Freight Exchange Pty Ltd (“FreightExchange”, “we”, “us”) operates a global freight management platform. This policy applies to all individuals who interact with our website (freightexchange.com.au), platform (portal.freightexchange.com.au), or services, regardless of location.
We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). Where we process personal data of individuals in the European Economic Area or United Kingdom, we also comply with the EU General Data Protection Regulation (GDPR) and UK GDPR respectively. For individuals in other jurisdictions, we apply the standards of applicable local law. Where no local law applies, we apply Australian APP standards as our baseline.
Questions can be directed to our Privacy Officer at tech@freightexchange.com.au.
FreightExchange acts as:
- Data Controller – for personal data we collect directly from users of our website and platform (account data, usage data, marketing communications).
- Data Processor – for personal data submitted by business customers (freight senders, recipients, and consignment data). In this role, we process data on the instructions of our customers, who are the Data Controllers. Individuals whose data is included in a customer’s freight bookings should contact that customer in the first instance.
Our Data Protection contact is: tech@freightexchange.com.au
Note: EU and UK Article 27 representatives will be appointed prior to processing personal data of EEA or UK residents at material scale. Contact details will be published at freightexchange.com.au/privacy-policy when appointed.
| Category | Examples |
|---|---|
| Account and identity | Name, company, email, phone number, postal address, username |
| Freight and shipment data | Sender/recipient names, pickup and delivery addresses, consignment details, carrier bookings, tracking information |
| Billing | Company billing details, invoice data. Payment card details are processed by Braintree (PayPal) – we do not store full card numbers |
| Technical and usage | IP address, browser type, device identifiers, session tokens, platform usage patterns |
| Support | Details of enquiries, complaints, and communications |
We do not collect sensitive or special category personal data (including health, racial or ethnic origin, religious beliefs, or biometric data).
For individuals in the EEA and UK, we rely on the following legal bases under GDPR Article 6. Equivalent justifications apply under other applicable privacy laws.
| Processing Activity | GDPR Legal Basis | Other Framework Equivalent |
|---|---|---|
| Providing the platform and processing freight bookings | Contract (Art. 6(1)(b)) | Necessary for service (APPs, PIPEDA) |
| Regulatory compliance: customs, CoR, sanctions, dangerous goods | Legal obligation (Art. 6(1)(c)) | Authorised/required by law (APPs) |
| Account security, fraud prevention, audit logging | Legitimate interests (Art. 6(1)(f)) | Legitimate business purpose |
| Platform analytics and performance improvement | Legitimate interests (Art. 6(1)(f)) | Legitimate business purpose |
| Marketing communications (opt-in) | Consent (Art. 6(1)(a)) | Consent (APPs, Spam Act 2003) |
| Responding to support enquiries | Contract / Legitimate interests | Necessary for service |
You may withdraw consent for marketing at any time without affecting the lawfulness of prior processing.
Providing and managing freight management services: bookings, consignment notes, quotes, tracking, and notifications.
Meeting mandatory legal obligations including Chain of Responsibility (CoR) under the Heavy Vehicle National Law, customs and biosecurity declarations, sanctions screening, and dangerous goods compliance.
Platform security, fraud detection, and technical support.
Analytics and service improvement (aggregated and pseudonymised where practicable).
Marketing communications where you have opted in or we are otherwise permitted by law.
We do not use personal data for solely automated decision-making that produces legal or similarly significant effects.
| Provider | Location | Service | Personal data received |
|---|---|---|---|
| Amazon Web Services | Australia and USA | Cloud hosting, storage, databases, compute | All customer data |
| Braintree (PayPal) | USA | Payment processing | Billing name, billing address |
| Freshdesk (Freshworks) | USA and India | Customer support ticketing | Name, email address, support request content |
| Mailchimp (Intuit) | USA | Transactional and marketing email | Name, email address |
| Twilio | USA | SMS notifications and two-factor authentication | Mobile phone number, name |
| Google Workspace | USA | Email, document storage, and internal collaboration | Customer and company name, email addresses, phone numbers |
| HubSpot | USA | Marketing communications and customer engagement | Name, email address, engagement data |
| Brevo | France | Marketing communications and customer engagement | Name, email address, company name |
| Xero | New Zealand and Australia | Accounting and invoicing | Billing name, billing address, invoice data |
| CreditorWatch | Australia | Credit risk assessment and business verification | Company name, ABN, business contact details |
| Paperform | Australia and USA | Online forms and data collection | Name, email address, form submission data |
We conduct due diligence before engaging any service provider and require each to meet our data protection standards. We will let you know about changes to this list only where required by law or by a data processing agreement with you.
When you book a shipment, sender and recipient names, contact details, and consignment information are shared with the selected carrier. This is necessary to fulfil the booking.
We disclose personal data to customs authorities, the Australian Border Force, the NHVR, biosecurity authorities, and other regulatory bodies where required by law. See Section 8.
We do not sell, rent, or share personal data with third parties for their own commercial purposes, including cross-context behavioural advertising.
Our primary infrastructure is hosted in Australia (AWS Sydney, ap-southeast-2). Several sub-processors are located in the United States and the EU. Where personal data is transferred internationally, we ensure an adequate level of protection through one or more of the following mechanisms:
- Standard Contractual Clauses (EU Commission Decision 2021/914) for transfers of EEA personal data.
- UK International Data Transfer Addendum (IDTA) for transfers of UK personal data.
- Contractual obligations consistent with APP 8 for transfers from Australia.
- Data Processing Agreements with all sub-processors incorporating applicable transfer mechanisms.
AWS holds ISO 27001 certification and SOC 2 Type II compliance.
FreightExchange is subject to mandatory data collection and accuracy obligations under Australian and international law, including: Chain of Responsibility (CoR) under the Heavy Vehicle National Law; Customs Act 1901 (Cth) and Biosecurity Act 2015 (Cth); the National Heavy Vehicle System (NHVS); dangerous goods codes (ADG, IATA DGR, IMDG); international customs frameworks (WCO, WTO, ICAO, IMO/SOLAS); and sanctions laws including the Autonomous Sanctions Act 2011 (Cth), UN, US OFAC, and EU sanctions regimes.
Where these obligations apply, the following privacy rights are limited to the extent permitted by law:
- Erasure: mandatory regulatory records (typically retained 5–7 years) cannot be erased on request during the applicable retention period.
- Restriction: data required for active CoR compliance, customs declarations, or sanctions screening cannot be restricted while a consignment is in progress or under regulatory review.
- Correction: corrections to data already transmitted to regulatory authorities must be directed to those authorities.
FreightExchange is a logistics platform. The accuracy, completeness, and lawfulness of data submitted through the platform is the responsibility of the submitting party. By submitting data, customers, users, and consignors warrant that it is accurate, complete, and compliant with all applicable law.
FreightExchange accepts no responsibility or liability for inaccurate, incomplete, or false data submitted by customers, users, consignors, consignees, or any other party – including misdescription of goods, false customs values, incorrect dangerous goods classifications, or false identity information – nor for any resulting regulatory penalties, delays, safety incidents, or sanctions breaches.
FreightExchange accepts privacy responsibility only to the extent required by applicable privacy law in its role as Controller or Processor. Nothing in this section limits liability that cannot be excluded under applicable mandatory law.
| Data Type | Retention Period |
|---|---|
| Account data | Duration of subscription plus 3 years |
| Shipment and transactional data | Duration of subscription plus 7 years (customs/regulatory requirement) |
| Marketing contact data | Until opt-out or deletion request |
| Security and audit logs | 2 years |
| Support records | 3 years from resolution |
We conduct quarterly data reviews to identify and securely delete information no longer required. Where retention is required by law beyond these periods, we will notify you of the basis and duration.
Subject to applicable law and the limitations in Section 8, you have the following rights in relation to your personal data:
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Rectification | Request correction of inaccurate or incomplete data |
| Erasure | Request deletion of your data where no legal retention obligation applies |
| Restriction | Request that we limit processing of your data in certain circumstances |
| Portability | Receive your data in a structured, machine-readable format (GDPR / UK GDPR) |
| Object | Object to processing based on legitimate interests or for direct marketing |
| Withdraw consent | Withdraw consent for marketing or other consent-based processing at any time |
| Lodge a complaint | Complain to your local supervisory authority (see Section 13) |
To exercise any right, contact us at tech@freightexchange.com.au or www.freightexchange.com.au/privacy-request. We will respond within 30 days (extendable to 90 days for complex requests under GDPR, with notice). We may verify your identity before processing requests.
All personal data is hosted on AWS infrastructure in the Sydney region. Data in transit is encrypted using TLS 1.2 or higher; data at rest is encrypted using AES-256. Access is restricted using role-based controls and enforced multi-factor authentication for privileged accounts. We conduct weekly vulnerability scanning and annual penetration testing. Audit logs are retained on Amazon S3.
We maintain a documented breach response programme. In the event of a personal data breach:
- We will notify affected business customers within 24 hours of becoming aware of a suspected breach affecting their data.
- Where required under the Australian NDB scheme (Part IIIC, Privacy Act), we will notify the OAIC and affected individuals as soon as practicable.
- Where required under GDPR or UK GDPR, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay where the breach is likely to result in high risk.
You have the right to lodge a complaint with the supervisory authority in your jurisdiction. Key authorities include:
| Jurisdiction | Authority and Contact |
|---|---|
| Australia | Office of the Australian Information Commissioner (OAIC) – www.oaic.gov.au, 1300 363 992 |
| European Union | Your national data protection authority – edpb.europa.eu/about-edpb/about-edpb/members |
| United Kingdom | Information Commissioner’s Office (ICO) – ico.org.uk, 0303 123 1113 |
| United States (California) | California Privacy Protection Agency – cppa.ca.gov |
| Canada | Office of the Privacy Commissioner – priv.gc.ca |
| Other jurisdictions | Contact us and we will direct you to the appropriate authority |
Our website uses essential cookies (required for platform operation), analytics cookies (to understand usage patterns), and marketing cookies (to deliver relevant content). Analytics and marketing cookies are only set where you have consented. You can manage preferences through your browser or our cookie preference centre at freightexchange.com.au. Disabling essential cookies may affect platform functionality.
| Contact | Details |
|---|---|
| Privacy Officer | tech@freightexchange.com.au |
| Support | support@freightexchange.com.au |
| Privacy requests | www.freightexchange.com.au/privacy-request |
| Postal address | 207/46 Kippax Street, Surry Hills NSW 2010, Australia |
| Business hours | Monday to Friday, 9:00am – 5:00pm AEST |
We may update this policy from time to time. Material changes will be notified to registered users by email at least 30 days before taking effect. Where GDPR applies and the change affects consent-based processing, we will seek renewed consent where required. The current version is always available at freightexchange.com.au/privacy-policy.
Effective Date: 13 March 2026