Legal Document

Privacy Policy

This Privacy Policy explains how EcoFreight collects, uses, and protects your information when you use our CO₂ emissions API services.

Last updated: May 22, 2026

Quick Summary
  • We collect only the data necessary to provide our CO₂ emissions API services
  • Shipment data is processed for calculations but not stored long-term (auto-deleted after 30 days)
  • We never sell your personal data or use it for advertising
  • All data is encrypted and we follow industry-standard security practices
  • You have full control over your data and can request deletion at any time
  • We are compliant with GDPR, CCPA, and other major privacy regulations
  • International data transfers are protected by Standard Contractual Clauses

Information We Collect

Account Information

When you create an account, we collect your name, email address, company name, and billing information. This information is necessary to provide our services and manage your account.

API Usage Data

We collect technical information about your API usage, including request patterns, response times, error rates, and endpoint usage. This data helps us improve our service and provide technical support.

Shipment Data

We temporarily process shipment information (origins, destinations, cargo details) to calculate emissions. This data is not stored long-term and is automatically deleted after 30 days unless you opt into analytics features.

Device and Log Information

We automatically collect device information, IP addresses, browser types, and server logs. This information is used for security, debugging, and service optimization purposes.

How We Use Your Information

Service Provision

We use your information primarily to provide CO₂ emission calculations and API services. This includes processing your requests, maintaining your account, and providing customer support.

Service Improvement

We analyze usage patterns and performance metrics to improve our algorithms, add new features, and optimize system performance. All analysis is done on aggregated, anonymized data.

Communication

We may send you service-related emails, security alerts, and important updates. Marketing communications are opt-in only and can be unsubscribed at any time.

Compliance and Security

We use your information to comply with legal obligations, prevent fraud, and maintain the security and integrity of our platform.

Information Sharing

No Sale of Personal Data

We do not sell, rent, or trade your personal information to third parties for marketing purposes. Your data is not a revenue stream for our business.

Service Providers

We may share data with trusted service providers who help us operate our business (cloud hosting, payment processing, customer support). These providers are contractually bound to protect your data.

Legal Requirements

We may disclose information when required by law, court order, or to protect our rights and the safety of our users. We will notify you of such disclosures when legally permitted.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. You will be notified of any such change in ownership or control of your data.

Data Security

Encryption

All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption. API keys and sensitive data receive additional encryption layers.

Access Controls

We implement strict access controls and authentication mechanisms. Employee access to user data is limited, logged, and regularly audited.

Infrastructure Security

Our infrastructure is hosted on SOC 2 compliant cloud providers with regular security audits, penetration testing, and vulnerability assessments.

Incident Response

We have established procedures for detecting, investigating, and responding to security incidents. Users are notified of any breaches that may affect their data.

Your Rights and Choices

Access and Portability

You can request a copy of your personal data at any time. We provide data in common formats (JSON, CSV) for easy portability to other services.

Correction and Updates

You can update your account information and preferences through your dashboard. Contact us if you need help correcting any information we maintain about you.

Deletion

You can request deletion of your account and associated data. Some information may be retained for legal compliance or legitimate business purposes as described in this policy.

Opt-Out Options

You can opt out of non-essential communications, analytics features, and certain data processing activities through your account settings.

Data Retention

Account Data

We retain account information (name, email, company details) for as long as your account is active, plus 30 days after account deletion. Financial records and legal compliance data may be retained for up to 7 years as required by law.

API Usage Logs

Technical logs including API requests, response times, and error logs are retained for 90 days for debugging and support purposes, then automatically deleted unless required for legal compliance or ongoing investigations.

Shipment Calculation Data

Shipment details used for emissions calculations are automatically deleted after 30 days. If you enable analytics features, aggregated (anonymized) data may be retained for up to 2 years for service improvement purposes.

Billing and Payment Information

Payment transaction records are retained for 7 years from the transaction date as required by accounting standards and tax regulations. Credit card information is not stored by us directly but by our PCI-compliant payment processor.

Communication Records

Support tickets, email communications, and chat logs are retained for 3 years to provide continuity of service and comply with business record requirements.

Security and Audit Logs

Security incident logs, authentication records, and compliance audit trails are retained for 7 years or as required by applicable security and regulatory standards.

Data Deletion Procedures

User-Requested Deletions

Upon receiving a valid deletion request, we will permanently delete your personal data within 30 days, except where retention is required by law. You will receive confirmation once the deletion is complete.

Automated Deletion

Certain data types are automatically deleted according to our retention schedule: shipment calculation data after 30 days, API logs after 90 days, and temporary session data immediately after logout or expiration.

Backup and Recovery Systems

Data may persist in our backup systems for up to 90 days after deletion from active systems. Backup data is encrypted and inaccessible for normal operations, used only for disaster recovery purposes.

Legal Holds

In cases where we are legally required to preserve data (litigation holds, regulatory investigations), deletion may be delayed until the legal requirement is lifted. We will notify you of any such delays when legally permitted.

California Privacy Rights (CCPA)

Right to Know

California residents have the right to request information about the personal information we collect, use, disclose, and sell. This includes the categories of information, sources, business purposes, and third parties we share with.

Right to Delete

You have the right to request deletion of personal information we have collected from you, subject to certain exceptions such as legal compliance requirements or legitimate business needs.

Right to Opt-Out

We do not sell personal information to third parties. However, if our practices change, California residents will have the right to opt out of such sales.

Right to Non-Discrimination

We will not discriminate against you for exercising your CCPA rights. You will not be denied services, charged different prices, or provided different quality of service for exercising these rights.

Authorized Agents

You may designate an authorized agent to make CCPA requests on your behalf. The agent must provide written authorization from you, and we may require additional verification.

CCPA Request Process

To exercise your CCPA rights, email privacy@ecofreight.co with the subject line "CCPA Request" and a description of the right you want to exercise. We will verify your identity and respond within 45 days (extendable to 90 days if needed).

International Data Transfers

Global Operations

As a global service, your personal data may be transferred to, stored, and processed in countries other than your residence, including the United States and European Union member states.

Adequacy Decisions

When transferring data to countries outside the EU/EEA, we ensure transfers are made to countries with an adequacy decision from the European Commission, or we implement appropriate safeguards.

Standard Contractual Clauses

For transfers to countries without adequacy decisions, we use Standard Contractual Clauses (SCCs) approved by the European Commission to ensure appropriate data protection standards.

Transfer Impact Assessments

We regularly conduct Transfer Impact Assessments (TIAs) to evaluate the effectiveness of our international transfer mechanisms and implement additional safeguards when necessary.

Data Processing Agreements

All our international service providers and partners sign comprehensive Data Processing Agreements that include strict data protection requirements and audit rights.

Data Breach Notification

Incident Detection

We maintain continuous monitoring systems to detect potential security incidents and data breaches. Our security team responds to alerts 24/7 to minimize any potential impact.

Internal Response Process

Upon detecting a potential breach, we immediately activate our incident response team, secure affected systems, assess the scope of the breach, and begin containment procedures.

Regulatory Notification

For breaches likely to result in high risk to your rights and freedoms, we will notify relevant supervisory authorities within 72 hours of becoming aware of the breach, as required by GDPR and other applicable laws.

User Notification

If a breach is likely to result in high risk to your rights and freedoms, we will notify affected users without undue delay. Notifications will include the nature of the breach, likely consequences, and steps we are taking to address it.

Breach Documentation

We maintain detailed records of all data breaches, including facts surrounding the breach, its effects, and remedial actions taken. This documentation is available to supervisory authorities upon request.

Post-Breach Actions

After containing a breach, we conduct thorough forensic analysis, implement additional security measures to prevent recurrence, and may offer identity monitoring services to affected users when appropriate.

GDPR Compliance

We are committed to protecting the privacy rights of individuals in the European Union. Under GDPR, you have the following rights regarding your personal data:

  • Right to be informed about data processing
  • Right of access to your personal data
  • Right to rectification of inaccurate data
  • Right to erasure (right to be forgotten)
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Rights in relation to automated decision making

To exercise any of these rights, please contact us at privacy@ecofreight.co. We will respond to your request within 30 days.

Cookies and Tracking

Essential Cookies

We use essential cookies to maintain your session, remember your preferences, and ensure the security of our platform. These cookies are necessary for the service to function properly.

Analytics

We use privacy-focused analytics to understand how our service is used and to improve performance. This data is aggregated and anonymized, with no personally identifiable information collected.

Third-Party Services

Some third-party services we use may set their own cookies (payment processors, support tools). We ensure these partners follow similar privacy standards and provide opt-out mechanisms where possible.

International Data Transfers

Our services operate globally, and your data may be processed in countries other than your residence. We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Data Processing Agreements with all service providers
  • Regular audits of international data handling practices
  • Compliance with local privacy laws in operating jurisdictions

Contact Us About Privacy

If you have questions about this Privacy Policy or want to exercise your privacy rights, please contact us:

General privacy inquiries

privacy@ecofreight.co

GDPR / Data Protection

dpo@ecofreight.co

CCPA requests

ccpa@ecofreight.co

Postal address

Email privacy@ecofreight.co to request our postal correspondence address.

Response time

We respond to privacy inquiries within 30 days, or sooner when legally required.

Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

  • We will notify you of significant changes by email and through our platform
  • Minor updates will be posted with an updated "Last Modified" date
  • Continued use of our services after updates constitutes acceptance
  • You can always find the current version at ecofreight.co/privacy

This policy is effective as of May 22, 2026 and applies to all users of EcoFreight services.