CargoFlow
Terms DPA Sign in
Draft — pending legal review. This document has not been reviewed or approved by a licensed attorney and is not final. It describes, in good faith, what the CargoFlow codebase actually collects and processes as of this writing — but it is not a certified compliance statement, and must not be relied on as final until a qualified reviewer signs off and this banner is removed.

Legal · Draft

Privacy Policy

Draft version — last edited 2026-07-07. Not yet reviewed by counsel.

1. What this covers

This Privacy Policy describes how CargoFlow ("we", "the Service") collects, uses, and stores information when your organization ("client", "tenant") and its users use the Service. It is written to match what the current system actually does, not generic boilerplate.

2. Information we collect

  • Account information — username, role, password (stored as a salted bcrypt hash, never in plain text), and the client/tenant your account belongs to.
  • Uploaded manifests and documents — cargo manifests, aircraft configuration files, dangerous-goods declarations, and knowledge-base documents (manuals, procedures) you upload or paste for the agent to reference. These are parsed, chunked, and — where an embeddings provider is configured — converted into vector embeddings for search.
  • Chat messages — conversations with the CargoFlow agent, including any operational data referenced in them (weights, positions, shipper names), so the agent can route requests to the planning engine and so conversations can be reviewed for accuracy.
  • Audit and activity logs — a record of key actions (plan creation, sign-offs, last-minute changes, admin actions including support impersonation), tagged with the acting user and tenant, for accountability and troubleshooting.
  • Shipper weight-reconciliation records — declared vs. actual weight per shipment, used to compute a shipper reliability score for your organization; this data is tenant-scoped.
  • Demo-request form data — company name, contact name, work email, phone (optional), and fleet information submitted through the public homepage's demo-request form.
  • Marketing-site visit data — when you browse our public marketing/login pages (before signing in), we set a first-party cf_visitor cookie (a random identifier, no third-party analytics involved) and record which pages you viewed, which links/buttons you clicked, the referring page, your IP address, and browser user-agent string. If you later sign in, this anonymous browsing history is linked to your account so we know how visitors become clients. This is self-hosted — no data is sent to Google Analytics or any other third-party analytics provider.

3. How we use it

  • To operate the Service: compute load plans, run compliance checks, generate documents (Load & Trim Sheet, LDM, CPM, UCM, NOTOC), and power the conversational agent.
  • To maintain an audit trail of who did what, for your organization's own accountability and for troubleshooting support requests.
  • To compute the shipper reliability feature from weight-reconciliation data your organization records.
  • To respond to demo requests submitted through the homepage.
  • We do not use your organization's manifest, chat, or document data to train models, and we do not sell it to third parties.

4. Tenant isolation

CargoFlow is multi-tenant: every client organization is assigned a client_id, and operational records (manifests, plans, chat/knowledge-base chunks, audit-log entries, weight-reconciliation data) are scoped to that identifier at the database level. Application code filters queries by client_id so one tenant's data is not returned in another tenant's requests. Support impersonation by an admin is scoped to the target user's own tenant and is separately logged in the audit trail, not a bypass of tenant scoping.

5. Retention

Operational data (manifests, plans, documents, chat history, audit logs) is retained for the duration of your organization's active use of the Service, so plans and audit history remain available for historical reference. On request, or on termination of an account, your organization's data can be exported and then deleted within a reasonable period, subject to any log retention needed for security or legal purposes. Specific retention periods are not yet finalized in writing — treat this section as a placeholder pending the Terms/DPA being finalized with a client.

6. Third parties that process data today

This section lists processors actually wired into the current codebase — not a hypothetical future-state list:

  • OpenAI (text-embedding-3-small) — when an embeddings provider is configured, text from knowledge-base and client documents is sent to OpenAI's embeddings API to generate vector embeddings used for the agent's document search. If no provider is configured, this call does not happen and search falls back accordingly.
  • n8n workflow automation (self-hosted) — chat turns with the CargoFlow agent, and uploaded aircraft-configuration documents for admin review, are forwarded to a CargoFlow-operated n8n instance, which routes the request to an underlying language-model provider and back to the deterministic planning engine. n8n does not itself decide load numbers; it orchestrates the round trip.
  • Infrastructure providers — standard hosting/database infrastructure needed to run the application and its Postgres database. No other analytics, advertising, or marketing third parties are currently integrated into the authenticated application.

The marketing-site visitor tracking described in Section 2 is first-party and self-hosted — it runs on our own server and database, not a third-party analytics vendor. A cookie-consent banner is shown on first visit to any public marketing/legal page; the cf_visitor cookie is set, and tracking begins, only after you actively accept — declining means no analytics call is ever made and no cookie is ever set. Your choice is remembered in your browser's local storage.

If your organization requires a specific sub-processor list with regions/entities named for contractual purposes, request it directly — see the DPA for the sub-processor disclosure commitment.

7. Security measures

See the Data Processing Agreement for the current list of security measures actually implemented (password hashing, session-based authentication, tenant isolation, rate limiting). We do not claim a formal certification (e.g. SOC 2) at this time — that is an open item on our roadmap, not a completed control.

8. Your rights / data requests

To request a copy of your organization's data, correction, or deletion, contact the CargoFlow team through your normal point of contact, or via the demo-request form on the homepage. We will route the request to the account administrator for your organization where applicable, since most operational data belongs to the tenant, not an individual user.

9. Changes to this policy

Because this is a draft, expect revisions as legal review proceeds and as new processors are added. Material changes will be communicated to active clients before taking effect.

See also: Terms of Service · Data Processing Agreement (template).

CargoFlow · Load planning and weight & balance for your fleet. Terms · Privacy · DPA