
Privacy Policy

Last updated: May 1, 2026

This policy explains how eCMR Capture processes personal data about you and the data subjects appearing on the documents you upload, in accordance with Regulation (EU) 2016/679 (the “GDPR”) and the Lithuanian Law on Legal Protection of Personal Data (“ADTAĮ”).

1. Controller

Name        Karolis Paulikas
Form        Sole trader (LT “individuali veikla”)
Reg. no.    848907
Address     Vilnius, Lithuania (exact address provided on request)
Email       info@ecmrcapture.com
DPO         No DPO appointed — the activity does not trigger mandatory appointment under GDPR Art. 37. The controller handles requests directly.

2. Categories of personal data

We process only what we need to deliver the service.

2.1 Account data

Name, business name, email, billing data, sole-trader / VAT number, last four digits of the payment card (held by Stripe — we never see or store the full PAN).

2.2 CMR document content

Data appearing in CMR waybill photos uploaded to the platform — sender and consignee names and addresses, driver name, signature image, vehicle plate numbers, and route GPS coordinates where present on the document.

2.3 Telemetry

IP address, browser type, session events, error traces — collected only to the extent needed for service security and operation.

3. Legal bases under GDPR Art. 6(1)

  • Contract (b): to provide the service — create your account, process documents, issue invoices.
  • Legitimate interest (f): targeted B2B outreach to publicly listed business contacts (legitimate interest assessment kept on file by the controller; scope is narrow; opt-out included in every email).
  • Legal obligation (c): accounting and tax records under the Lithuanian Tax Administration Law (MAĮ) and VAT Law.

4. Sub-processors and international transfers

We rely on the following sub-processors. All are bound under GDPR Art. 28.

Processor          Role                          Region            Transfer mechanism
─────────────────────────────────────────────────────────────────────────────────────────
Vercel             Hosting, static delivery      EU (Frankfurt)    Intra-EU
Supabase           DB + auth                     EU (eu-central-1) Intra-EU
Stripe Payments    Payment processing            EEA               Intra-EEA + SCCs
Europe Ltd.
OpenAI             Vision extraction             USA               SCCs (M2) + DPA
Resend             Transactional email           EU                Intra-EU
Cal.com            Booking                       EU                Intra-EU
Cloudflare         DNS, CDN, email routing       Anycast           SCCs + supplementary
                                                                   measures

Transfer impact note. OpenAI transfers data to the United States. We rely on Standard Contractual Clauses (Module 2), the OpenAI Enterprise DPA, and technical measures (no model training on your data, 30-day retention at the provider). An EU-only extraction tier is on the roadmap and will eliminate this transfer.

New sub-processors are introduced only after 30 days’ prior email notice. You may object and terminate the contract without penalty.

5. Retention

Category                            Retention
──────────────────────────────────────────────────────────────────────────
Account data                        Subscription term + 6 months
CMR document originals              90 days by default
                                    (configurable down to 24 hours)
Extracted JSON fields               Subscription term,
                                    unless deleted earlier by customer
Invoices and tax records            10 years (LT MAĮ Art. 39)
Telemetry and security logs         12 months
Cold-outreach contacts              24 months or until opt-out

6. Your rights under GDPR Art. 12–22

  • Access (Art. 15)
  • Rectification (Art. 16)
  • Erasure (“right to be forgotten”, Art. 17)
  • Restriction of processing (Art. 18)
  • Data portability (Art. 20)
  • Objection to processing under legitimate interest (Art. 21)
  • Not to be subject to a solely automated decision producing legal effects (Art. 22) — see section 8.

Send requests to info@ecmrcapture.com. We respond within 30 days. If you believe your rights have been infringed, you may lodge a complaint with the State Data Protection Inspectorate (VDAI):

State Data Protection Inspectorate (VDAI)
L. Sapiegos g. 17, 10312 Vilnius, Lithuania
ada@ada.lt
https://vdai.lrv.lt

7. Cookies

We use only strictly necessary cookies — an authentication session identifier and a CSRF token. No analytics cookies and no third-party tracking pixels in v1. If we add analytics later, we will deploy an ePrivacy-compliant consent banner.

8. AI and automated decisions

We do not make solely automated decisions producing legal or similarly significant effects on you (GDPR Art. 22). The vision model extracts 24 fields from a CMR photo; any field with a confidence score below 0.9 is routed to human review in your dashboard.

Under EU AI Act Art. 50, this extraction is a non-high-risk, transparency-bound use; all extracted fields are labelled as AI-generated, and the user determines their final legal validity.

9. Changes to this policy

We notify you by email at least 30 days before material changes take effect. The revision date appears at the top of this page.

10. Contact

Questions about this policy or requests to exercise GDPR rights — info@ecmrcapture.com.