Skip to main content
nfors.ai
Start free

Privacy Policy

Version v1-2026-04-30 · Effective June 2, 2026

This Privacy Policy explains how NFORSAI LLC, a Florida limited liability company doing business as nfors.ai (“nfors,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information in connection with the nfors.ai parking-enforcement management platform, the parkingcharge.ai parker payment portal, the agent.nfors.ai field-agent application, our marketing website, and any related services we provide (collectively, the “Platform”).

Please read this Policy carefully. By accessing or using the Platform you acknowledge the practices described here. If you do not agree, do not use the Platform.

1. Who this policy covers

We collect information from three distinct groups of people who interact with the Platform:

  • Operators — businesses that license the Platform to manage parking enforcement on private property, and the owner/admin who registers an operator account.
  • Operator staff and agents — supervisors and field agents added to an operator account by their employer.
  • Parkers — individuals who park a vehicle on property managed through the Platform and who may receive, look up, pay, or dispute a parking charge notice.

For Operators and their staff, nfors is the “data controller” of the account information we hold. For Parker information collected through an operator’s use of the Platform, the Operator is the controller and nfors acts as a processor performing services on the Operator’s behalf.

2. Information we collect

2.1 Information you provide directly

  • Operator account information — legal business name, business type, owner name, owner email, mailing address, phone number, branding assets (logo, colors), Stripe Connect onboarding information, default mailing settings, and any attestation records (e.g., DPPA permissible-purpose attestation, signage attestation).
  • Operator staff and agent information — name, email address, phone number (for SMS sign-in), assigned role, assigned zones, and any device identifier required to enable push notifications for the agent portal.
  • Parker information submitted during a dispute or inquiry — name, contact information, written statement, and any photos or documents you choose to upload as evidence.
  • Support communications — the contents of any email, web-form, or other message you send to our support channels.

2.2 Information collected automatically

  • Authentication and session information — encrypted session cookies, sign-in timestamps, and last-active timestamps used to keep you signed in and to detect unusual activity.
  • Device and connection information — IP address, user-agent string, browser language, and platform. We use this for security monitoring, rate-limiting, and abuse prevention.
  • Usage and audit logs — records of significant actions taken inside the Platform, including the actor, action type, target object, and timestamp. These records are retained to support security monitoring, dispute investigation, and regulatory compliance.
  • Field-agent location— when a field agent opens the agent portal’s issuance flow, the device may request a single GPS reading to confirm that the agent is physically inside an assigned zone at the time a parking charge notice is issued. We do not continuously track agent location.

2.3 Information generated through enforcement activity

  • License plate, plate state, and vehicle make/model — captured by an agent on the field application or received from a license-plate-recognition (LPR) camera or third-party permit provider.
  • Vehicle photographs— including images of plates, the vehicle, the parking location, and any posted signage. Photographs are taken by an Operator’s field agents using their own device camera, or are received from LPR systems integrated with the Platform.
  • Geographic and time-of-observation data — the zone in which the vehicle was observed, the start and end times of the observation, and the enforcement reason selected.
  • Payment and dispute records — the amount charged, payment status, refund history, and any dispute or appeal filings, including evidence the parker uploaded.

2.4 Information from third parties

  • Permit and parking-rights providers — when an Operator enables a third-party permit integration (for example, Level Parking, ParkLync, Parkmobile, or PayByPhone), we receive lists of active permits, whitelist entries, and parking-rights records used to determine whether a vehicle is authorized.
  • Payment processor — Stripe provides us with payment status, payout status, and refund information for charges processed through the Platform. We do not receive or store full payment-card numbers.
  • DMV / registered-owner lookups— when an Operator advances an unpaid charge into the mailed-collections pipeline and has attested to a permissible purpose under the Driver’s Privacy Protection Act, the Platform may obtain the registered owner’s name and mailing address from a motor-vehicle-records vendor (currently LexisNexis, with a deferred-lookup option through our mailing partner). Every such lookup is recorded in an immutable DPPA audit log.
  • Mailing partner — when an Operator generates a physical letter for a parker, we receive delivery confirmation metadata from our mailing vendor (currently LOB and, for certain workflows, ParkPliant).

3. How we use information

We use the information described above to:

  • provide, operate, secure, monitor, and improve the Platform;
  • authenticate users, including by sending one-time verification codes via SMS or email;
  • allow Operators to enforce parking rules on their managed properties, including issuing charges, processing payments, managing disputes, and producing letters;
  • enable third-party integrations selected by the Operator (permit providers, payment processing, mail delivery, motor-vehicle-records lookups);
  • generate aggregate, de-identified analytics to help Operators measure their own enforcement programs and to help us improve the Platform;
  • detect, investigate, and prevent fraud, abuse, and security incidents;
  • comply with applicable law and respond to lawful legal process; and
  • enforce our Terms of Service and protect the rights, property, and safety of nfors, our Operators, parkers, and the public.

We do not sell personal information, and we do not use parker personal information for our own marketing.

4. How we share information

4.1 Within the Operator’s account

Information generated by or about an Operator’s enforcement activity is visible to that Operator’s authorized administrators, supervisors, and (for the records they themselves issue) field agents. Tenant data is logically isolated at the database layer using row-level security so that one Operator cannot access another Operator’s records.

4.2 Service providers

We share information with vendors that help us operate the Platform, under written contracts that limit their use to providing services to us. Our principal service providers include:

  • Supabase — managed PostgreSQL database, authentication, file storage.
  • Vercel — application hosting and content delivery.
  • Stripe— payment processing, payout management, fraud prevention. Stripe’s privacy practices are governed by Stripe’s Privacy Policy.
  • Twilio — delivery of SMS verification codes and operational shift notifications.
  • Resend — delivery of transactional email (receipts, dispute notifications, account messages).
  • Mapbox— map rendering and geocoding inside the Platform’s map views.
  • LOB — printing and physical-mail delivery of collection letters, when an Operator opts to use mailed collections.
  • ParkPliant — when selected by an Operator as the mailing provider, ParkPliant performs registered-owner lookups and delivers physical mail under its own DPPA attestation.
  • LexisNexis Risk Solutions — registered-owner lookups for mailed-collections workflows, when an Operator has a current DPPA attestation on file.
  • Plate Recognizer (and similar OCR providers) — machine reading of license plates from images, when enabled by an Operator.

4.3 Legal disclosures

We may disclose information when we believe in good faith that disclosure is required by law, regulation, legal process, or enforceable governmental request; to enforce our Terms of Service; to detect, prevent, or address fraud, security, or technical issues; or to protect against harm to the rights, property, or safety of nfors, our users, or the public.

4.4 Business transfers

If nfors is involved in a merger, acquisition, financing, or sale of all or part of its assets, personal information may be transferred as part of that transaction, subject to standard confidentiality protections and any obligations imposed by applicable law.

4.5 Aggregate and de-identified information

We may share aggregate or de-identified information that does not identify any individual, Operator, or parker for any lawful purpose, including product improvement, benchmarking, and research.

4.6 What we do not do

We do not sell personal information. We do not rent personal information to data brokers. We do not share parker personal information with third parties for those third parties’ own marketing or promotional purposes. We do not use parker information to target advertising on or off the Platform.

5. SMS communications

nfors.ai sends two kinds of text message, both only to operator staff and field agents — never to parkers or the general public, and never for marketing or promotional purposes.

(a) Sign-in verification codes.When operator staff or a field agent signs in by phone number, we text a one-time verification code to that number. By entering your phone number on a sign-in screen and requesting a code, you consent to receive that transactional message. These codes are delivered through Twilio’s verification service; message frequency is typically one message per sign-in attempt.

(b) Operational shift digests and alerts.If you opt in to the daily SMS program (see below), you may receive low-volume operational notifications about your enforcement work: a once-per-day end-of-shift summary of your prior-day activity (for field agents), and queue or coverage alerts when enforcement items remain unattended past a threshold your operator sets (for supervisors). These are strictly internal, operational, transactional messages — never marketing or promotional. Volume is roughly one message per enrolled agent per working day, plus occasional supervisor alerts.

How you opt in to the daily SMS program. Enrollment is off by default and is your own choice— your operator cannot turn it on for you. A field agent opts in from their own account screen in the nfors.ai app; an operator who wants queue alerts enters their on-call number in the dashboard. In both cases we then send a one-time confirmation text, and no operational messages are sent until you reply YES to that confirmation (a double opt-in). We keep a record of when you opted in and the consent language you saw at that time. You can withdraw consent at any time by replying STOP.

Opting out. You can stop any nfors.ai SMS at any time by replying STOP to a message we send; reply START to resume, or HELP for help. Replying STOP turns your “Daily SMS” flag off in nfors.ai and unsubscribes the number at the carrier level; opting out of verification-code messages will disable phone-based sign-in for your account. Standard message and data rates from your wireless carrier may apply.

Phone numbers and SMS opt-in consent collected by nfors.ai are never shared with third parties or affiliates for marketing or promotional purposes. We disclose mobile numbers only to the messaging carriers and service providers (e.g., Twilio) strictly necessary to deliver these messages, and only as necessary for that delivery.

6. Cookies and similar technologies

We use a small number of strictly necessary cookies to keep you signed in and to remember your preferences (for example, theme choice in the agent portal). We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking technologies. Server-side analytics are limited to aggregate request counts used to monitor uptime and capacity.

7. Driver’s Privacy Protection Act (DPPA) and motor-vehicle records

The Driver’s Privacy Protection Act, 18 U.S.C. §2721 et seq., restricts the disclosure and use of personal information contained in motor-vehicle records. Where the Platform performs a registered-owner lookup as part of a mailed-collections workflow, the Operator must first attest that it has a permissible purpose under the DPPA and any applicable state law. Each lookup is recorded in an immutable audit log containing the requesting Operator, requesting user (or cron process), permissible-purpose category, vendor, request timestamp, and outcome.

nfors does not use motor-vehicle-record information for any purpose other than enabling the Operator’s authorized collections workflow, and does not sell, license, or share motor-vehicle-record information with any third party except the Operator that originated the lookup and the mail-delivery vendor strictly necessary to fulfill the Operator’s mailing request.

8. Data retention

We retain personal information for as long as it is reasonably necessary to provide the Platform, comply with our legal obligations, resolve disputes, and enforce our agreements. Specifically:

  • Operator account information is retained for the life of the account and for seven (7) years afterward to satisfy tax, accounting, and recordkeeping obligations.
  • Charge records, payments, and disputes are retained for the life of the account and for seven (7) years afterward.
  • Vehicle photographs are retained as long as the corresponding charge record is retained.
  • DPPA access audit logs are retained for a minimum of seven (7) years.
  • Authentication logs and security telemetry are retained for at least one (1) year.

Operators may request earlier deletion of specific records where permitted by law. Where deletion would conflict with a legal obligation, an active dispute, or an open regulatory matter, we will retain only the information reasonably necessary for that purpose.

9. Data security

We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These safeguards include encryption of data in transit (TLS 1.2+) and at rest, role-based access controls enforced both at the application layer and at the database layer through row-level security, hashed storage of API keys and webhook signing secrets, secret-management for third-party credentials, and continuous monitoring for unusual activity.

No system can be guaranteed to be completely secure. If we become aware of a security incident affecting personal information, we will notify affected Operators without unreasonable delay and in any event no later than 72 hours after our confirmation of a reportable incident, and we will cooperate in investigating and remediating the incident.

10. Your rights and choices

10.1 General

Subject to applicable law, you may have the right to:

  • access the personal information we hold about you;
  • request correction of inaccurate or incomplete information;
  • request deletion of your information;
  • object to or restrict certain processing;
  • receive a portable copy of certain information;
  • withdraw consent where processing is based on consent (including SMS consent, by replying STOP); and
  • lodge a complaint with a data-protection authority.

Operators can exercise most of these rights directly inside the Platform via account settings, the data-export tools, or by contacting their Operator administrator. Parkers may exercise these rights through the charge-record page on their Operator’s parkingcharge.ai subdomain or by emailing us at the address in Section 14; because the Operator is the controller of parker information, we may forward such requests to the relevant Operator for fulfillment.

10.2 California residents

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you the right to know what personal information we collect about you, to request deletion or correction of that information, to opt out of the sale or sharing of personal information, and to limit the use of sensitive personal information. nfors does not sell or share personal information as those terms are defined under the CCPA/CPRA. To exercise your rights, contact us at the address in Section 14. We will not discriminate against you for exercising your rights under California law.

10.3 Other U.S. state privacy laws

Residents of states with comprehensive privacy laws — including Colorado, Connecticut, Virginia, Utah, Texas, and others — have rights similar to those described above. To exercise those rights, contact us using the information in Section 14. You may appeal a denial of a rights request by replying to our response and clearly indicating that you wish to appeal.

10.4 Authorized agents

You may use an authorized agent to submit a privacy-rights request on your behalf. We may require written authorization and verification of your identity and the agent’s authorization before fulfilling such a request.

10.5 In-app account deletion (agent.nfors.ai mobile app)

Field agents who use the agent.nfors.ai mobile app (web, iOS, or Android) can self-delete their account at any time from the in-app Account screen by tapping Delete account and confirming. When you delete your account:

  • your name and phone number are removed from your profile,
  • your phone number is freed and can be registered to a new account on the Platform,
  • your active session on every device you’re signed in on is invalidated, and
  • push-notification subscriptions tied to your account are deactivated.

Records of parking-charge notices you issued, shift records, zone-visit history, and audit-log entries are retained in your operator’s account because they document business actions taken on the Platform and may be needed for dispute defense, legal hold, regulatory inquiry, or operator audit. These records are referenced by your user ID rather than by name or phone number after deletion. Operators who need full purge of a deleted profile (for example, after a legal-hold period ends) can request it from us through the contact information in Section 14.

11. Children’s privacy

The Platform is intended for use by adults operating, working for, or parking on commercial property. It is not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe a child under 16 has provided personal information to us, please contact us and we will take reasonable steps to delete it.

12. Geographic scope and international users

nfors is based in the United States, and the Platform is operated and hosted in the United States. If you access the Platform from outside the United States, you understand and consent to the transfer of your information to, and processing of your information in, the United States, which may have data protection laws that differ from those of your country.

13. Changes to this Policy

We may update this Policy from time to time. When we do, we will revise the “Effective” date at the top of the Policy. If we make material changes, we will provide Operators with reasonable advance notice through the Platform, by email, or by other means we consider appropriate. Continued use of the Platform after the effective date of any update constitutes acceptance of the updated Policy.

14. Contact us

For questions about this Policy or to exercise any of the rights described above, please contact:

NFORSAI LLC
Attn: Privacy
101 Palafox Pl #723
Pensacola, FL 32591
Email: privacy@nfors.ai
Support: support@nfors.ai

For SMS-related questions or to opt out of SMS messages from nfors, reply STOP to any message we send, or contact us at the email above.