Privacy Policy

Last updated: August 2025

Data Protection and Privacy Statement

In this privacy notice, we inform you about the processing of your personal data in connection with the use of the CARGOLABS web application (“App”).

1. The person responsible under the data protection law

The controller for the processing described herein is: Lufthansa Innovation Hub GmbH, Brunnenstrasse 19-21, 10119 Berlin, Germany represented by its managing director Xavier Lagardère; email: datenschutz@lh-innovationhub.com

The Group Data Protection Officer – FRA CJ/D can be reached as follows: datenschutz@dlh.de, Deutsche Lufthansa AG, Airportring – LAC, 60546 Frankfurt, Germany.

Lufthansa Innovation Hub acts as the controller of your personal data within the meaning of the European Union Data Protection Regulation (“GDPR”) and the German Federal Data Protection Act (“BDSG”).

2. Your personal data

The following personal data is processed in the course of using the platform:

  • First and last name
  • Salutation
  • Email address
  • Phone number
  • Company name

3. Purposes and legal bases of the processing

a) User contract

The data we collect is processed by us to fulfill the services offered in the App (“usage contract”) (Art. 6 para. 1 p. 1 lit. b GDPR - contract performance and pre-contractual measures).

b) Promotional communication

During the registration process or later in your account, you have the option of granting us consent to send you information and individual offers regarding the App's services and to contact you for this purpose by electronic means of communication (via e-mail).

If you have given us the corresponding consent, we will process your contact data (i.e. name and email address) in order to send you the information and individual offers (Art. 6 para. 1 p. 1 lit. a GDPR - Consent).

You have the right to revoke your consent at any time by clicking “Unsubscribe” on any promotional email that you receive. For more information on your right of revocation, please refer to section 7 of this data protection notice. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

c) Automated communication and interaction

Within the scope of the establishment, performance, and/or termination of contracts, the controller has automated parts of its communication with you. In the process, the controller processes all communication data of the data subjects that trigger automatic responses by this controller, such as the shipping or delivery of a product or service. In this regard, it controls (1) the collection of your personal data during measures to prepare for the relevant contract, (2) the communication required in order to establish, perform, and/or terminate the contract (particularly via email) with the data subjects, and (3) the shipping or delivery of the products and/or services.

Data that are processed: (1) All contact and order data entered by you; (2) where applicable, payment data; (3) data regarding the shipping or delivery; and (4) data concerning the assertion of rights of data subjects and the response of this controller.

Third-party provider: The automation tool MailChimp from Rocket Science Group LLC (USA) is used. For further details on the nature and manner of processing by this third-party provider, please consult the following links: https://mailchimp.com/marketing-platform/ and https://mailchimp.com/features/email/. The fact that the provider is based outside the European Union does not conflict with the processing. This is because the provider has undertaken an obligation in accordance with the EU standard contractual clauses (Article 46 GDPR).

d) Other purposes

In addition, we process your data for the purpose of fraud prevention and assertion of legal claims (Art. 6 para. 1 p. 1 lit. f GDPR - safeguarding legitimate interests - entrepreneurial interest in protecting the company against material and immaterial damage).

4. Recipients of your data

a) In order to be able to offer you our services, we use service providers such as IT service providers as processors in accordance with Art. 28 GDPR. The service providers have been carefully selected and work exclusively according to our instructions. They provide sufficient guarantees for compliance with data protection obligations.

d) Where personal data is transferred to third countries, appropriate safeguards are in place to protect you and your data in accordance with legal requirements (in particular, EU adequacy decision, and application of EU standard contractual clauses; information on EU standard contractual clauses can be found on the websites of the European Union). Furthermore, in certain cases, we are legally obliged to provide personal data to German and international authorities (Art. 6 para. 1 p. 1 lit. c GDPR - legal obligation).

The data collected by us will not be transmitted to other third parties.

5. Duration of storage

We process your data as long as it is necessary for the fulfilment of our contractual and legal obligations. When the purpose for which your data was processed ceases to apply, it will be deleted, unless its retention is required for the following purposes:

  • Fulfilment of retention periods under commercial and tax law, such as those arising from the German Commercial Code or the German Fiscal Code; these periods are up to 10 years.
  • Preservation of evidence within the framework of the statute of limitations. According to §§ 195 ff. of the German Civil Code (BGB), these limitation periods can be up to 30 years, with the regular limitation period being three years.

In these cases, your data will be blocked so that it can no longer be processed for other purposes.

6. Your data subject rights

6.1. Rights

a) Data subjects have the following rights with regard to the data stored concerning them personally: the right of access to information, the right to rectification of inaccurate data, the right to erasure of data for which there is no longer any reason for storage, and the rights to restriction of processing and to data portability. Moreover, they have the right to lodge a complaint with the supervisory authority with jurisdiction over the controller.

b) Where the processing is based on consent granted by the data subjects, the data subjects are permitted to withdraw that consent at any time, with effect for the future. This can be done, for example, by sending a message via any of the contact channels mentioned above (controller), with no particular form required.

c) Where the processing is based on fulfillment of a legitimate interest, meaning on point (f) of Article 6(1) of the EU General Data Protection Regulation (GDPR), the data subjects are permitted to object to the processing at any time. This can be done, for example, by sending a message via any of the contact channels mentioned above (controller), with no particular form required. If the objection is justified, the processing will be discontinued. Where the legitimate interest lies in direct marketing, an objection is always deemed to be justified.

6.2 Competent supervisory authority

The competent supervisory authority for the Lufthansa Innovation Hub is: Berlin Commissioner for Data Protection and Freedom of Information, Alt-Moabit 59-61, 10555 Berlin; Tel.: 0049-30-13889-0; Fax: 0049-30-2155050; Email: mailbox@datenschutz-berlin.de

7. Deletion of your account

If you no longer wish to use the services of the Platform, you can delete your account at any time. Your personal data collected in the course of using the Platform will then be deleted immediately - subject to conflicting retention reasons and obligations.

You can delete your account yourself by contacting us at support@cargolabs.ai. Likewise, we reserve the right to delete your account if you have not used it for 2 years.

8. Analytics tools and cookies

In brief: The controller uses cookies to analyze use behavior on and interaction with this website. After that, the controller analyzes and interprets this information to be able to design this website on an even more targeted basis.

Processing in detail: What are known as cookies are used to analyze user behavior by data subjects on this website. These are text files that are stored on the computer of data subjects and enable analysis of the use of the website. The information on use behavior is used to create reports on activity and interactions. This controller uses these data to be able to improve the use experience on the website on a regular basis. The controller can also use the statistics generated to improve what it offers in order to steer the interest of data subjects on a more targeted basis toward products and services that are suitable for them.

Data that are processed: Cookie-based data regarding the interactions (especially sequence of interactions, duration of stay).

Third-party provider: The analytical tool Google Analytics from Google Ireland Ltd. (Ireland, EU) is used in conjunction with the analysis of use behavior. This entity has been engaged in accordance with Article 28 GDPR. For further details on the nature and manner of processing by this third-party provider, please consult the following link: https://support.google.com/analytics/answer/9306384?hl=de. The following is added on this point: The IP address is truncated (shortened) beforehand by the provider within Member States of the European Union or in other states that are signatories to the Agreement on the European Economic Area. Only in isolated cases is the full IP address transferred to a server of the provider in the United States and truncated there. The IP address transferred by the browser within the scope of the use of this tool is not combined with other data by the provider. The tool is also used for a cross-device analysis of visitor streams that is performed via a user ID. The data subjects can deactivate the cross-device analysis in their customer account under “My data” / “Personal data.” For information purposes, it is pointed out that this tool is used with the extension “_anonymizeIp().” As a result, IP addresses are truncated before they are processed further, which thus rules out the possibility of being associated with a specific person. Where the data collected regarding the data subjects do relate to a specific person, this association is thus ruled out immediately, and the personal data are thus erased right away. It does not conflict with the processing that the data are transferred to the United States, possibly in cooperation with Google LLC (USA). This is because the processing of the personal data takes place only if the data subjects consent to the associated transfer of data to the United States (see point (a) of Article 49(1) GDPR). In this regard, the risk information mentioned above (basic information / transfers to countries outside the European Union) is the operative factor.

Third-party provider: The central control tool Google Tag Manager from Google Ireland Ltd. (Ireland, EU) is used in conjunction with the analysis of use behavior. This entity has been engaged in accordance with Article 28 GDPR. For further details on the nature and manner of processing by this third-party provider, please consult the following links: https://marketingplatform.google.com/intl/de/about/tag-manager/. The following is added on this point: This tool allows the controller to incorporate various codes and services into this website in an organized and simplified way. In the process, this tool implements the tags or triggers the tags incorporated with it. When a tag is triggered, the provider may also process personal data. In the process, it is not impossible that the provider may also transfer the data to a server in a third country. Nonetheless, it does not conflict with the processing that the data are transferred to the United States, possibly in cooperation with Google LLC (USA). This is because the processing of the personal data takes place only if the data subjects consent to the associated transfer of data to the United States (see point (a) of Article 49(1) GDPR). In this regard, the risk information mentioned above (basic information / transfers to countries outside the European Union) is the operative factor.

9. Data security

We use technical and organisational security measures to protect your data processed by us against accidental or intentional manipulation, loss, destruction or against access by unauthorised persons. Our security measures are continuously improved in line with technological developments.

10. Updating

We regularly review this data protection notice and will update it as necessary. We will inform you of any significant changes to this data protection notice.

11. Data Privacy Officer

The Group Data Protection Officer of Deutsche Lufthansa AG is also the Data Protection Officer of the Lufthansa Innovation Hub. If you have any questions regarding data protection, please contact the Lufthansa Group Data Protection Officer (e.g. by mail: Deutsche Lufthansa AG, Group Data Protection Officer, FRA CJ/D, Lufthansa Aviation Center, Airportring, 60549 Frankfurt or by e-mail: datenschutz@dlh.de).

Controller: Lufthansa Innovation Hub GmbH, Brunnenstrasse 19-21, 10119 Berlin, Germany

Contact: datenschutz@lh-innovationhub.com

German data protection law (GDPR and BDSG) applies to the processing of personal data.