Privacy Policy

1. Introduction and Scope

CargoLint Inc. ("CargoLint", "we", "us", or "our") is a corporation incorporated under the laws of Canada with its principal place of business in Toronto, Ontario. We operate an AI-powered platform that analyzes international trade documents for potential compliance issues (the "Platform").

This Privacy Policy explains how CargoLint collects, uses, discloses, stores, and protects personal information in connection with the Platform and our related services (collectively, the "Services"). It also describes your rights regarding your personal information and how to exercise those rights.

This Privacy Policy applies to:

• individuals who register for or use the Platform as account holders or authorized users;
• individuals whose personal information may appear in trade documents uploaded to the Platform by Users; and
• visitors to our public marketing website at www.cargolint.com.

This Privacy Policy is incorporated by reference into CargoLint's Terms of Service. By using the Services, you acknowledge that you have read and understood this Privacy Policy.

2. Personal Information We Collect

2.1 Account Registration Information. When you create an Account, we collect: first name and last name; email address; and organization name. For users registering for the Enterprise plan, we require a valid organizational email address.

2.2 Personal Information in Documents. The trade documents you upload to the Platform ("Documents") may contain personal information about third parties, including: names of individuals (e.g., shippers, consignees, signatories, contacts, and employees); physical and mailing addresses; signatures (wet-scan or digital); email addresses and telephone numbers; and other personally identifiable information included in commercial invoices, bills of lading, certificates of origin, packing lists, customs declarations, and related trade documents.

CargoLint's Role. When processing Documents for the purpose of delivering Output, CargoLint acts as a data processor on behalf of the User. The User - as the party that collected the Documents from its own commercial relationships and instructed CargoLint to process them - is the data controller in respect of personal information contained in those Documents.

CargoLint does not independently use personal information extracted from Documents for purposes beyond providing the Services, except as described in Section 3.2 (AI model improvement and organizational templates) and Section 6. Where CargoLint uses data derived from Document processing for its own model improvement purposes, it acts as a data controller for those limited purposes only, subject to the legal bases and safeguards described in Sections 4 and 6.

Notice to Third Parties. If you are an individual whose personal information appears in a trade document submitted to the CargoLint Platform by one of our Users, this Privacy Policy is our transparency notice to you. We process your personal information solely because it appears in a document submitted to us by our User in the ordinary course of their trade and logistics operations. We do not collect your personal information directly, we do not sell it, and we do not use it to contact you or to make decisions about you individually. You may exercise your privacy rights by contacting our Privacy Officer at privacy@cargolint.com.

2.3 Payment Information. Payment for Subscriptions is processed by Stripe, Inc., a third-party payment processor. CargoLint does not collect or store payment card numbers, bank account details, or other financial data on its servers. Your payment information is governed by Stripe's Privacy Policy.

2.4 Usage Data and Audit Logs. We automatically collect the following data in connection with your use of the Platform: audit log data (document uploads, processing events, corrections approved or rejected, deletions, along with timestamps and the Account associated with each operation); application performance data via Microsoft Azure Application Insights; and IP address and device identifiers.

2.5 Marketing Website Analytics. Our public marketing website uses Google Analytics to collect aggregated, anonymized data about website visitors. This analytics data relates to the marketing website only and is separate from data processed within the Platform. You may opt out using the Google Analytics Opt-out Browser Add-on.

2.6 Communications Data. If you contact us by email or through our support channels, we retain records of those communications and any personal information you include in them.

2.7 Information We Do Not Collect. CargoLint does not intentionally collect government-issued identification numbers, health or medical information, financial account credentials, or biometric data. If you believe a Document contains sensitive personal information of this type, you should redact or remove it before uploading where possible.

3. How We Use Your Personal Information

3.1 Providing and Operating the Services. We use Account registration information, Document content, and usage data to: create and manage your Account; process Documents and generate Output; enable document correction, regeneration, and export functionality; process Subscription payments and manage billing; provide customer support; and communicate with you regarding your Account, Subscription, and the Services.

3.2 Improving the Platform and AI Models. We use data derived from your use of the Services - including corrections you approve or reject, document processing patterns, and feedback you submit - to: generate organization-specific document templates that improve the accuracy of Output for your organization over time; identify and correct errors and inaccuracies in the Platform's compliance rules and AI models; and improve the overall functionality, accuracy, and performance of the Platform.

This use is conducted on an organization-by-organization basis. Corrections and patterns derived from your Account are not shared with other organizations or used to train CargoLint's general AI models. We use aggregated, de-identified data to improve the Platform more broadly. See Section 6 for further detail.

3.3 Security, Fraud Prevention, and Legal Compliance. We use personal information to: maintain the security and integrity of the Platform; detect, investigate, and prevent unauthorized access, fraud, and abuse; comply with applicable legal obligations and respond to lawful requests from regulatory authorities; and establish, exercise, or defend legal claims.

3.4 Marketing Communications. With your consent (where required by law) or on the basis of our legitimate interest, we may send you information about product updates, new features, and relevant industry content. You may opt out at any time by following the unsubscribe instructions in any marketing email or by contacting us at privacy@cargolint.com.

4. Legal Bases for Processing (GDPR)

This section applies to individuals located in the European Economic Area ("EEA") or whose personal information is subject to the GDPR. CargoLint processes personal information under the following legal bases:

• Contract performance (Art. 6(1)(b)): Account registration and management, processing Documents to provide Output, billing and payment processing.
• Legitimate interests (Art. 6(1)(f)): Security, fraud prevention, and audit logging; AI model improvement and organizational templates (opt-out available).
• Consent (Art. 6(1)(a)): Marketing communications (opt-out available at any time).
• Legal obligation (Art. 6(1)(c)): Legal compliance and regulatory requests.

5. How We Share Your Personal Information

CargoLint does not sell personal information. We do not share personal information with third parties except in the circumstances described below.

5.1 Sub-Processors. We share personal information with the following third-party sub-processors:

• Microsoft Azure: Cloud infrastructure, blob storage, and queue services (United States - East US)
• OpenAI (via Microsoft Azure): AI model inference for document analysis and Output generation (United States)
• Microsoft Azure Application Insights: Application performance monitoring and error tracking (United States)
• Stripe, Inc.: Payment processing for Subscriptions (United States)
• SendGrid (Twilio): Transactional email delivery (United States)
• Google Analytics: Marketing website analytics only (United States)
• Google: OAuth single sign-on (United States)
• Microsoft: OAuth single sign-on (United States)

An updated list of sub-processors is maintained at cargolint.com/subprocessors.

5.2 Legal Requirements and Regulatory Disclosure. We may disclose personal information if we believe in good faith that disclosure is necessary to comply with a legal obligation, enforce our Terms of Service, protect rights, property, or safety, or detect and prevent fraud or security issues.

5.3 Business Transfers. If CargoLint undergoes a merger, acquisition, or sale of assets, personal information may be transferred. We will provide notice and require the successor entity to honour this Privacy Policy.

5.4 With Your Consent. We may share your personal information with third parties in other circumstances with your prior express consent.

6. AI Model Improvement and Organizational Templates

6.1 As you use CargoLint, the Platform learns from your interactions. Corrections you approve or reject are recorded and used to generate organization-specific document templates. Document processing patterns are used to tune the Platform's analysis for your organization. Feedback you submit is used to identify and correct errors in the Platform's compliance rules.

6.2 Organizational Siloing. Organization-specific templates and improvements are not shared with other organizations or Users. They are maintained separately for each organization.

6.3 General Model Improvement. CargoLint uses aggregated and de-identified data derived from usage across all Users to improve the Platform's overall accuracy. This data does not identify any individual User, organization, or document.

6.4 Your Right to Object. You have the right to object to the use of data derived from your Account for model improvement and template generation purposes. To exercise this right, adjust your preferences in your Account settings under Privacy & Data. Your objection will be given effect prospectively and will not affect processing that has already occurred.

6.5 Future Model Development. CargoLint may in the future develop additional AI capabilities using data collected through the Services. Any material new use of personal data for such purposes will be disclosed in an updated Privacy Policy, and where required by law, we will seek your consent before implementing such new use.

7. International Data Transfers

7.1 Storage Location. All data processed through the Platform is stored on Microsoft Azure infrastructure located in the United States (East US and East US 2 regions). CargoLint does not currently operate data storage in Canada, the European Economic Area, or any other region.

7.2 Canadian Users. If you are located in Canada, your personal information will be transferred to and stored in the United States. CargoLint has entered into data processing terms with Microsoft Azure and OpenAI that provide contractual protections for your data. CargoLint is in compliance with its obligations under the Personal Information Protection and Electronic Documents Act (PIPEDA) with respect to cross-border transfers.

7.3 EEA and UK Users. If you are located in the European Economic Area or the United Kingdom, your personal information will be transferred to and processed in the United States. CargoLint relies on Standard Contractual Clauses as the legal basis for such transfers.

7.4 Chinese Users. If you are located in the People's Republic of China, or if Documents you upload contain data relating to Chinese data subjects or operations, your data will be processed on servers located in the United States. CargoLint does not currently have data localization or cross-border transfer mechanisms in place specific to Chinese law.

8. Data Retention

8.1 Documents and Output. CargoLint retains Documents uploaded to the Platform and associated Output for up to ten (10) years from the date of upload, unless you delete them earlier or your Account is terminated.

8.2 Account Data. We retain your Account registration data for as long as your Account is active and for a reasonable period thereafter.

8.3 Audit Logs. We retain audit log data for ten (10) years to support security monitoring, debugging, and legal compliance.

8.4 Post-Termination Retention. Following termination of your Account, CargoLint will delete or anonymize your Documents and personal Account data within ninety (90) days, subject to any longer retention period required by applicable law.

8.5 Your Right to Delete. You may delete individual Documents or request deletion of all data associated with your Account at any time through the Account management settings or by contacting us at privacy@cargolint.com.

9. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights. To exercise any of these rights, contact us at privacy@cargolint.com or through your Account settings.

9.1 Rights Under PIPEDA (Canadian Users). Access, correction, withdrawal of consent, and the right to challenge compliance.

9.2 Additional Rights Under Quebec Law 25 (Quebec Residents). Right to de-indexing, right to data portability, and right to refuse automated decision-making.

9.3 Rights Under GDPR (EEA and UK Users). Access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), portability (Art. 20), right to object (Art. 21), withdrawal of consent (Art. 7(3)), and the right to lodge a complaint with your supervisory authority.

9.4 Rights Under CCPA/CPRA (California Residents). Right to know, right to delete, right to correct, right to opt out of sale or sharing (CargoLint does not sell or share personal information for cross-context behavioural advertising), and right to non-discrimination.

9.5 How to Exercise Your Rights. Email our Privacy Officer at privacy@cargolint.com with the subject line "Privacy Rights Request". Include your name, email address, Account information, and a description of the right you wish to exercise. We will respond within the timeframes required by applicable law (generally 30 days).

10. Security

10.1 Security Measures. CargoLint implements encryption in transit (TLS), encryption at rest (AES-256 via Microsoft Azure), role-based access controls, comprehensive audit logging, and relies on Microsoft Azure's infrastructure security.

10.2 Limitations. No method of electronic transmission or storage is 100% secure. While we take commercially reasonable measures, we cannot guarantee absolute security.

10.3 Breach Notification. In the event of a data breach, CargoLint will notify affected individuals and relevant regulatory authorities as required by applicable law.

11. Cookies and Tracking Technologies

11.1 Platform. The CargoLint Platform uses session cookies and similar technologies necessary for authentication and secure operation. These are strictly necessary and cannot be disabled without impairing the Services.

11.2 Marketing Website. Our marketing website uses Google Analytics cookies. You may opt out using your browser's cookie settings or the Google Analytics Opt-out Browser Add-on.

11.3 No Tracking for Advertising. CargoLint does not use tracking technologies for behavioural advertising or third-party ad targeting.

12. Children's Privacy

The Services are not directed at individuals under the age of eighteen (18). CargoLint does not knowingly collect personal information from minors. If you believe a minor has provided personal information to CargoLint, please contact us at privacy@cargolint.com.

13. Third-Party Links and Services

The Platform and our marketing website may contain links to third-party websites or services. This Privacy Policy does not apply to any third party. We encourage you to review the privacy policies of any third-party services you access.

14. Changes to This Privacy Policy

CargoLint may update this Privacy Policy from time to time. When we make material changes, we will: update the "Effective Date"; post the updated Privacy Policy on our website; and send an email notification at least thirty (30) days before the changes take effect. Your continued use of the Services after the revised Privacy Policy becomes effective constitutes your acceptance of the updated terms.

15. Privacy Officer and How to Contact Us

CargoLint has designated a Privacy Officer who is responsible for overseeing compliance with this Privacy Policy and applicable privacy laws.

Privacy Officer - CargoLint Inc.
Email: privacy@cargolint.com
Address: 895 Don Mills Rd, Two Morneau Shepell Centre, Suite 900, Toronto ON M3C 1W3, Canada
Website: cargolint.com/privacy

If you are located in Canada and are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca. If you are a Quebec resident, you may also contact the Commission d'acces a l'information du Quebec at www.cai.quebec.ca. If you are located in the EEA, you have the right to lodge a complaint with the data protection supervisory authority in your Member State of residence.