ChillLedger
⚖️ REGULATORY COMPLIANCE DOCUMENTS

Privacy Policy

How ChillLedger by Systemores LLC secures, isolates, and cryptographically safeguards cold chain regulatory data.

Effective Date: May 27, 2026

🛡️

Local-First Data

All logs stay secure in your local SQLite sandbox. Zero network egress occurs unless cloud sync is explicitly enabled.

📷

Transient Camera OCR

OCR photos are parsed in-memory via the Gemini Flash API to extract temperatures. Images are immediately discarded, never stored.

🛑

Immutable Storage

To prevent fraud, logs are architecturally write-only. PostgreSQL triggers block all UPDATE or DELETE statements.

1. Local-First Architecture Principle

ChillLedger is designed upon the architectural principle of data minimization and local sovereignty. By default, when using our mobile client application under the Local Sandbox tier, all logged temperature entries, equipment label descriptors, and timestamp matrices are saved exclusively inside your device's native, isolated SQLite database.

We do not transfer, back up, or lease your cold chain records to central servers. Data is encrypted using native operating system storage sandboxes. Cloud data synchronization and off-site backup pipelines are entirely opt-in, activated only if the user initiates a Proactive or Enterprise level store subscription.

2. Telemetry & Core Data Types

If you elect to authorize corporate cloud backup or subscribe to proactive regulatory sync services, ChillLedger transfers the following public compliance indices to our secure databases:

  • Location Meta-Tags: Geographic public location labels (e.g., city, state) used for compliance reporting pages.
  • Temperature Logs: Floating-point Celsius or Fahrenheit values, equipment classifications, and shift names.
  • Compliance State Indexes: Status flags (Safe Range, Boundary Warning, Thermal Violation, Low-Limit Defrost Bypass) automatically evaluated based on local thermometer thresholds.

Identity Privacy: We strictly isolate multi-tenant data using Postgres Row-Level Security (RLS) filters. Individual line operator accounts, employee profiles, or user-specific directory access tokens are never leaked to public audit pages.

3. Camera & OCR Processing Privacy

The ChillLedger mobile client includes an intelligent, camera-assisted Optical Character Recognition (OCR) scanner to simplify logging for busy kitchen crews. When an operator triggers a camera temperature check:

The system captures a transient base64 image slice of the physical refrigerator display thermometer and transmits it securely via HTTPS to our isolated Supabase Deno Edge Function (`ocr-temperature`). The function executes a secure in-memory extraction routine using the **Gemini 2.5 Flash API** under a strict, structured JSON schema to parse digits.

⚠️ CRITICAL SECURITY STATEMENT: The captured photo is processed entirely in transient random-access memory (RAM) and is immediately discarded. We do not write the image file to disk, we do not store visual assets inside our Supabase storage buckets, and we do not use your kitchen photos for model training. The photo ceases to exist milliseconds after temperature digits are successfully extracted.

4. Architectural Immutability & Trust Integrity

ChillLedger serves as an official safety verification framework designed to satisfy strict municipal health audits and corporate risk compliance protocols. Because auditing relies entirely on absolute, tamper-proof record authenticity:

Our database structure enforces complete write-only ledger storage. A custom database trigger `check_immutability` enforces immutability at the physical table layer inside PostgreSQL, strictly rejecting any client-side queries containing `UPDATE` or `DELETE` statements on verified temperature records.

If a correction is required due to typographical mistakes, operators must issue a new "Correction Lock Log" referencing the original record's UUID. This creates an unalterable audit trail where the history of both the mistake and the adjustment remain visible to safety inspectors.

5. Geofence & Location Analytics

To prevent compliance fraud (e.g. operators writing mock logs from off-site locations or home residences), the mobile client requests localized background location coordinates at the exact moment a temperature log is submitted.

Our system compares these parameters against the geofence boundary coordinates registered for your store location. Once verified, the location verification tag is saved as a simple success boolean flag (*Geofence Verified*). The raw numeric latitude and longitude coordinates are immediately purged or locked behind encryption keys, ensuring employee off-shift movements are completely unmonitored.

6. Stripe Payment Sheet Financial Security

Payments for emergency inspector compliance passes ($99 one-time PDF download) and monthly active proactive store subscriptions are handled exclusively through integrated **Stripe Native Payment Sheets** or web hooks.

Systemores LLC does not store, capture, or witness card numbers, expiration dates, or CVV security codes. Stripe manages all transactions under standard PCI-DSS Level 1 compliance rules. Our server receives only secure, decoupled tokens confirming payment completion via webhook handlers, which then immediately upgrade organization tiers in PostgreSQL.

7. Data Retention, User Rights & Corporate Contact

For local offline data, users hold complete sovereignty and can clear their local SQLite storage by deleting the application from their hardware device at any time.

For organization cloud sync platforms, records are retained for the active duration of the corporate store subscription, or for a standard 5-year retention window to comply with general food safety laws. If you need to request database exports, coordinate access privileges, or seek further compliance clarification, please contact:

SYSTEMORES LLC
📧 Security Compliance Desk: compliance@systemores.com
📍 Regulatory Operations Dept.