Section 01: Who we are
This Privacy Policy explains how Effective Supply Chain Sweden AB, organization number 559497-4668, operating under the brand "Carriora" ("we", "us", or "our"), processes personal data.
We are the data controller for personal data we collect about visitors to our website, prospective customers, users of the Carriora platform, and recipients of shipments processed through our Service — except where we act as a processor on behalf of a customer (see Section 13).
Section 02: Scope of this policy
This policy covers personal data we process when you:
- Visit carriora.com or related websites.
- Create a Carriora account or use the Service.
- Contact us by email, phone, or through our support channels.
- Are named as a sender, receiver, or contact in a shipment processed through Carriora.
Section 03: Data we collect
| Category | Examples |
|---|---|
| Account data | Name, email, phone, job title, organization, password hash, two-factor authentication settings. |
| Usage data | Pages visited, features used, IP address, browser, device, session timestamps, activity logs. |
| Shipment data | Sender and receiver names, addresses, phone numbers, email, package details, tracking events, carrier quotes, customs information. |
| Billing data | Company billing address, VAT number, payment method details (tokenized by our payment provider), invoice history. |
| Communications | Support tickets, emails, chat transcripts, meeting notes. |
| Cookies | Session cookies, authentication tokens, analytics identifiers. See Section 10. |

We do not intentionally collect special categories of personal data (e.g., health, ethnicity, religion). If such data appears in shipment content descriptions or customs declarations, we process it only as needed to deliver the Service.
Section 04: How we use data
We use personal data to:
- Create and operate your account, authenticate users, and secure access.
- Provide the Service: booking shipments, calculating rates, tracking parcels, auditing invoices, sending notifications.
- Transmit data to carriers and integration partners strictly as required to execute your requests.
- Provide customer support and respond to inquiries.
- Invoice you and collect payment.
- Improve the Service through usage analytics and feedback.
- Detect, investigate, and prevent fraud, abuse, and security incidents.
- Comply with legal obligations (e.g., accounting, tax, sanctions screening).
- Send service-related communications and, with your consent or where permitted, marketing communications.
Section 05: Legal basis
We rely on the following legal bases under GDPR Article 6:
- Contract — to provide the Service to you or your organization.
- Legitimate interest — to operate, secure, and improve the Service; to contact prospective customers in a B2B context; to analyze usage.
- Consent — for non-essential cookies and marketing where required.
- Legal obligation — for accounting, tax, and compliance with lawful requests from authorities.
You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.
Section 06: Who we share data with
We share personal data only where necessary:
- Carriers and logistics partners — to obtain rate quotes, book shipments, produce labels, track parcels, and handle customs (e.g., PostNord, DHL, DB Schenker, UPS, FedEx, and other carriers you choose to use).
- Infrastructure providers — cloud hosting, databases, email delivery, monitoring, and backups (bound by data processing agreements).
- Payment providers — to process subscription fees.
- Professional advisors — auditors, accountants, and lawyers bound by confidentiality.
- Authorities — where required by law or to protect our rights.
- Successors — in connection with a merger, acquisition, or sale of assets, subject to equivalent protections.
We do not sell personal data.
Section 07: International transfers
We primarily host data in the EU/EEA. Some sub-processors or carriers may process data outside the EU/EEA. In those cases, we rely on:
- Adequacy decisions issued by the European Commission, where available.
- EU Standard Contractual Clauses with supplementary measures where needed.
- Other lawful transfer mechanisms under GDPR Chapter V.
A current list of sub-processors is available on request.
Section 08: How long we keep data
| Data | Retention period |
|---|---|
| Account data | Until account deletion, then up to 90 days in backups. |
| Shipment records | 7 years (Swedish Accounting Act, bokföringslagen). |
| Invoices and financial records | 7 years. |
| Support communications | 3 years after last contact. |
| Marketing data | Until you unsubscribe or object, then promptly deleted. |
| Security and audit logs | 12–24 months. |

Section 09: Your rights
Under GDPR, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erasure ("right to be forgotten") where applicable.
- Restrict processing in certain circumstances.
- Data portability — receive your data in a structured, machine-readable format.
- Object to processing based on legitimate interest or direct marketing.
- Withdraw consent at any time.
- Lodge a complaint with a supervisory authority (see Section 15).
To exercise your rights, contact privacy@carriora.com. We will respond within one month. If you are a user of Carriora, many of these rights can be exercised directly from your account settings.
If we process your personal data on behalf of a Carriora customer (for example, because you are a recipient of a shipment), please direct your request to that customer. We will assist them in responding.
Section 10: Cookies and tracking
We use the following categories of cookies and similar technologies:
- Strictly necessary — authenticate users, keep you signed in, and secure the Service. These cannot be disabled.
- Functional — remember preferences like language and display settings.
- Analytics — understand how the Service is used so we can improve it. We use privacy-respecting analytics where possible.
You can manage cookies through your browser settings. A cookie consent banner is shown on first visit where required.
Section 11: Security
We apply appropriate technical and organizational measures to protect personal data, including:
- Encryption in transit (TLS 1.2+) and at rest for sensitive data.
- Strict access controls, least-privilege principles, and audit logging.
- Multi-factor authentication for administrative access.
- Regular backups and disaster recovery procedures.
- Vendor due diligence and data processing agreements.
- Vulnerability management, security testing, and employee training.
No system is perfectly secure. If we become aware of a personal data breach affecting you, we will notify you and the supervisory authority as required by GDPR.
Section 12: Children
The Service is intended for business use. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us so we can delete it.
Section 13: Data controller vs processor
For data you upload to the Carriora platform as part of using the Service (e.g., your contacts, shipment data), Carriora acts as a data processor and your organization is the controller. Our processing is governed by the Data Processing Agreement ("DPA") that forms part of your subscription.
For account registration data, website visits, billing, support, and marketing, Carriora acts as the controller, and this Privacy Policy applies directly.
Section 14: Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or in-app notice at least 30 days before the change takes effect. The "Effective" date at the top of this page shows when the policy was last updated.
Section 15: Contact and complaints
For privacy questions, requests, or concerns:
Effective Supply Chain Sweden AB
Email: privacy@carriora.com
Organization number: 559497-4668
If you are not satisfied with our response, you may lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY):