Privacy Policy & Notice

1. Introduction and Scope

This Comprehensive Privacy Policy explains how Cantarell Energy Corp (operating in the United States) and Cantarell Systems S.A.P.I de C.V. (operating in Mexico), collectively referred to as "Cantarell OS," "we," "us," or "our," collect, use, process, disclose, and protect your personal and corporate data.

This policy applies to our websites, mobile applications, IoT terminal integrations, and any other services (collectively, the "Services") that link to this policy. We are committed to protecting your privacy in compliance with applicable laws, including but not limited to the California Consumer Privacy Act (CCPA) and the Mexican Federal Law on Protection of Personal Data Held by Private Parties (Ley Federal de Protección de Datos Personales en Posesión de los Particulares - LFPDPPP).

2. The Data We Collect

We collect information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with you or your business ("Personal/Corporate Data"). This includes:

• Identity and Contact Data: Name, Title, Company Name, Government IDs (e.g., DOT numbers, RFC, MC Numbers), email addresses, physical addresses, and phone numbers.
• Financial and Transactional Data: Bank account details, cross-border payment histories, billing addresses, and credit metrics used for wholesale distribution.
• Operational and Telematics Data: GPS coordinates for fleet tracking, Hours of Service (HOS) logs, IoT sensor data from terminal tanks (temperatures, pressure, volumes), and route optimizations.
• Regulatory Compliance Data: Declarations, pedimentos, USMCA certificates, and permits filed with agencies such as the EPA, CRE, SAT, ASEA, and CBP.
• Technical Data: IP addresses, browser types, operating systems, platform usage sequences, and authentication tokens.

3. Purposes of Data Processing

In accordance with the LFPDPPP and US privacy standards, we outline the specific primary and secondary purposes for processing your data:

Primary Purposes (Necessary for Services):

• To provide, operate, and maintain the Cantarell OS platform, including cross-border fuel logistics tracking and terminal management.
• To process multi-currency transactions and issue digital customs documentation (e.g., Digital Pedimentos).
• To ensure compliance with the 14 monitored regulatory bodies across the US and Mexico (e.g., auto-generating EPA/CRE reports).
• To provide customer support and respond to technical issues.

Secondary Purposes (Requires ongoing consent):

• To analyze platform usage trends to develop new AI-driven route optimizations and trading intelligence features.
• To send promotional communications, market intelligence updates, and feature announcements.

4. ARCO Rights (For Users in Mexico)

Under the Mexican LFPDPPP, you are entitled to exercise your ARCO Rights (Access, Rectification, Cancellation, and Opposition) regarding your personal data.

• Access: Request confirmation of the data we hold about you and how it is used.
• Rectification: Request correction of inaccurate, outdated, or incomplete data.
• Cancellation: Request the deletion of your data when it is no longer required for the purposes outlined, subject to legal retention requirements (e.g., tax or customs laws).
• Opposition: Object to the processing of your data for specific secondary purposes.

To exercise your ARCO rights, please download our ARCO Request Form (available upon request) and email it to privacy@cantarell-os.com. We will respond within the legally mandated 20 business days.

5. Data Sharing and International Transfers

Given the binational nature of our platform, your data may be transferred between the United States and Mexico. By utilizing Cantarell OS, you explicitly consent to cross-border data transfers necessary to execute operations like "Digital Pedimentos" and binational freight matching.

We do not sell your Personal Data. We may share your data strictly with:

• Regulatory Agencies: Only when mandated or explicitly triggered by your compliance workflows (e.g., SAT, CBP, EPA).
• Service Providers: Cloud hosting infrastructure (e.g., Google Cloud, AWS), payment processors, and SMS gateways bound by strict confidentiality agreements.
• Authorized Trading Partners: When you execute a transaction connecting an Exporter to an Importer, the requisite data to fulfill the freight movement is shared between the matched parties.

6. Security Measures

We implement enterprise-grade technical, physical, and administrative security measures designed to protect your data from unauthorized access, destruction, use, modification, or disclosure. This includes end-to-end encryption for transit data (TLS 1.3), AES-256 encryption at rest, secure VPC networking, and strict role-based access controls (RBAC).

7. Contact the Privacy Officer

If you have questions, concerns, or wish to revoke consent or exercise your privacy rights, please contact our Data Protection Office at: