Privacy Policy
Last updated: April 2025.
1. Introduction and identity of the controller
This Privacy Policy describes how Chiko Cargo collects, uses, stores, and protects your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, GDPR) and applicable Croatian data protection legislation.
Data controller:
Chiko Cargo
Email: privacy@chicocargo.com
If you have any questions about the processing of your personal data, please contact us at the email address above.
2. Personal data we collect
2.1 Data you provide directly
- Account data: first and last name, email address, phone number, password (stored as a hash), user role (shipper or transporter), date and IP address of acceptance of the Terms of Service and Privacy Policy, age declaration.
- Transporter data — individuals: tax ID number (OIB), residential address, copy of national ID or passport, copy of driving licence, vehicle details (make, model, registration plate, type), copy of vehicle registration document, copy of insurance certificate.
- Transporter data — companies: company name, company tax ID (OIB), VAT number (if applicable), registered address, copy of company registration document, copy of fleet insurance certificate, contact person name.
- Shipment data: item description, pickup and delivery addresses (stored privately; only an obscured location is shown publicly), dimensions and weight, shipment photos, special requirements.
- Communications: messages exchanged between shippers and transporters via the Platform's internal chat.
- Ratings and reviews: written reviews and numerical ratings left by users for each other.
2.2 Data collected automatically
- GPS location: collected at the moment of pickup and delivery confirmation (including each stop for multi-stop jobs). Used solely to verify the location for transport confirmation purposes.
- Photos: photos of goods at pickup and delivery, stored with a timestamp and GPS coordinates.
- Signatures: digital signatures of goods recipients, stored as images.
- Technical data: IP address, browser type and version, operating system, access timestamp, session cookies.
- Stripe payment data: payment intent identifier, transaction amount, Stripe fee, transaction status. The Platform does not store card details — these are processed exclusively by Stripe.
3. Legal basis for processing
We base the processing of your personal data on the following legal grounds under Article 6 GDPR:
- Performance of a contract (Art. 6(1)(b)): processing is necessary to provide the Platform service, manage your account, process transactions, coordinate transport, and pay out transporters.
- Legal obligation (Art. 6(1)(c)): processing is necessary to comply with fiscalization obligations under Croatian law, retain financial records, and respond to requests from competent authorities.
- Legitimate interests (Art. 6(1)(f)): fraud prevention, Platform security, transporter verification, dispute resolution, and service improvement. Legitimate interests are assessed against the rights of data subjects through a balancing test.
- Consent (Art. 6(1)(a)): for sending marketing communications where applicable. Consent may be withdrawn at any time.
4. Special categories of data
Copies of transporter identity documents (national IDs, passports, driving licences) may contain biometric data constituting a special category of personal data under Article 9 GDPR. We process these data solely for the purpose of verifying transporter identity and document validity, on the basis of the transporter's explicit consent given at registration (Art. 9(2)(a) GDPR).
5. Purposes of processing and retention periods
| Data category | Purpose | Retention period |
|---|---|---|
| Account data | Account management, authentication, communication | Until account deletion + 30 days |
| Transporter documents | Verification, validity checks | Duration of account + 5 years (legal obligation) |
| Shipment and job data | Service performance, dispute resolution | 5 years from job completion |
| GPS location (pickup/delivery) | Transport verification, proof of delivery | 5 years from job completion |
| Goods photos | Evidence of goods condition, dispute resolution | 5 years from job completion |
| Digital signatures | Legal proof of delivery acceptance | 5 years from job completion |
| Chat messages | Communication, dispute resolution, safety | 5 years from job completion |
| Financial and fiscal records | Fiscalization, accounting, legal obligations | 11 years (Croatian Accounting Act) |
| Payment data (Stripe references) | Payment processing, refunds, audit | 5 years from transaction |
| Ratings and reviews | Platform transparency, user trust | Duration of account |
| Technical data (logs, IP addresses) | Security, fraud prevention, diagnostics | 12 months |
6. Recipients of personal data
We do not sell or rent your personal data to third parties. We may share data with:
- Stripe Inc.: payment processor for transaction processing and transporter payouts via Stripe Connect. Stripe acts as an independent data controller for payment data. Stripe is PCI DSS certified. Further information: stripe.com/privacy.
- Fixit Sistem: fiscalization software that processes commission data to fulfil obligations to the Croatian Tax Administration.
- SMTP service providers: for sending transactional emails (notifications, confirmations, reminders). They process only email address and message content.
- Competent authorities: only where required by law or court order.
- Shipper/Transporter: full name and transport address are disclosed to the other party only upon payment confirmation and job acceptance.
All processors we work with are bound by a data processing agreement in accordance with Article 28 GDPR and apply appropriate technical and organisational security measures.
7. Transfers outside the EEA
Stripe Inc. is headquartered in the United States. Data transfers take place on the basis of the European Commission's Standard Contractual Clauses (SCCs) and the EU–US Data Privacy Framework. Stripe provides an adequate level of data protection in accordance with Article 46 GDPR.
All other data is stored on servers within the European Economic Area.
8. Your rights under GDPR
As a data subject you have the following rights, which you may exercise by contacting us at privacy@chicocargo.com:
- Right of access (Art. 15 GDPR): you have the right to request a copy of all personal data we process about you.
- Right to rectification (Art. 16 GDPR): you have the right to request correction of inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") (Art. 17 GDPR): you have the right to request deletion of your personal data. Please note that financial and fiscal records must be retained under legal obligations and cannot be deleted upon request.
- Right to restriction of processing (Art. 18 GDPR): you have the right to request temporary restriction of processing of your data while a rectification request or objection is being resolved.
- Right to data portability (Art. 20 GDPR): you have the right to receive your personal data in a machine-readable format and to transmit it to another controller.
- Right to object (Art. 21 GDPR): you have the right to object to processing based on legitimate interests.
- Right to withdraw consent: where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of prior processing.
- Right to lodge a complaint with a supervisory authority: you have the right to lodge a complaint with the Croatian Personal Data Protection Agency (AZOP), Martićeva 14, 10 000 Zagreb, azop.hr. You may also contact the supervisory authority in your country of residence.
We respond to requests within 30 days. For complex requests this period may be extended by a further 60 days with notice.
9. Data export and deletion
You may request an export of all your personal data via your account settings or by contacting privacy@chicocargo.com. The export is provided in a structured, machine-readable format (JSON or CSV) within 30 days.
A request to delete your account results in anonymisation of your personal data (name, email, phone, address). Transaction data, fiscal records, and delivery evidence are retained in anonymised form to fulfil legal obligations.
10. Data security
We implement appropriate technical and organisational security measures in accordance with Article 32 GDPR, including:
- Encryption of data in transit (HTTPS/TLS)
- Password hashing (bcrypt)
- Access control for protected files (documents, photos, signatures accessible only to authorised users)
- Logging and auditing of administrative actions
- Regular data backups
- Least-privilege access controls for personal data
In the event of a personal data breach that is likely to result in a high risk to the rights and freedoms of individuals, we will notify affected users and the AZOP within 72 hours of becoming aware of the breach, in accordance with Articles 33 and 34 GDPR.
11. Cookies
The Platform uses only strictly necessary cookies required for the service to function (session cookies for authentication). We do not use analytics, marketing, or third-party cookies without your explicit consent.
12. Automated processing and profiling
The Platform does not carry out automated processing that produces legal effects for users, nor does it engage in automated individual decision-making within the meaning of Article 22 GDPR.
13. Inactive accounts
Accounts that have not been used for 3 years will be considered inactive. The user will be notified by email and will have 30 days to reactivate their account. If there is no response, personal data will be anonymised and financial records retained in accordance with legal obligations.
14. Changes to the Privacy Policy
We reserve the right to amend this Policy. We will notify you of any changes by email. Continued use of the Platform following notification constitutes acceptance of the amended Policy. All previous versions are permanently stored and available on request.
15. Contact and complaints
For all questions, requests to exercise rights, or complaints relating to the processing of personal data, please contact us:
Email: privacy@chicocargo.com
Supervisory authority: Croatian Personal Data Protection Agency (AZOP), Martićeva 14, 10 000 Zagreb, azop.hr
