Privacy Policy

This privacy policy explains how we collect, use, store and share personal data across our website and platform. It applies to supplier users, end customers, and website visitors. References to "Shipio", "we", "us" and "our" mean TOKONEY Limited trading as Shipio.

Supplier users

• Account and identity data: name, email address, job title, organisation name, and related account details.
• Organisational data: division assignments, user roles and permissions within the supplier organisation.
• Payment setup data: business details submitted during payment onboarding, including business name, entity type, country and bank or payout details, to the extent needed to manage the payment integration. We do not store full payment card details.
• Platform usage data: interactions with the platform, feature usage, quote creation and editing activity, pricing configuration changes, and workflow actions.
• Communications: emails and messages exchanged with us for support, onboarding, commercial or operational purposes.
• Terms acceptance records: date, time, user identity, method and version of terms accepted.

End customers

End-customer data is usually provided to us by the supplier you are dealing with, including where that supplier uploads information into the platform, sends it through an integration, or causes it to be processed through configured workflows. This typically includes:

• Contact data: name, email address, phone number, company name.
• Shipment data: collection and delivery addresses, inventory descriptions, declared values, customs information and special handling requirements.
• Payment data: payment transactions are processed on behalf of the supplier. We do not store end-customer payment card details. We may store invoice references, payment status and transaction amounts.

Website visitors

• Technical data: IP address, browser type, device information, pages visited and referral source.
• Analytics data: website and product interaction data used to understand how our website and platform are used.

As a processor

When processing end-customer data on behalf of suppliers, we act on the supplier's instructions as defined by their use of the platform and configured workflows. This may include generating quotes, creating bookings, producing invoices, sending payment requests and supporting payment flows. The supplier is responsible for having a lawful basis for this processing.

We share personal data only where necessary to operate the platform and provide our services. We do not sell personal data.

We may share personal data with the following categories of recipients:

• cloud hosting, infrastructure, database and storage providers;
• authentication and identity providers, including Clerk;
• payment processors and payment-services providers, including Stripe;
• transactional email and communications providers;
• analytics and product-usage providers, including PostHog;
• AI inference and document-processing providers;
• mapping, geolocation and address-validation providers;
• marketing communications providers;
• professional advisers, auditors, insurers and other business advisers;
• regulators, law enforcement, courts and other authorities where required.

A current list of our main service providers and subprocessors is available on request.

Partner suppliers

Where a supplier uses the platform to request pricing or services from a partner supplier, relevant shipment data such as inventory, addresses, packing details and customs information may be shared with that partner supplier through the platform. End-customer identity is not shared by default.

Legal and regulatory disclosures

We may disclose personal data where required by law, regulation, legal process or enforceable government request, or where necessary to protect the rights, property or safety of Shipio, our users or others.

Our service providers may operate in multiple jurisdictions. Where personal data is transferred outside the United Kingdom or European Economic Area, we will ensure that appropriate safeguards are in place as required by applicable data protection law, including approved standard contractual clauses or reliance on an adequacy decision where available.

When retention periods expire, we will delete or anonymise personal data unless further retention is required by law or reasonably necessary to establish, exercise or defend legal claims.

Shipio platform (app)

We use cookies and similar technologies for platform functionality, security, session management and limited analytics. We use PostHog for product analytics within the platform to help us understand how the platform is used and improve the product.

Shipio website (www.shipio.app)

We use cookies and similar technologies on our website for site functionality, security and limited analytics to understand website usage and improve our services. We do not currently use cookies for advertising or cross-site behavioural tracking.

Where consent is required for cookies or similar technologies, we will obtain it through an appropriate consent mechanism. You can also manage cookies through your browser settings, although disabling certain cookies may affect site or platform functionality.

Under UK data protection law, you have the following rights in relation to your personal data:

• Access — request a copy of the personal data we hold about you.
• Rectification — request correction of inaccurate or incomplete data.
• Erasure — request deletion of your data, subject to our legal retention obligations.
• Restriction — request that we restrict processing in certain circumstances.
• Data portability — request your data in a structured, commonly used, machine-readable format.
• Objection — object to processing based on legitimate interests.
• Withdraw consent — where processing is based on consent, withdraw it at any time.

Right to object

Where we process your personal data on the basis of legitimate interests, you have the right to object to that processing. You can do this by contacting us using the details in section 13.

Automated decision-making

We use AI-assisted processing to help suppliers extract information from documents, interpret quote requests and prepare draft workflow outputs. At present, these outputs are subject to supplier review and approval before they are acted on. If we introduce any feature that involves solely automated decision-making about individuals with legal or similarly significant effects, we will update this privacy policy and provide any additional information and safeguards required by applicable data protection law.

If you are an end customer

Your data is usually processed by Shipio on behalf of the supplier you are dealing with. To exercise your rights, please contact that supplier directly in the first instance. If you need further assistance, you can contact us and we will help direct your request where appropriate.

If you are a supplier user or website visitor

You can contact us directly using the details in section 13 below. We will respond to valid requests within one month, or notify you if we need an extension.

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, role-based permissions, database security controls, and regular security reviews of our infrastructure and third-party providers.

The Shipio platform is a B2B service for business users. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have collected personal data from a child, we will delete it promptly.

We may update this policy from time to time. If we make material changes, we will notify supplier users by email or in-product notice where appropriate. The updated policy will be published at https://www.shipio.app/privacy with the revised date shown above.