Skip to main content
--:-- LONDON

Legal · Privacy

Privacy Policy

Taurex Freight Ltd is the controller for your personal data. We collect only what we need to ship your goods, comply with HMRC and AML laws, and stay safe — we don't sell data and we honour every UK GDPR right.

Who we are

Taurex Freight Ltd (England and Wales, company no. 16939200, registered at 15 Cooper Street, Leicester, LE4 5BL) is the data controller. Our Data Protection contact is reachable at [email protected].

What we collect

Identity (name, role, signature), contact (email, phone, address), commercial (company, VAT, EORI, IEC, bank), KYC and due-diligence (director ID, beneficial owners, Companies House records, sanctions screening outcomes), shipment (consignee/shipper details, commercial invoices, packing lists, HS codes), technical (IP, device, cookies), communications (emails, portal messages, AI call recordings and transcripts), and marketing preferences. We do not collect special category data in normal operations.

Why we collect it and our lawful basis

Contract (Article 6(1)(b)) to quote, book and execute shipments. Legal obligation (Article 6(1)(c)) for HMRC customs records, Companies House KYC, sanctions screening, AML. Legitimate interest (Article 6(1)(f)) for fraud prevention, credit checks, soft-opt-in marketing to existing customers, service quality. Consent (Article 6(1)(a)) for marketing to new prospects and AI training data use. Legitimate Interest Assessments are available on request.

Who we share with

Carriers and agents (Maersk, MSC, CMA CGM, Hapag-Lloyd, COSCO, ONE, Evergreen, OOCL, HMM, Yang Ming and others) to execute shipments. Customs authorities (HMRC, destination customs). Insurance brokers and underwriters. Banks and payment processors. Trade credit insurers and credit reference agencies. Sanctions and KYC screening providers. Cloud, software and AI voice vendors under written DPAs. Professional advisors. Public authorities when legally required (HMRC, NCA, OFSI, ICO, courts). We do NOT sell personal data.

International transfers

Because freight is international, some data leaves the UK. We use UK adequacy decisions where available; otherwise the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs with a documented Transfer Risk Assessment (per ICO January 2026 guidance). A sub-processor list is available on request.

How long we keep it

Customs records: 6 years (HMRC). AML / KYC: 5 years from end of relationship (Money Laundering Regulations 2017). Contract records: 6 years (Limitation Act 1980). Marketing: until you opt out + 30 days. Website analytics: 14 months. Call recordings: 90 days (service) or 6 months (complaints). Call transcripts: 12 months. Conversation summaries linked to customer: 6 years. AI training data: 24 months (opt-in only). We do NOT store voiceprints. Full schedule at /policies/operational/16-data-retention-policy.md.

Your rights

Under UK GDPR you have rights to access, rectification, erasure (subject to legal-obligation retention), restriction, objection, portability, and to not be subject to solely automated decisions with legal effects (Article 22). Our AI voice assistant gives indicative information only — no binding decisions are made by AI. You can withdraw consent at any time. To exercise any right, email [email protected] — we respond within one month. You can lodge a complaint with the ICO at ico.org.uk/concerns or 0303 123 1113.

How we use Companies House data and the UK Sanctions List

When you create a business account, we use the Companies House public register (via its official API under the Open Government Licence v3.0) to verify your company status, registered address, and director listings. We screen against the UK Sanctions List (published by the FCDO at search-uk-sanctions-list.service.gov.uk — replaced the OFSI Consolidated List on 28 January 2026), plus UN, EU, and OFAC for best-practice cover. Lawful basis is our legal obligation under sanctions and AML law, plus legitimate interest in safe B2B commerce. Records retained 5 years from end of relationship (MLR 2017 reg. 40).

Security and breaches

TLS 1.2+ in transit, AES-256 at rest, role-based access control, MFA, audit logs, regular backups, written contracts with all processors, and staff training. We align with ISO 27001 principles. If we suffer a personal data breach affecting your rights, we tell you and the ICO within 72 hours where required.

Last reviewed 2026-06-06.