Privacy Policy

Effective 24 April 2026

KARG is a B2B SaaS used by road-freight carriers to automate dispatching, tracking, driver communication and customs declarations. This Privacy Policy explains what personal data we process, why, on what legal basis, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR).

1. Who we are

The data controller for this website (karg.to) and for personal data processed about prospects, customer administrators and visitors is:

  • Legal name: DANS ONLINE SRL
  • Commercial Registry No.: J16/737/2021
  • Tax ID (CUI): 43898240
  • Registered address: Str. Independenței, Bl. 6F, Ap. 9, Craiova, Dolj, Romania 200333
  • Email: privacy@karg.to

For personal data processed inside a customer's KARG workspace (drivers, dispatchers, freight-exchange contacts, end customers), the carrier that owns the workspace is the data controller and KARG acts as a data processor under a Data Processing Agreement.

2. What we collect

Account & billing

  • Name, work email, phone, role, company name, VAT/CUI.
  • Authentication identifiers (Supabase user ID, hashed password, sessions).
  • Billing details and invoice history.

Operational data inside the workspace

  • Driver records: name, mobile phone, Telegram handle, language.
  • Vehicle records: registration plate, VIN, fuel type, telematics IDs.
  • Loads, routes, GPS positions, ETAs, proof-of-delivery files, invoices.
  • Customs documents (CMR, T1, road documents) including PDF attachments and structured data extracted from them.

Integrations

  • OAuth tokens you grant for freight exchanges (FomCo, TimoCom, future providers) so the platform can act on your behalf.
  • HMRC tokens for UK border declarations (encrypted at rest).
  • Telegram chat IDs for driver notifications.

Usage & technical

  • Server-side request logs (IP, user-agent, timestamp, route).
  • Audit logs of sensitive actions (login, role change, data export).
  • Crash and performance traces collected by our error monitor.

3. Why we process it (purposes & legal bases)

PurposeLegal basis
Provide the service to the carrier (dispatching, tracking, notifications, customs)Performance of contract — Art. 6(1)(b) GDPR
Account administration, billing, supportPerformance of contract — Art. 6(1)(b)
Security monitoring, fraud and abuse prevention, audit logsLegitimate interests — Art. 6(1)(f)
Statutory accounting, tax and customs record-keepingLegal obligation — Art. 6(1)(c)
Product improvement using aggregated, non-identifying metricsLegitimate interests — Art. 6(1)(f)
Marketing communications to existing customers (service updates)Legitimate interests — Art. 6(1)(f), with opt-out

We do not sell personal data and we do not use it to train third-party AI models.

4. Sub-processors

We rely on the providers listed below to operate KARG. The current, authoritative list is at karg.to/sub-processors and is updated when we add or replace a provider.

  • Supabase — primary database, authentication and file storage (EU region).
  • Vercel — frontend and API hosting (EU edge regions).
  • Upstash — Redis cache and QStash scheduled jobs (EU region).
  • Telegram Bot API — driver notifications and inbound messages (operated by Telegram Messenger Inc.).
  • Twilio — optional WhatsApp channel for driver notifications (US, with EU SCC).
  • Google Gemini API — extraction of structured data from PDF road documents; inputs are not used to train Google models per Gemini API terms.
  • Sentry — application error monitoring (EU region).
  • FomCo, TimoCom and other freight exchanges — only when you connect an account; we send the queries required to fulfil the integration you configured.
  • HMRC (UK) — UK customs APIs, used only for tenants enabling border declarations.

5. International transfers

Our primary processing region is the European Union. Where a sub-processor operates outside the EEA (for example Twilio or Google), we rely on the Standard Contractual Clauses (SCC) approved by the European Commission, supplemented by the technical and organisational measures described in our Security page.

6. Retention

  • Account & workspace data: for the duration of your subscription, plus 30 days after termination during which the workspace can be reactivated, after which it is deleted within 90 days.
  • Invoices and accounting records: 10 years, as required by Romanian tax law.
  • Customs declarations: 4 years from acceptance, as required by EU customs law (UCC).
  • Server access and audit logs: 12 months.
  • Backups: rolling, deleted within 35 days.

7. Your rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate data.
  • Erase your data (subject to retention obligations above).
  • Restrict or object to processing based on legitimate interests.
  • Data portability for data you provided to us.
  • Withdraw consent at any time, where consent is the basis.
  • Lodge a complaint with the Romanian supervisory authority (ANSPDCP, dataprotection.ro) or with the supervisory authority in your country of residence.

If you are a driver or end-customer of one of our carrier customers, please direct your request first to that carrier. KARG will assist them in fulfilling it.

To exercise any right against KARG directly, write to privacy@karg.to. We respond within 30 days.

8. Security

We apply the technical and organisational measures described in our Security & Trust page, including TLS in transit, encryption at rest, multi-tenant isolation enforced both at the application layer and via PostgreSQL Row-Level Security, encrypted storage of integration credentials, audit logging and tested backups.

9. Cookies

The marketing site uses only strictly necessary cookies (session, CSRF). The product (the authenticated app) uses cookies needed to keep you signed in and to operate the dashboard. We do not use third-party advertising or cross-site tracking cookies.

10. Changes

We will post any material change to this Policy at this URL and notify customer administrators by email at least 30 days before it takes effect.

11. Contact

Privacy and data protection: privacy@karg.to
Security disclosures: security@karg.to
General: hello@karg.to

Cookies

We use strictly necessary cookies to keep you signed in and to operate the dashboard. With your consent we also use anonymous analytics to understand which features get used. Read our Cookie Policy.