Privacy Policy

This Privacy Policy explains how CARGOWARD SERVIÇOS MARÍTIMOS LTDA (CNPJ 74.672.049/0001-27), trading as CARGOWARD® Maritime Limited (“CARGOWARD”, “we”, “us”, “our”), collects, uses, shares, stores, and protects personal data and certain operational information in connection with our websites, communications, and maritime/port services.

1. Scope and application

1.1. This Policy applies to personal data processed by CARGOWARD in connection with:
(a) our websites and digital channels;
(b) quotations, nominations, service orders, and operations;
(c) port access and boarding logistics;
(d) client support and communications;
(e) reporting, certificates, and evidence packs;
(f) recruitment and careers.

1.2. This Policy is designed to align with applicable data protection laws, including (where applicable):

• Brazil: Lei Geral de Proteção de Dados (LGPD, Law No. 13,709/2018)

• European Economic Area/UK: GDPR and UK GDPR

• United States: applicable federal and state privacy and security laws (including, where relevant, state privacy statutes)

• Other local laws at the Operation Location where the Service is performed.

1.3. If local mandatory rules conflict with this Policy, CARGOWARD will comply with applicable mandatory requirements to the extent they apply.

2. Key concepts (plain meaning)

• “Personal data”: information that identifies or can reasonably identify an individual (e.g., name, email, ID number).

• “Sensitive data”: data requiring higher protection (e.g., health data) as defined by applicable law.

• “Processing”: any use of data (collection, storage, sharing, deletion).

• “Controller”: party that decides purposes and means of processing.

• “Processor”: party that processes data on behalf of the Controller.

3. What data we collect

We collect only data reasonably necessary for legitimate operational, commercial, compliance, and security needs.

3.1 Website and digital interaction data

• IP address, device identifiers, browser type, pages viewed, referral source, approximate location, and similar analytics data.

• Cookie identifiers (where cookies are used).

3.2 Client and commercial contact data

• Names, job titles, company names, business email, phone numbers, office address, and communications content.

3.3 Operational and port access data (maritime services)

Depending on the operation, we may process:

• Crew lists, passports/IDs (or partial ID data), seafarer book references, visas, and boarding approvals;

• Vehicle and personnel access details required by terminals/authorities;

• Safety training records or access credentials (when required for entry);

• Timing and logistics data (ETA/ETD, port call sequences) linked to named individuals.

3.4 Financial and transactional data

• Billing contacts, invoice details, bank references for payments, and payment confirmations.

• We do not intentionally collect card payment data unless explicitly provided through a secure third-party payment processor.

3.5 Compliance, security, and audit data

• Sanctions/compliance checks (where required), KYC-related contact documentation, and communication logs supporting operational governance.

• Incident or safety documentation (where relevant), typically focused on operational facts rather than personal profiling.

3.6 Photos, video, and evidence packs

• Operational photos/videos may incidentally capture identifiable individuals (e.g., crew, contractors) as part of service evidence, safety documentation, or reporting.

3.7 Careers / recruitment data

• CVs/resumes, professional history, education, certifications, references, and contact information.

4. Sources of data

We collect data from:

• You directly (email, forms, messaging, contracts);

• Your employer/shipmanager/agent (service nominations, lists);

• Vessel/terminal/port stakeholders (access workflows);

• Service providers and platforms used for communications, storage, analytics, and security;

• Public or industry sources where permitted (e.g., corporate contact directories, regulatory lists) for legitimate business purposes.

5. Why we process data (purposes)

We process data to:

5.1. Provide and coordinate Services: scheduling, access, mobilization, execution, reporting, and close-out.
5.2. Manage port access and authority interfaces: submissions, approvals, and records.
5.3. Prepare quotations and contracts: scope confirmation, pricing, and communications.
5.4. Maintain operational traceability and governance: evidence packs, logs, and internal controls.
5.5. Safety and incident management: to protect people and operational integrity.
5.6. Billing and collections: invoicing, payment follow-up, reconciliation, and fraud prevention.
5.7. Security and abuse prevention: website security, access control, and threat detection.
5.8. Compliance obligations: legal obligations, audits, recordkeeping, sanctions screening where applicable.
5.9. Recruitment and talent management: hiring and onboarding.
5.10. Improve our services: performance analysis and service quality improvements.

6. Legal bases for processing (LGPD/GDPR-aligned)

Where required, we process personal data under one or more legal bases such as:

• Contract performance (to deliver services and manage operations);

• Legal obligation (recordkeeping, regulatory compliance, authority requirements);

• Legitimate interests (security, fraud prevention, service improvement, business communications), balanced against individual rights;

• Consent (where required, e.g., certain cookies, optional marketing communications);

• Protection of life/physical safety (in safety-critical contexts);

• Exercise of rights in legal or administrative proceedings (claims, disputes, audits).

7. Cookies and tracking

7.1. We may use cookies and similar technologies to operate the website, enhance security, and measure performance.

7.2. Where required by law, we will request consent for non-essential cookies. You can manage cookies through your browser settings and, where available, our cookie banner/preferences.

8. How we share data (recipients)

We do not sell personal data. We share data only as needed for legitimate purposes:

8.1. Operational stakeholders: vessel representatives, terminals, port/authority bodies, and logistics providers when necessary for access and service delivery.

8.2. Service providers (processors): IT hosting, cloud storage, cybersecurity tools, email providers, analytics providers, customer support platforms, and document management systems.

8.3. Professional advisors: lawyers, accountants, auditors, and insurers when required.

8.4. Legal and regulatory authorities: when required by law, legal process, or legitimate authority request.

8.5. Business transfers: if we reorganize, merge, or transfer assets, data may be transferred subject to appropriate safeguards and confidentiality.

All sharing is governed by confidentiality, security requirements, and (where required) data processing agreements.

9. International transfers (EU/UK, Brazil, US, and global operations)

9.1. Because maritime operations are international, data may be transferred and processed in Brazil and other countries where we operate or where our service providers are located.

9.2. When EU/UK personal data is transferred outside the EEA/UK, we use recognized safeguards where applicable, such as:

• Standard Contractual Clauses (SCCs) and/or UK International Data Transfer Addendum;

• Equivalent contractual and technical measures;

• Vendor risk assessments and access controls.

9.3. Transfers are limited to what is necessary for operations, compliance, security, and service performance.

10. Data retention

10.1. We retain personal data only for as long as necessary to fulfill the purposes described, including operational recordkeeping and legal obligations.

10.2. Retention periods vary depending on: contract duration, legal/regulatory requirements, port authority record expectations, dispute risk, and audit needs.

10.3. Where possible, data is deleted, anonymized, or minimized after the retention period.

11. Security measures

We implement administrative, technical, and organizational safeguards appropriate to the risk profile of maritime operations, including:

• Access controls and least-privilege principles;

• Segregation of sensitive operational documents;

• Encryption in transit and, where feasible, at rest;

• Logging/monitoring for security events;

• Secure backups and disaster recovery practices;

• Vendor due diligence and contractual security requirements;

• Incident response and escalation procedures.

No system is 100% secure; however, we maintain controls intended to prevent unauthorized access and minimize impact.

12. Confidentiality and operational evidence

12.1. Operational evidence packs (photos/videos/reports) may contain personal data incidentally. Such materials are processed strictly for operational verification, governance, safety documentation, and reporting.

12.2. Client-facing evidence is shared with authorized recipients only. We may redact or minimize personal data where reasonable without undermining operational meaning.

13. Children’s data

Our services and website are intended for business use and not directed at children. We do not knowingly collect personal data from children.

14. Your rights (LGPD/GDPR-style)

Subject to applicable law, you may have the right to:

• Confirm processing and access your data;

• Correct inaccurate data;

• Request deletion or anonymization (where applicable);

• Request portability (where applicable);

• Object to processing or request restriction;

• Withdraw consent (where processing is based on consent);

• Request information about data sharing and international transfers;

• Lodge a complaint with a relevant authority (e.g., ANPD in Brazil; EU/UK supervisory authorities).

Important: Some rights may be limited where data is required for legal obligations, safety-critical recordkeeping, or defense of legal claims.

15. How to exercise your rights

Send a request to contact@cargoward.com with:

• your full name;

• your role/company (if relevant);

• what data you’re requesting;

• sufficient information to verify identity.

We may request additional verification to protect your data and prevent unauthorized disclosure.

16. Marketing communications

16.1. We may send operational or service-related communications as part of a commercial relationship.

16.2. Where required by law, marketing communications are sent only with appropriate consent. You can opt out at any time using the unsubscribe mechanism or contacting us.

17. Automated decision-making

We do not use automated decision-making producing legal or similarly significant effects on individuals as a standard practice. If this changes for a specific context, we will provide appropriate notice where required.

18. Third-party platforms and external links

Our site may link to third-party platforms. Their privacy practices are governed by their own policies. We recommend reviewing them.

19. Updates to this Privacy Policy

We may update this Policy periodically. The updated version becomes effective upon posting, and the “Last Updated” date will be revised.