Privacy Policy

Last updated: April 2026

This Privacy Policy explains how ClaimCMR (“we,” “our,” or “us”) collects, uses, stores, and shares personal data when you use our freight claims management software (the “Service”). We are committed to processing your data lawfully, transparently, and in accordance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679).

Questions about this policy? Contact us at privacy@claimcmr.com. For general inquiries: hello@claimcmr.com.

1. Who We Are

ClaimCMR is a sole proprietorship registered in Kaunas, Lithuania, European Union. We operate the ClaimCMR SaaS platform for EU freight damage claim management.

  • Data Controller: ClaimCMR (Egor, founder) — for account and user data
  • Data Processor: ClaimCMR — for freight claim data uploaded by customers (who act as Data Controllers)
  • Privacy contact (DPO): privacy@claimcmr.com
  • Location: Kaunas, Lithuania, EU

When you use ClaimCMR, you are a business customer (Data Controller) uploading your freight claim data. We process that data solely to provide you with the Service, acting as your Data Processor. A formal Data Processing Agreement (DPA) is available.

2. Legal Basis for Processing

We process personal data only where we have a valid legal basis under GDPR Article 6:

Data Type                         Legal Basis                                     GDPR Article
Account registration data         Performance of contract                         6(1)(b)
CMR / freight documents uploaded  Performance of contract                         6(1)(b)
Billing and payment data          Performance of contract                         6(1)(b)
Usage analytics (PostHog)         Legitimate interests (product improvement)      6(1)(f)
Security and fraud prevention     Legitimate interests (protecting the Service)   6(1)(f)
Marketing emails (if opted in)    Explicit consent                                6(1)(a)

We do not rely on vague “by using our service you consent” language. Consent is only used where legally required and is always freely given, specific, and withdrawable.

3. What Data We Collect

Account Data

Name, company name, email address, and job title — collected when you register.

Freight Claim Data

CMR consignment notes, proof of delivery documents, carrier correspondence, cargo damage photographs, commercial invoices, claim amounts, and any other documents you upload to the Service. This data is owned by you and processed by us solely on your instructions.

Payment Data

All payment processing is handled entirely by Stripe. We never store, see, or process your card numbers or banking details. We receive only a transaction reference and subscription status from Stripe.

Usage Data

Page views, feature usage, session duration, and click paths collected via PostHog product analytics. Data is anonymized and used solely to improve the Service.

Technical Data

IP addresses, browser type, device type, and anonymized crash logs collected by Sentry for security monitoring and error resolution.

AI Processing Data

When you explicitly click “Extract” on a document, its content is transmitted to Google Gemini via OpenRouter for OCR extraction. This happens only on your explicit instruction — never automatically. See Section 5 for full AI disclosure.

Communication Data

Emails sent to hello@claimcmr.com or privacy@claimcmr.com are retained to respond to your inquiry and for our legitimate business records.

4. How We Use Your Data

We process your data exclusively to:

  • Provide and maintain the ClaimCMR Service
  • Calculate CMR legal deadlines and send deadline alert notifications
  • Process AI document extraction (only on your explicit instruction)
  • Manage your billing, subscription status, and payment records
  • Monitor security, detect fraud, and protect the integrity of the Service
  • Improve the product through anonymized usage analytics
  • Respond to support requests and inquiries
  • Meet our legal and regulatory obligations under Lithuanian and EU law

We never sell your data. We never use your data for advertising. We never use your freight claim data to train AI models without your explicit written consent.

5. AI Processing Disclosure

When you upload a document and click “Extract”, the document content is securely transmitted to Google's Gemini API via OpenRouter for optical character recognition (OCR) and structured data extraction. This transfer occurs only on your explicit action — never automatically in the background.

  • Google Gemini API: processes document content under Google's API Terms of Service. Google does not use API-submitted data to train foundational models.
  • OpenRouter: routes the API call and does not retain your document content after transmission.
  • Transfer safeguard: Standard Contractual Clauses (SCCs) and/or EU-US Data Privacy Framework (DPF) apply to this US transfer.
  • Your choice: You may disable OCR entirely and use our manual data entry forms at any time with no loss of functionality.

6. Data Storage and Security

  • Database: All production data stored in Supabase infrastructure in Frankfurt, Germany (EU Central region)
  • Encryption at rest: AES-256
  • Encryption in transit: TLS 1.3
  • Access controls: Role-based access with multi-factor authentication required for administrative access
  • Backups: Daily automated backups, stored in EU region
  • Application hosting: Vercel (US company, EU region deployment where available)
  • CDN / DNS: Cloudflare processes request metadata globally for DDoS protection and performance

7. International Data Transfers

Some of our sub-processors are located outside the European Economic Area (EEA). In all cases, we ensure appropriate transfer safeguards are in place as required by GDPR Chapter V and the Schrems II ruling:

Sub-Processor    Location      Safeguard
Stripe           US / EU       SCCs + Data Privacy Framework
Supabase         Germany (EU)  EU region — no transfer
Vercel           US / EU       SCCs
Resend           US            SCCs
Google (Gemini)  US            SCCs + Data Privacy Framework
OpenRouter       US            SCCs
Sentry           US            SCCs
PostHog          EU region     EU region — no transfer
Cloudflare       Global        SCCs + Data Privacy Framework

8. Data Retention

  • Active account data: retained for the duration of your subscription
  • Post-cancellation: data retained for 90 days to allow reactivation or export, then permanently hard-deleted
  • Immediate deletion: available on request at any time before the 90-day window expires — email privacy@claimcmr.com
  • Backup data: deleted within 30 days of primary deletion
  • Anonymized analytics: retained indefinitely (cannot identify individuals)
  • Payment/billing records: retained for 7 years as required by Lithuanian accounting and tax law

9. Your GDPR Rights

Under GDPR Articles 15–22, you have the following rights:

  1. Right of Access (Article 15) — request a copy of all personal data we hold about you
  2. Right to Rectification (Article 16) — correct any inaccurate or incomplete personal data
  3. Right to Erasure (Article 17) — “right to be forgotten” — request deletion of all your personal data
  4. Right to Restriction of Processing (Article 18) — restrict how we process your data in certain circumstances
  5. Right to Data Portability (Article 20) — receive your data in a structured, machine-readable CSV or JSON format. Also available under EU Data Act (Regulation 2023/2854).
  6. Right to Object (Article 21) — object to processing based on legitimate interests
  7. Right to Withdraw Consent (Article 7) — where processing is based on consent (e.g., marketing emails), withdraw at any time without affecting prior processing
  8. Right to Lodge a Complaint (Article 77) — you may file a complaint with the Lithuanian Data Protection Authority:
    VDAI (Valstybinė duomenų apsaugos inspekcija)
    vdai.lrv.lt · ada@ada.lt

To exercise any right, email privacy@claimcmr.com. We will respond within 30 days of receiving your request.

10. Cookies

  • Strictly necessary cookies: session authentication and CSRF security — no consent required
  • Analytics cookies (PostHog): placed only after you provide explicit consent via our cookie banner
  • No advertising cookies: we do not use any third-party ad-tech, tracking pixels, or remarketing cookies
  • You can manage cookie preferences at any time via the cookie settings link in the footer

See our full Cookie Policy for complete details.

11. Data Breach Notification

In the event of a personal data breach:

  • We will notify the Lithuanian Data Protection Authority (VDAI) within 72 hours of becoming aware of the breach, as required by GDPR Article 33
  • Affected users will be notified without undue delay if the breach poses a high risk to their rights and freedoms (GDPR Article 34)
  • We maintain an internal breach response plan and incident log

12. Sub-Processors

We use the following third parties to deliver the Service. All are bound by data processing agreements:

Sub-Processor    Purpose                    Location      Privacy
Stripe           Payment processing         US / EU       View
Supabase         Database infrastructure    Germany (EU)  View
Vercel           Application hosting        US / EU       View
Resend           Transactional email        US            View
Google (Gemini)  AI document extraction     US            View
OpenRouter       AI API routing             US            View
Sentry           Error monitoring           US            View
PostHog          Product analytics          EU region     View
Cloudflare       DNS, CDN, DDoS protection  Global        View

13. Changes to This Policy

We will notify active account holders by email at least 30 days before any material changes to this Privacy Policy take effect. Minor updates (such as adding a sub-processor or updating contact details) may be made without advance notice. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

Questions about this policy: privacy@claimcmr.com


© 2026 ClaimCMR. All rights reserved.