operational bleed and severity, identify duplicates and related issues, detect resolutions and ghost patterns, generate briefs and proof packets, authenticate users, enforce tenant isolation, manage billing, and investigate incidents.

Lastday does not sell customer data. Lastday does not share customer data across tenants. Lastday does not train models on customer data. Lastday does not create cross-tenant analytics, shared embeddings, anonymized derivatives, or benchmarking datasets from customer data.

5. Octavian and AI Processing

Octavian is Lastday's AI layer. Octavian processes signals automatically after the HTTP response from an intake route. Octavian proposes, but humans decide.

Octavian uses three AI providers:

  • Anthropic Claude Sonnet 4.6 (claude-sonnet-4-6) for signal processing (Job 1) and as the fallback model for NIM jobs.
  • Anthropic Claude Opus 4.7 (claude-opus-4-7) for morning brief, proof chat, carrier maturity brief, monthly trend, and welcome brief (Jobs 4, 6, 11 and named Opus surfaces).
  • NVIDIA NIM Llama 3.3 70B (meta/llama-3.3-70b-instruct) for relation detection, ghost pattern detection, onboard research, market pressure digest, and match engine (Jobs 2, 5, 7, 9, 10), with Claude Sonnet fallback if unavailable.
  • Google Vertex AI (Gemini Flash and Gemini Pro) as the defensive fallback for Job 1 and Job 4 when the primary Anthropic provider is unavailable or rate-limited.
  • OpenAI text-embedding-3-small for embeddings used in vector similarity search.

AI outputs are labeled as Extracted, Inferred, or Unknown where applicable. Sensitive domains, including safety, compliance, finance, and people, do not route to Tier 1 regardless of confidence. Safety, compliance, finance, and people resolutions require human confirmation. Octavian may auto-resolve non-sensitive ops, maintenance, and customers issues only when a high-confidence resolution signal is detected.

AI providers process data in the United States. Customer data is not sent to AI providers for model training by Lastday.

5A. Public Carrier Data, Maturity Briefs, and Prospect Research

FMCSA public carrier safety data. Lastday collects publicly available carrier safety records from the United States Federal Motor Carrier Safety Administration (FMCSA), including fleet size, safety ratings, inspection history, crash data, and BASIC safety measurement scores. This data is public government data, not personal information. It is collected automatically when a carrier onboards using their company name and is stored as part of the tenant's research profile.

Carrier Maturity Brief. Lastday generates AI-assisted assessments of trust, operational health, and digital maturity using publicly available data and operational data within the platform. Assessments of the tenant's own operation are stored and accessible only to that tenant. External assessments of third-party carriers use only publicly available data.

Prospect research. Lastday may collect publicly available FMCSA carrier data for prospective customers prior to onboarding, for sales and research purposes. This data is not linked to any tenant account and contains only public government records. Prospect records are deleted once a tenant is created for the same carrier.

Accessorial enrichment. When an email signal indicates detention or another accessorial event, Lastday cross-references against connected QuickBooks data to identify unbilled charges. The cross-reference result is stored within the tenant's issue records and is never disclosed to other tenants.

Outbound email events. Lastday receives delivery status, bounce, and complaint notifications from our email provider (Resend) to maintain email deliverability and respect unsubscribe requests. These events are stored in the tenant's event log.

AI-generated content disclaimer. Carrier Maturity Briefs, morning briefs, proof chat narratives, and other AI-generated content are produced by AI models and may contain errors, omissions, or inaccuracies. They are for internal operational awareness only and should not be relied upon for legal, compliance, insurance, underwriting, or regulatory decisions. Users are responsible for independently verifying AI outputs before acting on them.

6. Where Information Is Stored and Processed

All customer data is stored in Supabase Canada Central, ca-central-1. No alternative storage location is permitted without explicit founder approval per Constitution §0.

The production application runs at command.lastdayops.com on Vercel. Application requests and serverless execution may involve infrastructure outside Canada.

AI processing crosses the Canadian border to United States providers when Lastday sends signal text, extracted attachment text, issue summaries, or embedding input to Anthropic, NVIDIA, or OpenAI for the limited processing described in this policy and in the customer agreement.

Billing processing through Stripe, email processing through Resend and Google, and communications processing through Twilio if enabled may occur in the United States.

7. Subprocessors

Lastday uses subprocessors listed in 13_SUBPROCESSOR_LIST.md, including Anthropic, NVIDIA, OpenAI, Supabase, Vercel, Stripe, Resend, Google, and Twilio.

We update the public subprocessor list when we add or materially change a subprocessor. Customer objection rights are described in 13_SUBPROCESSOR_LIST.md and the Data Processing Agreement.

8. Retention

The working retention schedule is:

  • Signals: tenant configurable, default 12 months.
  • Issues: lifetime of the account plus 30 days, unless earlier deleted on account termination.
  • Event and audit trail records: lifetime of the account plus 90 days for compliance, unless earlier deleted on account termination.
  • User account data: 30 days after account deletion.
  • OAuth tokens: deleted immediately on disconnect or tenant deletion.
  • AI usage records: 90 days.
  • Supabase automatic backups: 7-day rolling retention, subject to Supabase plan configuration.

On customer account termination, all tenant data is deleted within 60 days, subject to backup aging and any legally required records that do not contain customer operational content.

Retention numbers in this policy are aligned with 03_TRUST_AND_COMPLIANCE.md, 11_DPA.md, and 16_DATA_RETENTION.md: 12 months default signal retention, 60 days termination deletion window.

9. Access, Correction, Export, and Deletion

Customers can request export or deletion of their tenant data by contacting Lastday. Individuals whose information appears in a customer's signals should generally contact their employer or the relevant trucking carrier first, because the customer controls what operational information is submitted to Lastday.

Lastday will assist customers with access, correction, export, and deletion requests within 30 days, unless a shorter period is required by law or a longer period is permitted because the request is complex, incomplete, or legally restricted.

10. Cookies

command.lastdayops.com uses cookies and similar browser storage for Supabase authentication sessions, OAuth state and security cookies that expire after approximately 10 minutes, CSRF, login, and application security purposes.

Lastday does not currently use advertising cookies or analytics cookies on command.lastdayops.com.

The marketing site at lastdayops.com is not yet fully deployed. If analytics cookies are added to lastdayops.com, Lastday will update this policy and the Cookie Policy before using them.

11. Security

Lastday uses technical and organizational safeguards appropriate to the sensitivity of the information, including Supabase Row Level Security, tenant_id scoping, TLS, encryption at rest through Supabase-managed infrastructure, Supabase Auth, backend-only OAuth token storage, Vercel environment variables for secrets, logging restrictions, sensitivity gate controls, and production guards on development endpoints.

No security system is perfect. If we discover a security incident, we will investigate, contain, document, and notify as described below.

12. Breach Notification

Under PIPEDA, Lastday will assess breaches of security safeguards to determine whether they create a real risk of significant harm. If a breach creates a real risk of significant harm, Lastday will report to the Office of the Privacy Commissioner of Canada and notify affected individuals as soon as feasible, unless prohibited by law.

Lastday will notify affected customers without undue delay and target notification within 72 hours after confirming a security incident involving customer personal information.

Lastday keeps records of breaches as required by PIPEDA.

13. Children's Information

Lastday is a B2B platform for trucking operations and is not intended for children. Customers must not intentionally submit information about children unless they have a lawful basis and the information is operationally necessary.

14. Changes to This Policy

Lastday may update this policy from time to time. If we make material changes, we will provide notice through the application, by email, or by another reasonable method.

15. Contact

Jordan Layden

1001537887 Ontario Inc. operating as Lastday

Ontario, Canada

jordan@lastdayops.com

Change Log

Version 1.2. April 20, 2026. Jordan Layden. Governance Wave 5 reconciliation. Header pin sweep: Constitution cite bumped to v3.14, Trust & Compliance cite bumped to v2.8. Voice exemption clause added after the header citing §25.3(a) which authorizes this document to use "platform", "AI", "dashboard" as legal/technical terms of art. No substantive legal language changed; DRAFT status preserved.

Version 1.3. April 24, 2026. Claude Code. Doc reconciliation Wave 3. AI processing section updated to reflect live model versions: Claude Sonnet 4 now cited as Sonnet 4.6 (claude-sonnet-4-6), Claude Opus 4 now cited as Opus 4.7 (claude-opus-4-7), NIM Llama 3.1 70B now cited as Llama 3.3 70B (meta/llama-3.3-70b-instruct) per the Wave 1 Constitution v3.15 migration driven by NVIDIA AI Enterprise Lifecycle Policy Llama 3.1 End of Life notice. Google Vertex AI (Gemini Flash / Gemini Pro) added explicitly as the defensive fallback for Jobs 1 and 4. Header pin sweep: Constitution cite bumped to v3.20, Trust & Compliance cite bumped to v2.10. No substantive legal language changed; DRAFT status preserved.