Your Data and Privacy

CargoLint takes your privacy seriously. This guide explains what data we collect, how we use it, your rights under GDPR, and how to request a data export or account deletion.

What personal data we collect

CargoLint collects two types of personal data:

From your account:

• Your name and email address
• Password (encrypted)
• Account settings and preferences
• Billing information (name, address, payment method—handled by Stripe)
• Team invitations and role assignments
• Login history and IP addresses
• 2FA recovery codes (encrypted)

From your documents:

• The documents you upload (PDFs, PNGs, JPEGs, TIFFs)
• Extracted data from those documents (names, addresses, dates, amounts, etc.)
• Your corrections and edits to extractions
• Document metadata (upload date, file size, processing time)

We do not collect:

• Personal data from document contents beyond what’s needed for extraction
• Biometric data
• Special category data (health, racial/ethnic origin, political opinions, etc.) unless it appears in a trade document you upload

How we use your data

CargoLint uses your data to:

• Process your documents: Extract information and calculate confidence scores
• Improve our AI: Your corrections help train our models to improve accuracy (anonymized)
• Provide the service: Store your documents, manage your account, process payments
• Communicate with you: Send invoices, account notifications, and support messages
• Comply with law: Respond to legal requests or regulatory obligations

Your document contents are not used for marketing or advertising purposes.

Consent and settings

When you sign up for CargoLint, you consent to:

• Processing your personal data as described above
• Using Stripe for payment processing
• Sending you account and transactional emails

You can manage your communication preferences in Settings > Preferences:

• Marketing emails: Toggle on/off to receive product updates and announcements
• Weekly digest: Toggle on/off to receive a weekly summary of your activity

Data processing for account management, payments, and legal compliance cannot be disabled—they’re essential to the service.

Requesting a data export

Under GDPR, you have the right to request a copy of all personal data CargoLint holds about you.

To request a data export:

1. Go to Settings > Privacy.
2. Click Request Data Export.
3. Confirm your email address.
4. Click Submit Request.

We’ll process your request and send a download link to your email within 30 days. The exported data is in JSON format and includes:

• Your account information (name, email, account settings)
• Team membership history
• All documents you’ve uploaded
• All extracted data
• Your activity logs
• Billing history

You can download the file and import it to another system or keep it for your records.

Downloading your data export

After we generate your data export:

1. Check your email for a message from CargoLint with a download link.
2. The link is valid for 7 days.
3. Click the link to download your data as a JSON file.
4. Store the file securely—it contains sensitive information.

If your link expires, you can request a new export through Settings > Privacy.

Deleting your account

You have the right to request account deletion under GDPR. When you delete your account:

• All your documents are deleted from our servers
• Your account information is anonymized (we keep anonymized records for legal and billing purposes)
• Your team memberships are removed
• You can no longer log in

Important: This action is permanent and cannot be undone.

To delete your account:

1. Go to Settings > Privacy.
2. Scroll to “Delete Account”.
3. Click Delete My Account.
4. You’ll be asked to confirm by typing your email address.
5. Click Delete Account.

Your account will be deleted within 30 days. During this period, we’ll anonymize your data and remove your documents.

Data retention

CargoLint retains your data for as long as your account is active:

• Active accounts: Data is retained indefinitely unless you request deletion.
• Deleted accounts: Data is anonymized and retained for 3 years for legal and tax compliance, then deleted.
• Documents: Deleted documents are removed from our servers within 30 days.

If you’re on a paid plan, we keep billing records for 7 years (tax and legal compliance).

Sub-processors

CargoLint uses third-party services to deliver the platform. These “sub-processors” have access to some of your data:

Azure (Microsoft)

• Hosts our servers and document storage
• Processes documents during extraction
• Encrypts data in transit and at rest
• Data location: Multiple regions

Stripe

• Processes payments
• Stores tokenized payment information
• Sends invoices
• Does not access your documents
• Stripe’s privacy policy: https://stripe.com/en-us/privacy

SendGrid (Twilio)

• Sends emails (invoices, notifications, verification codes)
• Does not access your documents
• SendGrid’s privacy policy: https://www.twilio.com/en/legal/privacy

All sub-processors are contractually required to process data only on our instructions and to implement appropriate security measures.

Security measures

CargoLint implements industry-standard security practices:

In transit:

• All connections use HTTPS (TLS 1.2+)
• Data is encrypted during transmission to and from our servers
• API endpoints are secured with authentication tokens

At rest:

• Documents are encrypted using AES-256
• Sensitive account data (passwords, 2FA codes, recovery codes) is hashed with bcrypt
• Database access is restricted to authorized personnel only

Access controls:

• Only necessary employees can access your data
• All access is logged and audited
• Employees sign confidentiality agreements
• We use role-based access control (RBAC)

Incident response:

• CargoLint has a data breach response plan
• We notify users within 72 hours if personal data is compromised
• We work with regulators and law enforcement as required

Your GDPR rights

If you’re in the EU or covered by GDPR, you have the right to:

• Access: Request a copy of your data (see “Requesting a data export”)
• Rectification: Request corrections to your data (contact support@cargolint.com)
• Erasure: Request deletion of your account (see “Deleting your account”)
• Restrict processing: Request that we limit how we use your data (contact support)
• Data portability: Export your data in a structured format (automatic with data export)
• Object: Object to specific uses of your data (contact support)

To exercise any of these rights, visit Settings > Privacy or contact support@cargolint.com.

California privacy rights

If you’re in California, you have the right to:

• Know what personal data is collected, used, and shared
• Delete personal data CargoLint collects
• Opt-out of the sale or sharing of personal data

CargoLint does not sell your personal data.

To exercise these rights, contact support@cargolint.com or visit Settings > Privacy.

Contact and support

If you have questions about your privacy, data, or these practices:

• Email: support@cargolint.com
• Mailing address: Available upon request to support
• Data Protection Officer: Can be reached at dpo@cargolint.com

We aim to respond to all inquiries within 10 business days.

Updates to this policy

CargoLint may update this privacy guide to reflect changes in our practices or legal requirements. We’ll notify you of significant changes via email. Your continued use of CargoLint after changes indicates your acceptance of the updated practices.

Last updated: February 2025