Last updated: May 2, 2026 · Effective: May 2, 2026
Short version: CartonFlow collects only what it needs to operate. We don't sell your data. Ever. We don't use your logistics data to train AI models. Privacy Mode tenants can encrypt their most sensitive fields client-side so even our staff can't read them.
CartonFlow is operated by Pevara Systems. When we say "CartonFlow," "we," "us," or "our," we mean Pevara Systems. Questions? [email protected] · For security and privacy specifics: [email protected]
When you create an account we collect your name, email address, company name, and password (hashed — we never store it in plaintext).
Data you enter into the platform: shipments, products, destinations, 3PL contacts, messages, invoices, and documents. This data belongs to you.
We collect standard server logs: IP address, browser type, pages visited, and timestamps. This helps us diagnose issues and improve the product.
All payment processing is handled by Stripe. CartonFlow never sees or stores your full card number. We store only your Stripe customer ID and subscription status.
If you connect FedEx or UPS accounts, we store your API credentials (encrypted at rest) solely to pull tracking data on your behalf.
If you connect an Amazon Seller Central account, we use Amazon's official SP-API via OAuth to read order, FBA inventory, and shipment data on your behalf. We never see your Amazon password. The OAuth grant is revocable from Seller Central at any time, which immediately disconnects CartonFlow from your Amazon account. We retain Amazon-derived data only as long as needed to power your dashboards and historical reporting.
Tenants who enable Privacy Mode encrypt supplier names, product names, ASINs, and SKUs in the browser before sending to our servers. The decryption key never leaves your devices. Even CartonFlow staff cannot decrypt this data — we store opaque ciphertext.
We do not use your data for advertising. We do not sell your data to third parties. We do not use your logistics data to train AI models.
We share data only with the third-party services we rely on to deliver the platform. Our complete, current subprocessor list — including the data each one processes and the region they store it in — lives at cartonflow.io/subprocessors.
Headline subprocessors:
We notify customers via email at least 30 days before adding a new subprocessor that processes customer data.
We retain your data for as long as your account is active. If you cancel, we retain your data for 90 days before permanent deletion, unless you request immediate deletion.
You have the right to access, correct, export, or delete your data at any time. Email [email protected] and we'll respond within 5 business days.
If you live in the European Economic Area or the UK, you have specific rights under the General Data Protection Regulation, including: the right to access your personal data, the right to rectification, the right to erasure ("right to be forgotten"), the right to restrict processing, the right to data portability, and the right to object to processing. We honor these requests within 30 days. To exercise your rights, email [email protected]. You also have the right to lodge a complaint with your local data protection authority.
California residents have the right to know what personal information we collect, the right to delete it, the right to correct it, and the right to opt out of the "sale" or "sharing" of personal information. We do not sell your personal information. To exercise your rights, email [email protected].
We make a Data Processing Agreement (DPA) available to any customer who needs one for procurement, GDPR compliance, or internal review. Email [email protected] to request the current DPA template.
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Passwords are hashed using Argon2id (the OWASP-recommended algorithm). We use JWT-based authentication with short-lived access tokens and longer-lived refresh tokens stored securely. Two-factor authentication is available for all accounts. Privacy Mode tenants additionally get client-side AES-GCM encryption for the most sensitive fields.
Full security architecture, subprocessor list, and operations process: cartonflow.io/security
If we discover a security incident affecting your data, we will notify you by email within 72 hours of confirmation, with a follow-up post-incident report within 7 days describing what happened, what data was affected, and what we did about it. This applies to incidents at any of our subprocessors that affect customer data as well.
Found a security issue? Please report it to [email protected]. Our coordinated disclosure policy and safe harbor terms are at cartonflow.io/security-disclosure.
We use session cookies for authentication only. We do not use advertising or tracking cookies. See our Cookie Policy for details.
CartonFlow operates from the United States. If you access the service from outside the U.S., your data is transferred to and processed in the U.S. For EU/UK customers, our DPA includes the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum to provide a lawful basis for cross-border transfers.
We'll notify you by email if we make material changes to this policy. Continued use of CartonFlow after changes constitutes acceptance. Material changes are effective 30 days after notification.
Pevara Systems