Privacy Policy

Last updated: February 26, 2026

This Privacy Policy explains how Final Mile (“we”, “us”, “our”) collects, uses, and shares information when you use the Service.

Last updated: February 26, 2026Applies to: Web app, API, and related services

Information we collect

We collect information you provide, plus technical data needed to run and secure the Service.

Account and organization data

Identifiers such as email, username, and display name (as configured by your Franchise)
Franchise membership data such as role, access level, and status
Authentication and security events related to login/session activity

Operational data you submit

Job/part-order information: items, quantities, notes, delivery method, urgency, reasons
Workflow actions and notifications related to orders
Admin-managed configuration data (e.g., patterns, finishes, types)

Technical and usage data

IP address and basic device/browser data
Logs and diagnostics used for reliability and security

Key points

We collect the minimum data needed to operate, secure, and support the Service.
Your Franchise controls roles and access, which affects what you can view and do.

Cookies

Cookies are used to run sessions and preserve tenant context.

We use cookies to operate the Service. The Service typically uses:

Session cookie

Used for authentication and session management. Set with Secure and SameSite=Lax, and typically HttpOnly.

Tenant selection cookie

Remembers tenant/Franchise context during navigation. Set with Secure and SameSite=Lax, and not HttpOnly.

Logout behavior

These cookies are cleared when you log out (or when a logout response is issued).

How we use information

We use information to operate the product, enforce security, and support users.

Provide and operate the Service
Authenticate users and enforce role-based access and tenant isolation
Secure the Service, prevent abuse, and investigate incidents
Provide support and service communications
Improve performance and user experience

Security measures and response headers

We apply standard hardening headers to reduce common web risks.

We apply security-focused response headers to reduce common web risks, including:

X-Frame-Options: DENY (reduces clickjacking risk)
X-Content-Type-Options: nosniff (reduces MIME sniffing risk)
Referrer-Policy: strict-origin-when-cross-origin (limits referrer leakage)
Permissions-Policy disabling camera, microphone, and geolocation in supported browsers

Key points

Headers reduce common browser-based attack surfaces.
They don’t replace authentication/authorization—those are enforced server-side.

How we share information

We share only as needed to operate the Service, comply with law, or protect users.

Within your Franchise: authorized users may access records based on their role.
Service providers: vendors that help run the Service (hosting, monitoring, email delivery) under contractual restrictions.
Legal and safety: when required by law or to protect rights, safety, and security.
Business transfers: in connection with a merger, acquisition, or asset sale.

Data retention

Retention depends on operational needs, legal requirements, and Franchise configuration.

We retain information as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Franchises may control retention expectations depending on plan and configuration.

Your choices

Most access and profile management is controlled by your Franchise administrators.

You can contact us with privacy questions via the Contact page.
Your Franchise admins may manage your access, role, and membership status.

Changes to this policy

We may update this policy and will reflect that in the Last updated date.

We may update this Privacy Policy from time to time. We will update the “Last updated” date and may provide additional notice for material changes.

Contact

Questions about privacy? Use the Contact page.

For privacy questions, use the Contact page.