Legal · Draft
Privacy Policy
1. What this covers
This Privacy Policy describes how CargoFlow ("we", "the Service") collects, uses, and stores information when your organization ("client", "tenant") and its users use the Service. It is written to match what the current system actually does, not generic boilerplate.
2. Information we collect
- Account information — username, role, password (stored as a salted bcrypt hash, never in plain text), and the client/tenant your account belongs to.
- Uploaded manifests and documents — cargo manifests, aircraft configuration files, dangerous-goods declarations, and knowledge-base documents (manuals, procedures) you upload or paste for the agent to reference. These are parsed, chunked, and — where an embeddings provider is configured — converted into vector embeddings for search.
- Chat messages — conversations with the CargoFlow agent, including any operational data referenced in them (weights, positions, shipper names), so the agent can route requests to the planning engine and so conversations can be reviewed for accuracy.
- Audit and activity logs — a record of key actions (plan creation, sign-offs, last-minute changes, admin actions including support impersonation), tagged with the acting user and tenant, for accountability and troubleshooting.
- Shipper weight-reconciliation records — declared vs. actual weight per shipment, used to compute a shipper reliability score for your organization; this data is tenant-scoped.
- Demo-request form data — company name, contact name, work email, phone (optional), and fleet information submitted through the public homepage's demo-request form.
- Marketing-site visit data — when you browse our public marketing/login pages
(before signing in), we set a first-party
cf_visitorcookie (a random identifier, no third-party analytics involved) and record which pages you viewed, which links/buttons you clicked, the referring page, your IP address, and browser user-agent string. If you later sign in, this anonymous browsing history is linked to your account so we know how visitors become clients. This is self-hosted — no data is sent to Google Analytics or any other third-party analytics provider.
3. How we use it
- To operate the Service: compute load plans, run compliance checks, generate documents (Load & Trim Sheet, LDM, CPM, UCM, NOTOC), and power the conversational agent.
- To maintain an audit trail of who did what, for your organization's own accountability and for troubleshooting support requests.
- To compute the shipper reliability feature from weight-reconciliation data your organization records.
- To respond to demo requests submitted through the homepage.
- We do not use your organization's manifest, chat, or document data to train models, and we do not sell it to third parties.
4. Tenant isolation
CargoFlow is multi-tenant: every client organization is assigned a client_id, and
operational records (manifests, plans, chat/knowledge-base chunks, audit-log entries, weight-reconciliation
data) are scoped to that identifier at the database level. Application code filters queries by
client_id so one tenant's data is not returned in another tenant's requests. Support
impersonation by an admin is scoped to the target user's own tenant and is separately logged in the audit
trail, not a bypass of tenant scoping.
5. Retention
Operational data (manifests, plans, documents, chat history, audit logs) is retained for the duration of your organization's active use of the Service, so plans and audit history remain available for historical reference. On request, or on termination of an account, your organization's data can be exported and then deleted within a reasonable period, subject to any log retention needed for security or legal purposes. Specific retention periods are not yet finalized in writing — treat this section as a placeholder pending the Terms/DPA being finalized with a client.
6. Third parties that process data today
This section lists processors actually wired into the current codebase — not a hypothetical future-state list:
- OpenAI (text-embedding-3-small) — when an embeddings provider is configured, text from knowledge-base and client documents is sent to OpenAI's embeddings API to generate vector embeddings used for the agent's document search. If no provider is configured, this call does not happen and search falls back accordingly.
- n8n workflow automation (self-hosted) — chat turns with the CargoFlow agent, and uploaded aircraft-configuration documents for admin review, are forwarded to a CargoFlow-operated n8n instance, which routes the request to an underlying language-model provider and back to the deterministic planning engine. n8n does not itself decide load numbers; it orchestrates the round trip.
- Infrastructure providers — standard hosting/database infrastructure needed to run the application and its Postgres database. No other analytics, advertising, or marketing third parties are currently integrated into the authenticated application.
The marketing-site visitor tracking described in Section 2 is first-party and self-hosted
— it runs on our own server and database, not a third-party analytics vendor. A cookie-consent banner is
shown on first visit to any public marketing/legal page; the cf_visitor cookie is set, and
tracking begins, only after you actively accept — declining means no analytics call is ever made and no
cookie is ever set. Your choice is remembered in your browser's local storage.
If your organization requires a specific sub-processor list with regions/entities named for contractual purposes, request it directly — see the DPA for the sub-processor disclosure commitment.
7. Security measures
See the Data Processing Agreement for the current list of security measures actually implemented (password hashing, session-based authentication, tenant isolation, rate limiting). We do not claim a formal certification (e.g. SOC 2) at this time — that is an open item on our roadmap, not a completed control.
8. Your rights / data requests
To request a copy of your organization's data, correction, or deletion, contact the CargoFlow team through your normal point of contact, or via the demo-request form on the homepage. We will route the request to the account administrator for your organization where applicable, since most operational data belongs to the tenant, not an individual user.
9. Changes to this policy
Because this is a draft, expect revisions as legal review proceeds and as new processors are added. Material changes will be communicated to active clients before taking effect.
See also: Terms of Service · Data Processing Agreement (template).