Privacy Policy
Last updated: 2026-04-07
1. Identity of the Data Controller
The data controller responsible for your personal data is [COMPANY LEGAL NAME], registered at [REGISTERED ADDRESS], Lithuania. Contact: privacy@[yourdomain.com].
2. What Personal Data We Collect
- Account data: name, email address, profile picture (from Google / Microsoft OAuth).
- Company assignment: which company account you belong to.
- Login records: timestamp, login method (OAuth or admin), IP address.
- Technical data: browser user-agent string collected at admin login.
3. How We Collect It
- Directly from you: when you sign in via Google or Microsoft OAuth.
- Automatically: IP address and user-agent are recorded on each login for security purposes.
- From third parties: Google and Microsoft provide your name, email, and profile picture during authentication.
4. Why We Process It (Purpose & Lawful Basis)
| Purpose | Lawful Basis |
|---|---|
| Authenticating you and maintaining your session | Contract performance |
| Assigning you to a company and controlling access to trailers/data | Contract performance |
| Recording logins to detect abuse and protect the platform | Legitimate interests (security) |
| Sending status notifications (account approved / rejected) | Contract performance |
5. Who We Share Data With
We do not sell your personal data. We share it only with:
- Google LLC — OAuth authentication provider (Google Sign-In). Google Privacy Policy.
- Microsoft Corporation — OAuth authentication provider (Microsoft Entra ID). Microsoft Privacy Statement.
- Hosting infrastructure: our VPS provider processes data as a data processor under a Data Processing Agreement.
6. International Transfers
Google and Microsoft may process data outside the EEA. Both companies participate in the EU–US Data Privacy Framework and provide Standard Contractual Clauses (SCCs) as a transfer safeguard. All other data is stored on servers located within the EU.
7. Retention Periods
| Data category | Retention period |
|---|---|
| User account (name, email, status) | For the duration of the contract + 30 days after account deletion |
| Login logs (IP, timestamp, user-agent) | 90 days |
| Cookie consent record | 12 months |
8. Your Rights
Under GDPR you have the right to:
- Access — request a copy of your personal data.
- Rectification — correct inaccurate data.
- Erasure — request deletion of your data ("right to be forgotten").
- Restriction — ask us to pause processing while a dispute is resolved.
- Portability — receive your data in a machine-readable format.
- Object — object to processing based on legitimate interests.
To exercise any right, email privacy@[yourdomain.com]. We will respond within 30 days.
9. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on you. Access approval and company assignment are performed manually by an administrator.
10. How We Protect Your Data
- All data is transmitted over HTTPS (TLS 1.2+).
- Session tokens are cryptographically signed (HMAC-SHA256).
- Admin login is protected by password + TOTP two-factor authentication.
- Rate limiting and IP-based abuse detection are active on all authentication endpoints.
- The database is not publicly accessible; it is bound to the internal Docker network only.
11. How to Lodge a Complaint
You have the right to lodge a complaint with the Lithuanian supervisory authority:
State Data Protection Inspectorate (VDAI)
L. Sapiegos g. 17, LT-10312 Vilnius, Lithuania
vdai.lrv.lt
12. Changes to This Policy
Material changes will be notified by email to registered users at least 14 days before taking effect. The "Last updated" date at the top of this page will always reflect the current version.
13. Contact
For any privacy-related questions: privacy@[yourdomain.com]