CARVO — Privacy Policy
Effective date: 4 March 2026
Issued by: Velsio Ltd (Company No. 17068824)
1. Who We Are
CARVO is operated by Velsio Ltd, a company registered in England and Wales (Company No. 17068824), with its registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ.
Velsio Ltd is the data controller for personal data processed through the Service. We are subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
For any privacy-related enquiries, contact us at contact@getcarvo.com.
2. What Personal Data We Collect
2.1 Account and Registration Data
When you create an account, we collect your name, email address, organisation name, and role within the organisation. If you subscribe to a paid plan, billing information is collected and processed by Stripe (we do not store your payment card details). We also store your preferences such as language, region, and notification settings.
2.2 Shipment and Operational Data
The Service stores shipment details, supplier contact information (names, emails, phone numbers), document references, and names associated with document requests and shares. Where you enter third-party personal data (e.g. supplier contact details), you are responsible for ensuring you have the appropriate legal basis to share that data with us.
2.3 Usage and Technical Data
We automatically collect technical data including IP address, browser type and version, pages visited, timestamps, and error logs. This data is used to maintain and improve the Service.
2.4 Communications
If you contact us via email or provide feedback through the Service, we retain the content of those communications to respond to your enquiries and improve the Service.
3. How We Use Personal Data
3.1 Providing the Service
We process your personal data to operate and deliver the Service, including account management, shipment tracking, document storage, and email notifications.
Lawful basis: Performance of a contract (Art. 6(1)(b) UK GDPR).
3.2 Improving the Service
We use usage data and error logs to identify bugs, improve performance, and develop new features.
Lawful basis: Legitimate interests (Art. 6(1)(f) UK GDPR) — improving our products and services.
3.3 Legal and Compliance
We may process personal data to comply with legal obligations, respond to lawful requests from authorities, or enforce our Terms of Service.
Lawful basis: Legal obligation (Art. 6(1)(c) UK GDPR).
3.4 Communications
We send transactional emails (welcome emails, morning briefings, document notifications) and may send product updates. You can manage your notification preferences in the Settings page.
Lawful basis: Legitimate interests (transactional communications) or consent (marketing communications).
4. AI-Assisted Document Extraction
CARVO offers an optional AI-assisted document extraction feature. When you use this feature, document content is sent to Anthropic, Inc. for processing. Anthropic processes the data solely to provide the extraction results and does not use your data for model training.
Extracted data is presented as suggested values only. It is not guaranteed to be accurate and must be reviewed and confirmed by you before use.
5. Sub-Processors and Data Sharing
We share personal data with the following sub-processors, each of which is bound by data processing agreements:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | USA (EU region — Frankfurt) |
| Vercel, Inc. | Application hosting | USA (EU region — Paris, CDG1) |
| Stripe, Inc. | Payment processing | USA |
| Resend | Transactional email delivery | USA |
| Anthropic, Inc. | AI document extraction | USA |
| Mapbox, Inc. | Map rendering and geocoding | USA |
We do not sell your personal data. We do not share your data with third parties for marketing purposes.
6. Data Retention
Active accounts: We retain your data for as long as your account is active. We do not auto-delete shipment or document records.
Account closure: Upon account closure, we provide a 30-day period during which you may export your data. After this period, all User Data is permanently deleted from our systems and backups.
Customs record-keeping: Many jurisdictions require importers to retain customs-related records for a statutory period (typically 3–7 years). You should maintain your own copies of any records required for regulatory compliance independently of the Service.
7. Your Rights
Under the UK GDPR, you have the following rights regarding your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate or incomplete data.
- Erasure — request deletion of your personal data (“right to be forgotten”).
- Restriction — request that we restrict the processing of your data in certain circumstances.
- Portability — request your data in a structured, commonly used, machine-readable format.
- Objection — object to processing based on legitimate interests.
To exercise any of these rights, contact us at contact@getcarvo.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
8. Cookies and Tracking
CARVO uses essential cookies only. These are limited to authentication session tokens managed by Supabase. We do not use analytics cookies, advertising cookies, or third-party tracking scripts.
Because we only use strictly necessary cookies, no cookie consent banner is required under the UK Privacy and Electronic Communications Regulations (PECR).
9. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- TLS encryption for all data in transit.
- Row-Level Security (RLS) at the database level to ensure tenant isolation.
- Role-based access controls within organisations.
- Secure authentication via Supabase Auth with PKCE flow.
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay, in accordance with UK GDPR requirements.
10. Users in the European Union
Velsio Ltd is a UK-registered entity that serves users in the European Union. We are committed to GDPR compliance for all users, regardless of location.
Where required under Article 27 of the GDPR, we will appoint an EU representative. Details of our EU representative will be published on this page once appointed.
11. Children
The Service is intended for business use by individuals aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have collected data from a minor, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification before they take effect. The “Effective date” at the top of this page indicates when the policy was last revised.
13. Contact
Velsio Ltd
Company No. 17068824
71-75 Shelton Street, Covent Garden
London, WC2H 9JQ
United Kingdom
Email: contact@getcarvo.com
© 2026 Velsio Ltd. All rights reserved.