Privacy Policy

Dear User,

 

this privacy policy provides you with information on the processing of your personal data carried out through our website not only to comply with the obligations imposed by the Laws on the protection of personal data - Regulation (EU) 2016/679 (hereinafter "GDPR"), D.Lgs 196/2003, as updated by D.Lgs 101/2018 (or "Codice per la protezione dei dati personali") and the relevant measures of the Data Protection Authority - but also because ShippyPro believes that the protection of personal data is a fundamental value of its business and wishes to provide any information that may help you protect your privacy and control the use that is made of personal data when you browse the site shippypro.com (hereinafter the "Site").

 

1. Contacting us

The Data Controller is ShippyPro by Italian Valley S.r.l. based in Piazza Francesca Morvillo 15, CAP 50122, Firenze (FI) Italy. For questions about this privacy policy, or our use of your personal information, cookies or similar technologies, please contact us by email at [email protected]. Please note that when you contact us to assist you, for your safety and ours we may need to authenticate your identity before fulfilling your request.

 

2. Data source

The personal data being processed are mainly provided by you, when you browse the Site or use the services made available. This policy analyzes the personal data processed in the various sections of the Site and regulates only the personal data processing activities carried out on the Site and not for other websites to which you may be redirected.

 

3. Data, purposes and legal basis for each website section

 

3.1 General navigation, log and interaction data

 

3.1.1 Navigation and log data

 

3.1.1.1 Data

IP addresses, pages visited, cookies related to the Site as per Cookie Policy, browser and operating system versions, log data, data relating to installation and configuration licenses.

 

3.1.1.2 Purposes

To enable you to browse our website and provide any of its features.

In particular:

  • - We use data from IP addresses, requested URL and User Agent (e.g. browser and operating system versions) to provide security features through our Web Application Firewall, CloudFlare
  • - We use technical cookies as per our Cookie Policy to provide you access persistency across HTTP requests (“Session”)
  • - We use data from recordings and interactions carried out with the Site to troubleshoot issues and resolve technical issues with the Site (bugs)

3.1.1.3 Legal basis

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

(Article 6 (1)(b) GDPR).

 

3.1.1.4 Essentiality

Consenting to the treatment of general navigation data is necessary if you want to navigate and interact with our website. The withdrawal of the consent to the treatment of the data referred to in paragraph 3.1.1.1 would prevent you from browsing this website in all its parts.

 

3.1.1.5 Sub-processors for this data

- CloudFlare Inc.
- Amazon Web Services EMEA SARL
- Sentry
- Catamorphic Co. DBA LaunchDarkly
- KeyCDN (Proinity LLC)

 

3.1.2 Interaction data

 

3.1.2.1 Data

Data relating to recordings carried out, interaction and transaction processes, performance indicators, data relating to browsing flows and page views, usage of features and counts.

 

3.1.2.2 Purposes

To understand feature relevancy and effectively market the Site across platforms.

 

In particular:

  • – We use data from the sequence of requested URLs (browsing flows and page views) to understand which pages were used during the history of a particular feature usage, and use cookies as per our Cookie Policy to distinguish users from each other
  • – We use data from recordings and interactions carried out with the Site to understand what features are relevant to users
  • – We use cookies as per our Cookie Policy to effectively advertise the Site across various platforms
  •  

3.1.2.3 Legal basis

The data subject has given consent to the processing of his or her personal data.

(Article 6(1)(a) GDPR).

 

3.1.2.4 Essentiality

Your personal data is necessary and mandatory only for the aforementioned purpose. The withdrawal of the consent to the treatment of the data would prevent us from effectively marketing the Site and improve its current features.

 

3.1.2.5 Sub-processors for this data

- AutopilotHQ Inc
- Delighted LLC
- Google Ireland Limited
- Facebook Ireland Limited
- Hotjar Ltd
- Hootsuite Inc
- Hubspot
- Intercom R&D Unlimited Company
- Mailchimp c/o The Rocket Science Group, LLC
- Mailgun Technologies Inc
- Messagenet S.p.A.
- Microsoft Ireland Operations Ltd.
- Tooltip
- TYPEFORM S.L.
- Zendesk Inc

 

3.2 Contact

 

3.2.1 Data

First name, last name, email, phone, company name, reason for contact, monthly shipment volume and any other information you enter in the request form, in the chat provided or via email.

 

3.2.2 Purposes

To provide you with explanations and clarifications requested by you in relation to ShippyPro products.

 

3.2.3 Legal basis

The data subject has given consent to the processing of his or her personal data.

(Article 6(1)(a) GDPR).

 

3.2.4 Essentiality

Your personal data is necessary and mandatory only for the aforementioned purpose and only if you’ll use these features. The withdrawal of the consent to the treatment of the data referred to in paragraph 3.2.1 would prevent us from reaching out in response to your contact request.

 

3.2.5 Sub-processors for this data

  • - CloudFlare Inc.
  • - Amazon Web Services EMEA SARL
  • - Sentry
  • - Calendly LLC
  •  

3.3 Work with us

 

3.3.1 Data

First name, last name, email, CV and cover letter.

 

3.3.2 Purposes

To consider your application.

 

3.3.3 Legal basis

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

(Article 6 (1)(b) GDPR).

 

3.3.4 Essentiality

Your personal data is necessary and mandatory only for the aforementioned purpose. Any refusal to provide them would prevent us from considering your application.

 

3.3.5 Sub-processors for this data

  • - CloudFlare Inc.
  • - Amazon Web Services EMEA SARL
  • - Sentry
  •  

3.4 Partnerships

 

3.4.1 Data

First name, last name, email, phone number, company name, company website, type of partner, reason for contact, monthly shipping volume and any other information you enter in the request form.

 

3.4.2 Purposes

To consider the viability of a partnership with our Company.

 

3.4.3 Legal basis

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

(Article 6 (1)(b) GDPR).

 

3.4.4 Essentiality

Your personal data is necessary and mandatory only for the aforementioned purpose and only if you’ll use these features. The withdrawal of the consent to the treatment of the data referred to in paragraph 3.4.1 would prevent us from considering the viability of a partnership.

 

3.4.5 Sub-processors for this data

  • - IT Infrastructure:
  • CloudFlare Inc.
  • Amazon Web Services EMEA SARL
  • Sentry
  •  
  • - CRM & Engagement platforms:
  • - Hubspot
  •  

3.5 Shipping Automation

 

3.5.1 Included services

  • - Label Creator ®
  • - Label Design
  • - Rate Comparison
  • - Shipping documents
  • - Shipping rules
  • - Routing optimizer
  • - Live Checkout ®
  •  

3.5.2 Shipment recipient data

 

3.5.2.1 Data

Full name, email, phone number, delivery address, shipment content and value, optionally company name.

 

3.5.2.2 Purposes

To allow your partner parcel carriers to deliver shipments to the correct recipient.

 

3.5.2.3 Legal basis

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

(Article 6 (1)(b) GDPR).

 

3.5.2.4 Essentiality

Your customers personal data is necessary and mandatory only for the aforementioned purpose and only if you’ll use these features. The withdrawal of the consent to the treatment of the data referred to in paragraph 3.5.2.1 would prevent us from providing the requested services part of the Shipping automation features - for instance but not limited to printing shipping labels, booking the pick up of a shipment by the parcel carrier, comparing rates between different carriers, organizing shipment documents, automating logistic flows via ShippyPro Shipping Rules, merge orders that should be delivered to the same customer, and augment the checkout on the configured order sources.

 

3.5.2.5 Sub-processors for this data

  • - IT Infrastructure:
CloudFlare Inc.
  • Amazon Web Services EMEA SARL
  • Sentry
  •  
  • - Parcel carriers:
  • Your partner parcel carrier handling the shipment
  • If Rate Comparison is used, all your partner parcel carriers eligible to handle the shipment
  •  
  • - Order sources:
  •  Your configured order source which originated the order
  •  

3.5.3 Shipment sender data

 

3.5.3.1 Data

Full name, email, phone number, pick-up address, shipment content and value, company name.

 

3.5.3.2 Purposes

To allow your partner parcel carriers to pick up shipments.

 

3.5.3.3 Legal basis

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

(Article 6 (1)(b) GDPR).

 

3.5.3.4 Essentiality

Your personal data, or of your employees, is necessary and mandatory only for the aforementioned purpose and only if you’ll use these features. The withdrawal of the consent to the treatment of the data referred to in paragraph 3.5.3.1 would prevent us from providing the requested services part of the Shipment Automation features - for instance but not limited to printing shipping labels, booking the pick up of a shipment by the parcel carrier, comparing rates between different carriers, organizing shipment documents, automating logistic flows via ShippyPro Shipping Rules, merge orders that should be delivered to the same customer, and augment the checkout on the configured order sources.

 

3.5.3.5 Sub-processors for this data

  •  
    • - IT Infrastructure:
    CloudFlare Inc.
    • Amazon Web Services EMEA SARL
    • Sentry
    •  
    • - Parcel carriers:
    • Your partner parcel carrier handling the shipment
    •  
    • - Order sources:
    •  Your configured order source which originated the order
    •  

3.6 Delivery experience

 

3.6.1 Included services

  • - Track & Trace ®
  • - Email notifications
  • - SMS notifications
  • - WhatsApp notifications
  • - Recommended products
    - Tracking page
  •  

3.6.2 Shipment recipient data

 

3.6.2.1 Data

Full name, email, phone number, delivery address, shipment content and value, optionally company name.

 

3.6.2.2 Purposes

To provide updates on the delivery progress to the shipment recipient.

 

3.6.2.3 Legal basis

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

(Article 6 (1)(b) GDPR).

 

3.6.2.4 Essentiality

Your customers personal data is necessary and mandatory only for the aforementioned purpose and only if you’ll use these features. The withdrawal of the consent to the treatment of the data referred to in paragraph 3.6.2.1 would prevent us from providing the requested services part of the Delivery experience features - for instance but not limited to sending emails to update the user, sending SMS messages to update the user, sending WhatsApp messages to update the user, including your configured products in tracking email messages, supplying a script through which your customers may find out the status history of their shipment.

 

3.6.2.5 Sub-processors for this data

  • - IT Infrastructure:
  • CloudFlare Inc.
  • Amazon Web Services EMEA SARL
  • Sentry
  •  
  • - Parcel carriers that offer direct tracking APIs to us:
  • Your partner parcel carrier handling the shipment
  •  
  • - Parcel carriers that do not offer direct tracking APIs to us:
  • If the shipment is handled by SFExpress: 17TRACK DEMON NETWORK TECH CO., LIMITED
  • If the shipment is handled by Royal Mail: INTERSOFT SYSTEMS & PROG LTD
  •  
  • - Order sources:
  •  Your configured order source which originated the order
  •  

3.7 Return management

 

3.7.1 Included services

  • - Easy Return ®
  • - Return form
  • - Return label in the box
  •  

3.7.2 Shipment recipient data

 

3.7.2.1 Data

Full name, email, phone number, delivery address, shipment content and value, optionally company name.

 

3.7.2.2 Purposes

To easily generate shipping labels and book shipment pick-up appointments through which your customers may return the merchandise they’ve purchased from your company.

 

3.7.2.3 Legal basis

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

(Article 6 (1)(b) GDPR).

 

3.7.2.4 Essentiality

Your customers personal data is necessary and mandatory only for the aforementioned purpose and only if you’ll use these features. The withdrawal of the consent to the treatment of the data referred to in paragraph 3.7.2.1 would prevent us from providing the requested services part of the Return management features - for instance but not limited to creating shipment return labels, supplying a script through which your customers may issue a request for a return shipment, creating a shipping label to insert in the shipped parcel to potentially request a return shipment at a later time.

 

3.7.2.5 Sub-processors for this data

  • - IT Infrastructure:
  • CloudFlare Inc.
  • Amazon Web Services EMEA SARL
  • Sentry
  •  
  • - Parcel carriers
  •  Your partner parcel carrier handling the shipment
  •  
  • - Order sources
  •  Your configured order source which originated the order
  •  

3.8 Support tools

 

3.8.1 Included services

  • - Support chat
  • - Help center
  • - Incident response tools
  • - Project management tools
  • - Code change management tools
  •  

3.8.2 Data

Full name, email, phone number, delivery address of any shipment pertaining to the reported issue.

 

3.8.3 Purposes

To provide you with a self-service help center, respond to your support requests, and when needed implement any code change to address any technical issue brought to light by your requests.

 

3.8.4 Legal basis

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

(Article 6 (1)(b) GDPR).

 

3.8.5 Essentiality

Your customers personal data is necessary and mandatory only for the aforementioned purpose and only if you’ll use these features. The withdrawal of the consent to the treatment of the data referred to in paragraph 3.8.1 would prevent us from providing the requested services part of the Support tools features - for instance but not limited to responding to your support requests, providing the self-service help center, or deploy the relevant code changes to address the issue you could have reported.

 

3.8.6 Sub-processors for this data

  • - To provide the help center:
  • Intercom R&D Unlimited Company
  •  
  • - To receive and respond to your support requests:
  • Hubspot
  •  
  • - To handle code changes:
  • Atlassian Pty Ltd
  • DigitalOcean LLC
  • GitHub, Inc.
  • Slack Technologies Limited
  •  

3.9 Invoicing, payments and contract signing

 

3.9.1 Data

Full name, email, phone number, company name and other data relevant to the payment or contract.

 

3.9.2 Purposes

To accept your online payments for the services of the Site, to create invoices for the due or fulfilled payments for the services of the Site, to offer you an online signing tool for contracts involving the Site.

 

3.9.3 Legal basis

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

(Article 6 (1)(b) GDPR).

 

3.9.4 Essentiality

Your personal data is necessary and mandatory only for the aforementioned purpose and only if you’ll use these features. The withdrawal of the consent to the treatment of the data referred to in paragraph 3.9.1 would prevent us from providing the requested services part of the Invoicing, payments and contract signing features - for instance but not limited to accepting your online payments, generate invoices for the services of the Site, or digitally signing legally binding contracts with the company operating the Site.

 

3.9.5 Sub-processors for this data

  • - Payments and invoicing:
  • Stripe
  • TEAMSYSTEM S.p.A.
  •  
  • - Digitally signing contracts
  • DocuSign
  • PandaDoc, Inc.
  •  

4. Cookies

You can freely decide whether to accept cookies and other tracking technologies that are not strictly necessary for the functioning of this website. To know how we process your personal data through the use of cookies or other similar technologies, see the Cookie Policy.

 

5. Data storage and protection

We will store your personal data for as long as necessary to fulfill the purposes set out above, except where retention for a longer period is necessary to comply with applicable legislation or requests received from competent authorities. Personal data that we process on the basis of your consent is retained until your consent is revoked.

The data collected by the Site are mainly processed electronically using software and computer procedures suitable to ensure the technical and computer security measures.

 

5.1 Amazon customers data

In compliance with the Amazon Marketplace Developer Agreement, the Amazon Data Retention and Recovery guidelines (https://developer-docs.amazon.com/sp-api/docs/protecting-amazon-api-applications-data-encryption-and-recovery), and the Amazon Services API Data Protection Policy (https://sellercentral.amazon.com/mws/static/policy?documentType=DPP), PII from Amazon customers will be anonymized 30 solar days after the shipment delivery.

 

Furthermore, we only use Amazon data pertaining to Shipment and Tax features, and the latter only to cross-reference order numbers and generate invoices for the customers explicitly requiring said service.
Should the company operating the Site undergo any organizational change or be affected by any event that will necessitate a change in the need or scope of use of this information we will notify Amazon within 30 solar days via email at 
[email protected].

 

5.2 Customer profile impersonation

In order to provide you the support you may have required from our staff we may have to impersonate your profile, and access your account data. This chapter aims at clarifying when this may be necessary, what data will be visible to the staff member operating the impersonation, and what measures have been put in place to ensure the accountability of all actions taken during such an impersonation.

 

5.2.1 Conditions for impersonation

Staff members are allowed to impersonate Customers only upon an explicit and contingent request by the Customer: any other impersonation is expressly prohibited from the Terms of Employment.

 

5.2.2 Impersonation data scope

Impersonation implies that the system presents the same data to the impersonating staff member as it would to the Customer: therefore, all data will be accessible including the following:

  1. 1. Your integration configurations, which account for the vast majority of cases where impersonation is needed.
  2. 2. Your profile configurations, where a consistent minority of other issues requiring impersonation to troubleshoot often present themselves.
  3. 3. The shipment recipient orders data, which is only going to be needed under exceedingly rare circumstances.
  4.  

Please note that impersonating staff members must not access data that isn’t potentially useful to providing you assistance.

 

5.2.3 Measures to ensure legitimacy of impersonation

In order to hold every eligible staff member accountable for the actions they take when impersonating a Customer, all actions undertaken are logged and retained in a pseudonymized form for 19 months.

Should you feel any issue has arisen as a consequence of an action performed by a ShippyPro staff member during their impersonation of your profile, feel free to contact us at [email protected].

 

6. Data transfer outside the EU

The personal processed data may also be transferred to third countries or sites outside the European Economic Area (EEA). In these cases, if it become necessary to transfer data to a third country located outside the EEA, ShippyPro guarantees that such transfer will take place only in the presence of an adequacy decision by the European Commission or other appropriate guarantees provided for by the Laws on the protection of personal data (such as, for example, the stipulation of standard contractual clauses with the subject who will receive the data and who must in any case guarantee that the user's personal data is subject to the same level of protection guaranteed by ShippyPro).

 

7. Sharing your personal data

The data can be accessed exclusively under Article. 29 GDPR by authorized individuals duly trained (e.g. staff and employees are responsible for providing feedback to requests for contact made by users).

We will never sell your personal data, or the personal data for your customers.

The data may be accessed also, as independent data controllers or managers under Art. 28 GDPR, by professionals and consultants appointed by the Data Controller. To obtain an up-to-date list of the subjects who may become aware of your personal data, please contact us by e-mail at [email protected], taking care to specify the reason for the request.

 

8. Data protection rights

You can request access to your personal information or correct or update out-of-date or inaccurate personal information we hold about you. You may also request that we delete personal information that we hold about you.

You can object to processing of your personal information, ask us to restrict the processing of your personal information or request portability of your personal information; if we have collected and processed your personal information with your consent, then you can withdraw your consent at any time; withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.

You also have the right to lodge a complaint with a Data Protection Authority about our collection and use of your personal information, in particular in the Member State in which you habitually live or work or in the place where the alleged violation took place.

If you wish to exercise any of these rights, you can write an e-mail to [email protected].

 

9. Changes and updates

This policy may be subject to modification also as a consequence of any regulatory changes. We kindly invite you to periodically review this Privacy Policy for the latest information on our privacy practices.

 

10. Full sub-processors list

The most updated full sub-processors list, that is the list of all data sub-processors regardless of which feature they pertain to, may be found at https://www.shippypro.com/en/legal/privacy/sub-processors/. Within that list, for each sub-processor you may find a summary description of the data treatment purpose they fulfill, and the country they operate from (represented with the matching ISO-3166-2 code).

 

This does not mean that each of those companies gets all of your data, quite the opposite - most of them will never receive any PII pertaining to you or your customers from us. Taking “17TRACK DEMON NETWORK TECH CO., LIMITED“ as an example, they will receive your PII and/or that of your customers if and only if you make use of the shipment tracking features after dispatching a shipment with the carrier SFExpress, and they will receive only the data pertaining to that shipment.

 

11. Intellectual property

This policy is an intellectual property of the company operating the Site, Italian Valley S.r.l., with registered number 06587610483, hereafter the “Company”, and is distributed with the sole purpose of informing on the privacy practices of the Company.

 

This policy should be considered an integral part of the Software as defined in the Terms & Conditions, and as such any reproduction, in whole or otherwise, is against the Terms & Conditions of the Site and is explicitly forbidden.