Privacy Policy

CargoBeacon AB (“CargoBeacon”, “we”, “us”, or “our”) is a Swedish company specializing in industrial IoT solutions for asset tracking, temperature monitoring, and cold chain compliance.

This privacy policy covers the following services operated by CargoBeacon AB:

• cargobeacon.com — our corporate website
• CargoBeacon Admin — our mobile application for configuring and managing EverTag devices via NFC (available on Google Play and Apple App Store)
• TagFinder — our cloud-based IoT platform for real-time asset tracking, temperature monitoring, and cold chain compliance (tagfinder.com)

3.1 CargoBeacon Website (cargobeacon.com)

• Contact form submissions: name, email address, company name, phone number (optional), and your message.
• Analytics data: anonymized usage statistics collected via Vercel Analytics and Google Analytics, including pages visited, referral source, device type, and browser. No personally identifiable information is tracked.
• Cookies: we use essential cookies for site functionality and optional analytics cookies. No advertising or third-party tracking cookies are used.

3.2 CargoBeacon Admin Mobile App

• Account credentials: email address and password used to authenticate with the CargoBeacon / TagFinder backend.
• NFC data: when you tap an EverTag device, the app reads and writes configuration data (tag ID, firmware version, network settings, sensor thresholds) via NFC. This data is transmitted to our backend to register and manage your devices.
• Device information: device model, operating system version, and app version, used for debugging and compatibility purposes.
• Camera (optional): if you choose to scan QR codes for device pairing, the app requests camera access. Images are processed locally and are never stored or transmitted.
• Bluetooth (optional): used for Bluetooth Low Energy communication with EverTag devices when NFC is not available.

The CargoBeacon Admin app does not collect location data, contacts, call logs, SMS messages, or any data unrelated to EverTag device management.

3.3 TagFinder Platform (tagfinder.com)

• Account information: name, email address, organization name, and role.
• IoT sensor data: data transmitted by EverTag devices, including tag positions, temperature readings, accelerometer data, and battery status. This data is associated with your organization account, not with individual persons.
• Usage logs: actions performed in the platform (logins, configuration changes, report generation) for audit and security purposes.
• API access logs: API requests including timestamps, endpoints accessed, and authentication tokens (hashed).

We use the data we collect to:

• Provide and operate our services — display asset positions, generate temperature reports, trigger alerts, and manage devices.
• Authenticate and secure accounts — verify your identity when logging in, enforce role-based access control, and protect against unauthorized access.
• Improve our products — analyze aggregated, anonymized usage patterns to improve the user experience, fix bugs, and prioritize features.
• Communicate with you — respond to support inquiries, send critical service notifications (e.g., temperature alerts), and provide account-related updates.
• Comply with legal obligations — maintain records as required by applicable law, including tax regulations and data retention requirements.

We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes.

Under the EU General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds:

• Contract performance: processing necessary to provide you with our services (Articles 6(1)(b) GDPR).
• Legitimate interest: improving our products, ensuring security, and preventing fraud (Article 6(1)(f) GDPR).
• Consent: where you have explicitly opted in, such as for analytics cookies or marketing communications (Article 6(1)(a) GDPR).
• Legal obligation: where required by applicable law (Article 6(1)(c) GDPR).

We may share your data with the following categories of recipients:

• Cloud infrastructure providers: Google Cloud Platform (data hosted in European regions) for hosting the TagFinder platform and storing sensor data.
• Analytics providers: Vercel Analytics and Google Analytics for anonymized website usage statistics.
• Payment processors: Shopify Payments for processing hardware purchases on cargobeacon.com.
• Email services: for sending transactional emails such as alerts, password resets, and support replies.

All third-party processors are bound by data processing agreements (DPAs) and process data only on our instructions. We do not transfer personal data outside the European Economic Area (EEA) unless adequate safeguards are in place (e.g., Standard Contractual Clauses).

• Account data: retained for as long as your account is active, plus 12 months after deletion to comply with legal retention requirements.
• IoT sensor data: retained according to your organization's plan (1 year for Pro, custom for Enterprise). Compliance-related data (e.g., HACCP temperature logs) may be retained for up to 5 years as required by regulation.
• Contact form submissions: retained for 24 months, then deleted.
• Analytics data: anonymized and aggregated data has no personal data retention period.
• App usage logs: retained for 12 months for debugging and security purposes.

We implement appropriate technical and organizational measures to protect your data, including:

• Encryption in transit (TLS 1.2+) and at rest for all stored data.
• OAuth2/OIDC-based authentication with JWT tokens.
• Role-based access control and multi-tenant data isolation.
• Regular security reviews and vulnerability assessments.
• Automated backups with encrypted storage.
• Infrastructure hosted on Google Cloud with ISO 27001 and SOC 2 compliance.

Under the GDPR, you have the right to:

• Access — request a copy of the personal data we hold about you.
• Rectification — request correction of inaccurate or incomplete data.
• Erasure — request deletion of your personal data (“right to be forgotten”).
• Restriction — request that we limit how we process your data.
• Data portability — receive your data in a structured, machine-readable format.
• Object — object to processing based on legitimate interest.
• Withdraw consent — withdraw any consent you have previously given, at any time.

To exercise any of these rights, please contact us at support@cargobeacon.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) at www.imy.se.

Our services are not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe that a child has provided us with personal data, please contact us at support@cargobeacon.com and we will promptly delete it.

We may update this privacy policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify you by email or through our services. We encourage you to review this policy periodically.

If you have any questions about this privacy policy or our data practices, contact us: