Privacy policy

Last Updated July 22, 2025

At Onsite Rail Solutions (“Onsite,” “we,” “our,” or “us”), we are committed to protecting the privacy and security of individuals who interact with our web-based platform and related services (collectively, the “Platform”). This Privacy Policy explains how we collect, use, store, share, and protect personal information obtained through our Platform, and outlines your rights and choices regarding your personal data.

This Privacy Policy applies to all users of the Platform, including individuals who access our services through the Onsite website located at https://onsiterailsolutions.com, as well as those who provide information in connection with our services but are not registered users (such as worksite contacts entered into the system by a registered user). By accessing or using the Platform, you agree to the collection and use of your personal information in accordance with this Privacy Policy.

Our services are designed specifically for use by professionals and entities in the railcar repair industry. As such, our Platform facilitates the coordination and management of railcar maintenance operations, including technician scheduling, repair documentation, and communication with customers and site contacts. In the course of providing these services, we collect and process personal data in order to ensure operational efficiency, compliance, and effective communication.

We take your privacy seriously and implement reasonable and appropriate administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of your data. While no method of transmission over the Internet or method of electronic storage is entirely secure, we strive to use commercially acceptable means to protect your personal information.

This Privacy Policy describes, in detail: The types of information we collect; How we collect and use that information; The legal bases for processing your data (where applicable); With whom and under what circumstances we may share information; How long we retain personal data; How we protect your data and respond to breaches; Your rights and options with respect to your personal data; How we handle data related to children, cookies, and international transfers.

This Privacy Policy is intended to comply with applicable data protection laws and regulations in the jurisdictions where we operate, including but not limited to the California Consumer Privacy Act (CCPA), the Children’s Online Privacy Protection Act (COPPA), and other relevant U.S. state privacy laws. Although we do not currently offer our services to individuals in the European Union, we have included certain rights and principles that reflect best practices under the General Data Protection Regulation (GDPR) for transparency and user empowerment.

We may update this Privacy Policy from time to time to reflect changes in our services, data practices, or applicable laws. When we do, we will revise the “Last Updated” date at the top of this page and notify users by email where required. We encourage you to review this Privacy Policy periodically to stay informed about how we handle your personal information.

If you have any questions about this Privacy Policy, our data practices, or your privacy rights, please refer to the “Contact Us” section at the end of this document.

TYPES OF DATA WE COLLECT.
Onsite collects various categories of personal information from users in order to facilitate the effective operation of our railcar repair management platform. The types of data we collect are generally limited to information that is necessary to create user accounts, enable daily operational use of the Platform, process payments, and communicate updates to both users and relevant third parties involved in railcar repair workflows.

When users register for an account or interact with the Platform, we collect identifying information such as full names, email addresses, phone numbers, company names, and, in some cases, physical addresses related to the location of railcar work sites. Users may also provide business contact emails and distribution lists associated with repair facilities, enabling communications with individuals who may not be registered users of the Platform. Additionally, employer information may be collected where relevant to the coordination of job sites and technician dispatching.

We collect payment-related information, including credit card details and purchase order numbers, to process subscription fees through our integrated payment processor, Stripe. Although we do not store full payment credentials directly on our servers, payment information is transmitted securely to our third-party processor in accordance with industry-standard practices.

As part of the daily use of our Platform, users may upload or enter operational and work-related content, such as technician assignments, railcar repair records, service notes, site-specific forms, procedural documents, reports, and proprietary materials related to their own business operations. This information may include identifiers or contact details for non-user individuals who are relevant to a specific worksite or repair project. While these individuals are not direct users of the Platform, their information may be used to provide updates regarding the status of repairs or to invite them to create an account if needed.

We do not knowingly collect any sensitive personal data, such as health-related information or protected financial details like Social Security Numbers. Additionally, we do not use tracking technologies or cookies to collect behavioral data at this time. Any personal data collected is submitted voluntarily by users through the Platform’s web-based forms and tools, either during the account creation process or throughout the course of standard operational use.

The types of data we collect are limited to what is reasonably necessary to provide, maintain, and enhance our services, ensure compliance with applicable operational regulations, and support internal business functions such as billing, customer service, and security. We apply principles of data minimization and purpose limitation to ensure that only relevant data is collected and processed in connection with our Platform.

HOW WE COLLECT DATA.
Onsite collects personal information directly from users through their voluntary interactions with our Platform. We do not rely on third-party analytics tools, advertising trackers, or background data brokers to gather user information. All data collection occurs through clearly defined and user-initiated processes designed to support the operational functionality of our web-based railcar repair management system.

The primary method of data collection occurs during the account registration process. When users sign up for the Platform via https://onsiterailsolutions.com, they are prompted to provide specific information necessary to create an account and activate their service. This includes their name, email address, phone number, company name, and payment details. The information provided during sign-up is used to identify and authenticate users, configure account settings, and process billing through our secure third-party payment processor.

After account creation, additional information may be collected during routine use of the Platform. As users engage with the system to manage railcar repairs, they may input data related to worksites, technician schedules, repair progress, and communications with third parties. This may include entering contact details for individuals who are not registered users of Onsite—such as site managers, supervisors, or other stakeholders—in order to send repair status updates or dispatch instructions. This information is collected solely through user-submitted forms and tools available on the Platform and is used to facilitate job coordination, ensure regulatory compliance, and support seamless communication across repair projects.

We do not collect personal information through passive tracking methods such as cookies, web beacons, or pixel tags. The Platform does not currently employ behavioral analytics or use automated data scraping tools. All data collected is the result of intentional actions by users who submit the information in order to utilize the features of the service.

By focusing on direct, purpose-driven data collection, Onsite ensures that only information relevant to the services provided is gathered and processed. We maintain transparency in how and why data is collected, and we empower users to control the information they provide through self-managed settings within the Platform.

HOW WE USE DATA.
Onsite uses the personal information we collect to operate, maintain, and improve our web-based railcar repair management platform and to deliver the services you expect from us. Our data use practices are guided by principles of necessity, transparency, and relevance, ensuring that we only process information that is reasonably required to fulfill legitimate business purposes, meet user needs, and comply with applicable obligations.

The core purpose of collecting user data is to enable access to and functionality within our Platform. This includes authenticating user identities, configuring account settings, processing subscription payments, and managing permissions across multiple facilities or worksites. We use contact information—such as names, phone numbers, email addresses, and company affiliations—to facilitate user communication and support the day-to-day operation of our service.

Operational data, including site locations, technician schedules, and repair records, is used to support logistics, monitor work progress, document compliance, and deliver updates to relevant stakeholders. In many cases, users input contact information for third-party individuals, such as worksite managers or supervisors, who are not registered users of the Platform. We use this information solely to send necessary notifications regarding the status of repairs or to invite such individuals to create an account if appropriate. These notifications may also serve a limited marketing function, such as encouraging non-users to sign up for the Platform, though such use remains incidental to the core operational communication.

We also use data to communicate with users about their accounts, service updates, and platform changes, including notices of maintenance, feature improvements, and changes to our policies or terms. Where permitted by law, we may also use email addresses to deliver onboarding materials or promotional content, although such messages will always include a means to opt out of future communications.

In addition to these core functions, we may process certain data to comply with regulatory and legal obligations, including those under federal transportation rules such as 49 CFR Part 179 and 49 CFR Part 180 Subpart F. We may also use information to resolve disputes, respond to inquiries, enforce our Terms of Service, detect and prevent fraud or abuse, and ensure the integrity and security of our systems.

Importantly, we do not use personal information for automated decision-making or profiling, and we do not sell user data or use it for behavioral advertising. All data is handled in accordance with applicable laws and our internal data protection policies, with a focus on supporting the efficient, compliant, and secure delivery of our services.

LAWFUL BASIS FOR COLLECTION.
Onsite collects and processes personal information in accordance with applicable privacy laws and recognized industry standards. Although we are a U.S.-based company primarily serving customers within the United States and are not currently subject to the European Union’s General Data Protection Regulation (“GDPR”), we adopt a principles-based approach to data protection and privacy that aligns with international best practices. This includes maintaining transparency about the legal grounds on which we collect, use, and share your personal information. Our lawful bases for collecting and processing personal data include: The primary legal basis for collecting your personal information is to fulfill our contractual obligations to you. When you register for and use our Platform, we process your data in order to create and manage your account, provide access to our software features, support your operational needs, and deliver the services outlined in our Terms of Service. This includes managing billing and payment information, facilitating technician dispatch and communication, and ensuring that your use of the Platform is functional, reliable, and secure.

In certain instances, we rely on your explicit or implied consent to collect and process personal data. For example, when you voluntarily submit contact information during the registration process or provide additional details about worksites, technicians, or third-party stakeholders, you consent to our use of that information for the purposes described in this Privacy Policy. You may also consent to receive optional communications such as onboarding guidance or promotional messages. Where consent is required by law, we will ensure it is obtained in a clear and affirmative manner and that you have the ability to withdraw your consent at any time.

We may process certain data based on our legitimate interests, provided that such interests are not overridden by your rights or expectations. These interests include improving our services, enhancing Platform functionality, ensuring system security, communicating with users about important updates, and promoting responsible use of the Platform. We may also use non-user contact information provided by registered users to send repair notifications or invitations to join the Platform when operationally necessary. In all cases, we limit the use of data under this basis to what is strictly necessary and proportionate.

We may also process personal information when required to comply with applicable laws and regulations, including transportation, safety, and recordkeeping obligations under federal law. This may involve retaining certain data for audit or regulatory review by government agencies such as the Federal Railroad Administration or in accordance with 49 CFR Part 179 and Part 180 Subpart F. Additionally, we may process or disclose data in response to lawful requests from law enforcement, to protect legal rights, or to respond to disputes, claims, or subpoenas.

Although unlikely in the context of our services, we reserve the right to process personal information where necessary to protect the vital interests of an individual or to perform a task in the public interest, such as responding to an emergency or cooperating with public safety requests.

We evaluate the appropriate legal basis for each instance of data collection and ensure that our data handling practices comply with applicable legal standards. If you have questions about the legal basis under which your data is processed or wish to understand how a particular activity is justified, you are encouraged to contact us using the information provided in the “Contact Us” section of this Privacy Policy.

HOW WE SHARE DATA.
Onsite takes your privacy seriously and limits the sharing of personal information to only those instances where it is necessary to operate our Platform, fulfill our contractual and legal obligations, or protect the integrity and security of our services. We do not sell personal information to third parties under any circumstances, and we do not share data for advertising, analytics, or behavioral profiling purposes.

We may share limited personal data with trusted third-party service providers who support the technical infrastructure of our Platform. For example, we use Amazon Web Services (AWS) to host and store platform data, including files uploaded by users and information maintained in our MongoDB database. We also rely on Stripe to securely process payments. When users enter payment details during registration, that information is transmitted directly to Stripe in accordance with industry-standard encryption and compliance protocols. We do not store full credit card numbers on our servers.

In the course of using the Platform, users may input contact information for individuals who are not registered users, such as worksite managers or client contacts. We use that information only to send operational notifications—such as status updates or repair confirmations—that are relevant to the services being performed. In some cases, these communications may contain an invitation to join the Platform, which may be considered a limited form of marketing. However, we do not engage in unsolicited outreach campaigns, nor do we license or transfer non-user data for unrelated promotional purposes.

We may also disclose personal information if required by law, regulation, or legal process. This includes sharing data with government authorities or regulators, such as the Federal Railroad Administration or the Association of American Railroads, in compliance with applicable obligations under federal regulations like 49 CFR Part 179 and Part 180 Subpart F. We may also share information when necessary to detect or prevent fraud, enforce our Terms of Service, or respond to subpoenas, court orders, or lawful investigative requests.

In the event of a corporate transaction, such as a merger, acquisition, reorganization, or sale of assets, personal information may be transferred as part of the transaction. If such a transfer occurs, we will ensure that your data continues to be protected in a manner consistent with this Privacy Policy and will notify users in advance if material changes are made to data handling practices.

Additionally, personal information may be accessed by authorized personnel within our organization or by contractors bound by confidentiality obligations, solely for purposes such as technical support, customer service, or system maintenance. We apply strict access controls and review permissions regularly to ensure that data is only accessible by those who require it to perform essential functions.

Onsite does not permit third-party advertising, analytics tracking, or behavioral data collection on our Platform, and we do not include third-party plugins or embedded content that would allow external services to access user information without consent. All sharing of data is narrowly tailored, purpose-driven, and handled in accordance with applicable legal, contractual, and ethical standards.

DATA SECURITY.
Onsite is committed to protecting the confidentiality, integrity, and availability of the personal information we collect and maintain. We implement a range of physical, technical, and administrative safeguards designed to prevent unauthorized access, use, disclosure, alteration, or destruction of data stored within our Platform. While no system can guarantee absolute security, we employ commercially reasonable measures that reflect industry standards and are appropriate to the nature and sensitivity of the data involved.

All user data is stored on secure infrastructure hosted by Amazon Web Services (AWS), including AWS S3 for file storage and a MongoDB database hosted on a protected EC2 instance. Access to these environments is restricted to authorized personnel and is protected using encryption protocols, role-based access controls, and multi-factor authentication. Our systems are configured to limit external exposure, and access to production data is granted only to individuals with a legitimate business need.

We take steps to ensure that personal information is protected both in transit and at rest. Sensitive data transmitted through our Platform, including payment details processed via Stripe, is encrypted using secure socket layer (SSL) technology or its equivalent. While payment data is transmitted directly to our payment processor and not stored by us, we work with Stripe to ensure that all financial transactions meet applicable compliance and security standards, including PCI-DSS.

Internally, we maintain strict access policies and employee confidentiality obligations. Our personnel and contractors are trained on the importance of data protection and are required to handle user information in accordance with our privacy and security protocols. Access to user data is logged, monitored, and reviewed to detect and respond to any unauthorized access attempts or suspicious activity.

Although we have not formally adopted a third-party certification framework such as SOC 2 or ISO 27001, we apply industry-recognized security practices and continuously evaluate and update our controls to address emerging threats and vulnerabilities. In the event of a security incident involving personal data, we follow a documented incident response plan, investigate the scope and root cause of the breach, notify affected parties as required by law, and implement remediation measures to prevent recurrence.

Users also play an important role in maintaining the security of their own accounts. We encourage you to use strong passwords, restrict access to your login credentials, and report any suspected unauthorized activity immediately. If you believe your personal data has been compromised, or if you have any questions about our security practices, we urge you to contact us using the details provided in the “Contact Us” section of this Privacy Policy.

Our commitment to data security is ongoing, and we recognize that maintaining user trust requires vigilance, transparency, and continual improvement of our systems and practices.

DATA RETENTION.
We retain personal information for only as long as it is reasonably necessary to fulfill the purposes for which it was collected, to comply with our legal and regulatory obligations, to enforce our rights, and to maintain the integrity and functionality of the Platform. The duration for which we retain specific categories of data may vary depending on the nature of the information, the purpose for which it was collected, and applicable retention requirements under law.

User account information, including profile details, help history, and activity logs, is retained for as long as your account remains active. If you choose to delete your account, we will take steps to deactivate your account and securely delete or anonymize personal data associated with it within a reasonable timeframe, subject to any retention obligations described below. Please note that certain residual information may persist in backup or archival systems for a limited period, but will not be used for any active processing purposes during that time.

We may retain limited information after account closure to comply with applicable legal obligations, such as tax reporting, audit requirements, fraud prevention, dispute resolution, or law enforcement investigations. For example, we may be required to retain certain transaction records, background check confirmations, or administrative logs for a fixed statutory period even after a user has requested deletion.

Information collected through cookies and analytics tools is retained in accordance with our cookie policy and the applicable retention practices of our third-party analytics providers. Such data is generally aggregated or anonymized for statistical purposes and does not identify individual users.

In all cases, Onsite applies reasonable data minimization principles to ensure that we do not retain personal information longer than necessary. When information is no longer needed for the purposes outlined in this Privacy Policy, we will either delete it securely, anonymize it, or isolate it from further processing in accordance with our internal data lifecycle protocols.

If you have specific questions about our data retention practices or would like to request deletion of your information, please contact us using the details provided in the “Contact Us” section of this Privacy Policy. We will evaluate all requests in accordance with applicable legal obligations and respond within a reasonable timeframe.

COOKIE POLICY.
At this time, Onsite does not use cookies or similar tracking technologies on our website or within our web-based Platform. We do not deploy first-party or third-party cookies for analytics, advertising, behavioral tracking, or user preference storage, nor do we use tools such as web beacons, pixel tags, or local storage objects to monitor user activity.

Because we do not use cookies, we do not present cookie banners, seek cookie consent, or store data in users’ browsers for tracking or analytics purposes. Our Platform operates strictly on the basis of information voluntarily submitted by users through forms and workflows designed for railcar repair management. All data processing is performed transparently and directly in connection with user-initiated activities.

If our use of cookies or similar technologies changes in the future—such as to support improved functionality, analytics, or user experience—we will update this Cookie Policy accordingly. At that time, we will provide clear notice to users, describe the specific categories of cookies used, and obtain any required consents in compliance with applicable laws and regulations.

Although we do not currently use cookies, our Platform may still interact with your browser in ways necessary to establish secure connections, display content properly, and ensure basic system integrity. These interactions do not involve the storage or retrieval of personal information.

We remain committed to respecting user privacy and maintaining full transparency about any technologies we may use. If you have questions about our current or future use of cookies, please contact us using the information provided in the “Contact Us” section of this Privacy Policy.

CHILDREN’S PRIVACY.
Our Platform is committed to protecting the privacy of children. Consistent with the Children's Online Privacy Protection Act (COPPA) and other applicable laws and regulations, we do not knowingly collect, use, or disclose personal information from children under the age of 18.

Age Restriction: Our services are not directed to children under the specified age. We do not knowingly engage in transactions or communications with children under this age. Our Terms and Conditions prohibit users under this age from accessing our Platform and services.

Deletion: If we learn that we have collected personal information from a child under the specified age without parental consent, we will take steps to delete the information as soon as possible.

Commitment to Data Security: We understand the importance of safeguarding children’s privacy and security online. We implement stringent security measures to protect children's personal information and comply with relevant legal requirements pertaining to data protection and privacy.

Updates to our Children’s Privacy Policy: This policy may be updated periodically to reflect changes in our practices or legal requirements. We encourage parents and guardians to review this policy regularly.

Reporting Concerns: We take concerns about children's privacy seriously. If you have any questions or concerns about our Children's Privacy Policy or our practices concerning children’s personal data, please contact us using the information provided in the "Contact Us" section.

USER RIGHTS.

THIRD-PARTY LINKS.
Our Platform may contain links to third-party websites or services that are not operated or controlled by us. These third-party links are provided for your convenience and reference only. Please note that we have no control over the content, policies, or practices of these third-party websites or services.

By clicking on these third-party links, you acknowledge and agree that we are not responsible for the privacy practices or the content of such websites or services. This Privacy Policy applies solely to the information collected by our Platform. We encourage you to read the privacy policies of any third-party websites you visit to understand their data collection, use, and disclosure practices.

While we strive to include only reputable and trusted third-party links on our Platform, we cannot guarantee the accuracy, completeness, or quality of the information, products, or services provided on these external sites. The inclusion of any third-party link on our Platform does not imply our endorsement, sponsorship, or recommendation of the linked website or its content.

Please be aware that when you leave our Platform and access a third-party website, your interactions and any information you provide are subject to the terms and policies of that website. We encourage you to exercise caution and review the privacy policies of any website you visit.

DATA BREACH RESPONSE.
At Onsite, we are committed to protecting your personal data and have implemented robust measures to ensure its security. In the unlikely event of a data breach, we have a structured response plan in place to manage the situation promptly and effectively while complying with all legal obligations.

If a breach occurs, we will act immediately to identify and contain the issue. This includes isolating affected systems to prevent further unauthorized access or data loss. Once contained, we will conduct a thorough investigation to determine the cause, scope, and impact of the breach. Our goal is to assess the risks posed to affected individuals and ensure appropriate remediation measures are implemented.

We will notify affected users as required by applicable laws. Notifications will include relevant details about the breach, such as the nature of the incident, the type of data affected, potential risks, and steps users can take to protect themselves. Regulatory authorities will also be informed when necessary, following prescribed timelines and reporting requirements.

Following a breach, we will enhance our security measures to address any identified vulnerabilities and prevent similar incidents in the future. Our response plan undergoes regular reviews and updates to align with evolving industry standards and best practices.

If you suspect a security incident involving your personal data or need additional information about our response procedures, please contact us through the details provided in the Contact Us section of this Privacy Policy.

DO NOT TRACK SIGNALS.
Our Platform currently does not respond to "Do Not Track" (DNT) signals from web browsers. DNT is a privacy preference that you can set in your web browser to indicate your preference regarding the tracking of your online activities.

While many web browsers support the DNT feature, there is no standard interpretation or industry consensus regarding the meaning of DNT signals. As a result, our Platform does not currently recognize or respond to DNT signals.

Please note that even if you have enabled the DNT feature in your web browser, certain third-party services integrated into our Platform may still collect and track your online activities in accordance with their own privacy policies. We encourage you to review the privacy policies of these third-party services for more information on their tracking practices.

MODIFICATION.
We reserve the right to modify or update this Privacy Policy at any time. Any changes we make will be effective immediately upon posting the revised Privacy Policy on our Platform. We encourage you to review this Privacy Policy periodically to stay informed about how we collect, use, and protect your information.

By continuing to use our Platform after any changes to this Privacy Policy, you acknowledge and agree to the updated terms. It is your responsibility to review this Privacy Policy periodically and ensure that you are aware of any modifications. If you disagree with any changes, you should discontinue your use of our Platform and contact us if you would like to request the deletion of your personal information.

Please note that any provision of this Privacy Policy that imposes an obligation on you or grants us a right will survive the termination or expiration of this Privacy Policy or your use of our Platform.

WEB BEACONS.
Web beacons are small graphic images or other web programming code that can be included in our web pages and e-mail messages. Invisible to the user, these beacons are typically as small as a single pixel and function in a similar manner to cookies. Web beacons are used to track online movements of web users or to access cookies. They help us understand how users interact with our Platform by transmitting information back to us or our partners. Web beacons track user behavior on our Platform, such as page views and email interaction. This information helps us understand user preferences and improve the content and functionality of our Platform.

In our email communications, web beacons allow us to determine whether our emails are opened and if the links within them are clicked. This data assists us in making our communications more relevant and informative for our users.

We use web beacons to gauge the effectiveness of our advertising campaigns. By understanding user interactions and responses to our marketing efforts, we can tailor our strategies to better meet user interests and needs.

While web beacons are inherently anonymous, you have the option to control their use through various browser settings and third-party tools. Disabling cookies in your browser will also limit the functionality of web beacons associated with those cookies.

CONTACT US.
We value open communication with our users and welcome any questions, concerns, or feedback regarding this Privacy Policy or our data handling practices. Our dedicated team is committed to addressing your inquiries and providing timely and clear responses. Please find below the various channels through which you can reach us:

Email Communication: For direct and convenient communication, you can email us at support@onsiterailsolutions.com. We aim to respond to all email inquiries within 48 hours during business days.

Accessibility: We are committed to ensuring that our communication channels are accessible to all our users, including those with disabilities. If you require any special accommodations, please let us know, and we will do our best to assist you.

Language Support: Our customer service team is capable of handling inquiries in multiple languages. If you require assistance in a language other than English, please indicate this in your communication, and we will endeavor to accommodate your needs.

We are dedicated to providing a prompt response to all inquiries. If your issue requires more in-depth investigation, we will keep you informed about the status of your query and provide a timeframe for resolution.