Privacy Policy
Last Updated: March 2026
Effective date: 1 April 2026
1. Introduction and Data Controller
Standard Tonnage Limited (“Standard Tonnage”, “we”, “us”, or “our”) is committed to protecting the privacy and security of all personal data we process. This Privacy Policy describes how we collect, use, store, share, and safeguard information when you use our container tracking and demurrage & detention prevention platform (the “Service”), visit our website at standardtonnage.com, or otherwise interact with us.
Standard Tonnage Limited is the data controller for the purposes of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”).
Registered name: Standard Tonnage Limited
Jurisdiction of incorporation: England and Wales
Data controller contact: info@standardtonnage.co.uk
Direct contact: philip@standardtonnage.com
Please read this policy carefully. By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.
2. Data We Collect
We collect the following categories of data in connection with your use of the Service:
2.1 Account and Identity Data
When you register for or manage your account, we collect: your full name, job title, company name, company address, business email address, telephone number, industry sector, and account login credentials (password stored in hashed form only).
2.2 Shipping and Container Data
The core function of the Service requires us to collect and process operational shipping data, including: container reference numbers, booking references, bill of lading numbers, vessel names and voyage numbers, port of loading and port of discharge, estimated and actual arrival and departure dates (“ETAs” and “ATAs”), free time allowances granted by the shipping line, demurrage and detention tariff rates, return deadlines, container status events (e.g. vessel departure, port arrival, customs clearance, gate-out), commodity descriptions (as provided by you), and any notes or annotations you add to shipments within the platform.
This data is sourced directly from you, from booking confirmation emails you forward to us, and from shipping line tracking APIs (see Section 3).
2.3 Email Data (Booking Confirmation Forwarding)
If you use our email forwarding feature, you may forward shipping booking confirmation emails to a dedicated inbox address we provide. We process the content of those emails solely to extract structured shipping data (container numbers, booking references, vessel details, port pairs, and free time terms). We do not read, store, or use the content of forwarded emails for any other purpose. Raw email content is deleted within 90 days of processing. You must not forward emails that contain personal data unrelated to the shipment (for example, emails containing customer personal details beyond what is necessary for tracking).
2.4 Communication and Alert Preference Data
To deliver proactive demurrage and detention risk alerts, we collect: email addresses designated to receive alerts (which may differ from your account email), mobile telephone numbers for SMS alerts, and WhatsApp-enabled telephone numbers for WhatsApp Business alerts. We also store your notification preferences, including alert thresholds, preferred channels, and quiet hours.
2.5 Usage and Technical Data
We automatically collect certain technical data when you access the Service, including: IP address, browser type and version, operating system, device type, session start and end timestamps, pages and features accessed, actions taken within the platform (e.g. filters applied, reports viewed, alerts acknowledged), and error logs. This data is used for security, platform stability, and service improvement.
2.6 Payment and Billing Data
We use Stripe, Inc. as our payment processor. When you subscribe to a paid plan, we collect your billing contact name, billing email address, and billing address. Payment card details (card number, expiry date, CVV) are collected and processed directly by Stripe and are never transmitted to or stored on Standard Tonnage systems. We retain billing records (invoice amounts, dates, subscription tier) for accounting and legal compliance purposes.
2.7 Communications Data
If you contact us by email, through our website contact form, or by other means, we will retain a record of that correspondence, including the content of your message and any personal data you include, for as long as necessary to respond to and resolve your query.
3. How We Collect Data
We collect data through the following means:
3.1 Directly From You
Most data is provided by you when you register for an account, complete your company profile, manually enter shipment details, configure alert recipients and preferences, or contact us for support.
3.2 From Shipping Line APIs
We integrate with the tracking and vessel schedule APIs provided by major container shipping lines, including Maersk, CMA CGM, Hapag-Lloyd, MSC, and others. When you add a container to the Service, we use your booking reference or container number to query these APIs and retrieve live tracking events, terminal availability, and updated ETA/ATA data. The data returned from shipping line APIs is shipping and operational data — it does not typically contain personal data beyond reference numbers.
3.3 From Forwarded Emails (AI Processing)
When you forward a booking confirmation email to your assigned Standard Tonnage inbox address, we process the email using AI-assisted extraction (powered by Anthropic Claude — see Section 6.3) to identify and structure the relevant shipping data. This processing occurs automatically upon receipt of the forwarded email.
3.4 Automatically
Usage and technical data (Section 2.5) is collected automatically through server logs and session management mechanisms when you interact with the Service.
4. Lawful Basis for Processing (UK GDPR)
We rely on the following lawful bases under Article 6 of the UK GDPR:
4.1 Performance of a Contract (Article 6(1)(b))
The primary lawful basis for processing is performance of the contract between you (or your employer) and Standard Tonnage. We process account data, shipping data, email data, communication and alert data, and usage data insofar as this is necessary to deliver the Service you have subscribed to — including tracking your containers, calculating risk, and dispatching alerts before free time expires.
4.2 Legitimate Interests (Article 6(1)(f))
We process certain data on the basis of our legitimate interests (or those of a third party), where those interests are not overridden by your rights and freedoms. Legitimate interest processing includes: improving, testing, and securing the platform; fraud prevention and abuse detection; aggregated and anonymised analytics to understand feature usage; and communicating with you about material changes to the Service or this Policy. We have conducted legitimate interests assessments (LIAs) for these activities, available on request.
4.3 Consent (Article 6(1)(a))
Where we rely on consent — for example, for sending optional marketing communications about new features or industry reports — we will obtain your explicit consent before doing so. You may withdraw consent at any time by contacting us or using the unsubscribe link in any marketing email. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
4.4 Legal Obligation (Article 6(1)(c))
We process certain data to comply with legal obligations, including retention of financial records under the Companies Act 2006 and HMRC requirements (see Section 8).
5. How We Use Your Data
We use the data we collect for the following specific purposes:
- Account management: Creating, maintaining, and securing your account; authenticating logins; enabling password reset and multi-user access management.
- Container tracking: Querying shipping line APIs with your container and booking references to retrieve live tracking events, terminal status, and vessel ETAs.
- Free time calculation: Calculating how many free days remain against your container's free time allowance, based on arrival events and your contracted terms.
- Risk scoring: Generating a demurrage and detention risk score for each active container, taking into account remaining free days, vessel delay probabilities, and your historical clearance lead times.
- Email parsing: Extracting structured shipment data from booking confirmation emails you forward to us, reducing manual data entry.
- Alert generation and delivery: Sending proactive alerts via email, SMS (through Twilio), and WhatsApp (through Twilio's WhatsApp Business API) when containers reach configurable risk thresholds or critical deadlines.
- Dashboard and reporting: Displaying real-time and historical data in your account dashboard; generating reports on estimated and actual demurrage costs and savings.
- Billing and subscription management: Processing subscription payments via Stripe; issuing invoices; managing upgrades, downgrades, and cancellations.
- Customer support: Responding to your support requests, diagnosing issues, and providing technical assistance.
- Platform improvement: Using aggregated and anonymised usage data to identify bugs, improve features, and prioritise development.
- Security and fraud prevention: Monitoring for unauthorised access, suspicious activity, and abuse of the Service.
- Legal compliance: Retaining records as required by applicable law; responding to lawful requests from public authorities.
- Marketing communications (with consent): Sending product updates, feature announcements, or industry content where you have opted in.
6. Data Sharing with Third-Party Processors
We do not sell your data. We do not share your data with third parties for their own marketing purposes. We share data only with carefully selected sub-processors who act strictly on our documented instructions and under contractual data processing agreements (DPAs) in accordance with UK GDPR Article 28. Our current sub-processors are:
6.1 Supabase, Inc. — Database and Authentication
Supabase provides our primary database infrastructure (PostgreSQL), user authentication, and real-time data functionality. All account data, shipping data, alert history, and platform configuration data is stored in Supabase. Data is hosted in EU-based data centres (AWS eu-west-2, London) by default. Supabase is certified under the UK-US Data Bridge and provides SCCs where applicable.
6.2 Vercel, Inc. — Application Hosting
Vercel hosts the Standard Tonnage web application. Application code and server-side functions run on Vercel's infrastructure. Vercel processes request logs and usage telemetry. Data is processed in accordance with Vercel's DPA and the UK-US Data Bridge.
6.3 Anthropic, PBC — AI Processing (Email Parsing)
When you use the email forwarding feature, the content of forwarded booking confirmation emails is transmitted to Anthropic's Claude API for AI-assisted data extraction. Anthropic acts as a data processor and processes email content solely to return structured shipping data to us. Anthropic does not use API inputs to train its models. We transmit only the minimum data necessary for extraction. Anthropic is a US-based company; transfers are protected under the UK-US Data Bridge and Standard Contractual Clauses.
6.4 Twilio, Inc. — SMS and WhatsApp Alerts
Twilio provides our SMS and WhatsApp Business messaging infrastructure. When an alert is triggered, the recipient's telephone number and the alert message content are transmitted to Twilio for delivery. Twilio acts as a data processor under a DPA. Twilio is a US-based company; transfers are protected under the UK-US Data Bridge and Standard Contractual Clauses.
6.5 Stripe, Inc. — Payment Processing
Stripe processes subscription payments on our behalf. Stripe collects and processes payment card data directly from you; this data is never transmitted to or stored by Standard Tonnage. Stripe is PCI DSS Level 1 compliant. Stripe is a US-based company; transfers are protected under the UK-US Data Bridge and Standard Contractual Clauses. Stripe's privacy policy is available at stripe.com/privacy.
6.6 Shipping Line APIs
We transmit container reference numbers and booking references to the APIs of shipping lines including Maersk, CMA CGM, Hapag-Lloyd, and MSC to retrieve tracking data. These API queries contain only operational reference identifiers and do not include personal data about individuals. Shipping lines receive only the data necessary to process the tracking query.
6.7 Legal Disclosures
We may disclose personal data to law enforcement, regulators, courts, or other government authorities where we are required to do so by applicable law, or where disclosure is necessary to protect the rights, property, or safety of Standard Tonnage, our customers, or others.
7. International Data Transfers
Some of our sub-processors are based in the United States. The UK has not adopted a general adequacy decision in respect of the US; accordingly, we rely on the following transfer mechanisms to ensure an adequate level of protection for personal data transferred outside the UK:
- UK-US Data Bridge: Where a US processor is certified under the UK Extension to the EU-US Data Privacy Framework (the “UK-US Data Bridge”), we rely on that certification as the transfer mechanism. Supabase, Vercel, Anthropic, Twilio, and Stripe are each certified or have committed to the Data Bridge as applicable.
- UK International Data Transfer Agreements (IDTAs) / Standard Contractual Clauses (SCCs): Where the Data Bridge is unavailable or insufficient, we rely on the ICO-approved International Data Transfer Agreement or, where applicable, the European Commission's Standard Contractual Clauses as adopted into UK law, supplemented by a UK Addendum.
You may request a copy of the relevant transfer safeguards by contacting us at info@standardtonnage.co.uk.
8. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. Our standard retention periods are:
| Data Category | Retention Period | Basis |
|---|---|---|
| Account and identity data | Duration of subscription + 12 months post-cancellation | Contract; legitimate interests |
| Shipping and container data | 24 months from the date of final container event | Contract; legitimate interests (dispute resolution) |
| Raw forwarded email content | Deleted within 90 days of receipt | Minimisation; contract |
| Alert delivery logs | 12 months | Legitimate interests (service quality) |
| Financial and billing records | 7 years from the end of the relevant financial year | Legal obligation (Companies Act 2006; HMRC) |
| Usage and technical logs | 90 days | Legitimate interests (security) |
| Support correspondence | 3 years from resolution | Legitimate interests (dispute resolution) |
Where data is retained beyond the immediate service purpose solely for legal compliance (e.g. financial records), it is stored in restricted-access archival storage and is not used for any other purpose.
When a retention period expires, data is securely deleted or anonymised so that it can no longer be attributed to an individual or organisation.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. Our security measures include:
- Encryption in transit: All data transmitted between your browser, the Standard Tonnage application, and our sub-processors is encrypted using TLS 1.2 or higher.
- Encryption at rest: Database storage is encrypted at rest via Supabase's AES-256 encryption.
- Access controls: Access to production systems and customer data is restricted to authorised personnel on a need-to-know basis. Administrative access requires multi-factor authentication.
- Password security: Account passwords are hashed using a strong one-way hashing algorithm and are never stored or transmitted in plaintext.
- Sub-processor vetting: We only engage sub-processors who can demonstrate adequate security certifications (e.g. SOC 2 Type II, ISO 27001) or equivalent assurance.
- Incident response: We maintain a data breach response procedure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay, as required by UK GDPR Articles 33 and 34.
Notwithstanding these measures, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security, and you transmit data to us at your own risk.
10. Your Rights Under UK GDPR
As a data subject, you have the following rights in relation to your personal data. Note that most rights apply to personal data relating to identified or identifiable natural persons; purely organisational or B2B data that does not relate to an individual may not qualify.
- Right of access (Article 15): You have the right to request a copy of the personal data we hold about you, along with information about how we use it.
- Right to rectification (Article 16): You have the right to request that we correct inaccurate personal data we hold about you, or complete incomplete data.
- Right to erasure (Article 17): You have the right to request that we delete your personal data where it is no longer necessary for the purpose for which it was collected, where you have withdrawn consent (and no other lawful basis exists), or in other specified circumstances. This right is subject to exceptions, including where we are required to retain data by law.
- Right to restrict processing (Article 18): You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while you contest its accuracy.
- Right to data portability (Article 20): Where processing is based on consent or contract and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to request that we transmit it directly to another controller where technically feasible.
- Right to object (Article 21): You have the right to object to processing based on legitimate interests or for direct marketing purposes. Where you object to legitimate interests processing, we will cease unless we can demonstrate compelling legitimate grounds that override your interests.
- Rights related to automated decision-making (Article 22): You have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. See Section 11 for how we use automated and AI-assisted processing.
- Right to withdraw consent: Where processing is based on consent, you may withdraw that consent at any time. This does not affect the lawfulness of prior processing.
To exercise any of these rights, please contact us at info@standardtonnage.co.uk. We will respond within one calendar month of receipt of your request. In complex cases we may extend this by a further two months, in which case we will inform you within the first month. We will not charge a fee for reasonable requests; however, we may charge a reasonable fee or refuse a request that is manifestly unfounded or excessive.
We may need to verify your identity before processing your request. We will ask you to provide sufficient information to confirm who you are before disclosing or amending any personal data.
11. Automated Decision-Making and AI Processing
Standard Tonnage uses automated processing and AI-assisted tools in the following ways:
11.1 Email Parsing
Forwarded booking confirmation emails are processed automatically using the Anthropic Claude API to extract structured shipment data. This is a document processing function — it does not produce decisions about individuals. The output is a structured data record (container number, vessel, port pair, dates) that is added to your account for your review.
11.2 Risk Scoring
Our platform calculates a demurrage and detention risk score for each active container based on a combination of: remaining free days, live vessel position and ETA data, historical port congestion indicators, and your account's historical clearance lead times. This score is informational — it is displayed on your dashboard and used to trigger threshold-based alerts. It does not constitute a legal or binding assessment. No automated decisions with legal or similarly significant effects are made solely on the basis of this score.
11.3 Alert Generation
Alerts are generated automatically when a container's calculated risk score or remaining free days breach a threshold you have configured. Alert content is templated and informational; no AI-generated content that could constitute a significant decision about an individual is included. You retain full control over all operational decisions arising from alerts received.
If you have questions about how a specific automated output was generated, or wish to request human review of a particular output, please contact us at info@standardtonnage.co.uk.
12. Cookies and Tracking Technologies
We use a limited number of cookies on the Standard Tonnage platform. Our cookie usage is as follows:
- Essential / strictly necessary cookies: We use session cookies issued by Supabase to manage your authenticated session after login. These cookies are required for the Service to function and cannot be disabled without affecting your ability to use the platform. They expire at the end of your browser session or when you log out.
- Security cookies: Short-lived cookies may be set for CSRF (cross-site request forgery) protection and similar security functions.
We do not use advertising cookies, behavioural tracking cookies, or third-party analytics cookies that share your data with external advertising networks. If we introduce optional analytics cookies in the future, we will obtain your prior consent via a cookie consent mechanism and update this Policy accordingly.
13. Children's Data
The Standard Tonnage Service is a business-to-business (B2B) platform intended solely for use by companies and their employees or authorised representatives in a professional capacity. It is not directed at, and we do not knowingly collect personal data from, individuals under the age of 18. If you believe we have inadvertently collected data relating to a child, please contact us immediately at info@standardtonnage.co.uk and we will delete it without undue delay.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, applicable law, or regulatory guidance. When we make changes, we will update the “Last Updated” date at the top of this page.
Where changes are material — meaning they significantly affect how we process your personal data or your rights — we will notify you by email to your account email address and/or by a prominent notice within the Service at least 30 days before the changes take effect, giving you the opportunity to review them and, where the lawful basis is consent, to withdraw consent if you do not agree.
Your continued use of the Service after the effective date of any updated Policy constitutes your acceptance of the changes, to the extent permitted by applicable law.
15. Contact Us and ICO Complaints
If you have any questions, concerns, or requests relating to this Privacy Policy or our handling of your personal data, please contact us:
We will acknowledge your contact within 5 business days and aim to provide a substantive response within 30 calendar days.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (“ICO”) if you believe we have not handled your personal data in accordance with UK GDPR. The ICO can be contacted at:
- Website: ico.org.uk
- Telephone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We would, however, appreciate the opportunity to address your concerns directly before you approach the ICO, and ask that you contact us in the first instance.
This Privacy Policy is governed by the laws of England and Wales. Any disputes arising under or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts of England and Wales.