Skip to content
  • There are no suggestions because the search field is empty.

CartonCloud Privacy Policy

Effective: 1 March 2026

Introduction

When you use our services, we collect your personal data to support those services. Data privacy is important to us at CartonCloud. This Privacy Policy details our use of personal data and your privacy rights and choices available to you. CartonCloud is a Data Controller that is responsible for determining the purpose and means of personal data processing.

How we use personal data

Your data is collected to help us:

  • Deliver our services to you.
  • Provide support and troubleshooting when using our services.
  • Analyse and improve our services.
  • Market our services.
  • Meet our legal and compliance obligations.

Personal data we may collect

CartonCloud may collect one or more of the following types of data as a requirement for using our services:

  • Name
  • Contact information
  • IP address
  • Cookie ID
  • Usage Data
  • Location Data

When using the CartonCloud web application, your IP address will be collected and stored; however, it will not be utilised for purposes outside technical requirements.

In addition to the data above, which may be requested or required when using our services, additional unsolicited data may be processed that is not reviewed by CartonCloud as part of the services provided. We will apply the same security and privacy protections as the solicited data above, which may not recognise any additional privacy risks of this data.

Location Data

When using the CartonCloud transport mobile application and when location-sharing settings on your device are enabled, CartonCloud will utilise your location. We will use your location for certain functionality on the transport CartonCloud application (such as driver tracking, route optimisation, ETA text messages, map view, and sorting) and other services related to your account (such as the BI dashboard).

In addition, we may use anonymised aggregated location data for statistical analysis; however, this data is not identifiable to your account and will not be shared externally.

If you do not want to share your location for the above purposes, you can disable location-sharing settings on your device. However, please note you will not have access to the functionality of the CartonCloud transport application that relies on this location data.

When we share your personal data

Your personal data may be shared with third parties under one or more of the following scenarios:

With the sub-processors included in this policy who are subject to agreed terms of service with a basis of processing in line with this policy.

Your rights

Your privacy rights are outlined below. For further details of these rights or to make a request from us related to these rights, please see the Privacy Requests and Contacts section below and contact us accordingly.

The right to be informed. You have the right to be informed about the collection and use of your personal data when the data is obtained by us.

The right to access and amend your data. You can request a copy of your personal data through a data subject request. You can ask us to explain the means of collection, what data we are processing, and who we share it with.

The right to rectify your data. If your data is inaccurate or incomplete, you can ask us to rectify that.

The right to data erasure. You can request we erase your data within 30 days. We will notify you if that cannot be completed or if there are any implications of doing so for using our services.

The right to transfer your data. You can have your data transferred from one system to another safely and securely.

The right to restrict your data processing. You can request we restrict or suppress your personal data to limit its use.

The right to opt-in for sensitive data processing. For any highly sensitive personal data we may collect, we require your explicit consent to opt-in to process that data.

The right to opt-in by a parent or guardian. We do not collect data from minors. You are required to be over the age of 18 in order to use our services.

The right not to be subject to fully automated decisions. We do not apply automated processing activities that profile you or make fully automated decisions using your personal data.

These rights are subject to the relevant privacy regulations, legal requirements, and public interest clauses, and where the above rights may conflict with your use of our services. For any privacy concerns or to request further details of your rights, please see the Privacy Requests and Contacts section below.

Sub-processors and Locations

A subprocessor is a third-party service provider engaged by CartonCloud to process service data on our behalf. These subprocessors may receive personal information where required to deliver their services to us and to support the operation, functionality, and improvement of our platform and business (including customer support, analytics, communications, and marketing activities).

CartonCloud engages subprocessors to assist in providing our services, and these subprocessors may change from time to time. We maintain an up-to-date list of the subprocessors we use, including the countries in which they are located (which may be overseas), on our Trust Center. The Trust Center is the authoritative and always-current source of information about our subprocessors and is available at:  https://trust.cartoncloud.com/

Before engaging any subprocessor, CartonCloud undertakes a review of the provider’s privacy and security practices and assesses whether they implement appropriate technical and organisational measures to protect personal information. We enter into contractual arrangements with subprocessors that include privacy, confidentiality, and data protection obligations consistent with applicable legal requirements. We also take reasonable steps to monitor subprocessor performance and ongoing compliance.

Security

CartonCloud takes the security of personal information seriously and implements a range of technical and organisational measures designed to protect the information we hold from misuse, interference, loss, unauthorised access, modification, or disclosure.

These measures include, where appropriate:

  • Encryption in transit and at rest to safeguard data during transmission and storage.
  • Access controls to ensure that only authorised personnel can access personal information required for their role.
  • Multi-factor authentication for administrative and privileged access.
  • Logging and monitoring of system activity to detect and respond to potential security events.
  • Regular security testing, including vulnerability assessments and other assurance activities aimed at maintaining the security of our systems.
  • Vendor and subprocessor management controls, including due diligence and contractual requirements to ensure that third-party providers maintain appropriate security standards.
  • Incident response processes designed to identify, contain, investigate, and remediate security incidents, as well as comply with applicable data breach notification obligations.

While no method of electronic transmission or storage is completely secure, CartonCloud takes reasonable steps to ensure that personal information is protected.

Retention

The following types of data must be retained for the periods noted to support CartonCloud's services and compliance requirements effectively:

  • Account management: Supporting customers’ needs by maintaining a history of dealings with them. This includes the history of interactions, contact details, agreements, service information and key conversation records. This data is retained until deletion is requested.
  • Service information: Confidential information is shared during the course of providing CartonCloud’s services. This may include proprietary documentation and confidential data of customers' business activities. This is data retained as required for regulatory compliance purposes.
  • CartonCloud usage: User history and account activity for users of CartonCloud are tracked to support the debugging of issues and to improve the products and services. This data is anonymised where possible to reduce the sensitivity of the information. This data is retained until deletion is requested.
  • Private data: Personally Identifiable Data is collected, processed, and stored for the provision of CartonCloud’s services.  Data subjects have the right, subject to applicable law, to request access to, correction of, and deletion of their Personally Identifiable Data. We may decline or limit a request where permitted or required by applicable law, including where necessary to comply with legal or regulatory obligations or to protect CartonCloud’s legitimate interests. Where we are unable to comply with a request, we will communicate the reasons.  Where a deletion request is not made or cannot be fulfilled, subject to any applicable legal obligations, we will retain Personally Identifiable Data until:
    • Approximately 12 months after the associated account is deactivated; or
    • An earlier deletion timeframe required under applicable contractual obligations with third-party vendors or integration partners.

Privacy requests and contacts

Data Protection Officer

CartonCloud has appointed a Data Protection Officer to oversee our compliance with privacy laws and to act as the primary point of contact for privacy-related enquiries.

If you have any questions about this Privacy Policy, our handling of personal information, or wish to exercise your privacy rights, you can contact our Data Protection Officer using the following details:

Data Protection Officer

CartonCloud Pty Ltd

Email: privacy@cartoncloud.com

Contact Page: https://www.cartoncloud.com/contact-us

Address: Unit 5, 27-29 Dover Drive Burleigh Heads Queensland 4220 Australia