1. Controller and contact
CargoDuo ("CargoDuo", "we", "us", "our") is the data controller for personal data processed through the CargoDuo platform, websites operated under the cargoduo.com domain (including app.cargoduo.com), our APIs and SDKs (collectively the "Service"). For all privacy matters — including access requests, deletion requests, complaints, and questions about this notice — write to info@cargoduo.com. Postal correspondence may be sent to the address listed on cargoduo.com/contact. We respond to verifiable requests within 30 calendar days, extendable by a further 60 days for complex requests in line with Article 12(3) GDPR.
2. Scope of this notice
This notice applies to (a) visitors to our marketing site, (b) registered users of the application, (c) people who contact us via email or support channels, and (d) personal data contained in shipment, cargo, vehicle, project and roster records that our customers upload. Where you use the Service on behalf of an organization, that organization is the controller of the operational data it uploads and CargoDuo acts as processor pursuant to a Data Processing Agreement (DPA) available at /legal/dpa or on request.
3. Categories of personal data we process
Account and identity data: full name, work email, hashed password, organization name, role, locale and time zone preferences.
Authentication and security data: session identifiers (HttpOnly cookies scoped to .cargoduo.com), IP address, user-agent, login timestamps, failed-login counters, device fingerprints used for anomaly detection.
Billing data: billing contact, billing address, VAT/tax identifier, last four digits of payment instrument, invoice history. Full card numbers and bank account numbers are never seen or stored by CargoDuo — they are tokenized by our PCI-DSS Level 1 payment processor.
Customer content: project, vehicle, cargo, shipment, route, group, template, and packing-result records you upload or generate. These records may incidentally contain personal data (e.g., driver names, contact names on a manifest) which you, the customer, are responsible for collecting lawfully.
Communications: support tickets, emails, chat transcripts, and any documents you send us.
Telemetry: anonymous product-usage events, error reports, and performance traces required to operate, debug and improve the Service.
Cookies and similar technologies: see /legal/cookies for the full list.
4. Sources of personal data
We collect data (a) directly from you when you create an account, configure the workspace, upload data or contact us, (b) automatically from your browser or device when you interact with the Service (logs, telemetry, cookies), and (c) from third parties on your instruction — for example, an organization administrator who invites you, an SSO identity provider you authenticate against, or a payment processor that confirms a transaction.
5. Purposes and legal bases (EU/UK GDPR)
Performance of contract (Art. 6(1)(b) GDPR): creating and operating your account, providing the Service, processing payments, providing customer support, enforcing our Terms.
Legitimate interests (Art. 6(1)(f) GDPR): securing the Service against fraud, abuse and unauthorized access; debugging and improving the product; conducting aggregated analytics; defending legal claims; managing corporate transactions. Where we rely on legitimate interests we have conducted a balancing test and you may object at any time (see Section 11).
Compliance with legal obligations (Art. 6(1)(c) GDPR): retaining tax records, responding to lawful requests from authorities, complying with sanctions and export-control rules.
Consent (Art. 6(1)(a) GDPR): non-essential cookies and direct marketing — withdrawable at any time without affecting prior processing.
6. Purposes (United States — CCPA/CPRA, VCDPA, CTDPA, UCPA, CPA and other state laws)
We collect the categories listed in Section 3 for the business purposes of (i) providing, supporting and securing the Service, (ii) managing customer relationships and billing, (iii) detecting and preventing fraud and abuse, (iv) complying with legal obligations, and (v) the business purposes enumerated in Cal. Civ. Code § 1798.140(e). We do NOT "sell" personal information and we do NOT "share" it for cross-context behavioral advertising as those terms are defined under the CPRA. We do not knowingly process the personal information of consumers under 16 for sale or sharing. We do not use sensitive personal information for purposes other than those permitted under § 1798.121 CPRA. California, Colorado, Connecticut, Utah, Virginia and other in-scope state-law residents have the right to know, access, correct, delete, port and opt out of targeted advertising / profiling — exercisable via info@cargoduo.com or the in-product privacy console.
7. Where your data is hosted (server locations)
Application servers, primary databases, queue workers and backups are hosted by Hetzner Online GmbH in Germany (Falkenstein and Nuremberg data centers, EU/EEA territory). Hetzner is an EU-headquartered processor and is bound to us by a DPA incorporating the Standard Contractual Clauses where any transfer outside the EEA could occur. The marketing site, the SPA static assets, the API edge proxy, DDoS protection, the WAF and the global CDN are operated by Cloudflare, Inc. (United States) and its affiliates including Cloudflare EU. Cloudflare offers EU data-residency options and Geo Key Manager, and is bound to us by a DPA incorporating the EU Standard Contractual Clauses (Module 2) and, where applicable, the UK International Data Transfer Addendum and the Swiss FDPIC variant. Customer content is processed in the EU; in-transit metadata may briefly traverse Cloudflare points of presence (which are globally distributed) for connection establishment, TLS termination, caching of public assets, and bot/abuse mitigation. We have implemented technical and organizational measures (TLS 1.2+ everywhere, AES-256 at rest, segmented networks, role-based access, audit logging) intended to satisfy the supplementary measures discussed in EDPB Recommendations 01/2020.
8. International data transfers
Where personal data leaves the EEA, the United Kingdom or Switzerland — for example to U.S. sub-processors such as Cloudflare, Stripe, Sentry or AWS SES — the transfer is governed by the European Commission's 2021 Standard Contractual Clauses (SCCs) plus, where required, the UK Information Commissioner's International Data Transfer Addendum (IDTA) and the Swiss FDPIC variant. We assess each importer's exposure to third-country surveillance laws (FISA 702, EO 12333, CLOUD Act) on a case-by-case basis and apply supplementary measures where appropriate. A copy of the SCCs covering a specific transfer is available on request to info@cargoduo.com.
9. Sub-processors
We rely on the following sub-processors, each bound by a written contract requiring confidentiality, security, and processing-on-instruction obligations equivalent to those in our DPA: Hetzner Online GmbH (Germany — primary infrastructure), Cloudflare, Inc. (United States / global edge — CDN, WAF, DDoS, DNS, edge proxy, Workers static assets), Stripe Payments Europe Limited (Ireland) and Stripe, Inc. (United States — billing and tax), Sentry (Functional Software, Inc., United States — error monitoring), Postmark / SendGrid (transactional email), and any future provider listed at /legal/security. We will give at least 30 days' advance notice of additions or replacements via the in-product change log and the security page; customers on Custom plans may object on reasonable grounds and, where the objection cannot be resolved, terminate the affected services.
10. Retention
Account records: kept for the lifetime of the account plus 30 days after deletion request (to allow restoration in case of accidental deletion).
Customer content (projects, vehicles, cargo, shipments, packing results, share links): kept for the lifetime of the account; deleted within 30 days of account termination unless we are required to retain it under applicable law.
Billing and tax records: 10 years from the relevant fiscal year (Turkish Tax Procedural Law No. 213; § 147 AO Germany; comparable rules in other jurisdictions).
Audit logs and security events: 24 months.
Backups: encrypted backups are rotated on a 30-day cycle; data already deleted from production is purged from the most recent backup within that window.
Support correspondence: 36 months.
Marketing data: until consent is withdrawn.
11. Your rights
Subject to applicable law you have the right to: access the personal data we hold about you (Art. 15 GDPR / § 1798.110 CCPA); rectify inaccurate or incomplete data (Art. 16 GDPR / § 1798.106 CCPA); request erasure (Art. 17 GDPR / § 1798.105 CCPA / "right to be forgotten"); restrict processing (Art. 18 GDPR); receive your data in a structured, machine-readable format and transmit it to another controller (Art. 20 GDPR / § 1798.130(a)(3) CCPA); object to processing carried out under our legitimate interests, including profiling (Art. 21 GDPR); withdraw consent at any time without affecting the lawfulness of pre-withdrawal processing (Art. 7(3) GDPR); not be subject to a decision based solely on automated processing producing legal or similarly significant effects (Art. 22 GDPR — note: our packing algorithm is advisory and never produces such decisions about individuals); opt out of "sale" or "sharing" (CPRA — although we do neither); and lodge a complaint with the Turkish Personal Data Protection Authority (KVKK Kurumu, kvkk.gov.tr), your local EU/EEA Data Protection Authority, the UK Information Commissioner's Office, the Swiss FDPIC, or the California Privacy Protection Agency, depending on your residence.
12. Automated decisions and AI
The packing algorithm produces optimization suggestions for cargo placement; it is purely advisory and does not make decisions that produce legal or similarly significant effects on individuals within the meaning of Article 22 GDPR. We do not use customer content to train any third-party AI or large-language model. We do not enrich customer profiles by purchasing data from data brokers. Any internal product-quality models are trained exclusively on aggregated, de-identified telemetry and never on the contents of your shipments, vehicles or cargo records.
13. Children
The Service is a business-to-business product not directed to children. We do not knowingly collect personal data from anyone under 16 (EU/EEA), under 13 (United States — COPPA) or under the equivalent local age of consent. If you believe a child has provided us with personal data, write to info@cargoduo.com and we will delete it.
14. Security
We apply technical and organizational measures appropriate to the risk, including TLS 1.2+ encryption in transit, AES-256 encryption at rest for primary stores and backups, HttpOnly + Secure session cookies scoped to .cargoduo.com with strict SameSite policy, hashed and salted passwords (Argon2id), least-privilege access controls, segregated production / staging networks, mandatory code review, dependency scanning, vulnerability monitoring, and centralized audit logging. No system is impregnable; you are responsible for keeping your credentials confidential and notifying us immediately at info@cargoduo.com of any suspected compromise. In the event of a personal-data breach we will notify the competent supervisory authority within 72 hours where required and, where the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay (Art. 33–34 GDPR).
15. EU representative and complaints authority
Until a formal Article 27 GDPR representative is designated, EU/EEA data subjects may contact our Data Protection Officer at info@cargoduo.com. The lead supervisory authority for inquiries originating in the EU/EEA is your local Data Protection Authority. Turkish data subjects may contact KVKK at kvkk.gov.tr.
16. Cookies and tracking technologies
We use a small set of strictly necessary cookies for authentication, CSRF protection and load balancing; a small set of functional cookies for locale, theme and last-viewed-route memory; and (opt-in only in the EU/EEA, UK and Switzerland) anonymous product analytics cookies. We do not run advertising cookies, we do not embed third-party social-media pixels, and we do not participate in cross-context behavioral advertising. Full details, including names, purposes, providers and lifetimes, are in /legal/cookies.
17. Changes to this notice
We may update this Privacy Policy to reflect changes in our practices, our sub-processor list, applicable law, or supervisory-authority guidance. We will indicate the "Last Updated" date above and, for material changes, notify registered users by email or in-product banner at least 30 days before they take effect.