1. Who We Are (Data Controller)

Cloudjod is the data controller responsible for your personal data under this Privacy Policy. We are incorporated in the State of Wyoming, USA, with our registered office at:

Cloudjod
30 N Gould St, Suite R
Sheridan, Wyoming 82801
United States of America
Email: support@cloudjod.com

For EU/EEA data protection matters, you may contact us at support@cloudjod.com with the subject line "GDPR Inquiry."

2. What Data We Collect

We collect data in three ways: information you provide directly, information collected automatically when you use the Service, and information we receive from third parties.

2.1 Information You Provide

Category	Specific Data Points	Why Collected
Account Information	Full name, work email address, company name, EORI number (EU Economic Operators Registration and Identification), member state, estimated annual import volume (tonnes)	Account creation and service delivery
Authentication	Email address, bcrypt-hashed password (we never store the plain-text password), session tokens (stored as SHA-256 hashes only)	Identity verification and account security
Compliance Data	Embedded emission factors, import quantities, product categories, supplier names and contact details, GPS coordinates (for EUDR), due diligence responses, carbon footprint figures, material declarations	Generating regulation-compliant calculations, declarations, and reports
Payment Information	Billing contact name, billing address, subscription tier selected. Note: full credit card numbers, CVV codes, and bank account details are collected and stored exclusively by Stripe, Inc. We receive only a non-sensitive Stripe Customer ID and subscription status confirmation.	Subscription billing via Stripe
Sensitive Financial Fields	IBAN numbers (for broker payout configuration) and PayPal email addresses are encrypted at rest using AES-256-GCM field-level encryption. They are not accessible to Cloudjod staff in plain text.	Broker commission payout processing
Communications	Email content from support requests sent to support@cloudjod.com	Customer support

2.2 Information Collected Automatically

Category	Specific Data Points	Purpose
IP Addresses	IPv4 and IPv6 addresses of connecting clients. If a trusted reverse proxy is configured (Caddy/Nginx), the X-Forwarded-For header is used. Raw IPs are hashed using SHA-256 in application logs (only the first 8 hex characters are retained for correlation purposes).	Rate limiting, fraud prevention, security audit logging
Request Logs	API endpoint accessed, HTTP method, response status code, response time, timestamp. Email addresses in log lines are replaced with a short SHA-256 hash for GDPR compliance.	Debugging, performance monitoring, security incident investigation
Session Tokens	JWT tokens issued on login. Token values are stored in your browser's localStorage. On our server, only the SHA-256 hash of the token is stored — the raw token is never persisted server-side.	Maintaining authenticated sessions
Browser/Device Information	User-Agent string (browser type, operating system), screen resolution (for the web application only)	Security anomaly detection
Last Login Timestamp	The date and time of the most recent successful login	Security notifications, session management, broker client health scoring

2.3 Information We Do Not Collect

We do not collect: social media profiles, government-issued identification documents, biometric data, precise geolocation of your device (EUDR GPS coordinates are property coordinates provided voluntarily for regulatory compliance, not device location data), or any data about minors.

3. How We Use Your Data

We use your data only for the following purposes, on the legal bases noted:

• Service Delivery (Contract performance): Providing calculations, generating declarations, managing your account, and operating the platform as described in our Terms of Service.
• Security and Fraud Prevention (Legitimate interest): Rate limiting, detecting unauthorized access attempts, preventing fraudulent declaration submissions, and maintaining audit trails.
• Legal Compliance (Legal obligation): Retaining CBAM-related compliance data for the 7-year mandatory period under Art. 7, Reg. (EU) 2023/956; responding to lawful requests from regulatory or law enforcement authorities.
• Service Improvement (Legitimate interest): Using aggregated, anonymized, non-identifiable usage patterns to improve calculation accuracy and platform performance. No personal data is included in these analyses.
• Transactional Email (Contract performance / Legitimate interest): Sending account verification emails, password reset links, subscription billing notifications, and compliance deadline alerts you have configured.
• Marketing (Consent): We will only send you marketing communications if you have explicitly opted in. You may opt out at any time via the unsubscribe link in any email or by contacting support@cloudjod.com.

We do not engage in automated decision-making or profiling that produces legal or similarly significant effects, as defined in Art. 22 GDPR.

4. Third-Party Data Processors

4.1 Stripe, Inc. — Payment Processing

Stripe, Inc. (1 Global Payments, San Francisco, CA 94105, USA) processes all subscription payments on our behalf. Stripe is the exclusive payment processor for Cloudjod. When you enter payment card information, that information is transmitted directly to Stripe's servers using TLS encryption and is governed by Stripe's Privacy Policy. Cloudjod never transmits your full card number, CVV, or bank account details to our own servers — we receive only a non-sensitive Stripe Customer ID and a subscription status indicator. Stripe is PCI-DSS Level 1 certified. For questions about how Stripe handles your payment data, contact Stripe directly at privacy@stripe.com.

4.2 Email Service Providers

Transactional emails (account verification, password resets, compliance alerts, broker invitations) are sent via one of the following providers, depending on configuration:

• Postmark (Wildbit LLC, Philadelphia, PA, USA): Privacy Policy
• Resend (Resend, Inc., San Francisco, CA, USA): Privacy Policy
• SMTP relay (using your configured SMTP provider): governed by your provider's policy

We share only the recipient email address, sender name, and email content necessary to deliver the message. Email providers are prohibited from using this data for any purpose other than message delivery.

4.3 Infrastructure Provider

The Cloudjod platform is hosted on Vultr Holdings LLC (formerly Constant LLC) servers located in the European Union (Amsterdam and/or Frankfurt). Vultr acts as a data processor under a Data Processing Agreement. Server infrastructure access is restricted to authorized personnel. Vultr's privacy practices: vultr.com/legal/privacy.

4.4 Google Fonts

Our landing page loads fonts from Google Fonts APIs. When you visit cloudjod.com, your browser makes a request to Google's servers to download font files. Google may log your IP address as part of this request. This is governed by Google's Privacy Policy. The platform application itself (post-login) does not make external font requests — fonts are served from our own infrastructure.

4.5 No Other Third Parties

We do not use: Google Analytics, Facebook Pixel, Intercom, HubSpot, Salesforce, Mixpanel, Amplitude, or any other third-party analytics, advertising, or tracking services. We do not sell, rent, or share your data with any entity not listed in this Section 4.

5. Cookies and Tracking

5.1 Cookies We Use

We use a minimal set of cookies strictly necessary to operate the Service:

Cookie Name	Type	Duration	Purpose
cbam_ref	First-party, HttpOnly, Secure, SameSite=Lax	30 days	Tracks referral attribution for the referral rewards program. Contains only a referral code, not personal data. Set only when you arrive via a referral link.

5.2 localStorage

After login, your authenticated JWT token is stored in localStorage in your browser. This is not a cookie — it is not transmitted automatically with every request, reducing CSRF risk. The token is removed from localStorage when you log out.

5.3 No Third-Party Cookies

We do not use any advertising cookies, tracking pixels, or third-party analytics cookies. There is no retargeting, behavioral profiling, or cross-site tracking on our platform.

6. Data Retention

Data Type	Retention Period	Basis
Account information (name, email, company)	Duration of account + 90 days after deletion	Contract performance; fraud prevention
CBAM compliance declarations and calculations	7 years minimum (anonymized after account deletion)	Legal obligation — Art. 7, Reg. (EU) 2023/956
Application logs (hashed IPs, endpoints, status codes)	90 days	Security and operational monitoring
Payment records (Stripe Customer ID, subscription history)	7 years	Financial record-keeping obligations
Session tokens (hashed)	Until logout or 30-day session expiry	Contract performance
Email communications (support)	3 years from last interaction	Legitimate interest (dispute resolution)
Backup archives	30 days (then deleted)	Business continuity

7. Data Security

We implement the following technical and organizational security measures:

• Encryption in transit: All connections use TLS 1.2 or higher. HTTP requests are automatically redirected to HTTPS.
• Encryption at rest: Sensitive fields (IBAN, PayPal details) are encrypted using AES-256-GCM with a server-side master key. Passwords are hashed using bcrypt with a work factor calibrated to ≥100ms per verification.
• Field-level encryption: Payment-related fields are encrypted at the application layer, not just at the database level, providing defense in depth.
• No plaintext token storage: Session tokens are stored only as SHA-256 hashes server-side. A compromised database cannot be used to impersonate users.
• Rate limiting: Authentication endpoints are rate-limited to prevent brute-force attacks.
• Least-privilege access: The application binary runs as a non-root OS user with restricted filesystem access.
• Regular backups: Daily encrypted backups stored in a geographically separate EU facility.
• Security patches: We apply security patches to underlying infrastructure within 72 hours of notification.

Despite these measures, no system is perfectly secure. We cannot guarantee absolute security. In the event of a data breach affecting your personal data, we will notify you within 72 hours of becoming aware, as required by Art. 33-34 GDPR, and report to the relevant supervisory authority as required by applicable law.

8. International Data Transfers

Your User Data is stored on EU-based servers and does not routinely leave the European Economic Area. Where data is processed by US-based third-party processors (Stripe, email providers), such transfers are conducted under:

• EU Standard Contractual Clauses (SCCs) as approved by the European Commission;
• The EU-US Data Privacy Framework (DPF) where applicable; and/or
• Binding Corporate Rules (BCRs) where the processor has obtained such approval.

You may request copies of the relevant transfer mechanisms by contacting support@cloudjod.com.

9. Your Rights — GDPR (EU/EEA Users)

• Right of Access (Art. 15): You have the right to obtain confirmation that we process your personal data and to receive a copy of that data in a commonly used electronic format.
• Right to Rectification (Art. 16): You have the right to correct inaccurate personal data. Most account data can be updated directly via Settings → Profile.
• Right to Erasure (Art. 17): You have the right to request deletion of your personal data. Note: CBAM compliance records subject to Art. 7, Reg. (EU) 2023/956 mandatory retention cannot be deleted until the statutory period expires. All other data will be deleted within 30 days of a verified request.
• Right to Restriction of Processing (Art. 18): You have the right to request that we restrict processing of your personal data in certain circumstances.
• Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON) and to transmit it to another controller.
• Right to Object (Art. 21): You have the right to object to processing based on legitimate interests, including any use of your data for service improvement or analytics.
• Right to Withdraw Consent (Art. 7): Where processing is based on consent (e.g., marketing emails), you may withdraw consent at any time without affecting the lawfulness of prior processing.
• Right to Lodge a Complaint: You have the right to lodge a complaint with your national data protection supervisory authority. For EU-wide complaints, you may also use the EU online dispute resolution platform at ec.europa.eu/consumers/odr.

Our legal bases for processing under GDPR are: (a) performance of a contract (Art. 6(1)(b)) for service delivery; (b) compliance with a legal obligation (Art. 6(1)(c)) for regulatory data retention; (c) legitimate interests (Art. 6(1)(f)) for security and service improvement; and (d) consent (Art. 6(1)(a)) for marketing communications.

10. Your Rights — CCPA (California Users)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

• Right to Know: You have the right to request disclosure of the categories of personal information we collect and the specific pieces of information we hold about you.
• Right to Delete: You have the right to request deletion of personal information we have collected about you, subject to applicable legal exceptions.
• Right to Correct: You have the right to correct inaccurate personal information.
• Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information with third parties for cross-context behavioral advertising. No opt-out action is necessary.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
• Right to Limit Use of Sensitive Personal Information: We use sensitive personal information (such as financial account details) only to provide the Service, not for inferring characteristics about you or for advertising.

To exercise CCPA rights, submit a verifiable consumer request to support@cloudjod.com. We will respond within 45 days. Verification may require confirming the email address associated with your account.

In the preceding 12 months, we have not sold personal information to any third party.

11. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child under 18, we will take immediate steps to delete that information. If you believe we may have collected information from a child, please contact us immediately at support@cloudjod.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will: (a) send a notification email to your registered address at least 14 days before the changes take effect; and (b) display a prominent notice on the Service. The "Last Updated" date at the top of this page will reflect the most recent revision.

Continued use of the Service after the effective date of any changes constitutes acceptance of the revised Privacy Policy. If you do not agree to the changes, you must stop using the Service and delete your account before the effective date.

13. Contact and Data Protection Officer

For any privacy-related questions, requests to exercise your rights, or data protection concerns, contact us at:

Cloudjod — Data Protection
30 N Gould St, Suite R
Sheridan, Wyoming 82801
United States of America
Email: support@cloudjod.com
Subject line: "Privacy Request" or "GDPR Inquiry" or "CCPA Request"

We aim to acknowledge all privacy requests within 5 business days and complete them within 30 days (or 45 days for complex CCPA requests). We will confirm receipt and provide a reference number for tracking purposes.

This Privacy Policy was last updated on May 20, 2026.