Privacy Policy

This Privacy Policy explains how PIKAP2 EOOD, trading as PickUp2 ("we", "us", or "our"), collects, uses, stores, and protects personal data when you visit our website (pickup2.com), use our web dashboard, or use our mobile applications (collectively, the "Platform"). This policy applies under the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR"), the Swiss Federal Act on Data Protection ("FADP"), and other applicable data protection laws. Last updated: March 2026.

1. Data Controller

The controller of your personal data is PIKAP2 EOOD, trading as PickUp2, located at Stara Planina 1, 7900 Omurtag, Municipality of Omurtag, Region of Targovishte, Bulgaria, VAT ID: BG207937426. For further information, please refer to our Legal Notice.

2. Data Protection Officer

Our appointed Data Protection Officer (DPO) is Dobromir Ivanov. The DPO ensures compliance with data protection regulations and is available to address any questions regarding your personal data. You can contact our DPO at:

  1. Email: [email protected]
  2. Address: str. Stara Planina 1, Omurtag, 7900, Municipality of Omurtag, Region of Targovishte, Bulgaria

3. Personal Data We Collect

We collect the following categories of personal data depending on how you interact with our Platform: (a) Account Registration Data: email address, password (stored only as a bcrypt hash — we never store passwords in readable form), first name, last name, phone number, salutation, user type (shipper, carrier, or forwarder), and the date you agreed to our terms. (b) Company Data: company name, VAT number, country, street address, postal code, city, phone number, and company activity type. (c) Verification Data: VAT validation results (via EU VIES and, for UK companies, UK Companies House), uploaded documents (business registration certificates, VAT certificates, transport licenses, insurance certificates), owner name, and the results of AI-assisted document analysis. A one-time verification payment of EUR 1 is processed via Stripe. (d) Service Usage Data: freight orders (pickup/delivery locations including GPS coordinates, dates, times, cargo descriptions, weight, dimensions, vehicle requirements, pricing, contact persons), fleet offers, bids and offers, deal records, and vehicle registrations (including license plate numbers). (e) Communication Data: chat messages exchanged between users, file attachments, price offers, read receipts, and typing indicators. (f) Rating & Review Data: star ratings (1-5), comments, and payment status assessments. Ratings are visible to all registered users. (g) Payment & Transaction Data: subscription status, plan name, transaction history, payment amounts, currency, payment method type, and Stripe invoice references. We do not store credit card numbers or payment card details — all card processing is handled by Stripe. (h) Technical Data: IP addresses, browser type and version, operating system, device type, platform (web, iOS, or Android), login timestamps, and approximate geographic location based on IP address. (i) Employee & Team Data: when company owners invite employees — email address, assigned role, position, and permission settings. (j) Feedback Data: feedback type, message text, optional contact email, and optional screenshots. (k) Biometric Data (Mobile Only): if you enable biometric login (Face ID or Touch ID) on a supported mobile device, biometric authentication is processed entirely on your device using the device's secure enclave. We do not receive, transmit, or store any biometric templates. (l) Newsletter Data: email address, subscription date, consent timestamp, and language preference.

4. Third-Party Service Providers

We engage the following third-party service providers who process personal data on our behalf under Data Processing Agreements: (a) Stripe (stripe.com) — Payment processing. Stripe processes your payment card data securely. We only receive transaction confirmations and do not store card details. Privacy: https://stripe.com/privacy (b) Amazon Web Services (AWS) — Cloud infrastructure, file storage (S3), and email delivery (SES). Data is stored in EU regions (eu-north-1, Stockholm). Privacy: https://aws.amazon.com/privacy (c) Sentry (sentry.io) — Error monitoring and performance tracking. Session replay is only enabled after you consent to Statistics cookies. Privacy: https://sentry.io/privacy (d) Google Analytics — Website analytics (only after Statistics consent via Cookiebot). We use Google Analytics 4 with Google Consent Mode v2. IP addresses are anonymized. Privacy: https://policies.google.com/privacy (e) Meta Pixel (Facebook) — Conversion tracking (only after Marketing consent). Privacy: https://www.facebook.com/privacy (f) Cookiebot (Cybot A/S) — Cookie consent management in compliance with GDPR. Privacy: https://www.cookiebot.com/en/privacy-policy (g) OpenAI Inc. — AI-assisted document analysis for company verification. Extracted document text (company name, address, VAT number, director names) is processed to verify business registrations. Privacy: https://openai.com/privacy (h) DeepL SE — Machine translation of user-generated content (freight orders, fleet offers, bids, messages, ratings) to support our multilingual platform. Data processed in Germany (EU). Privacy: https://www.deepl.com/privacy (i) IPInfo Inc. — IP geolocation to provide localized content and language detection. Privacy: https://ipinfo.io/privacy (j) Google Maps (Google LLC) — Address autocomplete and geocoding for location search. Privacy: https://policies.google.com/privacy (k) Apple Push Notification Service (APNs) — Push notifications for iOS mobile app. (l) Cloudflare Inc. — CDN, DDoS protection, and DNS services. Privacy: https://www.cloudflare.com/privacypolicy/ (m) Google Firebase Storage — Video content delivery on our website. Privacy: https://firebase.google.com/support/privacy

5. Automatic Data Collection

When you visit our website or use our applications, we automatically collect: (a) Technical information: IP address, browser type/version, operating system, device type, screen resolution, and language preferences. (b) Usage data: pages visited, time spent on pages, click patterns, and referral sources. (c) Location data: approximate geographic location based on IP address (via IPInfo service) for providing localized content. This data is collected for legitimate interests including ensuring website security, preventing fraud, improving user experience, and maintaining service quality. The legal basis for this processing is Article 6(1)(f) GDPR.

6. Contact Forms and Service Requests

When you use our contact form, transport request form, or subscribe to our newsletter, we collect: (a) Contact Form: name, email, phone (optional), inquiry type, and message content. This data is processed to respond to your inquiry (legal basis: Article 6(1)(b) GDPR — pre-contractual measures). (b) Transport Request Form: full name, email, phone, country, pickup/dropoff locations, goods description, weight, dimensions, and preferred dates. This data is used to provide you with transport quotes and connect you with suitable carriers or forwarders. (c) Newsletter: email address and language preference. We send newsletters only with your explicit consent (Article 6(1)(a) GDPR). You can unsubscribe at any time using the link in each newsletter email.

7. Data Sharing with Platform Users

As a freight logistics marketplace, certain data is shared between users to enable the service: (a) When you publish a freight order or fleet offer, your company name, contact person name, and listing details are visible to other registered users. (b) When you submit a price offer via chat, your company details and offer terms are shared with the recipient. (c) Chat messages are visible only to conversation participants. (d) Ratings and reviews are visible to all registered users. (e) Company verification status (verified/unverified) is displayed to other users. We do not sell personal data to third parties. Data sharing with other users is essential for the platform's core functionality (legal basis: Article 6(1)(b) GDPR — contract performance).

8. Employee Invitation and Team Management

Company owners and administrators can invite employees to join their company account on PickUp2. When inviting an employee, we collect: email address, assigned role, position, and permission settings. Invitation emails contain secure, time-limited tokens. Employee accounts are linked to the company account, and company administrators can manage employee permissions for accessing freight orders, fleet offers, deals, chat, ratings, and fleet management. If an employee leaves the company, their account can be deactivated by the company administrator.

9. Cookies and Tracking Technologies

We use cookies and similar technologies in accordance with your consent preferences. Cookie categories: (a) Strictly Necessary Cookies: Essential for website functionality, including authentication tokens (JWT in HTTP-only cookie), language preferences (i18n_redirected), Cookiebot consent state, and security features. These do not require consent. (b) Preference Cookies: Store your settings like theme mode (dark/light) and saved search filters. Enabled with your Preferences consent. (c) Statistics Cookies: Google Analytics tracking and Sentry session replay for understanding user behavior and improving our services. Enabled only with your Statistics consent via Cookiebot. (d) Marketing Cookies: Meta Pixel for advertising measurement. Enabled only with your Marketing consent. We implement Google Consent Mode v2, which means all analytics and marketing tracking is blocked by default until you provide consent. You can manage your cookie preferences at any time by clicking the cookie settings link in our footer. We also use browser localStorage for functional purposes: language preference, theme setting, and search filter memory. These do not track you across websites.

10. Newsletter and Marketing Communications

When you subscribe to our newsletter, we store your email address, subscription date, agreed timestamp, and language preference. We use this data to send you updates about our services, industry news, and platform features. Legal basis: Your explicit consent (Article 6(1)(a) GDPR). You can withdraw consent and unsubscribe at any time by: (1) clicking the unsubscribe link in any newsletter email, (2) contacting us at [email protected], or (3) managing your preferences in your account settings. After unsubscription, we retain a record of your email address in our suppression list to ensure we do not contact you again, unless you re-subscribe.

11. Analytics and Error Monitoring

We use the following analytics and monitoring tools: (a) Google Analytics 4: Tracks website usage including page views, user journeys, and conversion events. We have implemented Google Consent Mode v2, which means tracking only begins after you provide Statistics consent. IP addresses are anonymized. Data is retained for 14 months. (b) Sentry: Monitors application errors and performance issues. For error tracking (essential for service stability), we rely on legitimate interest. For session replay (recording user interactions to understand bugs), we require your Statistics consent. Sensitive data (passwords, tokens, payment details) is automatically filtered before any data is sent to Sentry. (c) Meta Pixel: Tracks conversion events for advertising optimization. Only activated after Marketing consent. You can opt out at any time by withdrawing your consent via the cookie settings.

12. Social Media Integration

We maintain profiles on LinkedIn, Facebook, Instagram, and X (Twitter). When you interact with us through these platforms: (a) Social Media Links: Clicking links to our social media profiles may transfer your IP address to the platform. (b) Share Features: Using share buttons on blog articles creates a connection to the respective platform. (c) Platform Privacy: Each platform has its own privacy policy. We recommend reviewing: Facebook (https://www.facebook.com/privacy), LinkedIn (https://www.linkedin.com/legal/privacy-policy), Instagram (https://help.instagram.com/519522125107875), X/Twitter (https://twitter.com/en/privacy).

13. Your Data Protection Rights

Under the GDPR, UK GDPR, and Swiss FADP, you have the following rights regarding your personal data:

  1. Right of Access (Article 15 GDPR): Request a copy of the personal data we hold about you
  2. Right to Rectification (Article 16): Request correction of inaccurate or incomplete data. You can update most data directly in your account settings
  3. Right to Erasure (Article 17): Request deletion of your data. You can delete your account from Settings > Danger Zone, which triggers a 30-day grace period followed by permanent deletion
  4. Right to Restrict Processing (Article 18): Request that we limit how we process your data in certain circumstances
  5. Right to Data Portability (Article 20): Request your data in a structured, machine-readable format
  6. Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing. You can unsubscribe from newsletters at any time

To exercise these rights, please contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority. For Bulgaria: Commission for Personal Data Protection (CPDP) — https://www.cpdp.bg. For the UK: Information Commissioner's Office (ICO) — https://ico.org.uk. For Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — https://www.edoeb.admin.ch.

14. Data Security Measures

We implement the following security measures to protect your data: (a) Encryption in Transit: All data transmitted between your device and our servers uses TLS/SSL encryption (HTTPS). (b) Password Security: Passwords are hashed using bcrypt with 10 rounds of salting before storage. We never store passwords in readable form. (c) Access Control: Role-based permissions with four preset levels plus custom configurations. (d) Authentication: Short-lived JWT access tokens (30 minutes) with HTTP-only, secure, SameSite=strict refresh token cookies (7 days). Refresh tokens can be individually revoked. (e) OTP Security: One-time passwords for email verification and password reset are hashed and expire after 15 minutes with a maximum of 3 attempts. (f) File Security: Uploaded documents are stored in AWS S3 with private access controls and time-limited presigned URLs. Verification documents are watermarked. (g) Payment Security: We are PCI-DSS compliant through Stripe — we never store, process, or transmit credit card data on our servers. (h) Mobile Security: On iOS devices, sensitive credentials are stored in the hardware-backed iOS Keychain. (i) Abuse Detection: Automated monitoring for brute-force login attempts, suspicious access patterns, and rate limiting across multiple tiers. (j) Login Lockout: Escalating lockout durations after failed login attempts.

15. Data Retention

We retain your data for the following periods: (a) Account Data: Retained for the duration of your account. After a deletion request, your account enters a 30-day recovery grace period, after which your data is permanently deleted. (b) Transaction Records: Payment records are retained for 7 years for tax and accounting purposes as required by law. (c) Chat Messages: Retained for the duration of your account. Deleted messages are soft-deleted (marked as deleted but retained for dispute resolution during the account lifetime). (d) Ratings: Retained for the duration of your account. Deleted when your account is permanently removed. (e) Server Logs: Technical logs are retained for up to 90 days for security monitoring. (f) Session Data: Refresh tokens expire after 7 days. Sessions are deleted upon logout or token expiry. (g) Newsletter Subscription: Email address retained until you unsubscribe, then moved to suppression list. (h) Contact Form Submissions: Retained for up to 2 years, then deleted. (i) Verification Documents: Retained for the duration of your account. (j) Cookie Consent Records: 12 months (managed by Cookiebot). After the 30-day account deletion grace period, permanent deletion cascades to: user profile, sessions, messages, ratings, freight orders, fleet offers, bids, chat rooms, company documents, company verification data, and vehicles. Payment records and transaction history are preserved for legal compliance.

16. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), the UK, or Switzerland. We ensure appropriate safeguards through: (a) EU-US Data Privacy Framework: Stripe. (b) Standard Contractual Clauses (SCCs): Google (Analytics, Maps, Firebase), Meta, OpenAI, IPInfo, Apple (APNs), Cloudflare. (c) EU-based processing (no transfer required): AWS (eu-north-1, Stockholm), Sentry (de.sentry.io, Germany), DeepL (Germany), Cookiebot (Denmark). We have entered into Data Processing Agreements (DPAs) with all processors listed in Section 4.

16.1 Automated Decision-Making

Our company verification process uses AI-assisted document analysis (powered by OpenAI) to extract and compare information from uploaded verification documents against your registration data. This automated analysis produces a match assessment that influences your verification status. However, no fully automated decision results in account rejection without human review. Our team reviews all verification submissions. You have the right to request human review of any automated assessment, express your point of view, and contest the decision by contacting us at [email protected].

16.2 Third-Party Privacy Policies

For detailed information about how our service providers handle your data, please review their privacy policies:

  1. Facebook: https://www.facebook.com/about/privacy
  2. Instagram: https://help.instagram.com/519522125107875
  3. X (Twitter): https://twitter.com/en/privacy
  4. YouTube: https://policies.google.com/privacy
  5. LinkedIn: https://www.linkedin.com/legal/privacy-policy

17. Children's Data & Changes to This Policy

Our Platform is a B2B service for businesses in the freight logistics industry. We do not knowingly collect personal data from anyone under the age of 18. If we learn that we have collected personal data from a person under 18, we will delete it promptly. We may update this Privacy Policy to reflect changes in our practices, legal requirements, or services. For material changes, we will: (1) Update the "Last updated" date at the top of this policy. (2) Notify registered users via email for significant changes. (3) Display a prominent notice on our website. Your continued use of the Platform after changes take effect constitutes acceptance of the updated policy.

If you have any questions about this Privacy Policy or our data practices, please contact us at [email protected] or write to: PIKAP2 EOOD, Stara Planina 1, 7900 Omurtag, Bulgaria.