Scope

This policy applies to information collected via our website, mobile apps, APIs, and related services (the "Service"). It applies to vendors, customers, drivers, employees, contractors and visitors who interact with CTMS.

What We Collect

Information You Provide

• Account data: name, email, phone, password hash, business name.
• Billing & payment metadata: billing address and payment tokens (processing handled by third-party payment providers).
• Vendor/driver details: delivery zones, vehicle info, scheduling information.
• Content you upload: menus, logos and images.

Information Collected Automatically

We collect technical and usage data such as IP address, device/browser characteristics, pages visited, feature usage, and timestamps. We use cookies and similar technologies for analytics and essential site functionality.

How We Use It

• Deliver and improve the Service, features and reliability.
• Process orders, subscriptions and payments.
• Send administrative messages, support responses and security alerts.
• Analyze usage to optimize routing and performance.
• Prevent fraud and enforce our Terms of Service.

Sharing & Disclosure

We do not sell personal data. We may disclose personal data to:

• Service providers under contract (payment processors, hosting, analytics, email delivery).
• Partners for integrated features (e.g., mapping/routing providers).
• Affiliates or successors in connection with a business transaction (sale, merger, reorganization).
• Law enforcement, courts or regulators when required by law or to protect rights and safety.

Security

We implement administrative, technical, and physical safeguards to protect personal data. These measures include encryption in transit (TLS), access controls, and regular security reviews and testing.

Although we take reasonable steps to protect personal data, no system can be guaranteed completely secure. If you suspect a security incident or breach, please notify us immediately at privacy@ctms.example so we can investigate and remediate.

Breach Response & Notification

In the event of an actual or reasonably suspected security incident affecting personal data (a "Security Incident"), CTMS will take prompt steps to investigate, contain, and remediate the incident. Our incident response processes include:

• Immediate containment and mitigation to limit further unauthorized access.
• Forensic investigation to determine the scope and root cause.
• Notification to affected parties and regulators when required by applicable law, including providing information about the nature of the incident and the steps we have taken to address it.
• Remediation actions to prevent recurrence and to restore the integrity of affected systems.

Notification timelines and content will follow applicable legal requirements. We will not publicize Security Incidents in a manner that would impede law enforcement investigations or otherwise cause additional harm.

Security Limitations, Remedies & Allocation of Risk

While CTMS maintains reasonable and industry-standard security measures, you acknowledge that no technical or organizational measure can eliminate all risks. Therefore:

• CTMS does not warrant or guarantee that its security measures will prevent every unauthorized access, disclosure, or loss.
• To the maximum extent permitted by law, the exclusive remedies for Security Incidents are those expressly set forth in these policies and any governing agreement with CTMS.
• CTMS's liability for claims directly arising from a Security Incident will be subject to the limitations and caps set forth in the Limitation of Liability section of this policy.

Cooperation & Customer Responsibilities

Customers and users must promptly notify CTMS of suspected Security Incidents and cooperate with CTMS's investigation and remediation efforts. Customers are responsible for maintaining reasonable security practices within their own accounts (including password hygiene and access controls) and for securing any third-party integrations they configure.

Insurance & Mitigation

Where commercially reasonable, CTMS maintains cybersecurity insurance and other protections to help cover liabilities arising from certain security incidents. Insurance does not replace obligations to mitigate damages or to comply with notification requirements.

No Guarantee; Limitation of Remedies

CTMS provides the Service on an "as is" and "as available" basis and does not guarantee uninterrupted or error-free operation. Except where prohibited by applicable law, CTMS expressly disclaims all warranties, whether express or implied, including any implied warranties of merchantability, fitness for a particular purpose, or non-infringement.

Your Rights

Depending on your jurisdiction, you may have rights to access, correct, delete, restrict or port your personal data, and to withdraw consent where applicable. To exercise these rights contact us at privacy@ctms.example. We may require information to verify your identity.

Data Retention

We retain personal data for as long as necessary to provide the Service, comply with legal obligations, resolve disputes and enforce agreements. Where feasible we remove or anonymize personal data when it is no longer required.

Limitation of Liability

To the maximum extent permitted by applicable law, CTMS and its affiliates, officers, directors, employees, agents, suppliers and partners will not be liable for any indirect, incidental, consequential, special, punitive, or exemplary damages arising from your use of the Service, including loss of profits, loss of data, or loss of business opportunity.

Our aggregate liability for claims arising out of or relating to the Service will not exceed the amounts you paid to CTMS in the twelve (12) months preceding the claim, or one hundred U.S. dollars (USD $100), whichever is greater.

This limitation does not affect any liability that cannot be excluded or limited under applicable law (for example, liability for personal injury or death where such exclusions are not permitted).

Indemnification

You agree to indemnify, defend and hold harmless CTMS and its officers, directors, employees and agents from and against any claims, liabilities, damages, losses and expenses (including reasonable legal fees) arising out of or related to:

• Your use of the Service in violation of these policies;
• Your breach of any representation, warranty or obligation under these policies; or
• Your violation of any law or third-party rights.

Governing Law & Disputes

These policies and any disputes arising out of or related to them will be governed by the laws of the jurisdiction in which CTMS is organized, unless otherwise required by applicable local law.

If a dispute arises, we will first attempt to resolve it through good-faith negotiation. If negotiation does not resolve the dispute, the parties agree to resolve the dispute by binding arbitration in the governing jurisdiction, except where arbitration is prohibited by law.

Notwithstanding the above, either party may seek injunctive or other equitable relief in a court of competent jurisdiction where necessary to prevent irreparable harm or to protect intellectual property rights.

Data Processing & Subprocessors

Where CTMS processes personal data on behalf of customers (data controllers), we will act as a data processor under the relevant agreement and will enter into standard contractual terms or other lawful mechanisms where required. We maintain a list of subprocessors and will provide notice of material changes.

Third-Party Links

Our Service may link to third-party sites. We are not responsible for their content or privacy practices; please review their policies before sharing personal information.

Changes to this Policy

We may update this policy. If changes are material we will provide notice (email or a prominent notice on the Service). Continued use after changes indicates acceptance.

Contact

If you have questions, requests or concerns about this policy, contact the Data Protection Team at privacy@ctms.example.