Privacy Policy

1. Introduction

Xpeditis ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our maritime freight booking platform.

This policy complies with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Data Controller

3. Information We Collect

3.1 Personal Information

We collect the following personal information:

• Account Information: Name, email address, phone number, company name, job title
• Authentication Data: Password (hashed), OAuth tokens, 2FA credentials
• Booking Information: Shipper/consignee details, cargo descriptions, container specifications
• Payment Information: Billing address (payment card data is processed by third-party processors)
• Communication Data: Support tickets, emails, chat messages

3.2 Technical Information

• Log Data: IP address, browser type, device information, operating system
• Usage Data: Pages visited, features used, time spent, click patterns
• Cookies: Session cookies, preference cookies, analytics cookies
• Performance Data: Error logs, crash reports, API response times

4. Legal Basis for Processing (GDPR)

We process your data based on the following legal grounds:

• Contract Performance: To provide booking and shipment services
• Legitimate Interests: Platform security, fraud prevention, service improvement
• Legal Obligation: Tax compliance, anti-money laundering, data retention laws
• Consent: Marketing communications, optional analytics, cookies

5. How We Use Your Information

• Provide, operate, and maintain the Platform
• Process bookings and manage shipments
• Communicate with you about your account and services
• Send transactional emails (booking confirmations, notifications)
• Provide customer support
• Detect and prevent fraud, abuse, and security incidents
• Analyze usage patterns and improve the Platform
• Comply with legal obligations
• Send marketing communications (with your consent)

6. Data Sharing and Disclosure

We may share your information with:

6.1 Service Providers

• Shipping Carriers: Maersk, MSC, CMA CGM, etc. (for booking execution)
• Cloud Infrastructure: AWS/GCP (data hosting)
• Email Services: SendGrid/AWS SES (transactional emails)
• Analytics: Sentry (error tracking), Google Analytics (usage analytics)
• Payment Processors: Stripe (payment processing)

6.2 Legal Requirements

We may disclose your information if required by law, court order, or government request, or to protect our rights, property, or safety.

6.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.

7. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA). We ensure adequate protection through:

• Standard Contractual Clauses (SCCs)
• EU-US Data Privacy Framework
• Adequacy decisions by the European Commission

8. Data Retention

We retain your data for the following periods:

• Account Data: Until account deletion + 30 days
• Booking Data: 7 years (for legal and tax compliance)
• Audit Logs: 2 years
• Analytics Data: 26 months
• Marketing Consent: Until withdrawal + 30 days

9. Your Data Protection Rights (GDPR)

You have the following rights:

9.1 Right to Access

You can request a copy of all personal data we hold about you.

9.2 Right to Rectification

You can correct inaccurate or incomplete data.

9.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your data, subject to legal retention requirements.

9.4 Right to Data Portability

You can receive your data in a structured, machine-readable format (JSON/CSV).

9.5 Right to Object

You can object to processing based on legitimate interests or for marketing purposes.

9.6 Right to Restrict Processing

You can request limitation of processing in certain circumstances.

9.7 Right to Withdraw Consent

You can withdraw consent for marketing or optional data processing at any time.

9.8 Right to Lodge a Complaint

You can file a complaint with your local data protection authority.

10. Security Measures

We implement industry-standard security measures:

• Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
• Authentication: Password hashing (bcrypt), JWT tokens, 2FA support
• Access Control: Role-based access control (RBAC), principle of least privilege
• Monitoring: Security logging, intrusion detection, regular audits
• Compliance: OWASP Top 10 protection, regular penetration testing

11. Cookies and Tracking

We use the following types of cookies:

• Essential Cookies: Required for authentication and security (cannot be disabled)
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Help us understand how you use the Platform (optional)
• Marketing Cookies: Used for targeted advertising (optional, requires consent)

You can manage cookie preferences in your browser settings or through our cookie consent banner.

12. Children's Privacy

The Platform is not intended for users under 18 years of age. We do not knowingly collect personal information from children.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or platform notification. Continued use after changes constitutes acceptance.

14. Contact Us

For privacy-related questions or to exercise your data protection rights: