CARVO — Privacy Policy
Effective date: 4 March 2026
Issued by: Velsio Ltd (Company No. 17068824)
1. Who We Are
CARVO is operated by Velsio Ltd, a company registered in England and Wales (Company No. 17068824), with its registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ. ICO registration number: ZC101688.
Velsio Ltd is the data controller for personal data processed through the Service. We are subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
For any privacy-related enquiries, contact us at contact@getcarvo.com.
2. What Personal Data We Collect
2.1 Account and Registration Data
When you create an account, we collect your name, email address, organisation name, and role within the organisation. If you subscribe to a paid plan, billing information is collected and processed by Stripe (we do not store your payment card details). We also store your preferences such as language, region, and notification settings.
2.2 Shipment and Operational Data
The Service stores shipment details, supplier contact information (names, emails, phone numbers), document references, and names associated with document requests and shares. Where you enter third-party personal data (e.g. supplier contact details), you are responsible for ensuring you have the appropriate legal basis to share that data with us.
2.3 Usage and Technical Data
We automatically collect technical data including IP address, browser type and version, pages visited, timestamps, and error logs. This data is used to maintain and improve the Service.
2.4 Communications
If you contact us via email or provide feedback through the Service, we retain the content of those communications to respond to your enquiries and improve the Service.
3. How We Use Personal Data
3.1 Providing the Service
We process your personal data to operate and deliver the Service, including account management, shipment tracking, document storage, and email notifications.
Lawful basis: Performance of a contract (Art. 6(1)(b) UK GDPR).
3.2 Improving the Service
We use usage data and error logs to identify bugs, improve performance, and develop new features.
Lawful basis: Legitimate interests (Art. 6(1)(f) UK GDPR) — improving our products and services.
3.3 Legal and Compliance
We may process personal data to comply with legal obligations, respond to lawful requests from authorities, or enforce our Terms of Service.
Lawful basis: Legal obligation (Art. 6(1)(c) UK GDPR).
3.4 Communications
We send transactional emails (welcome emails, morning briefings, document notifications) and may send product updates. You can manage your notification preferences in the Settings page.
Lawful basis: Legitimate interests (transactional communications) or consent (marketing communications).
4. AI-Assisted Document Extraction
CARVO offers an optional AI-assisted document extraction feature. When you use this feature, document content is sent to Anthropic, Inc. for processing. Anthropic processes the data solely to provide the extraction results and does not use your data for model training.
Extracted data is presented as suggested values only. It is not guaranteed to be accurate and must be reviewed and confirmed by you before use.
The AI extraction feature assists with data entry by suggesting values extracted from uploaded documents. It does not make automated decisions that produce legal effects or similarly significant effects concerning you. All extracted data is presented as suggestions and must be reviewed, edited, and confirmed by you before it is saved. No decisions regarding your account, access, or service are made solely on the basis of automated processing.
5. Sub-Processors and Data Sharing
We share personal data with the following sub-processors, each of which is bound by data processing agreements:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | USA (EU region — Frankfurt) |
| Vercel, Inc. | Application hosting | USA (EU region — Paris, CDG1) |
| Stripe, Inc. | Payment processing | USA |
| Resend | Transactional email delivery | USA |
| Anthropic, Inc. | AI document extraction | USA |
| Mapbox, Inc. | Map rendering and geocoding | USA |
| Google LLC | Analytics (website usage analysis via Google Analytics 4) | USA |
| LinkedIn Corporation | Advertising analytics (LinkedIn Insight Tag) | USA |
Where personal data is transferred to sub-processors located in the United States, we rely on the following safeguards as applicable to each provider: Stripe and Google participate in the EU-US Data Privacy Framework (including the UK Extension), as certified with the US Department of Commerce. For Resend, Anthropic, Mapbox, and LinkedIn, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or the UK International Data Transfer Agreement (UK IDTA), as applicable. We verify that each sub-processor maintains appropriate certifications or contractual safeguards before any personal data is transferred.
We do not sell your personal data. We do not share your data with third parties for marketing purposes.
6. Data Retention
We retain different categories of personal data for different periods, depending on the purpose and any legal obligations:
- Account and profile data: retained for the duration of the account plus 30 days after deletion (to allow recovery).
- Shipment and trade data: retained for the duration of the account plus 6 years after account deletion (to comply with UK tax and customs record-keeping requirements under HMRC guidelines).
- Usage and technical data (IP addresses, page views, error logs): retained for 24 months from collection, then anonymised or deleted.
- Communications (support emails, feedback submissions): retained for 36 months from the date of last correspondence.
- Billing and payment records: retained for 6 years after the last transaction (HMRC tax record-keeping requirement).
- AI extraction data: document content processed for data extraction is processed in real time and not stored by the AI sub-processor beyond the duration of the API request. Extracted results are stored as part of your shipment data and subject to the shipment data retention period above.
Account closure: Upon account closure, we provide a 30-day period during which you may export your data. After this period, User Data is permanently deleted from our systems, subject to the retention periods above where a longer period is required by law.
Customs record-keeping: Many jurisdictions require importers to retain customs-related records for a statutory period (typically 3–7 years). You should maintain your own copies of any records required for regulatory compliance independently of the Service.
7. Your Rights
Under the UK GDPR, you have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure — request deletion of your personal data (“right to be forgotten”).
- Restriction — request that we restrict the processing of your data in certain circumstances.
- Portability — request your data in a structured, commonly used, machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where we rely on your consent as the legal basis for processing (for example, analytics cookies or marketing communications), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. To withdraw consent for cookies, see Section 8. To unsubscribe from marketing communications, use the unsubscribe link in any marketing email.
To exercise any of these rights, contact us at contact@getcarvo.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
8. Cookies and Tracking
CARVO uses essential cookies for authentication and session management. These are strictly necessary and do not require consent.
If you accept analytics cookies via the cookie banner, CARVO also uses:
- Google Analytics 4 — to understand how visitors use the site (pages visited, traffic sources, time on site). Google Analytics uses cookies to distinguish users. Data is processed by Google in accordance with their privacy policy.
- LinkedIn Insight Tag — to measure the effectiveness of LinkedIn advertising campaigns and understand professional demographics of site visitors. Data is processed by LinkedIn in accordance with their privacy policy.
You can manage your cookie preferences at any time. When you first visit our website, a consent banner allows you to accept or decline non-essential cookies. To change your preferences after your initial choice, clear your browser data for getcarvo.com, which will cause the consent banner to reappear on your next visit. If you decline or withdraw consent, analytics and advertising cookies will not be loaded and no further data will be collected through those cookies. Data collected lawfully under your previous consent is not affected by withdrawal.
For information on how Google processes data, see Google’s Privacy Policy. For LinkedIn, see LinkedIn’s Privacy Policy.
9. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- TLS encryption for all data in transit.
- Row-Level Security (RLS) at the database level to ensure tenant isolation.
- Role-based access controls within organisations.
- Secure authentication via Supabase Auth with PKCE flow.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay, in accordance with UK GDPR requirements.
10. Users in the European Union
Velsio Ltd is a UK-registered entity that serves users in the European Union. We are committed to GDPR compliance for all users, regardless of location.
Under Article 27 of the EU GDPR, we are required to appoint a representative in the EU. We are in the process of appointing an EU representative and will update this policy with their contact details once appointed. In the meantime, EU data subjects may exercise their rights and direct any enquiries to us at contact@getcarvo.com.
11. Children
The Service is intended for business use by individuals aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have collected data from a minor, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification before they take effect. The “Effective date” at the top of this page indicates when the policy was last revised.
13. Contact
Velsio Ltd
Company No. 17068824
71-75 Shelton Street, Covent Garden
London, WC2H 9JQ
United Kingdom
Email: contact@getcarvo.com
© 2026 Velsio Ltd. All rights reserved.