1. Introduction
TestLedger LLC, referred to as "TestLedger," "we," "us," or "our," provides documentation infrastructure software for non-DOT workplace drug testing programs.
This Privacy Policy describes how we collect, use, disclose, and protect information when you access or use the TestLedger platform and related services, collectively referred to as the "Service."
By using the Service, you acknowledge and agree to the practices described in this Privacy Policy.
2. Information We Collect
2.1 Information You Provide
We may collect information you provide directly, including:
Account Information: name, email address, organization name, job title, and account credentials.
Billing Information: billing name and address, subscription details, and payment information processed by our third-party payment processor. TestLedger does not store full payment card numbers.
Workplace Drug Test Documentation Data: information entered into the Service by you or your organization, which may include test documentation details, specimen identifiers, operator or collector identifiers, timestamps, chain-of-custody records, evidence attachments, audit logs, and any additional data your organization chooses to enter. TestLedger does not independently verify or classify the nature of the data entered.
Communications: information provided through support requests, inquiries, or other communications.
2.2 Information Collected Automatically
When you use the Service, we may automatically collect: IP address, browser type and version, device type and operating system, access times, log files, and feature usage and interaction data.
This information is used for system administration, security monitoring, and service improvement.
2.3 Information from Third Parties
We may receive information from: payment processors, identity or authentication providers, single sign-on providers configured by your organization, and analytics service providers.
3. How We Use Information
We use collected information to:
- Provide, operate, and maintain the Service
- Generate documentation records, audit trails, and verification functionality
- Authenticate users and manage accounts
- Process subscription payments
- Monitor and enhance system security
- Detect fraud, abuse, or unauthorized access
- Respond to support requests
- Comply with legal obligations
- Improve the Service using aggregated or de-identified analytics
We do not sell personal information.
4. How We Share Information
We may disclose information in the following circumstances:
4.1 Service Providers
We share information with vendors who assist in providing the Service, including cloud hosting, payment processing, and analytics providers. These vendors are contractually obligated to maintain confidentiality and appropriate security safeguards.
4.2 Within Your Organization
If you access the Service through an enterprise or multi-user account, administrators designated by your organization may access documentation records and usage data within that account.
4.3 Legal Requirements
We may disclose information if required by law, subpoena, court order, regulatory inquiry, or to protect the rights, safety, or property of TestLedger or others.
4.4 Business Transfers
Information may be transferred in connection with a merger, acquisition, restructuring, or sale of assets.
4.5 With Your Consent
We may disclose information when you direct or authorize us to do so.
5. Workplace Drug Test Record Confidentiality
5.1 Sensitivity of Documentation
Workplace drug testing documentation may be subject to confidentiality obligations under federal and state law. The Service includes role-based access controls, encryption, and audit logging to support secure documentation practices.
5.2 Your Responsibilities
You are solely responsible for:
- Determining applicable confidentiality laws
- Configuring access controls within the Service
- Limiting access to authorized personnel
- Complying with ADA requirements regarding medical information confidentiality
- Complying with state-specific drug testing confidentiality statutes
- Managing retention periods consistent with your legal obligations
TestLedger does not determine who is legally permitted to access drug testing documentation within your organization.
6. Data Retention
Account Information: retained for the duration of your subscription and for a reasonable period thereafter for legal, audit, and operational purposes.
Documentation Records: retained according to your configured retention settings, subject to legal requirements.
Sealed Records: sealed records are tamper-evident and append-only by design. Retention may continue as required by system integrity controls or applicable legal obligations.
Usage Logs: typically retained for security and system integrity monitoring.
Trial Accounts: trial data is retained for a limited lifecycle and may be automatically deleted in accordance with trial program terms.
You are responsible for ensuring retention periods align with your regulatory requirements.
7. Data Security
We implement commercially reasonable technical and organizational safeguards, including:
- Encryption in transit using TLS
- Encryption at rest
- Access controls and authentication requirements
- Tenant-based data isolation
- Logging and monitoring
- Incident response procedures
No system can guarantee absolute security. You acknowledge that electronic storage and transmission involve inherent risk.
8. Protected Health Information
8.1 PHI Not Enabled by Default
The Service is not intended for processing Protected Health Information as defined by HIPAA unless a Business Associate Agreement is executed.
PHI functionality is disabled by default.
8.2 BAA Requirement
If you intend to enter PHI into the Service:
- A fully executed Business Associate Agreement is required prior to entry
- BAA availability may be limited to certain subscription tiers
Contact legal@testledger.io to initiate a BAA request.
8.3 Customer Responsibility
TestLedger does not monitor, identify, or classify PHI within customer records. You are solely responsible for:
- Determining whether data constitutes PHI
- Executing a BAA before PHI entry
- Implementing required safeguards under HIPAA or other laws
9. Shared Responsibility Model
Data protection within the Service operates under a shared responsibility framework.
TestLedger Responsibilities: securing infrastructure, maintaining encryption controls, providing system-level access management capabilities, and maintaining internal security procedures.
Customer Responsibilities: configuring user permissions, classifying data, managing retention settings, training personnel, and ensuring compliance with workplace drug testing laws and privacy statutes.
10. Your Privacy Rights
Depending on your jurisdiction, you may have rights to:
- Access personal information
- Request correction
- Request deletion, subject to legal retention requirements
- Receive a portable copy of your data
- Opt out of marketing communications
To exercise these rights, contact privacy@testledger.io.
Requests related to sealed documentation records may be limited where retention is required by law or by the integrity architecture of the Service.
11. California Privacy Rights
California residents may have additional rights under the California Consumer Privacy Act and California Privacy Rights Act, including:
- Right to know
- Right to delete
- Right to correct
- Right to limit use of sensitive personal information
- Right to non-discrimination
TestLedger does not sell personal information.
Employers remain responsible for their obligations under employment-related privacy laws.
12. International Data Transfers
The Service is hosted in the United States. By using the Service, you acknowledge that information may be processed and stored in the United States.
13. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect information from minors.
14. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated through the Service or by other appropriate means. Continued use constitutes acceptance of the updated policy.
15. Contact Information
TestLedger LLC
8447 Miramar Mall
San Diego, CA 92121
Privacy inquiries: privacy@testledger.io
BAA requests: legal@testledger.io