Privacy Policy — Frayght

Who We Are

Frayght Pte. Ltd. ("Frayght", "we", "us", "our") is a technology company incorporated in Singapore. We operate the Frayght transport management platform at frayght.com.

This Privacy Policy explains how we collect, use, store, and protect personal data in connection with the Frayght platform and website. It applies to all users, including freight forwarder account holders, their staff, and cargo owner account holders.

This policy is compliant with the Personal Data Protection Act 2012 (PDPA) of Singapore. By using the Service, you consent to the practices described in this policy.

Data We Collect

We collect the following categories of personal data:

Category	Examples	Source
Account data	Name, email address, company name, job title, phone number	Provided by you at registration
Company data	Business registration details, company address, staff members	Provided by you during setup
Billing data	Billing address, subscription plan, invoice history	Provided by you; payments processed by third-party providers
Shipping documents	Bills of Lading, Air Waybills, Commercial Invoices, Packing Lists, and other freight documents	Uploaded or emailed by you or your clients
Shipment data	Shipper/consignee names, port codes, cargo descriptions, HS codes, dates	Extracted from documents you provide
Usage data	Log files, IP addresses, browser type, pages visited, feature usage, timestamps	Collected automatically when you use the Service
Communications	Messages sent via the Frayght messaging system between forwarders and cargo owners	Created by you within the platform

Frayght does not collect payment card numbers directly. Payments are processed by third-party payment providers. We receive only transaction confirmation and billing identifiers.

Why We Collect It

We collect and process personal data for the following purposes, each with a lawful basis under the PDPA:

Providing the Service — creating and managing accounts, processing documents, creating shipment jobs, and enabling the marketplace. This is necessary to perform the contract between you and Frayght.
Platform communications — sending transactional emails such as job notifications, document confirmations, team invitations, and account alerts. These are required to provide the Service.
Billing and subscription management — processing subscriptions, issuing invoices, and managing plan usage. Required for the contract.
Platform improvement — analysing usage patterns to fix bugs and improve features. Based on our legitimate interests in maintaining a high-quality service.
Security and fraud prevention — detecting and preventing abuse, unauthorised access, and illegal activity. Based on our legitimate interests and legal obligations.
Legal compliance — retaining records as required by applicable Singapore law, including the Income Tax Act and customs regulations.

We do not use your personal data for marketing purposes without your explicit consent. You may opt out of any marketing communications at any time by clicking the unsubscribe link in any email or contacting us at privacy@frayght.com.

Who We Share It With

We do not sell, rent, or trade your personal data to third parties. Full stop.

We share personal data only in the following limited circumstances:

Service Providers. We work with trusted third-party providers who process data on our behalf, bound by contractual data processing obligations:

Supabase — database hosting (PostgreSQL), located in Singapore region
Cloudflare R2 — file storage for uploaded documents
Resend — transactional email delivery
Railway — application hosting
Anthropic — document processing (documents are sent via API for field extraction; Anthropic's data usage policy applies to API usage)

Within Your Account. Staff members you invite to your freight forwarder account will have access to shipment jobs, documents, and activity logs as permitted by their assigned role (Viewer, Operator, or Admin).

Marketplace. Your forwarder profile — including company name, specialisations, trade lanes, and rating — is visible to cargo owners searching the marketplace. No personal contact details (email, phone) are shared with cargo owners through the marketplace without your explicit action.

Connected Parties. When a cargo owner is connected to your forwarder account, they can view shipment status and documents on jobs you share with them.

Legal Requirements. We may disclose personal data if required by law, court order, regulatory authority, or to protect the rights, property, or safety of Frayght, our users, or the public. We will notify affected users where permitted by law.

Data Retention

We retain personal data for as long as necessary to provide the Service and meet our legal obligations:

Data Type	Retention Period
Active account data	Duration of the account relationship
Account data after closure	30 days, then permanently deleted
Shipping documents and job records	Duration of account + 7 years (Singapore customs and commercial record-keeping requirements)
Billing and invoice records	7 years (Singapore Income Tax Act requirements)
Usage and log data	90 days
Security and audit logs	12 months

When data is deleted, it is permanently removed from our systems and from backups within 30 days. You may request earlier deletion of your personal data (subject to legal retention requirements) by contacting privacy@frayght.com.

Your Rights Under the PDPA

Under the Personal Data Protection Act 2012 (PDPA) of Singapore, you have the following rights in respect of your personal data:

Right of Access — You may request a copy of the personal data we hold about you and information about how it is being used.
Right of Correction — You may request that we correct any inaccurate or incomplete personal data we hold about you.
Right to Withdraw Consent — Where processing is based on your consent, you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before the withdrawal.
Right to Data Portability — You may request your personal data in a structured, machine-readable format.

To exercise any of these rights, submit a written request to our Data Protection Officer at privacy@frayght.com. We will respond within 30 days. We may need to verify your identity before processing requests.

We will not charge a fee for reasonable requests. For manifestly excessive or repetitive requests, we reserve the right to charge a reasonable administrative fee.

If you believe we have not complied with your PDPA rights, you may lodge a complaint with the Personal Data Protection Commission (PDPC) of Singapore at pdpc.gov.sg.

Cookies and Tracking

Frayght uses a minimal number of cookies and local storage to provide the Service. We do not use advertising cookies or third-party tracking pixels.

Session cookies — Used to maintain your authenticated session. Essential for the Service to function.
Preference cookies — Used to remember your settings (e.g., dashboard layout preferences).
Analytics — We may collect anonymised usage analytics to understand how features are used. This data is not linked to individual identities.

You can disable cookies in your browser settings, but this may affect the functionality of the Service. Essential cookies cannot be disabled without preventing the Service from working.

Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction, including:

Encryption of data in transit using TLS 1.2 or higher
Encryption of data at rest for stored documents and sensitive fields
Role-based access controls limiting staff access to data necessary for their role
Password hashing using bcrypt
Time-limited presigned URLs for document access (1-hour expiry)
Rate limiting and login lockout protection against brute-force attacks
Webhook signature verification for inbound email processing
Regular security reviews

While we take reasonable precautions, no system is completely secure. In the event of a personal data breach that is likely to result in significant harm to individuals, we will notify affected users and the PDPC as required under the PDPA Notification Obligation (effective 1 February 2021).

International Data Transfers

Frayght is operated from Singapore. Some of our service providers may process data in other countries. Where personal data is transferred outside Singapore, we ensure that appropriate safeguards are in place in accordance with the PDPA, including contractual data processing agreements that require equivalent protection to that provided in Singapore.

Current data processing locations include Singapore (primary), and regions operated by our cloud infrastructure providers. Document processing may involve servers operated by Anthropic (United States).

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes — for example, changes to what data we collect, how we use it, or who we share it with — will be communicated to registered users by email with at least 14 days' notice before taking effect.

For minor changes (such as clarifications or corrections), we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

Contact and Data Protection Officer

For any privacy-related questions, requests to exercise your PDPA rights, or to report a potential data breach, please contact:

Data Protection Officer: To be appointed — (DPO details to be updated)
Email: privacy@frayght.com
Company: Frayght Pte. Ltd., Singapore

We will acknowledge receipt of your request within 3 business days and respond in full within 30 days.

For general enquiries about the Service, contact hello@frayght.com.

For complaints to the regulator: Personal Data Protection Commission (PDPC), 10 Pasir Panjang Road, #03-01 Mapletree Business City, Singapore 117438. pdpc.gov.sg.