Purpose(s):

• Providing the website
• Ensuring the website is delivered to visitors as expected, including ensuring a smooth navigation experience
• Security monitoring against cyberattacks
• Retention period: 3 months since collection

Description
If a visitor wishes to navigate any website, the server hosting the website requires to collect a certain set of information from the visitor, so that the website and visitors servers can communicate, and the visitor may enter and navigate the website, including performing the actions allowed in the website. Each action performed is logged in a single file, hence the name “log file”. A log file stores the personal information relating to the visitor and the activity performed in the website – the list of categories of personal information is displayed above.

Forto processes log files in order to provide a functional website to its visitors, a smooth and secure navigation experience. The processing of log files, in fact, ensures that the website is not only available to its visitors, but is also delivered to the standards expected by Forto. This means retaining log files also for debugging, forensics investigations, and for monitoring against possible third-party cyberattacks, such as DDoS.

The identified period for keeping log files is 3 months since its collection. This means that 3 months after the log file has been generated, it is deleted. Deletion is achieved by anonymising the personal information in the log file.

Categories of personal data processed:

IP address of the requesting server (of the visitor)

Purpose(s): ensuring the website is delivered to visitors as expected, including ensuring a smooth navigation experience

Description

Content delivery networks (CDN) are a technology currently implemented by most common and successful websites for delivering website content such as texts, fonts, videos and more, with high quality and speed. The end result is that the content of the website is delivered to the visitor instantaneously, improving the website navigation experience.

In very simplified terms, a CDN is made up of a network of servers located in different locations on the planet. Website publishers which employ a CDN have their website content stored in each of these servers. When visitors from each location of the planet call to visit the website, each visitor will be receiving the content of the same website from a different server of the CDN, strictly depending on which of these servers is located closest to the visitor. This makes for faster loading times and ensures the same quality standards of the content, no matter where the visitor is located. For more information on how a CDN works, please visit our partner’s own explanation of how a CDN technically works.

Categories of personal data processed:

• Visitor ID (randomised alphanumeric sequence)
• Consent state (consent/deny)
• Timestamp (date, time, time-zone)

Purpose(s): allowing visitors to toggle tracking preferences, as required under applicable data protection law

Retention period: 1 year since collection

Description

Visiting Forto’s website for the first time, any visitor would notice a banner popping up at the bottom of the page. In it, the website is asking the visitor to provide the tracking preferences: which tracking activities to allow and which to deny. The tracking preference is collected in a cookie, which visitors can see in the banner itself, listed under “necessary cookies”. After a preference has been provided, the banner vanishes, but the settings may be changed at any time by clicking “Cookie Preferences” in the footer section of the website. The banner may also appear, after the first ever visit to Forto’s website, if one of the following circumstances apply:

• Forto has changed its tracking settings or tools, and therefore asks for the tracking preference once more; or
• The website visitor has deleted all cookies since the last visit session.

The tracking preference collected from the visitor is available at this URL. This processing activity is carried out in order to ensure that Forto provides sufficient information to the website visitors on the occurring tracking processes, as well as to provide website visitors with a meaningful and impactful way to control the processing of their personal data. The tracking preferences are stored for one year to ensure an unspoiled navigating experience: It is hard to imagine the average website visitor wanting to toggle tracking settings each visit. After said year, the tracking preference is deleted.

Information on the deployed tracking tools, including recipients of the collected information and expiration periods, can be found on the consent banner.

Categories of personal information processed, purposes, retention periods applicable and legal bases depend on the individual tracking activity, as detailed in the consent banner.

Description

Forto’s website uses tracking tools to allow for certain functionalities to be carried out, such as connecting to requested information or content stored in servers outside of the website, collection of analytics data and security monitoring for preventing cyberattacks, such as DDoS or traffic overload.

The most used tracking tools are cookies, which are small text files downloaded to and stored within your browser from the moment you visit a website: depending on the cookies’ settings, they may remain stored in the browser for a given amount of time, for example the duration of your browsing session or other specific time period.

Tracking pixels may also be deployed. These are 1×1 pixels — so practically invisible to the naked eye — embedded on the web page, which collect information on the visitor’s use of the website to the same extent a cookie would.

All processing activities carried out in the website, described in the subsequent subsections, require some form of information collection and storage in the tracking tools, in order to be successfully carried out. An example of this necessary processing is the displaying of forms in the website, which can be used for providing information to Forto upon the visitor’s wishes: without the activation of those cookies, the forms would not be displayable.

Some of the tracking activities are based on the visitor’s explicit consent. It can be provided and revoked, at any time, from the consent banner.

Categories of personal data processed:

• Session ID
• Timestamp (date, time, time-zone)
• Source URL
• Actions performed

Purpose(s): tracking of the number of visitors of Forto’s website, their origin, and whether they perform specific actions on said website.

Retention period: depends from the tracker – for more information, please access the consent banner.

Description

Conversion tracking is a very common and important process for any website publisher, as it essentially determines whether the website is receiving hits – it is being visited –, and whether the website leads visitors to perform certain actions, as well. These “selected” actions will differ from website publisher to website publisher, depending on what the objective of the website is. Forto’s ultimate goal is to inform visitors about our products and services, leading to new customers – hopefully. Therefore, the Forto website will track the origin of its website visitors, hence the tracking of the source URL, and the actions performed by the visitor.

Forto’s website uses 3rd party cookies and pixels to carry out this form of tracking. The latter are code snippets loaded in the website which collect data about the visit session but, unlike a cookie, store it directly in the pixel’s server of origin – usually a third-party server – instead of the user’s browser.

All methods of tracking visits conversion are deployed only after the visitor’s prior explicit consent, which can be provided (and later revoked) from the consent banner. Not providing consent to the deployment of these tracking tools does not impact the visitor’s navigation experience in Forto’s website, but it does help Forto improve its website, as well as assessing its marketing efforts online.

Therefore, Your consent would be greatly appreciated!

Please keep in mind that at no point your name or any other directly identifiable information is collected by these trackers, therefore neither Forto or any other third-party service provider is able to identify you by name, by carrying out these activities.

Purpose(s): provide visibility to Forto’s company profile and content across multiple platforms.

For information on categories of personal data processed and retention periods, please refer to the description below.

Description

Forto does not make use of social media plugins in its website. Rather, the website contains links to Forto’s company profile pages found in social media platforms. When a visitor clicks on a social media widget of choice, the visitor will be redirected to Forto’s company profile page on the selected social media platform. Performing this action produces data which is collected by the social media platform operator and later shared with Forto. If the visitor has a profile in the selected social media platform and is still logged on in it, then the activity will be associated with said profile.

Forto does not decide which data is generated and collected by the third party operators. However, details about the collection and retention of personal data generated by this activity, as well as the type, scope and purpose of the processing by the respective social media platform operator can be found in the following privacy notices:

• LinkedIn: https://privacy.linkedin.com/.

Categories of personal data processed:

• IP address
• Browser information
• Unique identifier, for associating to the user’s usage history
• Activity log, such as actions performed on the video player
• Activity timestamps

Purpose: playing the recordings as requested by visitors.

Description

Forto produces videos informing its audience about its company, products, services, and the logistics market. These recordings are uploaded onto Forto’s Vimeo account and are made available for access in Forto’s website. The videos are embedded directly from Forto’s Vimeo account: thus, if one of these recordings is played, the personal data of the visitor listed above is going to be collected and further processed by Vimeo. The content on the website will only be displayed if the visitor consents to statistical cookies: the visitor may toggle the settings directly from the consent banner.

Categories of personal data processed:

• IP address
• Browser information
• Unique identifier, for associating to the user’s usage history
• Activity log, such as actions performed on the audio player
• Activity timestamps

Purpose: enabling visitors to play audio (podcast) content found on Forto’s “FortoBites” page

Retention period: max. 1 year or until revocation of consent

Description

Forto periodically produces and publishes podcast content on its website, called “FortoBites”. The content is uploaded onto Forto’s Spotify account and is made available for access on Forto’s website. The content is embedded directly from Forto’s Spotify account: thus, if one of the podcast episodes is played, the personal data of the listener listed above is going to be collected and further processed by Spotify. The content on the website will only be displayed if the visitor consents to statistical cookies: the visitor may toggle the settings directly from the consent banner.

Categories of personal data processed:

• Full name
• Email address
• Job title
• Company
• Country
• Agreement for receiving the newsletter
• Agreement for processing personal data
• Activity timestamp (time, date, time-zone)

Purpose: sending the newsletter to all who have agreed to receiving it.

Retention period: until revocation of consent.

Description

Every two weeks Forto creates newsletter posts and emails them to each individual who has signed up to the newsletter recipient list. The newsletter list sign-up can be made at this URL. While the recipient email address is used to send the newsletters, the rest of the collected information is of Forto’s interest mainly (hoping) for initiating a business relationship with the recipient’s company. The data collected is saved in a recipient list repository, hosted by a third party service provider – Hubspot –, which then automatically sends out newsletters to all registered recipients the moment they are ready to be shipped out.

Visitors may also choose to sign up to Forto’s “Coffee & Logistics” video journal. Visitors may choose to receive new content directly by email, by subscribing to the “Coffee & Logistics” recipient list in the same way as for the newsletters.

Forto’s marketing communications are sent to the recipient only on the basis of the latter’s prior explicit consent. The recipient is able to unsubscribe from the newsletter and/or Coffee & Logistics list at any time: the link for doing so is found at the bottom of each marketing email received.

Categories of personal data processed:

• First and last name
• Email address
• Phone number
• Company
• Country
• Agreement for receiving communications from Forto
• Agreement for processing personal data
• Activity timestamp (time, date, time-zone)

Purpose(s): establishing inbound contact with a potential customer. Enabling customers to create accounts in Forto’s customer platform.

Retention period(s):

• Personal data processed for fulfilling business and legal obligations is retained for a minimum period between 5-10 years, depending on the obligatory retention period applicable to each category of personal data processed;
• The personal data processed on the basis of consent is processed until valid revocation.

The remaining personal data processed on the basis of this activity, for which the previously mentioned retention periods do not apply, is retained for a minimum period of time compatible with the minimum statutory limitations, as it may be used as proof for establishing, exercising or defending legal claims.

Description

For creating an account in Forto’s customer platform (ship.forto.com), the company of the interested visitor must first become a Forto customer. The first step towards becoming a customer is to provide the contact information in this form and agree to the processing of personal data for further contact.

The collection and processing of the personal data provided in the form is dependent on whether the visitor has provided explicit consent to the processing activity. Without such consent, Forto would not be able to contact the interested visitor further, nor to create the desired account, later on.

After Forto has received said information, a member of Forto’s sales team will reach out. Once the general terms and conditions are accepted, then an account will be activated. The customer account will be associated with the company purchasing Forto services. Each customer account may have one or more user accounts, each one associated with an individual operator of the customer. The description of the processing connected to the user account creation is found in the Product Privacy Notice.

Categories of personal data processed: see “Navigating Forto’s website” section.

Purpose(s): provide visitors looking for information on generic topics about Forto’s products and services with suitable answers.

Description

Forto’s “Help Center” page is designed to provide information on Forto’s products and services, as well as on logistics terminology, for users of Forto services. Though Forto is ready to receive support questions from users and welcomes the opportunity to support, the simplicity and speed of publishing answers to commonly asked questions is recognised. Hence, Forto has published this page for this reason: to save its platform users valuable time.

The Help Center page is published and maintained using a third party service. This allows Forto to plug-and-play the user interface offered by the third party service, designed with support pages in mind, while only worrying about updating and upgrading the Help Center’s content, when required. All the personal data commonly collected for connecting to the web page (please scroll up to the “Navigating Forto’s website” section for more information) is sent to this third party service provider, so that the Help Center pages may be displayed.

Categories of personal data processed:

• Full name
• Email address
• Phone number
• CV – Resumé
• Presentation letter (not necessary)
• LinkedIn profile (not necessary)
• Website URL (not necessary)
• Demographics information (not necessary)
• Permission confirmation to process personal data for the purpose of initiating the job interview process
• Information about the candidate profile and conducted interviews.
• Purpose(s): initiate the job application process and evaluate the candidate.

Retention period: 180 days since collection. May be extended further upon consent.

Description

Visitors of the Forto website who would like to apply for a job at Forto may do so by providing the requested information in the form for the corresponding job opening. The information necessary for initiating the application process is marked by a *. Without providing this information Forto may not initiate the application process.

—

The information that is not required to be added for successfully filing a job application is provided by the applicant upon their explicit consent, which is to be provided by the applicant at the bottom of the form page by ticking the checkbox. Some of the information asked about may be of particularly sensitive nature, namely age category, ethnicity and sexual identification. Forto invites applicants to provide demographic information in order to constantly evaluate its diversity and inclusion efforts. Providing this information is done on a purely voluntary basis: failure to provide this additional information does not compromise the application process in any way.

—

All the information provided in the context of this processing is stored in Forto’s application tracking system (ATS), itself provided as a service by a third party. All conducted interviews and their outcome are logged in the ATS for reference.

If an application does not result in a successful hiring, that does not mean that Forto does not consider the applicant profile interesting! Forto may ask, in fact, to insert the candidate profile in its “talent pool”, by extending the storage period of the applicant profile for longer than the usual 180 days, in the hope to match said profile with a suitable position. This is done only on the basis of explicit consent of the applicant. Without the provided consent, the applicant profile will be deleted automatically.

Any consent provided in the context of the job application, both for the initial sending and inclusion in the talent pool, may be revoked at any time by the applicant, using the appropriate channels of communication.

 

The activities described in this section have been carried out mainly on the basis of Forto’s legitimate interest — based on Art. 6 (1) lit. f GDPR — where applicable. Depending on the individual activity, the following legitimate interests may be applicable:

• provision of information to the public about itself, its services and its activities, by means of a functioning website;
• maintain its website’s safety and security for itself and its visitors;
• improvement its services and products to fit customer needs better;
• provide information about its products and services to previous customers;
• approach potential customers — intended exclusively as commercially active legal entities;
• provision of communication channels with which interested parties may contact Forto;
• where processing is necessary towards the establishment, exercise or defence of legal claims.

As a data subject, you have the right to object to the processing of personal information that involves you, personally: please scroll down to the ‘Right to Object’ sub-section to learn under which circumstance and how you may express your objection.

Where the above-mentioned legal basis is applicable, Forto ensures that your consent for processing personal information relating to you is requested and obtained prior to commencement of said activity. You may revoke your consent at any time, without justification: please scroll down to the ‘Right to Withdraw Consent’ sub-section for more information.

Consent is applied as a legal basis for example, in the context of your application for a job opening posted on our website’s portal, the deployment of tracking when these are not strictly necessary and your sign-up to our newsletter mailing list.

Forto uses a number of services from third party providers to carry out its processing activities. The table below illustrates all the ones engaged by Forto for carrying out the processing activities described in this privacy notice.

Provider name	Provider Address	Country	Link to privacy notice	Processing activity	Description
Bleech GmbH	Koepenicker Strasse 10a, 10997 Berlin	Germany	ALL-INKL.COM	Navigating Forto’s website	Website hosting services.
Google Ireland Ltd.	Gordon House, Barrow Street, Dublin 4, D04 E5W5	Ireland	Google	Website tracking (Google Analytics, Google Tag Manager) Visits conversion (Google Ads) Careers (Google reCAPTCHA) Marketing activities (Google Ads)	Google Analytics (GA) is used to analyse how users interact with Forto’s website. GA implements targeting cookies which store an anonymised IP address, the accessed website URL, as well as of the referrer URL, subpages visited, length of visit session and visit frequency. The functionalities of GA also permit the visitor to receive more interesting ads, on the basis of the data collected. Google Tag Manager (GMT) is used to implement and manage tracking tools in the website without having to change the website’s code. GTM only processes the visitor’s IP address and browser information for deploying. Google Ads services are used to create and launch marketing campaigns. An example is when the word “Forto” is researched on the Google search engine, forto.com will appear at the top of the results list, with a tag at the top stating that the result is “sponsored”. Forto additionally receives data on how successful its marketing campaigns run through Google Ads are, for instance the number of times the words associated with Forto are researched, how many times the links provided in the results list are clicked etc. Google Ads’ Customer Match function uses the data provided by data subjects who have given consent to Forto to process their data for marketing purposes, to identify other Google accounts connected to the same individual. These connected accounts will then be the recipients of marketing communications from Forto also in other social networks, such as YouTube or GMail. Google reCAPTCHA is a risk analysis software used to protect against bots, spam and other malicious attacks aimed at compromising Forto’s systems. A visitor will see the reCAPTCHA symbol at the end of pages if the technology is deployed for the form submission.
LinkedIn Ireland Unlimited Company	Wilton Place, Dublin 2	Ireland	LinkedIn	Website tracking	Forto’s website uses LinkedIn Insights Tag to track how many visitors enter coming from LinkedIn links. This allows Forto to evaluate the success of its marketing campaigns run in LinkedIn, as well as the level of content posted on its LinkedIn profile. If the visitor is logged in a LinkedIn account during Forto’s website visit, and the cookie settings for the Insights Tag are accepted, then LinkedIn will additionally store the LinkedIn user data together with the logged activities performed on Forto’s website.
Cloudflare, Inc.	101 Townsend Street, San Francisco, CA 94107	USA	Cloudflare	Content Delivery Network (CDN), Website tracking	Forto’s website uses Cloudflare’s CDN services to deliver website content in the same standard globally. In this context, it provides scanning and bot-blocking measures. Cloudflare provides Forto’s website with performance analytics and security services, for instance DDoS protection.
Hubspot Germany GmbH	Am Postbahnhof 17, 10243 Berlin	Germany	Hubspot	Signing up to the newsletter, Contact requests, Support subdomain, Landing pages	Forto’s website uses Hubspot’s automation capabilities to create its landing pages and forms. Each form filled out and sent to Forto is processed via Hubspot’s service. Hubspot therefore receives all information provided to Forto in the forms.
Vimeo.com, Inc.	330 West 34th Street, 5th Floor, New York, New York 10001	USA	Vimeo.com	Playing videos on the website	Forto’s video content is stored into its Vimeo account and directly embedded onto the website. Vimeo receives the connection data of the visitor in order to enable the video to be displayed and played.
Intercom R&D Unlimited Company	2nd Floor, Stephen Court, 18-21 St. Stephen’s Green, Dublin 2	Ireland	Intercom	Help subdomain	Forto’s website is integrated with Intercom’s “Proactive Support” functionality in order to provide helpful information to frequently asked questions by website visitors and customers. The activity logs performed while navigating the help.forto.com subdomain are collected by Intercom in order to be able to provide the requested web pages.
Ashby, Inc.	548 Market St PMP 397006 San Francisco, CA 94104-5401	USA	Ashby	Job Applications	Forto uses the Ashby platform as its application tracking system (ATS). All job applications sent to Forto are stored in Ashby, as well as all information gathered during the application process.
Calendly LLC	115 E Main St, Ste A1B, Buford, GA 30518	USA	Calendly	Job Applications	Forto uses Calendly to enable the scheduling of interviews during job application processes, directly onto the interviewer’s calendar.

Categories of personal data processed:

• First and last name
• Work contact information
• Job role (possibly)
• Company information
• Purpose: Outreach to (potential) customers for marketing purposes.

Retention period: Until the processing purpose is fulfilled or consent from the data subject is withdrawn.

Description

Forto may use the personal data provided under consent for marketing activities, for sending you advertisements in possibly different forms (e-mail, banner or similar) reminding of Forto’s products and services. These advertisements might appear in different platforms, such as YouTube and GMail. This is possible because Forto leverages the Customer Match service from Google. The previous link provides information on what it is about, but, to summarise, the aforementioned functionality leverages the fact that multiple platforms and spaces managed by Google are accessible to users with a single common Google account. Knowing this, Google enables its Ads customers to send marketing information to its audience in the different platforms where the audience target has an active account. For example: Joanne, a made-up data subject, has provided Forto with the email address and with the consent for contact with marketing communications. After successfully sending the data over, Joanne may start to receive marketing content from Forto in YouTube and GMail, if the data subject has connected to these platforms using the contact information provided to Forto previously for the purpose of receiving marketing material.

Categories of personal data processed:

• First and last name
• Work contact information
• Job role (possibly)
• Company

Purpose(s): Establishment of a business relationship.

Retention period: Until the processing purpose is fulfilled.

Description

Forto takes part in and organises events for letting companies and professionals get to know its products and services. During such events contacts may be exchanged on the basis of a common interest to establish a business relationship, usually by signing up to an “interested parties” list, exchanging business cards or many other possible ways. Regardless of the way the information is exchanged, the information is provided by the individual if she or he wants to: the information Forto received is based solely on what information is provided by the individual. The information may be later used to contact the parties, in order to follow up on the manifested interest.

Categories of personal data processed:

• First and last name (possibly)
• Work contact information
• Job role (possibly)
• Company

Purpose(s): Establishment of a business relationship.

Retention period: Until the processing purpose is fulfilled.

Description

Forto may reach out to potential customers to inquire about possibly establishing business relationships. To do so, Forto uses contact lists gathered previously through its own efforts, i.e. at events, and a number of service providers’ databases to determine which companies may be interested in Forto’s services and, if so, how to contact them. Forto may attempt to reach out in a number of ways – phone call, email, messaging in social media platforms (i.e. LinkedIn).

Further progress on the possible establishment of a business relationship will continue only if the recipient of Forto’s approach decides so on the basis of her or his free will. Said approach recipient may also choose to not be contacted for these purposes any longer, in which case, the recipient must communicate to Forto said wish. Forto will then store the minimum contact information necessary to make sure no further approaches are made within a reasonable timeframe.

Categories of personal data processed:

• First and last name
• Work contact information
• Job role
• Company information
• Communication and interaction data – content of communications, time and date of communication, duration of call, other information associated with the interaction, business outcome

Purpose(s): Analysis and improvement of Forto’s approach and communication with potential customers.

Retention period: Until the processing purpose is fulfilled.

Description

All presale interactions are logged in Forto’s sales pipeline management system provided by a third party. The purpose of this process is to analyse and improve Forto’s communication with potential customers.

Categories of personal data processed:

• Work email address
• Company name
• Connection data, including but not limited to IP address, browser information and activity timestamps

Purpose(s): Conducting a demonstration of Forto’s products and services to potential customers.

Retention period: Until the processing purpose is fulfilled or until consent is revoked.

Description

During talks for setting up a business relationship with Forto, a demonstration (a demo) of Forto’s products and services will likely be scheduled. The entire demo will take place remotely, using a third party service provider. This processing requires certain information, therefore, such as the IP address, browser information and other connection data.
To access the demo platform, a link will be provided via email together with the call invitation. Recipients of the invite may choose to accept or decline it. Though the demo ultimately may not be an essential factor to concluding a business relationship agreement, Forto’s recommendation is to attend one in order to get a better understanding of what Forto may offer before using its services.

The activities described in this section have been carried out on the basis of Forto’s legitimate interest — based on Art. 6 (1) lit. f GDPR — where applicable. Depending on the individual activity, the following legitimate interests may be applicable:

• reaching out to potential customers — intended exclusively as commercially active legal entities;
• establish a business relationship between Forto and its potential customers;
• ensure the correct conduct held by agents when communicating with external parties;
• processing is necessary towards the establishment, exercise or defence of legal claims.

As a data subject, you have the right to object to the processing of personal information that involves you, personally: please scroll down to the ‘Right to Object’ sub-section to learn under which circumstance and how you may express your objection.

Where the above-mentioned legal basis is applicable, Forto ensures that your consent for processing personal information relating to you is requested and obtained prior to commencement of said activity. You may revoke your consent at any time, without justification: please scroll down to the ‘Right to Withdraw Consent’ sub-section for more information.

Consent is applied as a legal basis for example, in the context of your application for a job opening posted on our website’s portal, the deployment of tracking when these are not strictly necessary and your sign-up to our newsletter mailing list.

Forto uses a number of services from third party providers to carry out its processing activities. The table below illustrates all the ones engaged by Forto for carrying out the processing activities described in this privacy notice.

Provider name	Provider Address	Country	Link to privacy notice	Processing activity	Description
Google Ireland Ltd.	Gordon House, Barrow Street, Dublin 4, D04 E5W5	Ireland	Google	Contact outreach, Demos	Forto associates make use of Google Workspace applications, such as Mail, Drive and Calendar, to send and receive electronic communications, store files and schedule appointments. The contact information of their communication counterpart and details of an appointment, such as date, time and contact information of the individuals attending, may be processed using Google Workspace products.
LinkedIn Ireland Unlimited Company	Wilton Place, Dublin 2	Ireland	LinkedIn	Contact outreach	Forto may use LinkedIn services to enter into contact with you for the purposes of (possibly) establishing a business relationship between it and the contacted individual’s company.
Outreach Corporation	333 Elliott Ave W, Suite 500, Seattle, WA 98119	USA	Outreach	Communication logging	Forto uses the Outreach platform to log all presale communications had with potential customers. This is to have a single platform where interaction information is stored and manageable. Outreach is used by Forto to analyse its business interactions with potential customers.
Demodesk GmbH	Brienner Straße 45 a-d, 80333, Munich	Germany	Demodesk	Demos	Forto uses Demodesk’s demonstration platform for conducting its product and service demos with potential customers. Demodesk creates access links for the invitees to enter the demonstration meeting with the Forto operator. Only those who have received the link are able to access the virtual meeting in Demodesk. Additionally to the email address of the invitees, collected upon invite creation, Demodesk processes the connection information of the meeting participants, in order to deliver the call functionalities as expected.

Categories of personal data processed:

• Login information
• Profile information, including full name, employer
• Activity timestamp

Purpose: creation of user account.

Description

Once the general terms and conditions are accepted, then an account will be activated. The customer account will be associated with the company purchasing Forto services. Each customer account may itself be associated with one or more user accounts. These will contain the personal information of the individual user, such as name and work contact information.

In case an operator is not associated with (employed by) the customer any longer, Forto highly recommends to request the deletion of the user account of that operator, in order to help protect the former operator’s personal data.

Categories of personal data processed:

• Login information
• Activity timestamp

Purpose: resetting the password of the account.

Description

Users may access their accounts by providing the login information at the beginning of each session – Forto highly recommends logging out once the session is over, to preserve the account’s security! In case a new password is needed, the user may simply click on “reset password” at the login page. Providing the email address connected to the user account will create a temporary password and send it to the provided email address, if the latter is found in the user account repository. Otherwise no temporary password is sent. Once logged in, the user should immediately set a new password and safely store it. The user login information is stored in Forto’s internal systems and is not shared to any third party.

Categories of personal data processed:

• Login information
• Browser information
• Login timestamp

Purpose: authentication of platform users, platform security.

Description

Forto uses a user authentication service for verifying the identity of its platform users at the moment of login. The user will be able to login using their individual preferred method, either by providing a username and password which are unique to SHIP, or by using an external identity provider (i.e. Google or Meta accounts), in the latter case using Single-Sign-On (SSO), logging in to their service of choice. As the identification data is passed between Forto’s platform and identity provider through the user’s browser using a token, said token stores the identity information necessary to authenticate, as well as information about the browser it is passing through.

Categories of personal data processed:

• Unique user identifier;
• session ID;
• IP and MAC addresses;
• approximate geographical location (limited to the country);
• browser information;
• OS information;
• device information;
• network connection information;
• activity performed;
• request outcome (for example, error codes generated).

Purpose(s): ensuring the security and correct delivery of Forto’s services platform SHIP.

Description

User activity logs are collected automatically from the SHIP platform. Activity logging serves many purposes, prominently maintenance of security and correct delivery of the service platform.

Categories of personal data processed:

• same categories listed in the previous section and, additionally
• bug reporter contact information;
• screen recording sent for bug reporting

Purpose(s): ensuring the security and correct delivery of Forto’s services platform SHIP.

Description

Users of SHIP who encounter a bug may create a report to Forto for fixing. The user will have the possibility of recording the screen session showing how the bug occurs from their point of view. This recording helps Forto engineers discover and design fixes accordingly.

Once the bug is fixed, the bug report and recording may be further used by Forto for internal knowledge acquisition and learning: however, no bug report and recording remain stored by Forto for longer than 6 months.

Categories of personal data processed:

• IP and MAC addresses;
• approximate geographical location (limited to the country);
• browser information;
• OS information;
• device information;
• network connection information;
• web pages visited;
• user journey;
• user interactions with the web pages.

Purpose(s): analysis of user interactions with the web pages and user journeys carried out during the use of the platform, improve user experience and efficiency.

Description

Forto fully understands the important role that efficiency and assurance of requests producing desired results play in the use of its services platform. To constantly provide better services that its customers and platform users need, Forto analyses users’ journeys while navigating SHIP. All collection and analysis is carried out within a third-party application.

Categories of personal data processed:

• name and contact information;
• connection log information (IP and MAC addresses, activity timestamp, browser information, OS information, device information);
• communication content.

Purpose(s): providing platform users with valuable and timely information surrounding the use of the platform and services delivery status.

Description

A support chatbot is made available within the SHIP platform to all users: its objective is to provide automated information upon request on the use of the platform or on the status of customer bookings and freight transports. The chatbot is supported by an AI algorithm, which relies on delivering information found in Forto’s freight transport database which is made relevant on the basis of the user’s inquiry. Personal information is only used to verify the user’s account prior to providing information and to give a more personalised experience when using the chatbot.

Categories of personal data processed:

• name and contact information;
• request content, typically related to shipments.

Purpose: fulfilment of customer requests.

Description

You may request to book a freight transport using the SHIP platform or contacting Forto directly. The request will contain information about you, as in the source of the request, and the request’s details needed to fulfil the request successfully. If the booking request is carried out from the SHIP platform, the activity logs associated with the booking request sending are also processed automatically.

Categories of personal data processed:

• user activity logs when interacting with the location service, including:
• IP address and approximate location;
• browser information;
• operating system information;
• end-device information.

Purpose(s): calculation of expected shipment distance using the user-entered origin and destination locations.

Description

The SHIP platform provides a location service, powered by a third party service provider, which allows Forto and users to calculate the distance between shipment origin and destination. The third-party service uses API connectivity to deliver its services. The API call sends to the third party service provider information on the user activity — limited to the user’s interaction with the location service’s interactive map. This activity logging includes the association of connectivity, with the IP address, browser, operating system and end-device information to a randomised identifier generated by said third party provider and to the requests made using the location service, namely the selection of the origin and destination points on the interactive map.

Without this information, Forto would not be able to provide its service from its designated platform, therefore being directly detrimental to users in terms of service and experience.

Categories of personal data processed:

• identifying information of data subjects possibly associated with a business entity involved in a freight transport request made to Forto, incl. names, nationalities, residential
• addresses, dates of birth.

Purpose: fulfilment of legal obligations

Description

As a freight forwarding services provider, Forto must observe sanction regulatory measures. Any new customer (legal entity) onboarded onto the Forto platform and any booked freight forwarding request trigger a compliance screening. The data inserted by Forto for this processing solely refer to the legal entities being subject to screening, however the results of the screening may reveal personal information of individuals mentioned in sanction lists.

Categories of personal data processed:

any personal information which might be included in an invoice (or related or similar document), such as names, contact details and signatures of company or public authority representatives and contact points.

Purpose: fulfilment of legal obligations

Description

This section applies to all types of documents generated or otherwise processed in the context of providing freight forwarding services, including but not limited to invoices and bills of lading. Official documents have a standardised form, which might bring the inclusion of personal information, for instance the use of signatures and mentioning of company representatives. Forto has access to this information but does not process any of this personal information outside of mere electronic storage.

Categories of personal data processed:

• Customer contact name and details;
• Content of communications and other forms of interactions, such as in-person visits.

Purpose(s): fulfilment of customer requests; customer account management.

Description

Forto manages customer accounts with the help of a customer relationship management (“CRM”) system. All customer interactions are logged in said system, in any form they may have occurred, and customer contact information’s accuracy is maintained and ensured.

Categories of personal data processed:

Customer contact name and details.

Purpose: Reach out to customers in regards to service-related information, milestones and issues.

Description

Customers are informed in a timely manner by Forto about its freight’s milestones and any incurring issues. The intent is to provide customers with valuable information, useful for planning and taking action. Freight shipments are tracked by Forto’s data system: each shipment milestone triggers an automated email notification with the information relative to the event. The same happens with any issue impacting the shipment’s status.

Categories of personal data processed:

• Customer contact name and details;
• Content of the communication.

Purpose(s): Hold business relations and information exchange.

Description

Forto has a dedicated team of agents dedicated to sales, customer care and ensuring that the shipment information remains accurate. Customers and interested parties may communicate directly, via email or call, either using the dedicated channels or their direct contact at Forto.

Forto may also contact you relating to your use of Forto’s platform and services or other content, for instance participating in surveys or contests organised by Forto.

Categories of personal data processed:

• Survey participant’s name, contact information and details;
• Unique identifiers possibly created to associate survey participants’ provided information with contact profiles created in the customer relationship management system;
• Responses given.

Purpose: Gather opinions on users’ relationship with Forto’s platform and services.

Description

Forto is very interested in constantly bringing the best solutions to customers’ and users’ needs. One of the ways it gathers information on how to do this is by relying on customer and user feedback. Every now and then platform users and customer contacts may be contacted via email to take part in a survey on how they view Forto’s platform and services. Topics may differ depending on the survey, as well as the type of answers to provide. There is no obligation to take part in any survey: participation will be entirely voluntary. Consent to this processing activity may be revoked at any time, at which point any personal data provided will be deleted.

Categories of personal data processed:

• content of correspondences

Purpose(s): Higher efficiency and faster processing time of customer requests.

Description

Forto makes active use of artificial intelligence software to speed up its processes. As freight forwarding is still very correspondence-reliant, Forto utilises AI-enhanced technologies to summarise incoming communications from customers and interested parties in general. Forto utilises AI-enhanced technologies only in a way which avoids the further use of sent information: requests to AI software are made using API technology, and submission of input data for improving algorithms is never allowed, by default.

The processing activities described in the previous section have been carried out on the basis of either the fulfilment of a contract with a customer or on the basis of applicable law or regulation.

Where neither bases are applicable, Forto processes personal information on the basis of its own legitimate interests, which mainly involve the maintenance of processed information’s confidentiality, integrity, availability and accuracy, ensuring that Forto’s services remain dependable and valuable for its customers. As a data subject, you have the right to object to the processing of personal information that involves you, personally: please scroll down to the ‘Right to Object’ sub-section to learn under which circumstance and how you may express your objection.

Where none of the above-mentioned legal bases are applicable, Forto ensures that your consent for processing personal information relating to you is requested and obtained prior to commencement of said activity. You may revoke your consent at any time, without justification: please scroll down to the ‘Right to Withdraw Consent’ sub-section for more information.

The amount of time that personal data is retained by Forto depends on their purpose of processing.

Some personal data may need to be retained in accordance with applicable laws on subject matters which include, but are not limited to, tax and accounting.
Forto may retain personal data originating from access and activity logs, in order to ensure the security of its platform and of the information the company processes and otherwise stores. Personal data processed for purposes of security is retained for a maximum of one year. It may, however, be exceeded, if said data is required for carrying out forensics investigations at the time of the retention period’s expiration.

Personal data may also be retained for ensuring Forto is able to provide valid proof in the context of legal disputes.

Forto’s services and platform are delivered thanks to a number of partners. These third parties may process users’ personal information: the table below highlights which process each listed third party is involved in.

Provider name	Provider Address	Country	Link to privacy notice	Processing activity	Description
Google Cloud EMEA Limited	70 Sir John Rogerson’s Quay, Dublin 2	Ireland	Google	Data cloud storage services Location Service Communicating with Forto: Direct Contact	All data produced in Forto’s platforms is managed using Google Cloud servers, geographically located in the EU. Forto uses Google Workspace to process and store electronic communications and for collaborative documentation and productivity. Virtual meetings and appointments may also be set up using Google Workspace services, with the information deriving from these activities being stored on Google servers. Forto uses the services of Google Maps to deliver Location Services in its platforms.
MongoDB Limited	Building 2 Number One Ballsbridge, Shelbourne Rd, Ballsbridge, Dublin 4, D04 Y3X9	Ireland	MongoDB	Data cloud storage services	All data produced in Forto’s platforms is stored in MongoDB servers, geographically located in the EU.
Okta, Inc.	100 First Street, 6th Floor, San Francisco, CA 94105	USA	Okta	User Authentication	Forto deploys Auth0 for verifying users at login. The service is set up on Forto’s platforms by means of API connection: users are asked to log in through the Auth0 integration, using their chosen authentication method.
Datadog, Inc.	620 8th Avenue 45th floor, New York, NY 10018	USA	Datadog	Activity Logging Bug Reporting	Datadog processes and stores all activity logs produced in Forto’s applications on a single repository — application performance and security monitoring. The service detects errors and threats, notifying relevant teams about their nature and existence to enable fixing. Any bugs experienced by users may be reported to Forto, including with the use of session replay, which users may activate to enable Forto to visualise the sequence of HTML instances from the user session which has led to the error.
Amazon Web Services EMEA Sárl	38 Avenue John F. Kennedy, L-1855 Luxembourg	Luxembourg	AWS	Activity Logging	AWS is used to archive activity logs for further retention for security purposes, for example forensics investigations.
Fullstory, Inc.	1745 Peachtree Street NE, Suite G, Atlanta, GA 30309	USA	Fullstory	Platform Usage Logging	Forto stores how users, once logged in, use the platform and interact with its features. Every interaction is timestamped and logged, recreating user sessions and interactions in anonymous fashion.
Castellum.AI Corporation	99 Wall Street, Suite 1377, New York, NY 10005	USA	Castellum.AI	Compliance Screening	Castellum.AI provides Forto with sanctions screening services. For any legal entity Forto scans (as is required to) against the sanctions lists made available by Castellum.AI, Castellum.AI returns the results, which may contain information on whichever item provides a match, even if only partial. This screening activity allows Forto to identify potential risks associated with individuals or entities that are on international sanction lists.
Microsoft Ireland Operations, Ltd.	South County Business Park, One Microsoft Place, Carmanhall And Leopardstown, Dublin, D18 P521	Ireland	Microsoft	Invoice Management	Dynamics 365 Business Central serves as Forto’s central repository and management system for invoicing. Each incoming and outgoing invoice is either received or produced using this system. It also serves as the main invoice storage location.
salesforce.com Germany GmbH	Erika-Mann-Str. 31, 80636 Munich	Germany	Salesforce	Customer Relationship Management	Forto uses Salesforce’s CRM platform for managing customer contacts and accounts. All information regarding the customer’s entity, contact points, held communications, bookings and business success rate are contained and managed in the CRM.
Messagebird B.V.	Trompenburgstraat 2C, 1079 TX Amsterdam	Netherlands	Bird	Notifications	Bird offers mass messaging services, which Forto uses for notifying customers about relevant shipment events and milestones.
FrontApp, Inc.	300 Montgomery Street, Floor 5, San Francisco, CA 94104	USA	Front	Communicating with Forto: Direct Contact	Front is a customer request and task management service, based on electronic communications.
Zoom Video Communications, Inc.	55 Almaden Blvd. Suite 600 San Jose, CA 95113	USA	Zoom	Communicating with Forto: Direct Contact	Zoom provides Forto with VoIP and virtual meeting services. Call and meeting logs, information on participants, their connection logs and communication information and metadata is stored in Zoom servers.
SurveySparrow, Inc.	2345 Yale St FL 1 Palo Alto, CA 94306	USA	Surveysparrow	Surveys	Forto uses SurveySparrow to create and send out surveys.
OpenAI Ireland Limited	1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43	Ireland	OpenAI	AI-enhanced Activities	Forto uses OpenAI’s application programming interfaces to submit requests to its GenAI service.
Langdock GmbH	Fehrbelliner Strasse 4 10119 Berlin	Germany	Langdock	AI-enhanced Activities	Forto uses Langdock’s platform to submit requests to GenAI models offered by a variety of service providers, all carried out using API technology.

Forto may process personal data about you. You have the right to know what it is and how it is being processed.

If Forto does process your personal data, you have the right to obtain information about:
– the processing purposes;
– the categories of personal data being processed;
– the recipients or categories of recipients to whom your personal data has been or will be disclosed, in particular recipients in third countries or international organisations;
– if possible, the planned duration of retention of your personal data, or, if this is not possible, the criteria for determining it;
– the existence of a right to rectification or erasure of personal data concerning you or to restriction of processing by Forto or a right to object to such processing;
– the existence of a right to lodge a complaint to a supervisory authority;
– if the personal data has not been collected directly from you, all available information about the origin of the data;
– the existence of automated decision-making including profiling in accordance with Art. 22 (1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved and the scope and intended effects of such processing for you.

In case you find your personal data to be incorrect or incomplete, you have the right to rectify it or have it rectified by the data controller.

Under certain conditions, you have the right to obtain that Forto restrict the processing of your personal data.

At least one of the following conditions must be fulfilled:
– you contest the accuracy of the personal data for a period that allows us to verify its accuracy;
– the processing is unlawful and you refuse to delete the personal data and instead want to restrict its use;
– Forto no longer need the personal data for the purposes of processing, but you need it for the establishment, exercise or defence of legal claims; or
– you have objected to the processing in accordance with Art. 21 (1) GDPR, as long as it is not yet clear whether Forto’s legitimate reasons outweigh your interests.

Under certain conditions, you have the right to obtain that Forto permanently delete the personal data about you under processing.
At least one of the following conditions must be fulfilled:
– the personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
– you revoke your consent, on which the processing is based according to Art. 6 (1) lit. a or Art. 9 (2) lit. a GDPR, and there is no other legal basis for the processing;
– you object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR;
– your personal data has been processed unlawfully;
– the deletion of personal data is necessary to fulfil a legal obligation under Union law or the law of the Member States to which we are subject;
– your personal data has been collected in relation to information society services offered in accordance with Art. 8 (1) GDPR.

Sometimes Forto will not be able to fulfil your deletion request, on the grounds of a legal retention period applicable to your personal data or have a legitimate grounds in processing your personal data, which would supersede your right to object to the data processing. These instances are:
– the exercise of the right to freedom of expression and information;
– the fulfilment of a legal obligation that requires processing in accordance with the law of the Union or the Member States to which the data controller is subject, or to perform a task that is in the public interest or in the exercise of official authority vested in the data controller;
– reasons of public interest in the field of public health pursuant to Art. 9 (2) lit. h and i as well as Art. 9 (3) GDPR;
– archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes in accordance with Art. 89 (1) GDPR, insofar as the law referred to is likely to render impossible or seriously impair the achievement of the objectives of such processing; or
– establishment, exercise or defence of legal claims.

If:
– the processing is based on your provided consent or on a contractual obligation; and
– the processing is carried out with automated means;

you have the right to receive the personal data you have provided Forto in a structured, commonly used and machine-readable format and have these data transmitted to another controller of your choice, insofar as this process is technically feasible and does not affect the freedoms and rights of other data subjects.

The right to data portability does not apply if the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority conferred on Forto.

You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data, which is based on public interest or Forto’s legitimate interest. After a successful objection, Forto will no longer process your personal data unless a compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, can be demonstrated, or the processing serves to assert, exercise or defend legal claims.

This is not a particular right on its own, but is rather a specification of the generic right to object described just above.

If Forto processes your personal data for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such advertising. This also applies to any related activity involving profiling. If you object to the processing of your personal data for direct marketing purposes, Forto will no longer process these for such purposes.

These sort of processing activities usually involve your subscription to a newsletter or emailing list: you are not required to send an objection email to our communication channels in order to unsubscribe. In fact, you may easily unsubscribe by following the “Unsubscribe” (or similar wording) link at the bottom of each one of these emails.

You may be asked to provide consent for certain processing activities Forto carries out. You also have the right to withdraw the consents given at any time. An example of how Forto makes this right easy for data subjects to use is represented by the tracking consent banner of Forto’s website: in it, visitors are able to easily toggle the consent settings provided to each category and type of tracking tool deployed on the website.

Withdrawing a previously provided consent does not affect the processing carried out until the moment the communication on the withdrawal of the consent reaches Forto.

Are you not satisfied with the way Forto processes your personal data?

Here at Forto, we are committed to fulfilling your requests and answer your concerns regarding the way Forto processes your personal data.

Regardless, data protection law provides data subjects the right to lodge a complaint with a supervisory authority, without prejudice to any other administrative or judicial remedy against alleged infringements of data protection rights and freedoms. In particular, data subjects may exercise their right of appeal in the Member State of the place of residence, place of work or the place of the alleged infringement has taken place.

For data subjects located in the EEA, an overview of the respective country data protection officers of the countries and their contact details can be found here:
https://edpb.europa.eu/about-edpb/about-edpb/members_en#

The data protection supervisory authority responsible for us may be reached through the following addresses:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59-61
10555 Berlin
Phone: +49 30 13889-0
E-Mail: [email protected]
Homepage: https://www.datenschutz-berlin.de

In addition to the ways Forto may communicate with business partners and customers, which have been mentioned in other sections of this privacy notice, the Controller uses WeChat (Weixin) to communicate with prospective or existing customers located in the People’s Republic of China. For this purpose, the personal profiles of those contacted in WeChat (Weixin) may be processed, as well as any information shared in the communications held on WeChat (Weixin). The information found on individual profiles on WeChat (Weixin) are publicly available. WeChat (Weixin) processes and stores information within the territory of the People’s Republic of China and, to the Controller’s knowledge, does not transfer the processed personal information outside of the territory of the People’s Republic of China.

WeChat (Weixin)’s privacy notice is available at this link: there, data subjects located in the People’s Republic of China may find information on how to exercise their rights established under applicable law, to the extent personal information referring to them is processed using WeChat (Weixin). The table below provides information on the company providing WeChat (Weixin)’s service.

Company name	Company address
Shenzhen Tencent Computer Systems Co.,Ltd.	35/F, Tencent Building, Keji Zhongyi Road, Maling Community, Yuehai Street, Nanshan District Shenzhen, Guangdong, 518057

We do not control how WeChat (Weixin) processes the personal data used to populate personal profiles on its social network or shared in communications. The personal information processed on WeChat (Weixin) on behalf of the Controller does not leave WeChat (Weixin)’s servers due to an action performed by us. As such, the personal information processed on WeChat (Weixin) on the Controller’s behalf is not transferred to a country outside of the People’s Republic of China.

We use Zalo to communicate with prospective or existing customers located in Viet Nam. For this purpose, the personal profiles of those contacted in Zalo may be processed. The information found on individual profiles on Zalo are publicly available. Zalo processes and stores information within the territory of the Socialist Republic of VietNam. Please refer to the information on the table below on how Zalo processes personal data.

Company name	Company address	Data storage locations
VNG Corporation	Z06, Road 13, Tan Thuan Dong Ward, District 7, Ho Chi Minh City	S.38b-39-40 Zone, Road 19, Tan Thuan Dong Ward, District 7, Ho Chi Minh City Helio Building, Lot 6, No. 3 Street, Tan Chanh Hiep Ward, District 12, Ho Chi Minh City

We do not control how Zalo processes the personal data used to populate personal profiles on its social network or shared in communications.

If an obligation to disclose any personal data to a competent law enforcement agency, public authority or other judicial body exists, we will disclose the personal data residing under our control upon receipt of written request from such entities.