Privacy Policy — SvitloCheck
Last updated: 9 June 2026
SvitloCheck is a carrier-verification and payment-risk service operated by Hight.io BV, a company registered in Belgium (enterprise number BE 0755752140), with registered office at Da Vincilaan 1, Brussels Airport Corporate Village, 1930 Zaventem, Belgium (Hight.io, we, us, our).
This Privacy Policy explains how we collect and process personal data when you use the SvitloCheck website, web application, and messaging channels (collectively, the Service). It is written to comply with the EU General Data Protection Regulation (GDPR) and Belgian data-protection law.
We are the data controller for the personal data described in this policy, except where we act as a processor on behalf of our business customers (see Section 8).
1. Two kinds of data we handle
SvitloCheck processes two distinct categories of personal data, and it is important to understand the difference:
(a) Data about you, our user. If you are a freight forwarder, broker, or other business user of SvitloCheck, we process data about you and your use of the Service (your account details, the checks you run, billing information).
(b) Data about the carriers and entities you check. When you submit a company (for example by VAT number, company name, IBAN, or vehicle plate) to be verified, we process information about that company — and, where the verification involves named individuals (for example a company director, transport manager, or a person appearing on a sanctions list), that information may constitute personal data of someone who is not our user. We explain the lawful basis for this in Section 4.
2. Personal data we collect
From you, the user:
- Account and contact data: name, business email address, company name, phone number, and (for the WhatsApp/messaging channels) the phone number you contact us from.
- Usage data: the verification queries you submit, results returned, timestamps, and logs needed to operate and secure the Service.
- Billing data: where the Service is paid, billing contact and transaction records (we do not store full card numbers; payments are handled by a payment provider).
- Technical data: IP address, browser/device information, and similar data collected automatically to operate and protect the Service.
About the entities you check (which may include personal data of third parties):
- Company identity data (name, registration/VAT number, address, legal form, activity codes, registration status).
- Operator-licence data, where available from official transport registers.
- Vehicle registration (plate) data, where you supply it or where it appears on an official licence record.
- Bank/IBAN data you submit for payment-risk verification.
- Names of directors or transport managers, where returned by official company or licence registers.
- Sanctions and watchlist data — the names and related details of persons and entities appearing on official sanctions lists (see Section 5).
3. How we use personal data
We use personal data to:
- provide the verification Service you request and return results;
- create and administer your account and authenticate you;
- operate, secure, monitor, debug, and improve the Service;
- carry out the specific checks you initiate (company registry, VAT, IBAN, operator licence, vehicle plate, and sanctions/watchlist screening);
- communicate with you about the Service, including via the messaging channel you choose to use; and
- comply with our legal obligations and enforce our terms.
We do not sell personal data, and we do not use it for advertising.
4. Lawful bases for processing
We rely on the following GDPR lawful bases:
- Performance of a contract (Art. 6(1)(b)) — to provide the Service to you and administer your account.
- Legitimate interests (Art. 6(1)(f)) — to operate, secure, and improve the Service, and to carry out the carrier-verification checks that are the core purpose of SvitloCheck. Verifying the identity, registration, licensing, and risk status of a business counterparty is a legitimate commercial interest of our users (preventing fraud and ensuring they contract with bona fide, authorised carriers), and of the wider goal of integrity in the road-freight market. We have balanced this interest against the rights of the individuals whose data may appear in results; the data we process for this purpose is limited to business-relevant identity, registration, licensing, and risk information, much of it already published in official public registers.
- Compliance with a legal obligation (Art. 6(1)(c)) — where we must process data to meet legal requirements (for example, retaining records, or where screening obligations apply).
- Consent (Art. 6(1)(a)) — where we ask for it specifically (for example certain optional communications). You can withdraw consent at any time.
Where we process the personal data of directors, transport managers, or persons named on sanctions lists, we rely on legitimate interests and (for sanctions data) the public-interest and legal-compliance context in which such lists are published and used.
5. Sanctions and watchlist screening
The Service can screen a company or person's name against official sanctions and watchlist sources (for example the European Union consolidated financial sanctions list). This screening:
- uses data published by official bodies for the express purpose of sanctions compliance;
- is provided as a screening aid to help our users meet their own compliance obligations — it is not a definitive legal determination, and a possible match must be reviewed by the user; and
- may produce name-based matches that require human verification (a name resembling a listed entity is not proof that the two are the same person).
We do not add anyone to a sanctions list; we only check against lists maintained by competent authorities.
6. Where the data comes from
Much of the company, licence, and sanctions data we return does not come from you — it comes from official and public sources, including:
- the EU VAT Information Exchange System (VIES);
- national company and business registers;
- national road-transport operator-licence registers;
- official consolidated sanctions lists; and
- public company-identifier sources (such as the Global Legal Entity Identifier system).
We query these sources to fulfil the verification you request.
7. Sharing and sub-processors
We share personal data only as needed to run the Service:
- Infrastructure and hosting: Amazon Web Services (AWS), hosting our application in the EU (Frankfurt / eu-central-1 region).
- Database: Supabase, used to store reference data and application data.
- Messaging channel: Meta Platforms, where you choose to use the WhatsApp channel (your messages to and from the Service pass through WhatsApp's infrastructure under Meta's own terms and privacy policy).
- Payment provider: where the Service is paid, a third-party payment processor handles transactions.
- Official data sources: as listed in Section 6, to perform the checks.
- Professional advisers and authorities: where required by law.
These providers act as our processors (or, like Meta, as independent controllers for their own platform) under appropriate data-processing terms. We do not sell or rent personal data to anyone.
8. When we act as a processor
Where SvitloCheck is used by a business customer under a separate agreement, and we process personal data on that customer's behalf and on their instructions, the customer is the controller and we act as the processor. In that case, our processing is governed by the data-processing terms in that agreement, which take precedence over this policy for that data.
9. International transfers
We aim to keep personal data within the European Economic Area (our hosting is in the EU). Where a provider (for example Meta, for the WhatsApp channel, or a payment provider) processes data outside the EEA, that transfer is protected by appropriate safeguards such as the European Commission's Standard Contractual Clauses or an adequacy decision.
10. How long we keep data
We keep personal data only as long as necessary for the purposes described:
- Account data: for as long as your account is active, and a reasonable period afterwards.
- Verification queries and results: for a limited period to provide the Service, support you, secure the system, and meet legal obligations, after which they are deleted or aggregated.
- Reference data (such as sanctions and registry data from official sources) is refreshed and superseded as the source updates.
- Billing records: for the period required by law (in Belgium, generally up to 7–10 years for accounting records).
11. Your rights
Under the GDPR you have the right to: access your personal data; have it corrected; have it erased; restrict or object to processing; data portability; and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with a supervisory authority — in Belgium, the Gegevensbeschermingsautoriteit / Autorité de protection des données (www.gegevensbeschermingsautoriteit.be).
To exercise any of these rights, contact us at the address in Section 13. Note that where data about a third-party company or individual was returned from an official public register, the authoritative record is held by that register, and corrections to source data must be made there.
12. Security
We use technical and organisational measures appropriate to the risk, including encryption in transit, access controls, EU-based hosting, and least-privilege access to systems. No system is perfectly secure, but we work to protect personal data against unauthorised access, loss, or misuse.
13. Contact
Hight.io BV
Da Vincilaan 1, Brussels Airport Corporate Village
1930 Zaventem, Belgium
Enterprise number: BE 0755752140
Email: privacy@svitlocheck.com
14. Changes to this policy
We may update this Privacy Policy from time to time. We will post the updated version here and change the "Last updated" date above. Material changes will be communicated where appropriate.