Privacy & Data Handling Policy

Last Updated: March 2026

DARGO TECH, INC ("we," "us," or "our") operates BuyShipping (buyshipping.app), a web application that helps e-commerce sellers purchase shipping labels for seller-fulfilled orders across Amazon, Walmart, Wayfair, and Shopify. This Privacy & Data Handling Policy describes how we collect, process, store, use, share, and dispose of information, including data accessed through marketplace APIs such as the Amazon Selling Partner API ("SP-API").

1. Information We Collect

We collect and process the following categories of information:

  • Account Information: Your name, email address, company name, and password when you register for a BuyShipping account.
  • Marketplace Account Information: Seller name, marketplace identifiers, and account settings provided through OAuth authorization processes (Amazon, Walmart, Wayfair, Shopify).
  • Order Information: Order details including order IDs, product information, quantities, and order status retrieved via marketplace APIs.
  • Personally Identifiable Information (PII): Buyer name and shipping address, accessed solely for the purpose of generating shipping labels to fulfill seller-fulfilled orders.
  • Shipment Information: Package dimensions, weight, carrier and service selections, tracking numbers, and shipping labels.
  • Payment Information: Billing details processed through Stripe. We do not store credit card numbers on our servers.

2. How We Use Information

All information accessed through marketplace APIs is used exclusively to support authorized sellers' businesses. Specifically, we use information to:

  • Retrieve unfulfilled seller-fulfilled orders for display in our application.
  • Apply pre-configured package settings and request shipping rate quotes.
  • Purchase shipping labels on behalf of the seller through each platform's native shipping service.
  • Deliver shipping labels and sync tracking information back to the seller's orders.
  • Provide account management, billing, and customer support services.

We do not use marketplace information for marketing, advertising, analytics unrelated to the seller's shipping operations, or any purpose beyond the functionality described above.

3. Personally Identifiable Information (PII)

We access buyer PII (name and shipping address) solely for the purpose of generating shipping labels to fulfill orders. PII is subject to the following strict controls:

  • Purpose Limitation: Buyer PII is used exclusively for shipping label generation. It is never used for marketing, buyer targeting, analytics, or any other purpose.
  • Retention: PII is retained for no longer than 30 days after order shipment. After this period, PII is permanently and securely deleted in accordance with NIST 800-88 sanitization standards. PII may only be retained beyond 30 days if required by applicable tax or regulatory law.
  • Encryption: All PII is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher.
  • Access Control: Access to PII is restricted to authorized personnel on a need-to-know basis following the principle of least privilege.

4. Data Storage and Security

We maintain physical, administrative, and technical safeguards to protect all information we access. Our security measures include:

  • Network Protection: Firewalls, intrusion detection and prevention systems (IDS/IPS), anti-virus and anti-malware tools, and network segmentation.
  • Access Management: Unique user accounts for all personnel, multi-factor authentication (MFA) required for all accounts, role-based access controls, and account lockout after 10 unsuccessful login attempts.
  • Encryption: All information is encrypted in transit using TLS 1.2+ and all PII is encrypted at rest using AES-256. API keys and credentials are encrypted and accessible only to authorized personnel.
  • Endpoint Protection: Marketplace information may not be stored on personal devices, USB drives, or unsecured cloud storage. Data loss prevention (DLP) controls monitor for unauthorized data movement.
  • Secure Coding: Sensitive credentials are never hardcoded. Separate test and production environments are maintained.
  • Vulnerability Management: Vulnerability scanning is performed at least every 30 days. Critical vulnerabilities are remediated within 7 days and high-risk vulnerabilities within 30 days.
  • Logging and Monitoring: Security events are logged and monitored, including access attempts, data changes, and system errors. Logs are retained for at least 12 months.

5. Data Sharing

We do not sell, rent, or trade your information or marketplace data to any third party. Marketplace information may be processed by our cloud infrastructure hosting provider solely for the purpose of providing hosting services. Our hosting provider acts as a data processor and does not access, use, or share information for any purpose beyond hosting.

We do not aggregate data across authorized users' businesses or customers to provide or sell to any parties. We do not share marketplace information with any other outside parties unless required by applicable law.

6. Data Disposal

When marketplace information is no longer needed or upon a marketplace's request, we permanently and securely delete the information in accordance with NIST 800-88 standards. Specifically:

  • PII is deleted within 30 days after order shipment.
  • Non-PII data is deleted within 18 months unless required by applicable laws or regulations.
  • Upon a marketplace's deletion request, all live instances of information are deleted within 90 days.
  • Upon request, we will certify in writing that all information has been securely destroyed.

7. Data Attribution

Marketplace information is stored and tagged to identify its origin, ensuring clear data attribution and compliance with each marketplace's data protection policies.

8. Incident Response

We maintain an incident response plan to detect and handle security incidents. In the event of any actual or suspected unauthorized access, disclosure, or loss of marketplace information:

  • The affected marketplace will be notified within 24 hours of detection.
  • The incident will be investigated, documented, and remediated with corrective actions to prevent recurrence.
  • Relevant government or regulatory agencies will be informed as required by applicable law.

9. Cookies and Tracking

We use essential cookies and local storage for authentication (JWT tokens) and session management. We do not use third-party advertising cookies or trackers. We may collect basic page visit analytics to improve our service.

10. Your Rights

You have the right to request access to, rectification of, erasure of, or cessation of processing of your personal information, where applicable under data privacy regulations. You may delete your account at any time from your account settings. Please contact us to exercise any additional rights.

11. Changes to This Policy

We may update this policy from time to time to reflect changes in our practices or applicable regulations. Any updates will be posted on this page with a revised "Last Updated" date.

12. Contact Information

If you have questions about this Privacy & Data Handling Policy, please contact us at:

DARGO TECH, INC
Email: support@buyshipping.app