Privacy Policy
Last updated: April 2026 · GDPR / AVG compliant
1. Data Controller
ClearanceGuard, registered in the Netherlands. Email: info@clearanceguard.nl
ClearanceGuard acts as a data controller for account, payment, usage, and communication data.
ClearanceGuard acts as a data processor (verwerker) for Customer Data containing personal data (e.g., carrier names, consignee details in T1 documents). In this capacity, the Customer is the data controller. Processing is governed by a Data Processing Agreement (verwerkersovereenkomst).
2. Legal Basis for Processing
Contract performance (Art. 6(1)(b)): Providing the Service, account management, payment processing, transactional emails.
Legitimate interest (Art. 6(1)(f)): Improving the Service, security, fraud prevention, product analytics.
Legal obligation (Art. 6(1)(c)): 7-year audit log retention (Art. 1:32 Algemene douanewet), tax record keeping.
Consent (Art. 6(1)(a)): Marketing communications (explicit opt-in only). Consent may be withdrawn at any time.
3. Personal Data We Collect
Account Data: Full name, email address, company name, password (stored only as a cryptographic hash; we never access plaintext passwords), role and permissions, timestamps.
Payment Data: Billing information processed by Stripe. We do NOT store credit card or bank account numbers. Stripe is PCI-DSS Level 1 certified.
Usage Data: IP addresses (for security/rate limiting), login timestamps, feature usage patterns, browser type.
Communication Data: Contact form submissions, support correspondence, email delivery status.
Audit Trail Data: User actions (imports, status changes, exports, alert dispatches), timestamps, system events.
4. Customs and Operational Data
The following data may be processed as Customer Data: T1 document numbers, MRN codes, consignee names/addresses, carrier names/emails, reference amounts, expiry dates, NCTS status data, branch names, HAWB/MAWB references, job numbers, shipper names, origin airports, goods descriptions, and weights.
This data is uploaded and controlled by the Customer. ClearanceGuard processes it solely on the Customer's behalf. The Customer is responsible for ensuring lawful basis to process this data.
5. Purposes of Processing
Service delivery: Compliance monitoring, document tracking, expiry calculations, report generation.
Communications: Carrier reminders on behalf of Customer, transactional emails (password resets, invitations, digests).
Security: Audit trails, rate limiting, error tracking, fraud prevention.
Improvement: Aggregated usage analytics, technical issue resolution.
We do NOT process data for advertising, sale to third parties, profiling, or automated decision-making with legal effects (Art. 22 GDPR).
6. Sub-Processors
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, auth, storage | EU (Ireland) |
| Vercel | Application hosting | EU edge; US builds |
| Stripe | Payment processing | EU (Ireland) |
| Resend | Email delivery | US (EU-US DPF) |
| PostHog | Product analytics | EU (Frankfurt) |
| Sentry | Error tracking | US (EU-US DPF) |
| Upstash | Cache, rate limiting | EU (Ireland) |
Data Processing Agreements are in place with all sub-processors. We will notify Customers of material changes to this list.
7. International Data Transfers
Primary database is in the EU (Supabase, Ireland). Some sub-processors process data in the US (Resend, Sentry, certain Vercel/Stripe operations).
Safeguards for US transfers: EU-US Data Privacy Framework (Adequacy Decision, July 2023); Standard Contractual Clauses (Commission Decision 2021/914); encryption in transit and at rest.
8. Data Retention
| Data | Retention | Basis |
|---|---|---|
| Account data | Active + 12 months | Contract |
| Operational data | Active + 30 days | Contract |
| Audit logs | 7 years | Legal (Art. 1:32 Adw) |
| Billing data | 7 years | Legal (fiscaal) |
| Analytics (aggregated) | 26 months | Legitimate interest |
| Support communications | 3 years after last contact | Legitimate interest |
| Error reports | 90 days | Legitimate interest |
Deletion-log retention. When you request account deletion, your customer data is irreversibly removed at the end of the 30-day grace window. We retain a minimal deletion event log (timestamp, idempotency key, no personal data) for an indefinite period. This supports our regulatory obligations under Dutch customs law (Algemene wet inzake rijksbelastingen, Art. 52). The exact retention period and statutory basis are pending final review by our legal counsel.
9. Your GDPR Rights
Under Articles 15–22 GDPR, you have the right to:
Access (Art. 15 — recht op inzage): Obtain a copy of your personal data.
Rectification (Art. 16 — recht op rectificatie): Correct inaccurate data.
Erasure (Art. 17 — recht op vergetelheid): Request deletion, subject to legal retention obligations (e.g., 7-year audit logs).
Restriction (Art. 18 — recht op beperking): Restrict processing in certain circumstances.
Portability (Art. 20 — recht op overdraagbaarheid): Receive data in a machine-readable format (CSV, JSON).
Object (Art. 21 — recht van bezwaar): Object to processing based on legitimate interest.
Contact: info@clearanceguard.nl. We respond within one (1) month. For carrier/consignee data in T1 documents, contact the relevant Customer (data controller).
10. Data Security
Technical measures: TLS encryption in transit; encryption at rest; Row Level Security for tenant data isolation; secure password hashing; rate limiting (Upstash Redis); CSRF protection; security headers (HSTS, X-Frame-Options, CSP); input validation (Zod).
Organizational measures: Principle of least privilege; security-conscious development; incident response procedures; sub-processor due diligence.
11. Cookies and Tracking
We use essential cookies for authentication sessions and security. We do NOT use advertising, marketing, or third-party tracking cookies.
PostHog analytics (EU-hosted, Frankfurt) is offered as optional analytics via our cookie consent banner. Analytics is opt-in, identifies authenticated users only, and never sets third-party tracking cookies.
You can review your choices or withdraw consent at any time via the "Cookie preferences" link in the footer. Our cookie banner complies with Dutch Telecommunicatiewet (Art. 11.7a) and GDPR Art. 7.
12. Data Breach Notification
In the event of a data breach (datalek), ClearanceGuard will: assess scope and impact; notify the Autoriteit Persoonsgegevens within 72 hours (Art. 33 GDPR); notify affected data subjects where required (Art. 34 GDPR); notify affected Customers; and take immediate remediation steps.
From 22 April 2026 (post-KvK registration), security-specific correspondence — including suspected breaches, vulnerability reports, and Art. 33 incident notifications — can be directed to security@clearanceguard.nl. Until then, use info@clearanceguard.nl.
13. Data Processing Agreement
Where ClearanceGuard processes personal data on behalf of the Customer, a separate Data Processing Agreement (verwerkersovereenkomst) governs the processing in accordance with Article 28 GDPR.
Customers requiring a DPA: contact info@clearanceguard.nl.
14. Children's Data
The Service is for professional business use only and is not directed at children under 16. We do not knowingly collect data from children.
15. Changes to This Policy
Material changes: thirty (30) days' notice via email or prominent website notice. Continued use constitutes acceptance.
16. Contact and Complaints
ClearanceGuard, registered in the Netherlands
Email: info@clearanceguard.nl
You may lodge a complaint with the Dutch Data Protection Authority:
Autoriteit Persoonsgegevens — Postbus 93374, 2509 AJ Den Haag
autoriteitpersoonsgegevens.nl