Privacy Policy.

This Privacy Policy explains how Trusted Carrier Logistik GmbH (hereinafter referred to as Trusted Carrier) processes personal data in connection with its verification and trust infrastructure for logistics, transport, insurance, and public sector workflows.

Trusted Carrier acts as the controller for personal data processed for its own purposes, including account administration, platform security, fraud prevention, biometric verification and authentication, AI assisted verification, audit logging, and compliance.

Where Trusted Carrier processes personal data on behalf of a customer that determines the purpose and requirements of a verification workflow, Trusted Carrier acts as a processor. Where Trusted Carrier and one or more participating organizations jointly determine the essential purposes and means of processing, particularly in reusable verification, subcontractor authorization, or shared trust workflows, the parties act as joint controllers in accordance with Article 26 GDPR.

Where required under applicable law, Trusted Carrier will designate a representative within the European Union.

Trusted Carrier provides a verification and trust infrastructure that enables organizations to confirm the identity, authority, and operational readiness of companies and individuals without requiring changes to existing workflows.

Verification may be initiated either by an organization or by an individual acting in a professional context. Individuals such as drivers, employees, subcontractors, or representatives may initiate or participate in verification processes, including by linking themselves to an organization or operational workflow.

In all cases, processing occurs within a defined organizational or operational context and is necessary to enable identity verification, authorization, fraud prevention, and secure interaction between parties.

Verification is typically initiated within ordinary business communication, such as an email thread or a message based interaction. A request for verification may result in either the approval of an existing verified profile or the completion of a verification process, after which information can be shared and reused.

Trusted Carrier operates as a verification and trust infrastructure and does not replace the independent decision making responsibilities of participating parties.

Trusted Carrier processes personal data necessary to verify identity, authority, and operational readiness. This includes:

• identification data (e.g. name, contact details)
• professional and company related data
• identity document data
• driver credentials, licenses, certifications
• insurance and compliance related information
• assignment, shipment, and access related data
• verification results and status
• authentication and access data
• audit logs and system activity

Where required, biometric data may be processed, including facial images, liveness signals, and biometric templates.

Communication metadata may be processed where verification is initiated through messaging or email.

Personal data is obtained from individuals, organizations, customers, counterparties, verification providers, and public or official sources.

Personal data is processed to verify identity and authority, confirm operational readiness, enable controlled sharing of verified information, support onboarding and access workflows, maintain auditability, prevent fraud and impersonation, and support insurance, claims, and public sector processes.

Provision of personal data required for verification is necessary to participate in relevant workflows. Where such data is not provided, Trusted Carrier may not be able to complete verification, which may affect the ability to access services, perform assignments, or participate in operational processes.

Trusted Carrier processes personal data on the basis of Article 6 GDPR and, where applicable, Article 9 GDPR.

Processing is carried out on different legal bases depending on the specific purpose and context:

• Verification, fraud prevention, and operational security. Processing is primarily based on legitimate interests under Article 6(1)(f) GDPR. These interests include ensuring that companies and individuals involved in logistics and related workflows can be reliably identified, authorized, and verified, and that fraud, impersonation, and misuse are prevented.
• Provision of the service and account related processing. Where individuals or organizations directly use the service, processing may be necessary for the performance of a contract or to take steps prior to entering into a contract under Article 6(1)(b) GDPR.
• Legal and regulatory obligations. Where applicable, processing may be carried out to comply with legal obligations under Article 6(1)(c) GDPR or to perform tasks in the public interest under Article 6(1)(e) GDPR.
• Biometric data. Where biometric data is used to uniquely identify an individual, processing is carried out in accordance with Article 9 GDPR. This may include processing necessary for the establishment, exercise, or defence of legal claims or for substantial public interest where applicable. Biometric processing is limited to what is necessary for identity verification and fraud prevention.
• Consent. Where consent is required, it is obtained and managed in accordance with Article 6(1)(a) and Article 7 GDPR. Consent is not relied upon where it cannot be freely given.

Trusted Carrier ensures that processing is proportionate and limited to what is necessary for the intended purpose.

Trusted Carrier processes personal data in accordance with the principles set out in Article 5 GDPR.

Processing is carried out lawfully, fairly, and transparently. Personal data is collected for specified and legitimate purposes and is not further processed in a manner incompatible with those purposes.

Trusted Carrier limits the personal data processed to what is necessary for verification, authorization, fraud prevention, and operational security, taking into account the specific context and risk level of each workflow.

Measures are implemented to ensure that personal data is accurate and, where necessary, kept up to date. Data is retained only for as long as necessary and is protected through appropriate technical and organizational safeguards.

These principles are applied throughout the design and operation of the service, including in biometric verification, AI assisted processing, and data sharing mechanisms, to ensure that processing remains proportionate and aligned with its intended purpose.

Trusted Carrier uses biometric data for identity verification and authentication where a high level of assurance is required.

Biometric processing may include facial comparison, liveness detection, and similar methods to confirm identity.

Such processing is applied only where necessary and cannot reasonably be replaced by less intrusive methods.

Biometric data is:

• not used for profiling or tracking
• not used across unrelated contexts
• not stored in a general purpose biometric database

Where biometric verification cannot be completed, alternative procedures may be used where reasonably feasible.

Biometric data is retained only for the shortest period necessary for verification, authentication, fraud prevention, or legal obligations.

Trusted Carrier uses artificial intelligence to support identity verification, document validation, fraud detection, and anomaly detection.

AI may perform initial assessments or flag risks. Where outcomes may influence access or participation, human review is actively integrated into the workflow.

Individuals are not subject to decisions with legal or similarly significant effects solely based on automated processing in accordance with Article 22 GDPR.

AI systems are designed to comply with applicable European AI regulation, including Regulation (EU) 2024/1689 (EU AI Act), where applicable.

Trusted Carrier processes data relating to individuals acting in a professional capacity.

Processing is limited to identity verification, authorization, fraud prevention, and operational security. It is not used for employee monitoring, productivity tracking, or behavioral analysis.

Audit logs and verification records are not used to evaluate individual performance and are accessed only where necessary for security, compliance, or dispute resolution.

Verified information is shared only where necessary and authorized.

Trusted Carrier does not control how independent parties use data after lawful sharing.

Trusted Carrier does not sell personal data or use it for advertising.

Verification may be initiated through email, SMS, or messaging platforms.

Trusted Carrier does not send personal data through such platforms beyond what is necessary to initiate verification.

Where third party messaging platforms are used, Trusted Carrier is not responsible for how those platforms process, store, or share data transmitted through their services. Users should refer to the relevant platform's privacy policy for further information.

Trusted Carrier may be used to confirm that subcontractors are authorized to perform activities.

Trusted Carrier takes reasonable steps to ensure that personal data is accurate and up to date.

Verification results may be corrected, restricted, or invalidated where necessary.

Personal data is retained only as long as necessary based on operational requirements, legal obligations, fraud risk, and auditability.

Retention periods are regularly reviewed.

Trusted Carrier implements appropriate technical and organizational measures in accordance with Article 32 GDPR.

Trusted Carrier uses cookies and similar technologies to maintain secure sessions, prevent fraud, and ensure system reliability.

Further details are available in the Cookie Policy.

Personal data may be shared with customers, counterparties, insurers, brokers, public authorities, and service providers.

Subprocessors are contractually bound in accordance with Article 28 GDPR.

Where personal data is transferred outside the European Economic Area, appropriate safeguards are implemented in accordance with Articles 44 to 46 GDPR.

Individuals have rights under Articles 15 to 22 GDPR, including:

• access
• rectification
• erasure
• restriction
• objection
• portability
• human review

Requests may be submitted to ten.reirracdetsurt@ycavirp.

Where multiple parties act as joint controllers, responsibilities are allocated in accordance with Article 26 GDPR.

Trusted Carrier handles breaches in accordance with Articles 33 and 34 GDPR.

Trusted Carrier implements data protection by design and by default in accordance with Article 25 GDPR.

Trusted Carrier conducts DPIAs in accordance with Article 35 GDPR.

Where national laws impose additional requirements, those requirements apply.

This Privacy Policy may be updated as required.