Privacy Policy
Effective Date: June 26, 2026 • Jurisdiction: State of Florida, USA
1 Introduction & Role Clarification
AMS serves motor carriers and their DERs as a C/TPA — a service provider that processes personal data on behalf of the Employer and under the Employer's authority. The Employer, as the entity that decides which drivers are enrolled and directs AMS's actions, is the data controller for purposes of applicable privacy law. AMS processes data only as instructed by the Employer and as required by federal DOT regulations.
This policy covers data collected through the FMCSA-ASSISTANT website (amstrainingportal.com), the DER portal, the admin dashboard, the enrollment flow, and any related API integrations.
2 What We Collect
From the Employer (company-level data):
- Company legal name and DBA (if applicable)
- USDOT number and MC number (if applicable)
- Federal Employer Identification Number (EIN) — collected at enrollment for IRS-compliant billing records
- DER name, title, email address, and phone number
- Billing contact name and email address
- Billing address (street, city, state, ZIP, country)
- Payment method details — processed and tokenized by Stripe; AMS does not store raw card numbers or bank account numbers
From or about Drivers (submitted by the Employer):
- Legal full name
- Date of birth
- Commercial Driver's License (CDL) number and issuing state
- CDL expiration date
- Hire date with the Employer
- Driver contact information (phone number and/or email), if voluntarily provided by the Employer for DER notification purposes
System and Platform Data:
- Login timestamps and session metadata for DER and admin accounts
- Audit logs of dashboard actions (driver additions, removals, draw initiations, outcome entries, Clearinghouse query submissions) — required for 49 CFR Part 382 recordkeeping
- IP address and browser/device type for security and fraud-prevention purposes
3 Categories of Data — DOT Drug & Alcohol Records
In connection with the administration of the federally mandated testing program, AMS may process and store the following highly sensitive records under 49 CFR §40.321:
- Random Selection Records: Draw date, draw period (e.g., Q1 2026), pool size, selection methodology, and the identity of selected drivers.
- Test Outcome Records: Whether a selected driver's test returned a negative, positive, adulterated, substituted, cancelled, or refused result, as reported by the Employer's DER into the platform.
- Violation Reports: Information submitted to the FMCSA Drug and Alcohol Clearinghouse on the Employer's behalf, including the nature and date of a reportable violation.
- Return-to-Duty Documentation: SAP referral confirmations and return-to-duty test outcomes logged by the DER.
- Clearinghouse Query Logs: Records of pre-employment and annual limited queries, and any full queries, conducted through the FMCSA Clearinghouse on the Employer's behalf.
These records are among the most sensitive categories of personal data maintained by AMS and are subject to the strict confidentiality requirements of 49 CFR §40.321. See Section 6 for disclosure rules.
4 How We Use the Data
AMS uses collected data only for the following purposes:
- Random Driver Selection: Running cryptographically secure random draws against the Employer's pool of enrolled drivers.
- DER Notifications: Generating and transmitting selection lists to the Employer's DER following each draw.
- MIS Reporting: Generating the annual DOT Management Information System (MIS) report data for the Employer's review and submission to FMCSA per 49 CFR §382.403.
- Clearinghouse Actions: Conducting pre-employment queries, annual limited queries, and (upon DER instruction) full queries and violation reports through the FMCSA Drug and Alcohol Clearinghouse — only where the Employer has executed a written C/TPA delegation.
- Renewal Billing: Calculating annual renewal invoices based on Employer enrollment date and applying charges through Stripe.
- Audit Compliance: Maintaining records to satisfy DOT recordkeeping requirements and to produce documentation in response to a lawful DOT audit or inspection.
- Platform Security: Detecting and preventing unauthorized access, fraud, and misuse of the platform.
AMS does not use driver data for advertising, marketing, behavioral profiling, or any purpose unrelated to the administration of the FMCSA testing program.
5 Legal Basis for Processing
AMS processes personal data under the following legal bases:
- Performance of Contract: Processing is necessary to fulfill the C/TPA services agreement with the Employer and to enable the Employer to comply with its legal obligations under 49 CFR Part 382.
- Legal Obligation: Federal law (49 CFR Parts 40 and 382) mandates that certain records be created, maintained, and made available upon request. Processing is required to satisfy these obligations.
- Legitimate Interests: Security logging and fraud prevention are carried out pursuant to AMS's legitimate interest in protecting the integrity of the platform and its users.
6 Who We Share Data With
AMS does not sell driver data. We do not use it for advertising. We do not share it with marketing partners or data brokers. Data is shared only as described below:
- FMCSA Drug and Alcohol Clearinghouse: Driver violation reports and query submissions are transmitted to the federal Clearinghouse only when required by 49 CFR §382.705 (violations) or when the Employer has designated AMS as its Clearinghouse C/TPA under 49 CFR §382.701(d) (queries).
- Subsequent Employers: Driver records are transferred to a subsequent employer's C/TPA or shared with a subsequent employer only with the driver's prior written consent, per 49 CFR §40.25 and §382.413.
- Substance Abuse Professionals (SAPs): Relevant test history is shared with a qualified SAP for return-to-duty evaluation, at the direction of the Employer's DER.
- DOT Agencies: Records are provided to FMCSA, NTSB, or other DOT modal agencies upon lawful request, audit, or court order.
- Stripe (Payment Processor): Billing contact information and payment method data are shared with Stripe for payment processing. Stripe never receives driver test data. Stripe's privacy practices are governed by Stripe's Privacy Policy.
- Supabase (Database Hosting): Employer and driver data is stored in Supabase-hosted PostgreSQL databases with encryption at rest. Supabase operates as a data sub-processor under its Data Processing Addendum.
- Cloudflare (Compute & CDN): Web traffic is routed through Cloudflare for performance and DDoS protection. TLS 1.2+ encryption is enforced in transit. Cloudflare may process transient request metadata (IP, headers) per its privacy practices.
7 Driver Rights
Drivers whose data is held by AMS on behalf of their employer have the following rights, which they may exercise by contacting AMS directly at support@amstrainingportal.com:
- Right to Access: A driver may request a copy of the records AMS holds about them (random selection history, test outcomes logged in the platform, Clearinghouse query logs).
- Right to Correct: A driver may request correction of demographic data (name, DOB, CDL number) if that data was submitted inaccurately by the Employer. AMS will notify the Employer of any correction request.
- Right to Transfer: A driver who has obtained new employment with a different motor carrier may request that their records be transferred to a new C/TPA, consistent with 49 CFR §40.25 and the written consent requirements of 49 CFR §382.413.
Note: Federal law (49 CFR §40.321) restricts certain disclosures regardless of individual requests. AMS cannot delete test result records during any applicable DOT retention period, as retention is a federal legal obligation, not a discretionary choice.
8 Data Retention
AMS retains records in accordance with the following schedule, applying the longer of the applicable DOT requirement or active enrollment plus one year:
| Record Type | Minimum Retention Period | Regulatory Basis |
|---|---|---|
| Negative drug/alcohol test results | 1 year | 49 CFR §382.401(b)(1) |
| Positive test results, refusals, adulterated/substituted results | 5 years minimum | 49 CFR §382.401(b)(2) |
| SAP evaluation records & return-to-duty tests | 5 years minimum | 49 CFR §382.401(b)(2) |
| Random selection documentation (draw records, pool size) | 2 years | 49 CFR §382.401(b)(3) |
| Annual MIS reports | 5 years | 49 CFR §382.403 |
| Clearinghouse query records | 3 years | 49 CFR §382.717 |
| Billing records | 7 years | IRS standard recordkeeping |
After the applicable retention period expires and there is no ongoing enrollment, active dispute, or audit hold, AMS will securely delete or anonymize the relevant records.
9 Security
AMS employs the following safeguards to protect employer and driver data:
- Encryption in Transit: All data transmitted to and from the AMS platform is encrypted using TLS 1.2 or higher.
- Encryption at Rest: All data stored in the Supabase database is encrypted at rest using AES-256.
- Row-Level Security (RLS): Database access policies enforce that each Employer account can access only its own records; cross-account data access is prevented at the database layer.
- Server-Side Credentials: Service-role database credentials and API keys are stored exclusively on the server side and are never exposed to the browser or frontend code.
- Access Logging: All significant platform actions — driver additions, removals, draw executions, Clearinghouse submissions, and admin operations — are logged with timestamps and user identifiers for audit purposes.
- Annual Security Review: AMS conducts an annual review of its security practices, access controls, and third-party service provider agreements.
No security system is impenetrable. AMS cannot guarantee that unauthorized access, hacking, or data loss will never occur. AMS maintains an incident response plan and will act promptly to contain and remediate any confirmed security incident.
10 Data Location
All Employer and driver data is stored and processed primarily in the United States. Specifically:
- Database records are hosted in Supabase data centers located in the United States.
- Web traffic may pass through Cloudflare edge nodes globally for performance and security purposes; Cloudflare edge processing is transient and governed by Cloudflare's data processing addendum.
AMS does not intentionally transfer driver or test-result data outside the United States.
11 Breach Notification
In the event of a security incident that AMS determines has resulted in, or is reasonably likely to result in, unauthorized access to or disclosure of driver personal data or test result records, AMS will:
- Notify the affected Employer's DER and billing contact within 72 hours of confirming the breach, by email to the addresses on file.
- Provide a description of the nature of the breach, the categories of data affected, the estimated number of records involved (if known), and the steps AMS has taken or plans to take to remediate the incident.
- Cooperate with the Employer in its own notification obligations under applicable state breach notification laws and DOT confidentiality requirements.
12 State Privacy Rights (CCPA / Florida / Texas)
To the extent that applicable state privacy laws — including the California Consumer Privacy Act (CCPA/CPRA), the Florida Digital Bill of Rights, or the Texas Data Privacy and Security Act — grant drivers rights with respect to their personal data, AMS will honor those rights consistent with its role as a service provider (under CCPA terminology) or data processor.
- The Employer is the "business" or controller under applicable state law and is responsible for honoring driver privacy rights requests directed to the Employer.
- AMS will assist the Employer in responding to verifiable driver rights requests to the extent technically feasible and permitted by federal DOT confidentiality requirements.
- AMS does not "sell" or "share" driver personal information for cross-context behavioral advertising as those terms are defined under CCPA/CPRA.
13 Age Restriction
FMCSA-ASSISTANT is intended exclusively for use by motor carriers and their designated representatives. Commercial Motor Vehicle drivers must be at least 21 years of age to operate in interstate commerce (49 CFR §391.11) and at least 18 for intrastate operations — in all cases well above the age of 18. AMS does not knowingly collect personal data from individuals under 18 years of age. If you believe a minor’s data has been submitted in error, contact support@amstrainingportal.com immediately.
14 Changes to This Privacy Policy
AMS may update this Privacy Policy from time to time. For material changes — including changes to data sharing practices, retention periods, or security controls — AMS will provide at least 30 days' advance notice via email to the billing contact on file and via an in-app notification. The updated policy will display the new effective date at the top of this page. Continued use of the platform after the effective date constitutes acceptance of the updated policy.
15 Contact
For privacy-related questions, data requests, or security concerns:
- Airport Medical Solutions, LLC
- 5203 NW 36th St, Miami Springs, FL 33166
- Email: support@amstrainingportal.com
For privacy-specific inquiries, email our compliance team at the same address with subject line “Privacy Request — FMCSA-ASSISTANT”.
For questions about how this privacy policy interacts with your obligations as an Employer under the Terms of Service, please review both documents together or contact us.