Data Protection

01Our approach

Freight Astro identifies and ranks Australian companies likely to ship freight, for B2B sales teams. Because we work mainly with company information from public sources, our posture is to collect openly available business signals, attach clear provenance, exclude anything a client has suppressed, and keep individual-level data out of benchmarks. For how we handle personal information generally, see our Privacy Policy.

02Public-source-first data

We collect company and trade signals from sources that are openly published or that we are licensed to use:

• public registers and directories, such as the TGA ARTG, ABF Trusted Trader listings, trade directories, ACCC recalls, APVMA records, export awards, and public job advertisements;
• companies' own public websites, through a freight-evidence crawler that reads publicly published pages; and
• licensed and key-gated feeds, including an ABR entity resolver, a licensed job-advertisement feed, and a commercial trade-data contract, used within the terms of those licences.

We process limited business-contact information, such as a generic company contact or a publicly listed role, to make a signal actionable for sales teams.

03What we will never touch

We hold a firm line on sources. Freight Astro does not, and will not:

• use leaked, stolen, or private carrier customer data;
• scrape content that sits behind a paid login or paywall;
• access or use confidential ABF or Integrated Cargo System (ICS) cargo data; or
• use dark-web datasets or other illegitimately obtained data.

If a source cannot be obtained lawfully and within its terms, we do not use it.

04Provenance on every signal

Every signal in the platform is traceable. For each one we record where it came from (a source URL or named feed), which adapter produced it, a short supporting excerpt so the claim can be checked, and a freshness date so users know how current it is. This lets clients see the basis for a ranking rather than trusting a black box, and it lets us correct or remove a signal at its source when needed.

05Suppression-first

Clients can give us a suppression list of companies they do not want surfaced, identified by ABN, domain, or company name. We apply suppression before anything is shown, so a suppressed company does not appear in rankings or outputs for that client. Suppression entries are kept for as long as the relationship requires so that exclusions remain in force, and a company or client can ask us to add an entry at any time.

06Anonymised and aggregated benchmarks only

Where carrier intelligence informs benchmarks, we use it only in anonymised, aggregated form. Benchmarks are built from cohorts of at least five so no single company is identifiable, and a PII guard runs at the boundary that fails closed: if it cannot confirm the output is safely aggregated, it blocks the output rather than risk exposure. We do not present identified carrier customer data, and we do not reconstruct individual customers from aggregates.

07Security measures

We maintain technical and organisational measures appropriate to the risk, including:

• encryption of data in transit (TLS) and at rest;
• scoped, authenticated access to production systems, with access logging and least-privilege defaults;
• secret management with key rotation;
• network controls, rate limiting, and monitoring of the Service;
• the fail-closed PII guard on benchmarking outputs; and
• backups and recovery procedures for core data.

No method of transmission or storage is completely secure, so we work to protect data but cannot guarantee absolute security.

08Sub-processors

We rely on a small set of vendors to run the Service, covering hosting and compute, the managed database, caching and job queues, authentication, analytics, and transactional email. Each is bound by a contract requiring it to protect data and to process it only as needed to provide its service to us. A current list, including the regions where each operates, is available on request at [email protected], and we give notice of changes as required so clients can object to a new sub-processor where they have that right.

09International transfers

We may process data in countries other than Australia, including through overseas service providers. Before disclosing personal information overseas we take reasonable steps to ensure it is handled consistently with the Australian Privacy Principles, and where the GDPR applies we rely on an appropriate transfer mechanism such as the Standard Contractual Clauses (with the UK Addendum where relevant) or transfers to countries recognised as adequate, with supplementary measures where needed.

10Data-subject and business requests

We help individuals and companies exercise their rights. You can ask us to confirm what we hold about a company or person, correct a signal that is wrong or out of date, remove or suppress a signal, or delete personal information where the law requires. Because most signals are sourced from public records, many requests are resolved as a correction, suppression, or removal of the specific signal and its provenance. Send requests to [email protected]; we will respond within the time required by law and may need to verify your identity or authority first.

11Breach response

We maintain procedures to detect, assess, and respond to data incidents. If we become aware of a data breach likely to cause serious harm, we will act in line with the Notifiable Data Breaches scheme under the Australian Privacy Act, including notifying affected individuals and the OAIC where required, and we will notify affected clients without undue delay and give them the information they reasonably need to meet their own obligations.

12Contact

For data-protection questions, sub-processor or DPA requests, suppression requests, or to report a concern, contact Freight Astro at [email protected].