PRIVACY POLICY

TruckDelay Evidence — iOS App

Apple App Store privacy notice for the TruckDelay Evidence iOS / iPadOS application.

Field

Value

Document

TruckDelay Evidence — Privacy Policy

Application

TruckDelay Evidence (iOS / iPadOS)

Issuing controller

ML Consulting MB · legal entity code 306991112

Version

1.0

Effective from

20 May 2026

Last updated

20 May 2026

Privacy contact

support+truckdelay@mlconsulting.lt

Lead supervisory authority

Valstybinė duomenų apsaugos inspekcija (VDAI), Vilnius

Distribution

Apple App Store

User profile

Business User (B2B) — haulage & drayage operators

Read together with the TruckDelay Evidence Terms and Conditions (Master Terms + Schedule A) published by ML Consulting MB.

AT A GLANCE

What you should know in 60 seconds.

→ We do not sell your personal data and we never will.

→ TruckDelay Evidence is local-first where the design allows: many records and captured files stay on your device, inside Apple's iOS sandbox.

→ We do not run advertising in the App, and we do not embed third-party advertising or tracking SDKs. The App is declared “Data Not Used to Track You” in the App Store.

→ Subscriptions are sold under a written Order Form (Direct Channel). Where any Apple App Store In-App Purchase is offered, Apple is the merchant of record and we never see your payment-card data.

→ Location is captured event-based only — at the moment of an evidentiary action you initiate. The App does not perform continuous GPS tracking.

→ Optional AI-assisted helpers are off by default, opt-in by a Workspace admin, never autonomous, and never used to train any third-party model with your inputs.

→ You can exercise the full set of EU GDPR rights at any time by writing to support+truckdelay@mlconsulting.lt.

→ Our lead supervisory authority is the Lithuanian State Data Protection Inspectorate (VDAI) in Vilnius.

→ TruckDelay Evidence is intended for business users only (B2B).

1. About this Privacy Policy

ML Consulting MB (“ML Consulting”, “we”, “us”, “our”) is the publisher of the TruckDelay Evidence iOS / iPadOS application (the “App”), distributed through the Apple App Store. This Privacy Policy explains what personal data we and the App process when you download, install, sign in to, subscribe to or use the App, why we process it, the legal bases on which we rely, with whom we share it, for how long we keep it, and the rights you have under the GDPR and other applicable privacy laws.

This Policy is written to satisfy Articles 12 to 14 of Regulation (EU) 2016/679 (the “GDPR”) and the Lithuanian Law on Legal Protection of Personal Data of the Republic of Lithuania, which implements the GDPR in Lithuania. It is also designed to be consistent with the App Privacy details (the App Store privacy “nutrition label”) published on the TruckDelay Evidence App Store listing.

TruckDelay Evidence is enterprise software intended for business users (B2B) sold under a written Order Form. This Policy should be read together with the TruckDelay Evidence Terms and Conditions (Master Terms + Schedule A) and, where ML Consulting acts as processor, the Master Data Processing Agreement (“Master DPA”) concluded with the Workspace Owner.

2. Controller identification

We are the data controller for the processing described as “we act as controller” in section 4 of this Policy. Our identification details are set out below.

Field

Value

Legal name

ML Consulting MB

Legal form

Mažoji bendrija (small partnership) governed by the law of the Republic of Lithuania

Legal entity code

306991112 (Centre of Registers of the Republic of Lithuania)

Website

https://mlconsulting.lt

Privacy contact

support+truckdelay@mlconsulting.lt

ML Consulting MB has not designated a Data Protection Officer because its current processing does not meet the criteria in Article 37(1) GDPR. The privacy contact above handles all data-protection enquiries. If our processing activities change such that a DPO becomes mandatory, we will appoint one and publish their contact details in this Policy.

Our lead supervisory authority for the purposes of the GDPR’s one-stop-shop mechanism (Article 56 GDPR) is the Lithuanian State Data Protection Inspectorate — Valstybinė duomenų apsaugos inspekcija (“VDAI”) — at L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania, telephone +370 5 271 2804, email ada@ada.lt, website vdai.lrv.lt.

3. Scope of this Policy

This Privacy Policy applies to:

■ the TruckDelay Evidence iOS / iPadOS application published by ML Consulting MB on the Apple App Store;

■ user accounts, workspaces, subscriptions, trials, pilots, onboarding sessions, support channels, billing operations and authentication services that we operate in connection with the App;

■ the App’s landing pages, help articles and documentation hosted on mlconsulting.lt that describe TruckDelay Evidence; and

■ email, in-application and other communications you exchange with us about the App.

Where Apple Inc. or its subsidiaries, Google LLC or its subsidiaries, or any other independent third party processes personal data on its own account in connection with the App — for example, the Apple App Store, Sign in with Apple, iCloud / CloudKit, Sign in with Google, or a payment-card network — that party acts as a separate controller and its own privacy policy applies in addition to this Policy.

4. Our two privacy roles — controller and processor

4.1 We act as controller

We determine the purposes and means of processing for the following categories, which is why this Policy applies to them directly:

■ account and authentication data we collect to identify you and operate your user account;

■ device, technical, telemetry and security-event data the App generates during normal use;

■ communications and support correspondence about the App;

■ billing and payment data we collect from directly-invoiced customers (the Direct Channel);

■ Apple App Store transaction metadata for any App Store In-App Purchase that we may offer.

4.2 We act as processor

TruckDelay Evidence operates on a workspace model. The business customer (the “Workspace Owner”) uses the App to manage information about its own drivers, dispatchers, admins, finance users, customers, ports, depots and other counterparties. For that Customer Data — including Driver Personal Data within the meaning of Schedule A of the Terms and Conditions — the Workspace Owner is the controller and ML Consulting acts as a processor under the Master DPA, which meets the requirements of Article 28 GDPR.

In that role we process Customer Data only on the documented instructions of the Workspace Owner, except where we are required to act otherwise by EU or Lithuanian law. If you are a driver, dispatcher, admin, finance user, customer, supplier or other individual whose personal data has been uploaded to TruckDelay Evidence by your employer, principal or commercial counterparty, that organisation is the controller and you should approach it first with any data-protection request. We will redirect any request we receive on its behalf without undue delay (see section 17.4).

5. Apple App Store and iOS platform context

Because the App is delivered through the Apple App Store and runs on Apple’s iOS / iPadOS platform, several aspects of how your personal data is handled are inherited from Apple’s platform. This section makes the most relevant ones explicit.

5.1 App Privacy details on the App Store

Apple requires every application on the App Store to publish a structured summary of the data the application collects (the “App Privacy details”, commonly described as the App Store privacy “nutrition label”). The App Privacy details for TruckDelay Evidence are kept consistent with this Policy and you can review them on the App Store listing before installing the App.

5.2 App Tracking Transparency

TruckDelay Evidence does not track you across other companies’ applications and websites within the meaning of Apple’s App Tracking Transparency framework. We do not request the App Tracking Transparency permission and we do not use the iOS Identifier for Advertisers (IDFA). The App’s App Store declaration is set to “Data Not Used to Track You”.

5.3 Privacy Manifest

TruckDelay Evidence ships an Apple-required Privacy Manifest (the PrivacyInfo.xcprivacy file) declaring the data categories the App collects, the reasons for any use of “required reason” iOS APIs and the third-party SDKs the App depends on. The Privacy Manifest is the machine-readable counterpart of this Policy.

5.4 iOS sandbox and Data Protection

On-device application data is held inside the iOS application sandbox and benefits from Apple’s default Data Protection (typically the “Complete Until First User Authentication” class), which encrypts that data at rest using a key derived from your device passcode. Where the App needs to retain a small secret value (for example, a session token), we use Apple’s Keychain Services rather than handling secrets ourselves.

5.5 Sign in with Apple and Sign in with Google

Where the App offers third-party sign-in options, Sign in with Apple is offered in line with Apple’s App Store Review Guidelines § 4.8. When you choose Sign in with Apple, Apple supplies us with a stable Apple Account identifier and either your real email address or an Apple-generated relay address (“Hide My Email”). When you choose Sign in with Google, Google supplies us with a verified email address and a stable Google Account identifier. We never receive your Apple Account or Google Account password.

5.6 Direct Channel billing and any App Store In-App Purchases

TruckDelay Evidence is primarily sold via the Direct Channel — billing by ML Consulting under a written or electronic Order Form. Where ML Consulting separately offers any feature through an App Store In-App Purchase or auto-renewable subscription, the purchase is sold and billed by Apple through the App Store using StoreKit. The seller of record for users in the European Economic Area, the United Kingdom and Switzerland is Apple Distribution International Limited (Hollyhill Industrial Estate, Hollyhill, Cork T23 YK84, Ireland); for users in other regions, the seller of record is the Apple legal entity designated by Apple for that region. We never receive your payment-card data. We receive only the outcome of the purchase — your subscription tier, the entitlement state and renewal events — through StoreKit.

5.7 iCloud / CloudKit and on-device frameworks

TruckDelay Evidence may offer optional iCloud / CloudKit storage of your private application data. iCloud is opt-in at the operating-system level and is governed by Apple’s own iCloud terms and privacy policy in addition to this Policy. The App uses only the Apple frameworks needed for its features (for example, AVFoundation for camera and audio input, Apple Vision for on-device text recognition / OCR, AuthenticationServices for sign-in, Core Location for event-based location capture, UNUserNotificationCenter for local notifications, SwiftData and the Keychain for local persistence).

5.8 App Privacy Report

iOS 15.2 and later provide an in-operating-system App Privacy Report (Settings → Privacy & Security → App Privacy Report) that lets you inspect, for any installed application, the sensors, data categories and network domains the App has accessed. TruckDelay Evidence is designed so that this report shows minimal activity — primarily Apple iCloud and Apple App Store domains, the ML Consulting service endpoints and any feature you have explicitly invoked.

6. Key terms used in this Policy

■ Personal data — any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.

■ Processing — any operation performed on personal data, including collection, recording, organisation, storage, use, disclosure and erasure.

■ Controller — the person who determines the purposes and means of processing.

■ Processor — a person who processes personal data on behalf of a controller.

■ Workspace Owner — the business customer (typically a haulage, drayage or road-transport operator) that uses TruckDelay Evidence to manage information about its drivers, dispatchers, customers, ports, depots and other counterparties.

■ Customer Data — all data submitted by, or generated for, the Workspace Owner through the App, including delay events, evidence attachments, Claim Packs, Terms Snapshots, Customer Scorecards, exports and audit logs.

■ Driver Personal Data — personal data relating to a driver processed through the App, including identification and contact data, work-time records, event-based location data, photographs, voice notes and any file in which the driver is identifiable.

■ Sub-processor — a third-party service provider that processes personal data on our behalf or that supports a feature of the App.

■ Event-Based Location — location data captured only in connection with a user-initiated or system-linked delay event, evidence submission, or related operational record — not continuous GPS tracking.

■ On-device — data stored or processed locally on the user’s iPhone or iPad inside the iOS application sandbox; it does not leave the device unless this Policy says otherwise.

■ EEA — the European Economic Area, comprising the EU Member States, Iceland, Liechtenstein and Norway.

■ VDAI — Valstybinė duomenų apsaugos inspekcija, the Lithuanian State Data Protection Inspectorate, our lead supervisory authority.

7. Personal data we process

We collect only the data we reasonably need to operate, secure, support and improve the App. The categories below describe what TruckDelay Evidence processes; not every workspace or user account will involve every category.

Category

Examples and notes

Account and authentication data

Name, email address, account identifier, authentication method (Sign in with Apple, Sign in with Google, or email-and-password), Apple-issued relay address where you used “Hide My Email”, organisation / workspace membership, role (driver, dispatcher, admin, finance) and permissions. Where password authentication is used, we store salted password hashes only — never plaintext passwords.

Device, technical and telemetry data

IP address (typically truncated for analytics), device model and operating-system version, App version, language and timezone, pseudonymised interaction events (screens viewed, features used, retention metrics), crash reports, performance traces and security-relevant events such as failed log-ins.

Communications and support data

The content and metadata of any email, support ticket, in-application help message, demo request, onboarding call note or other correspondence with us, including any attachments you choose to send.

Billing and payment data (Direct Channel customers)

For Workspace Owners invoiced directly by ML Consulting: invoicing entity name, registered address, VAT identifier, signatory contact, Order Form record (Plan, term, fees, truck / seat / block limits), payment-status data, bank-transfer reference and the last four digits of the payment card where card payment is used. We do not store full payment-card numbers.

Apple App Store transaction metadata (if any IAP is offered)

Where any App Store In-App Purchase is offered for a feature: the Apple-issued purchase identifier, the subscription tier, the entitlement state and renewal events. The contract for the purchase is concluded between you and Apple; we do not receive your Apple Account password, your full payment-card details or any other Apple-side billing information.

Customer Data and operational records

Job references, customer / location details (port, depot, warehouse, customer site), timestamps, reason codes, notes, evidence attachments, review history, claim amounts, claim status, watermarked Claim Pack PDFs, Terms Snapshots, Customer Scorecards, CSV exports and append-only audit logs. This data is governed by the Master DPA with the Workspace Owner (see section 4.2).

Driver Personal Data

Driver identification and contact data, work-time records captured through delay events, event-based location data, photographs, optional voice notes, the timestamp of each driver’s acknowledgment of the workspace’s driver privacy notice, and any other personal data captured as evidence in which the driver is identifiable. See section 11.

Camera, photo, microphone and on-device file data

Where you use evidence capture, OCR or document-scan features, captured frames and audio are processed in memory by Apple Vision and AVFoundation on your device. Stills, scans and voice notes are saved only when you (or the App’s explicit capture workflow) save them. Camera, photo-library and microphone access are controlled by the iOS permission prompt and may be revoked at any time in iOS Settings.

Event-Based Location data

Location is captured only at the moment of an evidentiary action you initiate — for example, when you record a delay event or attach evidence to one. The App does not perform continuous background GPS tracking and does not provide a fleet-tracking telematics function (clause A4 of Schedule A).

Notification preferences and tokens

Cadence toggles for any local or push notifications offered by the App; iOS notification permission state. Where push notifications are used, the device-level push token is processed by Apple Push Notification service.

Application-generated data

Outputs of computational features (waiting-time calculations, claim-readiness scores, missing-evidence warnings, stale-PDF detection, repeated-issue detection, customer-leakage rankings, summaries, alerts and archives), model-version markers and computed-at timestamps.

AI helper inputs and outputs

Where a Workspace admin has explicitly enabled an opt-in AI-assisted helper (for example, delay-event summary drafts, follow-up email drafts, note structuring, monthly summary), the prompts, selected records and generated text or structured notes associated with the helper. See section 14.

7.1 Special categories of personal data

TruckDelay Evidence is not designed to collect special categories of personal data within the meaning of Article 9 GDPR (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation). You must not upload special-category data to the App unless it is strictly necessary for your lawful use of the App and you have a valid lawful basis under Article 9(2) GDPR. The Workspace Owner is responsible for that lawful basis.

7.2 What we do not collect

To remove ambiguity, TruckDelay Evidence does not collect:

■ the contents of your contacts, calendar or photo library beyond the images, scans or audio records you actively capture or attach;

■ behavioural-advertising identifiers; we do not run advertising, do not use the IDFA and do not share data with advertising networks;

■ analytics, attribution or crash-reporting data through any third-party SDK that has not been disclosed in this Policy and in the App Privacy details on the App Store listing;

■ continuous GPS or background-location data; location capture is event-based only.

8. How we collect personal data

We collect personal data in three ways:

1. Directly from you — when you create an account, complete a form, install or use the App, upload a file, capture a photograph, record a voice note, generate a Claim Pack or export, contact support or subscribe to a communication.

2. Automatically through your use of the App — when the App generates technical, telemetry, security or computational data necessary to deliver, secure or improve the service.

3. From third parties — when Apple supplies us with the result of Sign in with Apple or with App Store transaction metadata, when Google supplies us with the result of Sign in with Google, when a Workspace administrator invites you to the App, when a payment provider confirms a payment, or when an authority lawfully provides information in connection with a regulatory matter.

9. Why we process personal data and our legal bases

For each processing activity we rely on a lawful basis under Article 6(1) GDPR. The table below sets them out for the categories of processing covered by this Policy.

GDPR ref.

Provide and operate the App, including authentication, accounts, workspaces, evidence capture, Claim Pack generation, audit history, exports and reviews.

Account and authentication data; device, technical and telemetry data; Customer Data and operational records; Driver Personal Data (as processor).

Performance of a contract with you (or pre-contractual steps at your request).

Art. 6(1)(b)

Process payments and manage billing for Direct-Channel customers; comply with statutory accounting and tax retention.

Billing and payment data; account data.

Performance of a contract; compliance with a legal obligation under Lithuanian accounting and tax law.

Art. 6(1)(b); Art. 6(1)(c)

Operate Apple App Store entitlements via StoreKit (where any IAP is offered).

Apple App Store transaction metadata; account data.

Performance of a contract.

Art. 6(1)(b)

Camera, photo, microphone, OCR and document-scan features (evidence capture).

Camera and microphone input (in memory); captured stills, scans and voice notes (only when you save them).

Performance of a contract; consent for camera, photo-library and microphone access via the iOS prompt.

Art. 6(1)(b); Art. 6(1)(a)

Event-based location capture for evidentiary actions.

Event-Based Location data captured at the moment of an evidentiary action.

Performance of a contract with the Workspace Owner; consent via the iOS “When In Use” location prompt.

Art. 6(1)(b); Art. 6(1)(a)

Local and push notifications, cadence toggles and digests.

Notification preferences and tokens; application-generated alerts.

Consent (granted via the iOS prompt and in-app toggles).

Art. 6(1)(a)

Optional iCloud / CloudKit storage of private application data across the user’s Apple devices.

On-device application data; Customer Data (where applicable).

Performance of a contract; consent — you control iCloud at the operating-system level.

Art. 6(1)(b); Art. 6(1)(a)

Secure the App; prevent fraud, abuse, evidence tampering and unauthorised access.

Authentication data; device, technical and telemetry data; security-relevant events; append-only audit logs.

Legitimate interests in protecting the integrity, availability and confidentiality of the App and the evidentiary integrity of Claim Packs.

Art. 6(1)(f)

Improve the App; conduct privacy-respecting product analytics.

Pseudonymised telemetry; aggregated usage statistics.

Legitimate interests in understanding how the App is used. Where required, consent.

Art. 6(1)(f); Art. 6(1)(a)

Provide customer support and respond to enquiries.

Communications and support data; account data.

Performance of a contract; legitimate interests for general or pre-contractual enquiries.

Art. 6(1)(b); Art. 6(1)(f)

Respond to data-subject requests and operate the GDPR rights workflow.

All categories relevant to the request.

Compliance with a legal obligation under the GDPR.

Art. 6(1)(c); Arts. 12 to 22

Send service messages (security, billing, material change notices).

Account data; communications data.

Performance of a contract.

Art. 6(1)(b)

Operate optional AI-assisted helpers (where enabled by a Workspace admin).

Prompts, selected records and generated outputs.

Performance of a contract; consent (admin enablement).

Art. 6(1)(b); Art. 6(1)(a)

Defend or pursue legal claims.

Data relevant to the claim.

Legitimate interests in establishing, exercising or defending legal claims.

Art. 6(1)(f)

Comply with legal, regulatory and tax obligations and respond to lawful requests.

Data required by law (typically account, billing, audit and security logs).

Compliance with a legal obligation.

Art. 6(1)(c); Art. 23

Where we rely on legitimate interests under Article 6(1)(f) GDPR, we have carried out and documented a balancing assessment that concluded our interests are not overridden by your fundamental rights and freedoms. Where we rely on consent under Article 6(1)(a) GDPR, you may withdraw it at any time without affecting the lawfulness of processing carried out before the withdrawal — through iOS Settings, the relevant in-app toggle, the unsubscribe link in any marketing email or by writing to us.

10. On-device processing, local storage and iCloud sync

TruckDelay Evidence is designed to operate primarily on the user’s device. Local data may include in-flight delay events, captured photographs and scans, voice notes, drafts, cached files, diagnostics, notification tokens and preferences. If you delete the App without first using its in-app export or deletion tools, the operating system will remove the locally held data; workspace-level records held on our servers or in the Workspace Owner’s iCloud / CloudKit container may persist where they exist.

Where the App offers iCloud / CloudKit storage of your private application data, this is opt-in at the operating-system level and is governed by Apple’s iCloud terms and privacy policy in addition to this Policy. ML Consulting does not receive your Apple Account password and does not access iCloud data outside the App’s own private database.

11. Workspace Owners, drivers and invited users

TruckDelay Evidence is operated on a workspace model. The Workspace Owner’s administrator may invite drivers, dispatchers, admins and finance users, assign roles, view activity inside the workspace, export records, freeze Claim Packs and configure retention. The administrator is responsible for ensuring that invited users receive an appropriate privacy notice and that the organisation has a valid lawful basis for processing the personal data of its drivers, employees, contractors, customers, ports, depots and other counterparties.

For these features we act as processor of Customer Data (including Driver Personal Data) on behalf of the Workspace Owner under the Master DPA. Workspace Owners must rely on their own privacy notice for the substantive obligation under Articles 13 to 14 GDPR; this Policy applies in addition to that notice in respect of data we process as controller (account, telemetry, support, billing and similar data).

11.1 Worker monitoring under Article 88 GDPR

Because driver evidence capture and event-based location processing constitute employee monitoring in many EU jurisdictions, the Workspace Owner is responsible — under clause A8 of Schedule A of the Terms and Conditions — for satisfying the worker-monitoring obligations of the country where the driver normally works, including any required works-council or co-determination consultation under the law of that EU Member State.

Before granting any driver access to TruckDelay Evidence, the Workspace Owner must (i) provide each driver with a privacy notice meeting Articles 13 to 14 GDPR and the national worker-information rules implementing Article 88 GDPR; (ii) obtain the driver’s acknowledgment of that notice (the App records the timestamp); (iii) consult the works council, employee representatives or trade union where required; and (iv) establish and document an appropriate lawful basis under Article 6(1) GDPR. The App is designed for event-based evidence capture rather than continuous surveillance; no continuous GPS tracking is performed.

12. Recipients of personal data

We share personal data only with the categories of recipients listed below, and only to the extent necessary for the purpose. We do not sell personal data, and we do not “share” personal data for cross-context behavioural advertising as that term is defined under California law.

Recipient category

Purpose

Status

Apple Inc. and Apple Distribution International Limited

App Store distribution, App Store In-App Purchases via StoreKit (where offered), Sign in with Apple, iCloud / CloudKit storage where used, App Privacy Report and related Apple platform services.

Independent controller for App Store-side processing; sub-processor for iCloud / CloudKit storage of application data.

Google LLC and Google Ireland Limited

Sign in with Google, where you choose that authentication method.

Independent controller for the authentication-side processing.

Cloud hosting, database and object-storage providers

Operate accounts, workspaces, evidence files, Claim Packs, audit logs, backups, exports and service infrastructure where not held on-device.

Sub-processors under written terms.

Email-delivery and support providers

Send service messages, password resets, support replies and (where applicable) onboarding communications.

Sub-processors under written terms.

Analytics, monitoring and crash-reporting providers

Privacy-respecting product analytics, performance monitoring and bug diagnostics; pseudonymised where feasible.

Sub-processors under written terms; where required, used only after consent.

Payment and invoicing providers (Direct Channel)

Process payments, invoices, refunds, taxes and reconciliation for directly-invoiced Workspace Owners.

Independent controllers or sub-processors, depending on the provider.

AI text / language-model providers (only if a Workspace admin enables AI helpers)

Provide opt-in AI-assisted drafting, summary, OCR-formatting or translation features. Customer-identifying free text and third-party personal data are redacted before transmission where Schedule A requires redaction. Inputs and outputs are not used to train any third-party model.

Sub-processors under written terms.

Professional advisers (lawyers, accountants, auditors, insurers)

Legal, tax, audit, insurance and compliance advice on a need-to-know basis.

Independent controllers under their own duties of confidence.

Authorities, courts and regulators

Where we are required by law, court order or a binding regulatory request, including the Lithuanian State Data Protection Inspectorate (VDAI) and the Lithuanian State Tax Inspectorate (VMI) where applicable.

Independent controllers acting under their statutory powers.

Successor entity

In the context of a merger, acquisition, restructuring or sale of assets, subject to confidentiality safeguards and to the buyer continuing to honour the commitments in this Policy.

Independent controller after the transaction closes.

A current list of our sub-processors, together with the country in which each provider operates, is published at mlconsulting.lt/legal/sub-processors and is updated when the list changes. Each sub-processor we engage is bound by a written contract that imposes the data-protection obligations required by Article 28 GDPR (or, where ML Consulting is the controller, equivalent contractual safeguards).

13. International data transfers

ML Consulting MB is established in Lithuania and aims to keep personal data within the European Economic Area by default. Some of our sub-processors and the global infrastructure of Apple Inc. and Google LLC may process data in the United States or other regions where they operate.

Where personal data is transferred outside the EEA or the United Kingdom to a country that has not been the subject of an adequacy decision under Article 45 GDPR, we rely on one or more of the safeguards required by Chapter V GDPR, in particular:

■ European Commission adequacy decisions, including the EU-US Data Privacy Framework where the recipient is certified under it;

■ the European Commission’s Standard Contractual Clauses (Module Two — controller to processor — and Module Three — processor to sub-processor — as applicable), with the UK International Data Transfer Addendum or the UK International Data Transfer Agreement for transfers from the United Kingdom;

■ additional technical measures including TLS 1.2 or higher for data in transit and encryption at rest, as well as contractual and organisational measures appropriate to the risk; and

■ any other lawful transfer mechanism under Articles 46 to 49 GDPR.

14. Automated decision-making and AI features

14.1 No solely-automated decisions with legal or similarly significant effects

We do not subject you to decisions producing legal effects concerning you or similarly significantly affecting you that are based solely on automated processing within the meaning of Article 22 GDPR. Where any aspect of a decision affecting you is informed by automated logic, a human is meaningfully involved in the outcome.

14.2 AI-assisted features in TruckDelay Evidence

TruckDelay Evidence may offer optional AI-assisted helpers — for example, delay-event summary drafts, customer follow-up email drafts, OCR helpers, note structuring, monthly summaries and translation. These features are governed by four principles: they are off by default and are activated only when an admin of the Workspace Owner explicitly enables them in Settings; they are assistive only and never autonomous; they never auto-write legally significant or status-bearing values into Claim Packs, scorecards or audit history; and the user must review, edit or reject the output before it is finalised in any record, communication, claim pack, audit pack, customer-facing output or evidentiary document.

14.3 Rules-first features

Rules-based features — missing-evidence warnings, claim-readiness checks, stale-PDF detection, repeated-issue detection, customer-leakage rankings and follow-up reminders — operate without third-party AI providers and run on data within the Workspace Owner’s tenancy. They are operational controls only and do not replace legal, contractual, finance or management review.

14.4 Third-party model providers

Where an AI helper relies on a third-party language-model provider, the provider acts as our sub-processor under a written agreement that prohibits the use of inputs or outputs to train any third-party model. We minimise the data we send, redact customer-identifying free text and third-party personal data where the helper supports redaction, and disclose the provider in our sub-processor list.

14.5 EU AI Act readiness

We design and operate AI helpers to be compatible with applicable obligations under Regulation (EU) 2024/1689 (the Artificial Intelligence Act), including transparency, logging and human-oversight requirements appropriate to the risk classification of the relevant feature. None of our current AI helpers is, or is held out as, a high-risk AI system within the meaning of Annex III of the AI Act.

15. How long we keep personal data

We keep personal data only for as long as we need it for the purpose for which it was collected, or as required by applicable law. The retention periods below are indicative; the actual period for any item of personal data is the longest of the periods that apply to the purposes for which we use it.

Category

Retention period

Trigger for deletion or anonymisation

Account and authentication data

Lifetime of the account; in any case deleted or anonymised within 24 months of complete inactivity, save where statutory retention applies.

Account deletion, 24-month inactivity sweep or end of statutory retention.

On-device application data

Held on your device for as long as you keep it; included in iCloud Backup if you have it enabled. Removed by the operating system on application deletion.

You delete the data, the App or your account.

Telemetry and service-operation data

Pseudonymised at collection where feasible; retained in identifiable form for a maximum of 13 months; aggregated or anonymised data may be retained indefinitely.

Time-based deletion or aggregation.

Communications and support data

Up to 24 months from the close of the last related correspondence; longer where the matter relates to a complaint, dispute, regulatory request or legal claim, until the matter is resolved plus the applicable limitation period.

Time-based deletion or matter closure.

Billing, accounting and tax records

Up to 10 years from the end of the relevant accounting period, in line with the Lithuanian Law on Financial Accounting and the Lithuanian Law on Tax Administration.

Expiry of the statutory retention period.

Apple App Store transaction metadata (if any IAP is offered)

For the lifetime of the entitlement plus the period required to handle refunds, disputes and statutory accounting; aligned with the billing-records period above.

Expiry of the statutory retention period.

Customer Data and Driver Personal Data within workspaces (we are processor)

Governed by the Master DPA: a 30-day data-export window in read-only mode after termination, followed by deletion or anonymisation within a further 60 days, save for records the Workspace Owner is required by law to retain.

Termination of the customer agreement, plus the period set in the Master DPA.

Append-only evidence audit history

Default 36 months from creation (configurable in the Workspace settings under clause A5.3 of Schedule A), preserved through capture, edit, status change, snapshot freeze, export and claim-send events.

Workspace retention setting or end of contract.

Security and platform audit logs

Up to 24 months, or longer where necessary for security, fraud-prevention or legal-claim purposes.

Time-based deletion.

Backups

Standard backup-rotation cycles (typically up to 30 days). Backups are not used to restore deleted accounts and are themselves overwritten on the rotation cycle.

Backup-rotation cycle.

16. Security and personal-data breaches

16.1 Article 32 measures

We implement and maintain appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, alteration or disclosure, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk to your rights and freedoms (Article 32 GDPR). For TruckDelay Evidence specifically, these measures include time-bounded signed URLs (with a default time-to-live of fifteen minutes) for evidence file access, watermarking of Claim Packs and audit-trail blocks, frozen Terms Snapshots at freeze time, and an append-only audit history that records capture, edit, status change, snapshot freeze, export and claim-send events.

16.2 Notification of personal-data breaches

If we become aware of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours after becoming aware of the breach (Article 33 GDPR). Where the breach is likely to result in a high risk, we will notify the affected data subjects without undue delay (Article 34 GDPR). Where ML Consulting is acting as processor on behalf of a Workspace Owner, we will notify the Workspace Owner without undue delay in accordance with Article 33(2) GDPR and the Master DPA.

16.3 Reporting a suspected breach to us

If you suspect a security incident or unauthorised access affecting your account or any personal data we hold, please notify us at support+truckdelay@mlconsulting.lt without undue delay. Provide as much detail as you can; do not include passwords or other secrets in the email.

17. Your rights as a data subject

Subject to the conditions set out in the GDPR, you have the rights below. These rights are not absolute and may be restricted by law.

Right of access (Article 15). Confirm whether we process personal data about you and obtain a copy together with the information set out in Article 15.

Right to rectification (Article 16). Have inaccurate personal data corrected and incomplete data completed.

Right to erasure (Article 17). Have personal data erased where the conditions in Article 17 apply, including where the data is no longer necessary or where you withdraw consent and there is no other legal basis. The App also offers an in-app “Delete account” control.

Right to restriction of processing (Article 18). Restrict our processing while we verify the accuracy of contested data, while we deal with an objection or in the other circumstances set out in Article 18.

Right to data portability (Article 20). Where processing is based on consent or contract performance and is carried out by automated means, receive the data you provided in a structured, commonly-used and machine-readable format. The App provides in-app CSV exports and Claim Pack PDFs.

Right to object (Article 21). Object to processing based on legitimate interests on grounds relating to your particular situation, and at any time to direct marketing.

Rights related to automated decision-making (Article 22). Not be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects, and obtain human intervention, express your point of view and contest the decision where the right applies. See section 14.

Right to withdraw consent (Article 7(3)). Where we rely on consent, withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

Right to lodge a complaint (Article 77). Complain to our lead supervisory authority — the VDAI in Vilnius — or to the supervisory authority of the EU Member State where you habitually reside, where you work or where the alleged infringement took place. We would, however, appreciate the opportunity to address your concern directly first.

17.1 How to exercise your rights

You can exercise the rights above by sending an email to support+truckdelay@mlconsulting.lt with the words “Privacy request — TruckDelay Evidence” in the subject line.

We will respond to verifiable requests without undue delay and in any event within one month of receipt under Article 12(3) GDPR. We may extend that period by up to a further two months for complex or numerous requests, in which case we will inform you of the extension and the reason within the first month. We may need to verify your identity (typically by asking you to authenticate to the relevant account or to provide proof of identity proportionate to the request and the data concerned). The service is free of charge unless your request is manifestly unfounded or excessive (Article 12(5) GDPR).

17.2 Workspace-controlled data

For Customer Data and Driver Personal Data that we process as processor on behalf of a Workspace Owner, please direct your request to the Workspace Owner first; if you cannot identify the Workspace Owner, contact us at support+truckdelay@mlconsulting.lt and we will redirect your request without undue delay.

18. Regional rights notices

18.1 United Kingdom

If you are in the United Kingdom, the UK General Data Protection Regulation and the UK Data Protection Act 2018 apply to processing within their territorial scope. The rights set out in section 17 apply equivalently. The UK supervisory authority is the Information Commissioner’s Office (ICO).

18.2 Switzerland

If you are in Switzerland, the Swiss Federal Act on Data Protection (revFADP) applies to processing within its territorial scope. The Swiss supervisory authority is the Federal Data Protection and Information Commissioner (FDPIC). Where we transfer data to Switzerland, we apply the Swiss addendum to the Standard Contractual Clauses where required.

18.3 California, United States

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA / CPRA”), gives you the right to (i) know the categories and specific pieces of personal information we collect, (ii) request deletion, (iii) request correction, (iv) limit the use and disclosure of sensitive personal information, and (v) opt out of any “sale” or “sharing” of personal information. We do not sell personal information and we do not “share” personal information for cross-context behavioural advertising. We will not discriminate against you for exercising any of these rights.

18.4 Other US states

Similar rights are available to residents of Colorado, Connecticut, Virginia, Utah, Texas and other US states with comprehensive privacy laws. To exercise any state-law right, write to support+truckdelay@mlconsulting.lt.

18.5 Global Privacy Control

On the App’s landing pages, we honour the Global Privacy Control signal where technically feasible, treating it as an objection to non-essential cookies and a request to opt out of any “sale” or “sharing” of personal information.

19. Children

TruckDelay Evidence is intended for business users (B2B) only and is not directed at children. We do not knowingly collect personal data from children below the age of digital consent applicable in their jurisdiction. Apple’s App Store age rating reflects the relevant minimum age for the App. If we become aware that we have collected personal data from a child without the appropriate authorisation, we will delete it without undue delay. If you are a parent or guardian and believe your child has provided personal data to us, please contact us at support+truckdelay@mlconsulting.lt.

20. Cookies and similar technologies

The TruckDelay Evidence iOS app does not use analytics, advertising, profiling or marketing cookies. The App uses on-device storage (the iOS application sandbox, the Keychain, SwiftData, UserDefaults and — where the Workspace admin enables it — a private iCloud / CloudKit container) to deliver its features. This is not “cookies” within the meaning of the ePrivacy Directive 2002/58/EC and is governed by this Policy rather than by this section. The App’s landing pages on mlconsulting.lt use only strictly-necessary cookies.

21. Communications

21.1 Service messages

We send transactional service messages (security alerts, billing notices, password resets, support replies, material change notices) on the basis of contract performance under Article 6(1)(b) GDPR. Service messages are not commercial marketing and cannot be opted out of without ceasing to use the App.

21.2 Direct marketing

Where we send commercial marketing emails about TruckDelay Evidence — product updates, launch announcements, educational materials or event invitations — we rely either on (i) your prior consent under Article 6(1)(a) GDPR and Article 13 of the ePrivacy Directive, or (ii) the “soft opt-in” under Article 13(2) of the ePrivacy Directive (existing customer relationship, similar products or services, with a clear opt-out at the point of collection and in every message). You may opt out at any time by clicking the unsubscribe link in any marketing email, by emailing support+truckdelay@mlconsulting.lt or by updating your preferences in your account where applicable.

22. Changes to this Policy

22.1 Routine updates

We may update this Policy from time to time, for example to reflect new features, regulatory developments, sub-processor changes or operational changes. The latest version is always published on the App’s App Store listing and at mlconsulting.lt/truckdelay/privacy.

22.2 Material changes

Where a change is material and adversely affects your rights or expectations, we will give reasonable advance notice — typically at least 30 days, unless a shorter period is required by law — by in-app notice and, where we have your email address, by email. Non-material changes (typographical fixes, clarifications, contact-detail updates, sub-processor list updates) take effect on posting.

22.3 Versioning

Each version of this Policy is dated and archived. The version in force at the time of the relevant processing governs that processing.

23. Contact us

For any question, request or complaint about this Policy or about how we process your personal data, please contact us using the details below.

Field

Value

Controller

ML Consulting MB

Address

Vilnius, Republic of Lithuania

Legal entity code

306991112

Privacy contact (email)

support+truckdelay@mlconsulting.lt

Website

https://mlconsulting.lt

Lead supervisory authority

Valstybinė duomenų apsaugos inspekcija (VDAI), L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania · +370 5 271 2804 · ada@ada.lt · vdai.lrv.lt

Document end · Version 1.0 · Effective 20 May 2026 · TruckDelay Evidence — Privacy Policy · © 2026 ML Consulting MB