hello@ishipto.com
Request A QuoteLogin
iShipTo
Login

Legal

Privacy Policy

Effective May 20, 2026 · v4. The full version users sign in-app. Questions? privacy@ishipto.com

Privacy Policy

Effective date: May 20, 2026 Version: v4 Last reviewed: May 20, 2026

Notice. This is the iShipTo production Privacy Policy, prepared with the care of senior legal staff. Please have qualified counsel review it for your specific jurisdiction and business model before final adoption — privacy law varies materially between US states and between the US, EU/UK, and Canada.

This Privacy Policy (the "Policy") describes how iShipTo (the "Platform"), operated by iShipTo, Inc. ("we", "us", "our"), and the warehouse operator that invited you (the "Operator") collect, use, store, share, and disclose information about you in connection with your use of the iShipTo client portal and related services (collectively, the "Service").

By creating an account or otherwise using the Service you acknowledge that you have read and understood this Policy. If you do not agree with it, do not use the Service.

1. Definitions

  • "Personal Information" means information that identifies, relates to, describes, references, or could reasonably be linked to an identified or identifiable individual or household.
  • "Operator" means the third-party logistics provider (3PL) or warehouse that invited you to the Platform and that physically receives, stores, prepares, or ships your inventory.
  • "Service Provider" means a third party we engage to perform services on our behalf (for example, hosting, email delivery, payment processing) and that is contractually limited to using your Personal Information only for those services.
  • "Process" / "Processing" means any operation performed on Personal Information, including collection, recording, organization, storage, retrieval, use, disclosure, transfer, restriction, erasure, or destruction.

2. Roles: who controls your data

For the Personal Information you submit through the Service, the Operator is the data controller of business records relating to your inventory, orders, invoices, and shipments; we are the data controller of your account credentials, session data, audit logs we generate, and your consent records. We act as a Service Provider (US) or Processor (EU/UK) to the Operator for any data that the Operator stores in the Platform on your behalf.

The Operator's own privacy practices for data stored outside the Platform (for example, on the Operator's internal systems) are governed by the Operator's separate notice, which you should request directly from the Operator.

3. Information we collect

We collect the following categories of Personal Information:

(a) Account information. Name, email address, telephone number, password hash, role assignment (client, operator administrator, operator staff), and tenant association.

(b) Business profile information. Company name, billing email, business address, and any company logo or branding assets you upload.

(c) Inventory and order information. Product catalogs (SKUs, titles, GTINs, dimensions, photographs), purchase orders, outbound orders, shipping labels (including recipient names and addresses from those labels), tracking numbers, and discrepancy reports.

(d) Invoice and payment-reference information. Invoice line items, payment amounts, payment methods (cash, check, bank transfer, card, other), reference numbers (check numbers, transaction identifiers), and payment dates. We do not collect or store full payment card numbers; if card payment is recorded, only the reference number you supply is stored.

(e) Communications. Notes you attach to orders, invoices, and discrepancies; messages sent through the Platform; and email correspondence with us.

(f) Technical and usage information. IP address, browser type and version, operating system, device identifiers, pages visited, actions taken, timestamps, and similar log data. We collect this information automatically when you use the Service.

(g) Consent records. When you accept this Policy and our other legal documents, we record your typed signature, the document key, the document version, the SHA-256 hash of the document content you saw, your IP address, your browser user-agent string, and a timestamp.

4. How we use your information

We use the information we collect to:

  1. Provide, operate, secure, and improve the Service;
  2. Authenticate you and authorize your actions consistent with your role;
  3. Process inventory, orders, shipments, invoices, and payments at the Operator's direction;
  4. Send transactional communications (order confirmations, invitation emails, password resets);
  5. Detect, investigate, and prevent fraud, abuse, security incidents, and violations of our Acceptable Use Policy;
  6. Comply with legal obligations, respond to lawful requests, and enforce our agreements;
  7. Maintain audit logs and consent records as evidence of agreement and authorized activity;
  8. Generate aggregate, deidentified statistics to understand Service usage (such statistics do not identify you).

We do not use your Personal Information for advertising or profiling, and we do not sell your Personal Information.

5. How we share your information

We share Personal Information only as described below:

(a) With the Operator. The Operator can see all data you submit through the Platform that relates to the Operator's tenant, subject to role-based access controls (for example, an Operator's staff cannot see another tenant's data).

(b) With Service Providers we engage to operate the Platform. These currently include: Supabase, Inc. (database, authentication, email delivery), Cloudflare, Inc. (edge compute, content delivery, object storage), Vercel, Inc. (frontend hosting), and Resend, Inc. (transactional email). Each is bound by contractual data-protection terms.

(c) For legal reasons. We may disclose information when required by law, court order, subpoena, or other valid legal process; to enforce our agreements; to protect the rights, safety, or property of any person; or in connection with a government or law-enforcement investigation.

(d) Business transfers. If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction, subject to standard confidentiality protections and continued application of this Policy.

We do not sell or rent your Personal Information to third parties for their own marketing purposes.

6. Data retention

We retain Personal Information for as long as your account is active and for the periods described below, after which we delete or deidentify it unless a longer period is required by law or to resolve disputes:

  • Account, profile, and inventory records: for the life of your account plus 24 months after account closure.
  • Order, shipment, and invoice records: for 7 years after the date of the transaction (US tax-record norm).
  • Consent records: for the life of your account plus 10 years after account closure, to preserve evidence of agreement.
  • Audit logs and security telemetry: for 24 months from the date of the event.
  • Backups: rotated on a 30-day cycle; data deleted from production may persist in backups until the next rotation.

You may request earlier deletion as described in Section 8.

7. Security

We use industry-standard administrative, technical, and physical safeguards designed to protect Personal Information, including TLS 1.2+ for data in transit, encryption at rest for primary databases and object storage, role-based access control with tenant isolation enforced at the database layer, audit logging of state-changing operations, and least-privilege access for our personnel. No security system is perfect; we cannot guarantee absolute security, and you are responsible for safeguarding your account credentials.

8. Your rights

Depending on your jurisdiction, you may have the following rights with respect to your Personal Information. To exercise any of these rights, email privacy@ishipto.com. We will respond within the time required by applicable law (generally 30 to 45 days). We may need to verify your identity before fulfilling a request.

(a) Right to know / access. You may request a copy of the Personal Information we hold about you.

(b) Right to correct. You may request correction of inaccurate or incomplete Personal Information. Many fields are directly editable in your profile.

(c) Right to delete. You may request deletion of Personal Information we no longer need for the purposes described in Section 6. We may decline where retention is required by law or for legitimate business purposes such as fraud prevention or contract enforcement.

(d) Right to portability. You may request your Personal Information in a structured, commonly used, machine-readable format.

(e) Right to opt out. Where applicable law treats any disclosure described in Section 5 as a "sale" or "sharing" of Personal Information, you may opt out by emailing privacy@ishipto.com. We do not sell or share Personal Information for cross-context behavioral advertising.

(f) Right to non-discrimination. We will not deny you the Service, charge you a different price, or provide a different level of service because you exercised any of these rights.

(g) Authorized agent. California residents may use an authorized agent to make requests on their behalf, with written authorization and verification of identity.

(h) Appeal. If we deny a request, you may appeal by emailing privacy@ishipto.com with "Privacy Appeal" in the subject line.

For residents of the European Economic Area, United Kingdom, or Switzerland, the legal bases on which we Process your Personal Information are: performance of a contract (Article 6(1)(b) GDPR), our legitimate interests in operating and securing the Service (Article 6(1)(f) GDPR), and your consent where required (Article 6(1)(a) GDPR). You may also lodge a complaint with your local supervisory authority.

9. International data transfers

The Service is hosted in the United States. If you access the Service from outside the United States, your Personal Information will be transferred to and processed in the United States. Where required by law, we rely on Standard Contractual Clauses or equivalent transfer mechanisms with our Service Providers.

10. Children's privacy

The Service is intended for business use by individuals 18 years of age or older. We do not knowingly collect Personal Information from anyone under 13 (or under the applicable minimum age in your jurisdiction). If we learn that we have collected such information, we will delete it promptly.

11. Cookies and similar technologies

We use strictly necessary cookies to authenticate sessions and maintain user preferences. We do not use cookies for advertising, cross-site tracking, or analytics that fingerprint individual users.

12. Changes to this Policy

We may update this Policy from time to time. When we make a material change we will increment the version number, update the effective date, and prompt you to review and re-accept the updated Policy when you next sign in. Continued use of the Service after the effective date of a revised Policy constitutes acceptance of it.

13. Contact us

iShipTo, Inc. Privacy inquiries: privacy@ishipto.com Postal mail: please request a mailing address by email

For privacy questions specific to your Operator's handling of your data, please contact the Operator directly using the contact information shown in your client portal.