Skip to content
Legal

Privacy Policy

Last Updated: 2026-06-04

This policy explains what data the CollisionLoop and FleetLoop services (together, the “Services”) collect, how we use it, who we share it with, and the rights you have over it. It covers both the shops that subscribe to the Services and the customers and renters whose data those shops upload to the Services.

About this policy

The Services are operated by WeaveHub Technologies LLC, a New York limited liability company with offices at 418 Broadway, STE N, Albany, NY 12207 (“WeaveHub,” “we,” or “us”). CollisionLoop is our SaaS platform for collision and body shops; FleetLoop is our SaaS platform for independent rental shops. Both share the same backend architecture and the same privacy practices, which is why this policy is unified.

Shops have staff accounts. End users — repair customers and renters — do not have accounts. They interact with a shop through SMS, MMS, and one-time magic-link portal pages.

What we collect

We collect the data we need to run the Services. Nothing else.

  • Staff account data. Name, email, shop name, shop address, and authentication identifiers for shop staff. Phone number if you give us one for support.
  • Customer and renter contact data. Name, phone number, email, and address that the shop uploads or that we capture from SMS, MMS, or portal submissions.
  • Vehicle data. Year, make, model, VIN, license plate, registration, insurance, mileage, photos, and condition information for customer vehicles (CollisionLoop) and fleet vehicles (FleetLoop).
  • Repair-order and rental content. RO numbers, rental agreements, estimates, signatures, status updates, line items, taxes, and invoices the shop creates through the Services.
  • Document images. Photos of driver licenses, insurance cards, vehicle registrations, fleet vehicle registration and insurance cards, odometer readings, and any other documents the shop or an end user uploads or texts in. These images are stored per tenant.
  • OCR-extracted fields. Text fields we extract from those images, such as license numbers, expiration dates, policy numbers, and odometer values.
  • Payment metadata. Payment amounts, tip, tax, status, and processor reference IDs. We do not see or store full card numbers — the bring-your-own payment processor handles cardholder data.
  • SMS and MMS content. Inbound and outbound text messages and media attachments between the shop and its customers or renters, including delivery status and opt-out records.
  • Accounting sync metadata. Identifiers, timestamps, and status returned by QuickBooks Online when invoices, payments, or refunds are synced from the Services to a tenant’s company file.
  • Usage telemetry. Page views, performance timings, and error reports. Used to keep the product fast and stable.
  • Support correspondence. Email and chat we exchange when you contact us.

How we use it

  • Deliver the Services to your shop and its customers or renters.
  • Send the SMS and MMS your shop chooses to send to its end users.
  • Run optical character recognition on documents so your staff doesn’t have to retype them.
  • Sync your invoices, payments, and refunds to your own QuickBooks Online realm if you connect it.
  • Bill your shop for the subscription.
  • Provide support when you ask for it.
  • Improve the Services based on aggregate usage patterns.
  • Detect and prevent fraud and abuse.
  • Send transactional email about your account, your subscription, and the Services. We do not send marketing email without explicit opt-in.

AI and OCR

The Services use Anthropic vision models, routed through Cloudflare AI Gateway, to extract structured fields from images. This includes:

  • Driver licenses
  • Customer and fleet insurance cards
  • Vehicle registration documents (customer and fleet)
  • Odometer photos
  • Inbound MMS attachments. Photos that customers or renters text to the shop’s phone number are received and may be automatically classified and OCR-processed.

For each OCR call we send the document image to the model and store both the original image and the extracted fields in your tenant’s database and object storage. We use AI only to deliver and improve the Services. Under our commercial agreement with Anthropic, the content you send through us is not used to train models and is not used for advertising.

Tenants can request deletion of stored document images by emailing support@collisionloop.com.

SMS and MMS

Opt-in (how you start receiving messages)

CollisionLoop may send transactional SMS — repair status, pickup or return reminders, signature requests, and balance notifications — only to people who affirmatively opt in. Opt-in happens at the shop, in person, when you sign the repair authorization or rental contract. The signing screen displays your phone number, a clearly unchecked “Yes, text me updates at this number” checkbox, and the CTIA disclosure language: “By checking this box, I consent to receive transactional SMS from CollisionLoop at this number about my repair or rental. Message and data rates may apply; message frequency varies. Reply STOP to opt out, HELP for help. Consent is not a condition of service.”The checkbox is unchecked by default — you must check it yourself before the consent is recorded. Consent is captured per phone number, per shop, and is logged with timestamp, IP, and the exact disclosure text you saw.

Opt-out (how you stop)

You can opt out of further messages at any time by replying STOP to any message. The opt-out is logged and persisted per shop phone number and is honored on all future sends across every shop using the platform. Reply HELP at any time for assistance.

Mobile information and marketing (carrier disclosure)

CollisionLoop does not sell or share mobile information or SMS opt-in consent with third parties or affiliates for promotional or marketing purposes. CollisionLoop may disclose this information only to service providers, including FleetLoop, telecommunications carriers, and messaging vendors, solely to deliver and support the messaging program or as required by law.

Recipients can opt out at any time by replying STOP, and get help by replying HELP. Opt-out records are retained to honor the request. For assistance, email hello@fleetloop.us. FleetLoop provides messaging support for CollisionLoop.

Carrier and routing

Outbound and inbound SMS and MMS are delivered by Telnyx under 10DLC registration or toll-free verification on behalf of each shop. Message content and metadata are shared with Telnyx and with the originating and terminating carriers solely for delivery. We do not sell phone numbers or message content, and we do not share them with third parties for marketing.

Inbound MMS attachments are stored and may be automatically classified or OCR-processed as described in the AI and OCR section. This means a photo a customer or renter sends to the shop’s phone number — even one that is not a document — may be retained against the conversation and may be passed through the AI Gateway for classification.

Sub-processors

We use the sub-processors below to run the Services. Each one has a specific job, and we share only the data needed for that job.

Sub-processorPurposeJurisdiction
Cloudflare, Inc.Hosting (Workers, D1 database, R2 object storage, KV), edge network, DNS, and AI Gateway transport for OCR.United States
Cloudflare TurnstileBot protection on web sign-in, sign-up, and password-reset forms. Cloudflare processes IP address, browser characteristics, and behavioral signals to determine human-vs-bot. No personally identifying form data is sent.United States
Anthropic, PBCVision models (via Cloudflare AI Gateway) that perform OCR on driver licenses, insurance cards, vehicle registrations, fleet registration and insurance cards, odometer photos, and inbound customer-texted media.United States
Telnyx LLCOutbound and inbound SMS and MMS. Inbound media (photos the customer texts to the shop number) is received, stored, and may be classified or OCR-processed.United States
Google LLC (Firebase)Staff account authentication (Sign in with Apple, email/password) and push notification delivery to staff devices.United States
Apple Inc.Sign in with Apple and Apple Push Notification service (APNs) for staff devices.United States
Stripe, Inc.Subscription billing for shops, and optional bring-your-own customer payment processing per tenant.United States
Block, Inc. (Square)Optional bring-your-own customer payment processing per tenant.United States
iPOS PaysOptional bring-your-own customer payment processing per tenant.United States
Authorize.net (Visa)Optional bring-your-own customer payment processing per tenant.United States
Intuit Inc. (QuickBooks Online)Optional accounting sync per tenant. Tenants connect their own QuickBooks Online realm via OAuth; we push invoices, payments, and refunds to their company file on a daily schedule and on manual "Sync now."United States
Resend, Inc.Transactional email delivery — receipts, magic links, password resets, and scheduled reports.United States

This list is canonical. We will update it with notice before any new sub-processor handles personal data.

Your rights

Depending on where you live, you may have rights under the California Consumer Privacy Act (CCPA), other US state privacy laws (including those in Virginia, Colorado, Connecticut, Utah, Texas, and Oregon), or other applicable law. Where granted, these rights include:

  • Access the data we hold about you.
  • Correct it if it is wrong.
  • Delete it (subject to legal retention requirements).
  • Export it in a portable format. Shops can export their data using the in-product CSV, XLSX, and PDF report endpoints.
  • Opt out of the “sale” or “sharing” of personal data. We do not sell or share personal data for cross-context behavioral advertising; this right is listed for completeness.

To exercise any of these rights, email support@collisionloop.com. We respond within the period required by applicable law, and within 30 days where no specific period applies.

If you are a customer of a shop using the Services and want your data removed, contact the shop first — they are the controller of their customer data and we are the processor. We will help the shop process the request.

Data retention

  • Active accounts. We retain your data for as long as your subscription is active.
  • Cancelled accounts. We keep your data for a 30-day grace period in case you reactivate, then we delete it.
  • Backups. Deleted data is rolled out of encrypted backups within 90 days.
  • Audit logs. Security audit logs are retained for at least one year to support incident response.
  • Tenant-requested deletion. Tenants may request deletion of specific document images or records at any time by emailing support.

Security

  • Data is encrypted in transit using TLS and at rest using the underlying provider’s standard at-rest encryption (Cloudflare D1, R2, and KV).
  • OAuth tokens for third-party integrations (such as QuickBooks Online and bring-your-own payment processors) are protected with AES-GCM envelope encryption using a master key that lives only in our Cloudflare Workers secret store.
  • Staff authentication is delivered by Firebase Authentication with Sign in with Apple and email/password options.
  • We follow Cloudflare’s recommended ATS posture for Workers. Consistent with platform policy, we do not implement certificate pinning on our mobile clients.
  • We will notify affected shops without undue delay if we discover a personal data breach that is likely to result in risk to individuals.

Cookies

We use only essential cookies: session, authentication, and CSRF protection. We do not run analytics tracking, and we do not set third-party cookies.

If we add analytics in the future, we will update this policy and ask for your consent first.

Children

The Services are not directed at children under 13. We do not knowingly collect data from minors. If we learn that we have, we delete it.

International transfers

The Services are operated from the United States. Each tenant’s primary database lives in a US data center on Cloudflare D1 (Eastern North America region). Data may be processed in the United States by Cloudflare and the other sub-processors listed above. We do not replicate tenant application data outside the United States.

Static assets (CSS, fonts, JavaScript) are served from Cloudflare’s global edge network for performance, but contain no personal data.

Changes to this policy

We will notify the account owner by email at least 30 days before any material change takes effect, and we will post the updated policy here. Continued use of the Services after the effective date is your acceptance of the updated policy.

Contact

Questions about this policy, requests to access or delete data, or opt-out requests should be sent to support@collisionloop.com, or by mail to:

WeaveHub Technologies LLC
418 Broadway, STE N
Albany, NY 12207
United States

You can also use the contact form.