Data Collection & Processing

Last updated: April 4, 2026

Overview

This document provides detailed information about what data FreightTender collects, how it is processed, and why it is necessary for the operation of our closed freight tender platform.

1. Categories of Data Collected

Company & User Account Data

  • Company name, country, timezone, and company type (Trader/Broker)
  • User email addresses, names (first and last), and role assignments
  • Password hashes (bcrypt, one-way hashing)
  • Account status (active/inactive) and email verification status
  • Last login timestamps

Tender Data

  • Cargo type and specifications
  • Quantities (in metric tons)
  • Load and discharge port information
  • Laycan dates (from/to)
  • Vessel size requirements
  • Additional terms and conditions
  • Submission deadlines
  • Tender status (Draft, Open, Closed, Awarded)

Invitation Data

  • Broker email addresses and company names
  • Invitation tokens (secure, time-limited)
  • Invitation status (Pending, Accepted, Expired)
  • Invitation expiration dates
  • Acceptance timestamps

Offer Data

  • Freight rates (per metric ton)
  • Vessel names and specifications
  • Laycan confirmation status and comments
  • Technical compliance statements
  • Additional comments from brokers
  • Offer submission timestamps
  • Offer status (Submitted, Awarded, Rejected)

Audit Log Data

  • Action types (TENDER_CREATED, OFFER_SUBMITTED, TENDER_AWARDED, etc.)
  • User identifiers (who performed the action)
  • Company identifiers
  • Entity references (tender ID, offer ID, invitation ID)
  • IP addresses and user agents
  • Precise timestamps (UTC)
  • Action metadata (JSON format)

2. Purpose of Data Collection

Platform Operation

Data is collected to enable core platform functionality: creating tenders, inviting brokers, submitting offers, and managing the tender lifecycle.

Closed Tender Logic

Email addresses and invitation data are essential for implementing closed, invitation-only tenders. Only invited brokers can participate, ensuring controlled competition.

Audit Trail & Compliance

Audit logs create an immutable record of all platform actions. This is critical for:

  • Regulatory compliance and governance
  • Internal audit and risk management
  • Dispute resolution
  • Proving due diligence in freight procurement decisions

Security & Fraud Prevention

IP addresses and user agents help detect and prevent unauthorized access, fraud, and security incidents.

3. Data Processing Legal Basis

  • Contract Performance: Processing is necessary to provide the FreightTender platform services under your service agreement
  • Legitimate Interests: Audit logging, security, and fraud prevention serve legitimate business interests
  • Legal Obligations: Compliance with applicable laws and regulatory requirements
  • Consent: Where explicitly required by applicable law, we obtain consent for specific processing activities

4. Data Minimization

We collect only the data necessary for platform operation. For example:

  • We do not collect personal information beyond what is needed for account management
  • Audit logs contain only action metadata, not full data copies
  • Passwords are stored as one-way hashes, never in plain text

5. Data Visibility & Access Control

FreightTender implements strict access controls:

  • Traders (Company Admins/Operators): See all tenders created by their company and all offers submitted to those tenders
  • Brokers: See only tenders where they have been invited and accepted. See only their own offers. Cannot see other brokers' offers.
  • Audit Logs: Visible only to Company Admins within their company. Brokers cannot access audit logs.

6. Data Retention

  • Active Account Data: Retained while accounts are active
  • Tender & Offer Data: Retained for the duration required by business needs and legal obligations
  • Audit Logs: Retained indefinitely as immutable records required for compliance
  • Deactivated Accounts: Data may be retained for a grace period to allow account reactivation, then anonymized or deleted per applicable law

7. Third-Party Data Sharing

We share data only with:

  • Cloud Infrastructure Providers: For hosting and data storage (e.g., AWS RDS for database, AWS S3 for backups). Data remains encrypted and subject to strict access controls.
  • Email Service Providers: For sending invitation emails and notifications (e.g., SendGrid, AWS SES). Only email addresses and message content are shared.
  • Legal & Regulatory Authorities: When required by law, court order, or regulatory inquiry.

We do not sell, rent, or share data with third parties for marketing purposes.

8. Data Subject Rights

You have the right to:

  • Request access to your personal data
  • Request correction of inaccurate data
  • Request deletion (subject to legal and contractual obligations)
  • Object to processing (where applicable)
  • Data portability (receive your data in a structured format)
  • Lodge a complaint with a data protection authority

Note: Audit logs are immutable and cannot be modified or deleted, as they serve legal compliance purposes.

9. Security Measures

  • HTTPS/TLS encryption for all data in transit
  • Database encryption at rest
  • Bcrypt password hashing (industry standard, one-way)
  • Role-based access control (RBAC)
  • Secure invitation tokens (cryptographically random, time-limited)
  • Regular security assessments and penetration testing
  • Immutable audit logs to detect unauthorized access

10. International Transfers

Your data may be processed on servers located in different countries. We ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) where required
  • Compliance with applicable data protection frameworks
  • Encryption and access controls regardless of location

11. Questions or Concerns

For questions about data collection or to exercise your rights, contact:

FreightTender Data Protection

Email: support@bench.energy

Telegram: @freightTender_sales