Privacy Policy
§1. Data controller
The controller of your personal data is closemrn.com (operated by CloseMRN Paweł Dubel, ul. Piłsudskiego 36 lok. 87, 10-577 Olsztyn, Poland, VAT ID PL5214052379). Contact details of the controller are available at /en.
For any matter concerning your personal data, please contact us at support@closemrn.com.
§2. What data we collect
When you use the Service, we collect and process the following categories of personal data:
- email address (registration and login)
- company name and VAT / tax ID number (client identification)
- phone number (communication regarding orders)
- port filing data (MRN, exporter details, container number, port of exit)
- invoicing data (on request)
- technical data (IP address, access logs, session cookies, device and browser metadata)
- content of emails sent to us in connection with orders - such emails may contain personal data of third parties (contacts at the Client’s counterparties, carriers, terminal staff).
§3. Purpose and legal basis
We process personal data for the following purposes:
- performance of the Service Agreement with the Client - Article 6(1)(b) of Regulation (EU) 2016/679 (GDPR);
- compliance with legal obligations (in particular tax and accounting obligations) - Article 6(1)(c) GDPR;
- legitimate interests of the controller, including security of the service, prevention of fraud, and the establishment, exercise or defence of legal claims - Article 6(1)(f) GDPR;
- processing the content of emails sent to us by or about the Client in connection with the handling of orders - Article 6(1)(f) GDPR (legitimate interest in handling commercial correspondence).
§4. Retention
We retain personal data for as long as necessary to perform the Service and, after termination, for the period required by law. In particular:
- transactional data (orders, invoices): 5 years from the end of the tax year in which the service was performed (Polish tax law), extended to 10 years for German clients where the German Commercial Code (§ 257 HGB) and Tax Code (§ 147 AO) apply;
- content of incoming emails: anonymised after 24 months from the last action on the relevant case, metadata retained for statistical purposes;
- technical and analytics data: 90 days (event level) / 365 days (aggregated level);
- audit logs: 5 years.
§5. Your rights
Under the GDPR you have the right to:
- access your personal data (Article 15);
- rectification (Article 16);
- erasure - the “right to be forgotten” (Article 17);
- restriction of processing (Article 18);
- data portability (Article 20);
- object to processing (Article 21).
You also have the right to lodge a complaint with a supervisory authority. The lead supervisory authority for closemrn.com is the Polish Data Protection Authority (Prezes Urzędu Ochrony Danych Osobowych, uodo.gov.pl). You may also contact the supervisory authority of your Member State of residence or habitual work.
§6. Recipients of data - sub-processors
We engage the following sub-processors and recipients to provide the Service. An up-to-date list is published at /en/subprocessors.
| Sub-processor | Role | Location / transfer |
|---|---|---|
| MongoDB (self-hosted) | Database (all personal data) | EU (OVH VPS, France) |
| Amazon Web Services EMEA SARL (S3) | Storage of order attachments | EU region |
| Twilio, Inc. | WhatsApp Business messaging | USA - DPF + SCC |
| Google LLC - Gmail API | Processing of our business mailbox + transactional email delivery | USA - DPF |
| Google LLC - Cloud Vision API | OCR of order documents | USA - DPF |
| Google Cloud - Pub/Sub | Push notifications for Gmail | USA - DPF |
| Fakturownia Sp. z o.o. | Invoice issuance | Poland |
| OVH SAS | Application hosting (VPS) | EU (France - Roubaix/Strasbourg/Gravelines) |
| OpenAI, Ireland Limited | Document text extraction (incoming-email parsing only - no decisions on user accounts/contracts) | USA - SCC |
We do not sell personal data and we do not share it with third parties other than those listed above, except where required by law or to respond to lawful requests from public authorities.
§7. International transfers
Some of our sub-processors are established outside the European Economic Area, primarily in the United States. Transfers to these recipients are carried out in accordance with Chapter V of the GDPR, relying on:
- the European Commission’s adequacy decision (EU) 2023/1795 - EU-U.S. Data Privacy Framework - for recipients certified under the DPF Active List;
- the Standard Contractual Clauses set out in Commission Implementing Decision (EU) 2021/914, for any transfers not covered by the adequacy decision.
On request, we will provide information about the safeguards in place for any specific transfer.
§8. Security
We implement appropriate technical and organisational measures in accordance with Article 32 GDPR, including TLS 1.2+ encryption in transit, encryption at rest, role-based access control, multi-factor authentication on administrative accounts, comprehensive audit logging, automated backups, and documented incident response procedures.
§9. Cookies
closemrn.com uses cookies and similar technologies (Local Storage / Session Storage) only as strictly necessary, plus optional analytics storage activated only after your consent given via the cookie banner (Planet49 / GDPR Art. 7).
| Name | Category | Provider | Duration | Purpose |
|---|---|---|---|---|
cookie-consent-v1 | Essential | closemrn.com | 12 months | Stores your cookie consent choice |
fp (Local Storage) | Analytics | closemrn.com | 12 months | Anonymous device identifier (consent only) |
sid (Session Storage) | Analytics | closemrn.com | until tab close | Browsing session ID (consent only) |
| Authenticated session | Essential | closemrn.com | until logout | Authentication and CSRF protection |
You can change your choice anytime by clicking "Cookies" in the footer or by clearing the cookie-consent-v1 entry in your browser to see the banner again. You may also block cookies in your browser settings, which may limit Service functionality.
§10. Automated decision-making
We do not use your personal data for automated decision-making, including profiling, within the meaning of Article 22 GDPR. Document parsing of incoming emails uses AI assistance (OpenAI text extraction and Google Cloud Vision OCR) for technical data transcription only - no AI-based decisions are made on user accounts, contracts, or service eligibility.
§11. Data protection contact
For any matter regarding this Privacy Policy or your personal data, please contact us at support@closemrn.com.
Last updated: 12 April 2026.