Privacy Policy

Effective Date: July 6th 2025

Data Controller: Nicolas Kauffmann, SapioChain, France
Contact: privacy@sapiochain.io

1. Introduction

At SapioChain, we are committed to protecting your privacy and handling your personal data with transparency and care. This Privacy Policy explains what personal data we collect, why we collect it, how it is used, shared, and protected, and details your rights regarding this information in compliance with the General Data Protection Regulation (GDPR).

2. Data We Collect

We collect data that is necessary to provide and improve our services.

  • Account Data: When you create an account, we collect your name, email address, organization name, and login credentials (username and encrypted password).
  • Device and Shipment Data: This includes data from the temperature dataloggers and information you provide about a shipment.
    • Temperature readings and timestamps.
    • Device identifiers (e.g., serial number, device ID).
    • GPS position of the device at the time of data download.
    • Technical device data (e.g., battery level, firmware version).
  • Usage Data: We collect information about how you interact with our platform, such as activity logs, feature usage, and technical performance data.
  • Communications: If you contact us directly (e.g., via email), we may keep a record of that correspondence.

We do not collect other personal information unless you explicitly provide it to us.

3. How and Why We Use Your Data (Our Lawful Bases)

We only process your personal data when we have a lawful basis to do so under GDPR.

  • A. To Provide Our Service (Performance of a Contract)
    We use your data to fulfill our contractual obligations to you. This includes:
    • Creating and managing your user account.
    • Processing and displaying temperature and location data from your dataloggers.
    • Generating analytics, reports, and stability assessments for your shipments.
    • Sending you essential service-related communications (e.g., alerts, billing information).
  • B. For Our Legitimate Interests
    We use data to pursue our legitimate interests in a way that might reasonably be expected as part of running our business and which does not materially impact your rights, freedom, or interests. This includes:
    • Improving and developing our services by analyzing how our platform is used.
    • Ensuring the security and integrity of our platform by monitoring for threats, preventing fraud, and debugging issues.
    • Maintaining auditable logs of platform activity for operational integrity.
  • C. To Comply with a Legal Obligation
    In certain circumstances, we may need to process your data to comply with our legal and regulatory obligations, such as for tax purposes or responding to a lawful request from a public authority.

4. Data Sharing and Disclosure

We do not sell your personal data. We only share it in the following limited circumstances:

  • With Shipment Stakeholders: At your direction, we share shipment reports and stability data with parties you identify, such as shippers, receivers, forwarders, and carriers involved in the logistics chain.
  • With Third-Party Service Providers: We use trusted third-party companies to help us operate and improve our service. These providers are our “data processors” and are contractually obligated to protect your data. Categories include:
    • Cloud Hosting Providers: For data storage and computing services.
    • Analytics Services: To help us understand platform usage.
    • Email Delivery Services: For sending service communications.
  • For Legal Reasons: We may disclose your information if we believe it is reasonably necessary to comply with a law, regulation, or legal process.
  • International Data Transfers: Our service providers are by default located in Europe. If you request deployment in another region, or if one of our subprocessors is located outside the European Economic Area (EEA), we ensure that the transfer is lawful and that your data is protected through mechanisms such as the European Commission’s Standard Contractual Clauses (SCCs).

5. Data Storage and Security

We take the security of your data very seriously.

  • Data is stored in secure virtual environments, by default located in Europe.
  • We use encryption for data in transit (TLS) and at rest.
  • Access to databases and systems is protected by strong passwords and strict access controls, limited to authorized personnel only.
  • All access to your data is logged and traceable.
  • We perform regular data backups to prevent data loss.

6. Data Retention

  • Service Data: Retained for five (5) years to provide you with historical reporting and to meet potential legal and commercial record-keeping requirements in the logistics industry. After this period, it is automatically and securely deleted.
  • Deleted Accounts: If you delete your user account, your personal profile information will be removed. However, we will retain an anonymized or pseudonymized trace of your activity (e.g., “User ID 123 downloaded data”) for five years for security, audit, and operational integrity purposes.
  • Client Termination: If a corporate client terminates their service, we will coordinate with them to export their data before deleting all related information from our active servers according to an agreed-upon schedule.

7. Authentication security and Cookies management

To provide secure and convenient access to our services, we utilize OpenID Connect (OIDC) for authentication. We may leverage third-party identity providers to handle authentication, including, but not limited to, Microsoft services and Google services, at the choice of the user. These services may handle your authentication credentials according to their own privacy policies, which we encourage you to review.

To facilitate your login and maintain your session, we use HTTP-only cookies. These cookies store authentication tokens issued by our authentication provider, enabling us to verify your identity without requiring you to repeatedly enter your login credentials. These cookies are marked as “HTTP-only,” meaning they can only be accessed by our servers and cannot be read by JavaScript code running in your browser, mitigating the risk of certain security vulnerabilities.

8. Your Data Protection Rights

Under GDPR, you have the following rights regarding your personal data:

  • Right to Access: You can request a copy of the personal data we hold about you.
  • Right to Rectification: You can update your name, organization, and password directly in your account settings. For other corrections, you can contact us.
  • Right to Erasure (‘Right to be Forgotten’): You can request the deletion of your personal data by emailing privacy@sapiochain.io. Please note that we may need to retain certain information for legal or legitimate operational purposes.
  • Right to Restrict Processing: You have the right to request that we restrict the processing of your personal data in certain circumstances.
  • Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
  • Right to Object: You have the right to object to the processing of your personal data where we are relying on a legitimate interest as our lawful basis.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority. In France, the relevant authority is the Commission Nationale de l’Informatique et des Libertés (CNIL).

To exercise any of these rights, please use contact page.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on our website and, where appropriate, through email.

10. Contact

For any questions about this Privacy Policy or our data practices, please use contact page.