Data Protection & Privacy Policy

At TradeFlow SaaS, we understand that data security and privacy are paramount for businesses operating in logistics and cross-border trade. This policy outlines our commitment to protecting your data with enterprise-grade security measures and transparent practices.

Last Updated: November 2025

1. Introduction & Scope

TradeFlow SaaS ("we", "our", or "us") provides enterprise SaaS solutions for logistics and cross-border trade operations. This Privacy Policy explains how we collect, use, process, and protect information in connection with our platform and services.

As a B2B SaaS company handling sensitive trade data, we implement robust data protection measures compliant with the General Data Protection Regulation (GDPR), the Estonian Personal Data Protection Act, and other applicable international data protection regulations relevant to cross-border trade operations.

Enterprise Data Responsibility: We recognize that trade data includes sensitive commercial information, customs declarations, shipment details, and financial data. We apply the highest standards of data protection appropriate for enterprise business operations.

2. Information We Collect and Process

As an enterprise SaaS platform for logistics and trade, we process several categories of data:

Business and User Information

  • Account Information: Company name, business registration details, VAT numbers, trade licenses
  • User Details: Employee names, email addresses, job titles, contact information
  • Authentication Data: Login credentials, access logs, authentication tokens
  • Billing Information: Payment details, subscription plans, invoice history

Trade and Logistics Data

For platform functionality, we process:

  • Shipment Information: Consignment details, cargo descriptions, values, weights, dimensions
  • Customs Data: Customs declarations, HS codes, duty calculations, export/import documentation
  • Logistics Data: Carrier information, tracking numbers, shipping routes, delivery schedules
  • Trade Partner Data: Supplier and customer information for cross-border transactions
  • Compliance Data: Sanction screenings, license verifications, regulatory compliance checks

Technical and Usage Data

  • System Logs: IP addresses, device information, browser types, access times
  • Usage Analytics: Feature usage patterns, API call logs, performance metrics
  • Integration Data: Data exchanged with connected systems (ERP, WMS, carrier APIs)

3. How We Use Your Information

We process data exclusively for providing and improving our trade logistics platform:

| Purpose | Legal Basis | Data Categories |
|---|---|---|
| Platform operation and service delivery | Performance of contract | Account data, trade data, user information |
| Customs declaration processing and submission | Performance of contract | Customs data, shipment information, trade partner data |
| Logistics tracking and supply chain visibility | Performance of contract | Shipment data, carrier information, tracking data |
| Trade compliance and regulatory checks | Legal obligation & legitimate interest | Compliance data, sanction screenings, trade documentation |
| Billing and subscription management | Performance of contract | Billing information, usage data, account details |
| System security and fraud prevention | Legitimate interest | Authentication logs, access patterns, system logs |
| Platform improvement and feature development | Legitimate interest | Usage analytics, feature usage patterns, feedback data |
| Customer support and issue resolution | Legitimate interest | Contact information, support tickets, system data |
| Regulatory reporting and compliance | Legal obligation | Trade records, customs declarations, audit trails |

4. Data Sharing and Third-Party Processing

As a logistics platform, we integrate with various systems and may share data for specific purposes:

Service Providers

  • Cloud Infrastructure: AWS EU data centers for secure hosting
  • Payment Processors: For subscription billing and payment processing
  • Communication Services: For notifications, alerts, and customer support
  • Analytics Providers: For platform performance monitoring

Regulatory and Government Entities

We may be required to share data with:

  • Customs Authorities: For electronic submission of customs declarations (EU ICS2, NCTS systems)
  • Tax Authorities: For VAT and duty reporting compliance
  • Trade Regulators: For compliance with international trade regulations
  • Legal Authorities: When required by law or legal process

Business Partners and Integrations

  • Carrier Systems: For shipment booking and tracking
  • ERP/WMS Systems: Based on customer-configured integrations
  • Trade Compliance Databases: For sanction screening and regulatory checks

Data Processing Agreements: All third-party service providers processing data on our behalf are bound by Data Processing Agreements (DPAs) that enforce GDPR compliance and appropriate security measures.

5. Data Security and Protection Measures

We implement enterprise-grade security measures appropriate for handling sensitive trade data:

Technical Security

  • Encryption: End-to-end encryption for data in transit (TLS 1.3+) and at rest (AES-256)
  • Access Controls: Role-based access controls (RBAC), multi-factor authentication (MFA)
  • Network Security: Firewalls, intrusion detection systems, DDoS protection
  • Data Segregation: Logical separation of customer data within multi-tenant architecture
  • Audit Logging: Comprehensive audit trails for all data access and modifications

Operational Security

  • SOC 2 Compliance: Regular security audits and compliance certifications
  • Employee Training: Security awareness training for all staff
  • Incident Response: Documented incident response procedures
  • Backup and Recovery: Regular encrypted backups with tested recovery procedures
  • Vulnerability Management: Regular security assessments and penetration testing

Trade Data Specific Protections

  • Data Minimization: Collecting only necessary data for trade operations
  • Retention Policies: Defined retention periods for different data categories
  • Export Controls: Controls on data transfers outside the EU/EEA
  • Customs Data Protection: Additional safeguards for sensitive customs information

6. Your Rights and Data Subject Requests

Under GDPR and applicable data protection laws, your organization and users have the following rights:

  • Right of Access: Request access to personal data we process
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of personal data under certain conditions
  • Right to Restrict Processing: Request restriction of data processing
  • Right to Data Portability: Receive data in a structured, machine-readable format
  • Right to Object: Object to certain types of data processing
  • Right to Withdraw Consent: Withdraw consent for processing based on consent
  • Right to Lodge Complaints: File complaints with supervisory authorities

Business Data Considerations: Certain trade and logistics data may be subject to legal retention requirements for customs, tax, and regulatory compliance. We will inform you of any such requirements when responding to data subject requests.

Enterprise Contact: For enterprise customers, we recommend designating a primary administrative contact for data protection matters to ensure efficient handling of data subject requests affecting multiple users within your organization.

7. International Data Transfers

As a platform serving cross-border trade operations, data may be transferred internationally:

Data Processing Locations

  • Primary Processing: EU/EEA data centers (Estonia, Germany)
  • Backup Locations: Within EU-approved jurisdictions
  • Integration Points: Data may flow to integrated systems based on customer configuration

Transfer Mechanisms

  • Adequacy Decisions: Transfers to countries with EU adequacy decisions
  • Standard Contractual Clauses: EU-approved SCCs for transfers to third countries
  • Additional Safeguards: Technical and organizational measures for all international transfers

Trade-Specific Transfers

For trade operations, data may be transferred to:

  • Customs authorities in destination countries
  • Carriers and logistics partners internationally
  • Trade partners in transaction countries
  • Regulatory databases for compliance checks

Such transfers are necessary for the performance of trade operations and are conducted with appropriate legal bases and safeguards.

8. Data Retention and Deletion

We retain data based on operational needs and legal requirements:

Retention Periods

  • Active Customer Data: Retained for the duration of the service agreement
  • Trade and Customs Records: 10 years (EU customs record-keeping requirements)
  • Financial Records: 7 years (Estonian tax and accounting requirements)
  • System Logs: 1 year for security and troubleshooting
  • Backup Data: 30 days with regular rotation

Deletion Procedures

  • Account Termination: Data deletion or anonymization upon contract termination
  • Secure Deletion: Certified data deletion methods for sensitive information
  • Legal Holds: Data preservation when required by legal proceedings
  • Archival: Historical trade data may be archived for compliance purposes

Trade Data Archival: Due to legal requirements for customs and trade record-keeping, certain trade data may be retained in archival systems beyond the termination of service agreements to comply with EU and international trade regulations.

Contact Our Data Protection Team

For data protection inquiries, data subject requests, or security concerns:

TradeFlow SaaS

Lina tn 5, 10314 Tallinn, Estonia

Contact Person: Lev Brodski

Phone: +372 5850 2424

Email: privacy@tradeflowsaas.ee

Data Protection Officer: dpo@tradeflowsaas.ee

Security Team: security@tradeflowsaas.ee

We respond to all data protection inquiries within 72 hours during business days.