Privacy Policy — Sigil RMPD
Version: 1.1 Effective date: 29 May 2026 Last updated: 20 June 20261. Introduction and Data Controller
Sigil RMPD ("Sigil", "we", "us") is committed to protecting the personal data of its users and third parties whose data appears in processed documents.
Data Controller:FOP Makaiev Kostiantyn Oleksandrovych, RNOKPP 3142416974, Ukraine, 04136, Kyiv, 20V Ivan Vyhovsky St., Apt. 50
Email: privacy@sigil.app
This Privacy Policy explains what personal data we collect, how we use it, with whom we share it, and what rights you have under the General Data Protection Regulation (GDPR) and Ukrainian Law No. 2297-VI "On Personal Data Protection".
2. Roles: Controller and Processor
Sigil operates in two distinct legal roles depending on the category of data:
| Role | Data category | Controller | |
| Data Controller | Account data (name, email, company, billing) | Sigil | |
| Data Processor | CMR document contents uploaded by the Carrier | The Carrier's company | |
| Purpose | Legal basis | ||
| Providing the Platform service | Art. 6(1)(b) — contract performance | ||
| Processing CMR data for RMPD submission | Art. 6(1)(b) — contract performance (as processor: Carrier's instruction) | ||
| Legal obligations (SENT records, accounting) | Art. 6(1)(c) — legal obligation | ||
| Fraud prevention and system security | Art. 6(1)(f) — legitimate interest | ||
| Sending marketing communications | Art. 6(1)(a) — consent (opt-in only) | ||
| Performance monitoring and error logging (Sentry) | Art. 6(1)(f) — legitimate interest | ||
| Recipient | Country | Transfer mechanism | |
| Anthropic (OCR/AI) | USA | Standard Contractual Clauses (SCC) — Art. 46(2)(c) | |
| LiqPay / PrivatBank (payments) | Ukraine | Art. 46 GDPR + Law No. 2297-VI Art. 29(4) | |
| Sentry (error monitoring) | USA | SCC + Sentry EU data residency option | |
| Data category | Retention period | Legal basis | |
| CMR scans and RMPD declaration data | 10 years | Art. 6(1)(c) — transport law, accounting law | |
| Account and user data | Duration of contract + 30 days | Art. 6(1)(b) | |
| Billing and invoice data | 7 years | Art. 6(1)(c) — tax law | |
| System and access logs | 24 months | Art. 6(1)(f) — security | |
| PUESC audit trail | 10 years | Art. 6(1)(c) — SENT law | |
| Marketing consent records | Until consent withdrawn + 3 years | Art. 6(1)(a) + legitimate interest | |
| Sub-processor | Purpose | Location | DPA reference |
| Supabase (PostgreSQL) | Database | Frankfurt, EU | Supabase DPA |
| Render.com | Application hosting | Frankfurt, EU | Render DPA |
| Cloudflare R2 | CMR file storage | Frankfurt EU bucket | Cloudflare DPA |
| Google Cloud (Document AI) | OCR processing | EU region | Google DPA |
| Anthropic | AI field mapping | USA | Anthropic DPA |
| LiqPay / PrivatBank | Payment processing | Ukraine | LiqPay Terms |
| Sentry | Error and performance monitoring | USA (EU residency option) | Sentry DPA |
| Right | Description | ||
| Access (Art. 15) | Obtain a copy of the personal data we hold about you | ||
| Rectification (Art. 16) | Request correction of inaccurate data | ||
| Erasure (Art. 17) | Request deletion (subject to legal retention obligations) | ||
| Restriction (Art. 18) | Request restriction of processing | ||
| Portability (Art. 20) | Receive your data in a structured, machine-readable format | ||
| Objection (Art. 21) | Object to processing based on legitimate interest | ||
| Withdraw consent | Withdraw marketing consent at any time |
13. Cookies
We use cookies and similar technologies as described in our Cookie Policy (available at /legal/cookies). Analytics cookies (Sentry) are only activated after you provide consent via our cookie banner.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email to account holders at least 14 days before taking effect. The current version is always available at /legal/privacy.
15. Data Processing Agreement
If the Carrier is a legal entity processing CMR data that contains personal data of third parties (drivers, consignors, consignees), the Carrier acts as data controller and Sigil acts as data processor. The full Data Processing Agreement governing this relationship is available at /legal/dpa.
16. Supervisory Authority and Contact
Ukrainian supervisory authority for personal data protection:
Ukrainian Parliament Commissioner for Human Rights (Уповноважений Верховної Ради України з прав людини)вул. Інститутська, 21/8, Київ, 01008
hotline@ombudsman.gov.ua | www.ombudsman.gov.ua
Individuals located in the European Union may additionally lodge a complaint with the competent data protection supervisory authority of their EU Member State where GDPR applies to their situation.
You have the right to lodge a complaint with the supervisory authority at any time. We encourage you to contact us first at privacy@sigil.app — we take every concern seriously and respond promptly.