Steliux Logistics Ltd. ("Steliux", "we", "us", "our") is the data controller responsible for personal data collected through our website at steliux.com, our investment platform at i.steliux.com, our shipment tracking portal, and all related mobile and API services.

We operate a global freight and logistics network spanning 200+ countries, offering air, sea, and road freight, warehousing, customs brokerage, and Secure Elite consignment services. Our investment platform provides logistics-linked investment products to eligible participants.

We collect personal data only to the extent necessary to provide our services. The categories of data we may collect include:

• Identity data — full name, date of birth, government-issued ID (for KYC/AML compliance on investment accounts)
• Contact data — email address, phone number, postal address, billing address
• Shipment data — sender and recipient details, parcel contents descriptions, tracking numbers, delivery instructions, proof-of-delivery records
• Financial data — payment card details (tokenised via PCI-DSS compliant processors), bank account information, transaction history
• Investment data — portfolio holdings, investment preferences, risk profile, source of funds declarations
• Technical data — IP address, browser type and version, device identifiers, operating system, referral source, time zone, page interaction data
• Usage data — pages visited, features used, search queries, click paths, session duration
• Communications data — records of correspondence with our support, sales, and compliance teams

We do not knowingly collect sensitive personal data (health, religion, ethnicity, biometrics) except where explicitly required by customs regulations or Secure Elite service verification, in which case your explicit consent will be sought.

We process personal data for the following purposes:

• To create and manage your Steliux account and authenticate your identity
• To book, process, track, and deliver shipments on your behalf
• To calculate shipping costs, duties, taxes, and issue invoices
• To facilitate customs clearance and comply with export/import regulations
• To onboard you onto our investment platform and manage your portfolio
• To comply with KYC, AML, and financial crime prevention obligations
• To send service notifications, delivery alerts, and billing communications
• To improve our platform through analytics, A/B testing, and user research
• To detect, investigate, and prevent fraud, abuse, or security incidents
• To send marketing communications where you have opted in (you may unsubscribe at any time)
• To meet legal, regulatory, and contractual obligations

Where the GDPR or equivalent data protection laws apply, we process your personal data on the following legal bases:

Steliux does not sell your personal data to third parties. We may share your data with the following categories of recipients strictly as necessary to deliver our services:

• Courier and freight partners — DHL, FedEx, UPS, Maersk, Aramex, and our 250+ carrier network, to execute shipments
• Customs authorities — government agencies in origin, transit, and destination countries as required by law
• Payment processors — PCI-DSS certified processors to handle card and bank transactions securely
• KYC/AML providers — identity verification and fraud screening services for investment platform onboarding
• Cloud and infrastructure providers — hosting, storage, and technical infrastructure partners operating under data processing agreements
• Analytics providers — anonymised or pseudonymised usage data shared with analytics tools to improve platform performance
• Legal and regulatory bodies — where required by court order, law enforcement request, or regulatory directive

All third-party processors are bound by data processing agreements that require them to handle your data in accordance with applicable privacy laws and Steliux's instructions.

Steliux operates globally. Your personal data may be transferred to and processed in countries outside your country of residence, including countries that may not provide the same level of data protection as your home jurisdiction.

Where we transfer data outside the European Economic Area (EEA) or other regions with data transfer restrictions, we ensure appropriate safeguards are in place, including:

• European Commission adequacy decisions for qualifying countries
• Standard Contractual Clauses (SCCs) approved by the European Commission
• Binding Corporate Rules for intra-group transfers where applicable
• Derogations for specific situations, such as execution of a shipment contract

Our website and platforms use cookies and similar technologies to operate core functionality, remember your preferences, and analyse usage patterns. Cookies are categorised as follows:

You can manage or withdraw your cookie consent at any time via our Cookie Preferences panel, accessible from the footer of any Steliux page. You may also configure your browser to block or delete cookies, though this may affect platform functionality.

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our standard retention periods are as follows:

When data is no longer required, it is securely deleted or anonymised. Physical documents containing personal data are shredded in accordance with our data destruction policy.

Depending on your country of residence, you may hold some or all of the following rights regarding your personal data:

To exercise any of these rights, submit a request to privacy@steliux.com. We will respond within 30 days (extendable by a further 60 days for complex requests). We may need to verify your identity before processing your request. There is no charge for making a request, though we may charge a reasonable fee for manifestly unfounded or repetitive requests.

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. Our security practices include:

• TLS encryption for all data in transit across our platforms and APIs
• AES-256 encryption for sensitive data at rest, including financial and KYC records
• Role-based access controls limiting employee access to data on a strict need-to-know basis
• Regular penetration testing, vulnerability assessments, and security audits by independent third parties
• Multi-factor authentication enforced on all internal systems and admin accounts
• ISO 27001-aligned information security management framework
• Incident response procedures with regulatory notification within 72 hours of discovering a qualifying breach

Despite our measures, no system is completely immune to risk. If you suspect your account has been compromised, contact us immediately at security@steliux.com.

Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that a minor has provided us with personal data, we will take steps to delete that data promptly.

If you believe a minor has submitted personal data through our platform, please contact us at privacy@steliux.com so we can investigate and act accordingly.

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, or data practices. Material changes will be communicated via email to registered users or via a prominent notice on our website at least 14 days before taking effect.