Privacy Policy

Last Updated: 18 June 2025

This Privacy Policy explains how Ediblesites Limited (“Company”, “we”, “us”, or “our”) collects, uses, and protects your information when you use the ExpressTrack package tracking API service (“Service”).

Company Details:

  • Ediblesites Limited
  • Company Registration: 12109195
  • Registered Office: 71-75, Shelton Street, London, WC2H 9JQ, United Kingdom
  • Data Protection Contact: [email protected]

1. Information We Collect

1.1 Account Information

When you register for our Service, we collect:

  • Name and email address
  • Company name and business details
  • Billing address and payment information
  • Account preferences and settings

1.2 API Usage Data

Through your use of our API, we collect:

  • Tracking numbers and carrier codes you submit
  • Package metadata you choose to include
  • API request logs and response data
  • Usage statistics and performance metrics
  • IP addresses and access timestamps

1.3 Tracking Events Data

We process tracking information including:

  • Package status updates from carriers
  • Location and timestamp data
  • Delivery confirmations and exceptions
  • Carrier-provided tracking messages

1.4 Technical Information

We automatically collect:

  • Device and browser information
  • API client software details
  • Error logs and diagnostic data
  • Security and fraud prevention data

2. How We Use Your Information

2.1 Service Provision

We use your information to:

  • Provide package tracking services
  • Authenticate API requests
  • Normalize and standardize tracking data
  • Send webhook notifications
  • Generate usage reports and analytics

2.2 Account Management

We process your data to:

  • Manage your account and subscription
  • Process payments and billing
  • Provide customer support
  • Communicate service updates

2.3 Service Improvement

We may use aggregated data to:

  • Improve API performance and reliability
  • Develop new features and integrations
  • Analyze usage patterns and trends
  • Enhance security measures

We may process your information to:

  • Comply with legal obligations
  • Respond to lawful requests from authorities
  • Protect our rights and interests
  • Prevent fraud and abuse

We process your personal data under the following legal bases:

3.1 Contract Performance

  • Providing the API service you’ve subscribed to
  • Processing payments and managing your account
  • Delivering tracking data and webhook notifications

3.2 Legitimate Interests

  • Improving service performance and security
  • Preventing fraud and abuse
  • Analyzing usage for service development
  • Marketing our services (with opt-out options)
  • Complying with tax and accounting requirements
  • Responding to legal requests and court orders
  • Meeting data protection obligations
  • Sending marketing communications (where required)
  • Using optional analytics and tracking
  • Processing special categories of data (if applicable)

4. Data Sharing and Disclosure

4.1 Third-Party Carriers

We share tracking numbers with carrier partners to:

  • Retrieve package status updates
  • Access tracking history and events
  • Provide normalized tracking data

Carriers include: UPS, FedEx, DHL, Royal Mail, and 200+ other logistics providers. Each carrier has its own privacy policy governing its data handling.

4.2 Service Providers

We may share data with trusted service providers for:

  • Payment processing (Stripe)
  • Cloud hosting and infrastructure (Hetzner)
  • Website analytics (Clicky Analytics)
  • Customer support tools (TBA)
  • Analytics and monitoring services (Honeybadger)

All service providers are contractually bound to protect your data and use it only for specified purposes.

We may disclose information when required to:

  • Comply with legal obligations
  • Respond to valid legal requests
  • Protect our rights and property
  • Ensure user safety and security

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, subject to equivalent privacy protections.

5. Data Security

5.1 Technical Safeguards

We implement industry-standard security measures:

  • Encryption in transit (TLS 1.2+) and at rest
  • API authentication and access controls
  • Regular security assessments and monitoring
  • Secure data centers and infrastructure

5.2 Access Controls

  • Employee access is limited to business needs
  • Multi-factor authentication for administrative access
  • Regular access reviews and deprovisioning
  • Security training for all personnel

5.3 Incident Response

We maintain procedures for:

  • Detecting and responding to security incidents
  • Notifying affected users within 72 hours
  • Coordinating with authorities when required
  • Implementing corrective measures

6. Data Retention

6.1 Account Data

We retain account information for:

  • Active accounts: duration of subscription plus 3 years, but not less than 7 years for legal and tax purposes
  • Closed accounts: 7 years for legal and tax purposes
  • Marketing data: until you unsubscribe or object

6.2 Tracking Data

Package tracking information is retained for:

  • API response data: 90 days from last access
  • Tracking events: 1 year for service improvement
  • Usage logs: 2 years for billing and support
  • Error logs: 90 days for troubleshooting

6.3 Payment Data

Financial information is retained for:

  • Transaction records: 7 years for tax compliance
  • Payment methods: stored by third-party processors (Stripe, PayPal) – we do not retain payment card details
  • Billing history: 7 years from last transaction

7. Your Rights Under UK GDPR

7.1 Access and Portability

You have the right to:

  • Access your personal data we hold
  • Receive a copy in a structured, machine-readable format
  • Transfer your data to another service provider

7.2 Correction and Deletion

You may:

  • Correct inaccurate personal data
  • Request deletion of your data (subject to legal requirements)
  • Withdraw consent where processing is based on consent

7.3 Processing Restrictions

You can request that we:

  • Restrict processing of your data in certain circumstances
  • Object to processing based on legitimate interests
  • Stop direct marketing communications

7.4 Exercising Your Rights

To exercise your rights:

  • Email: [email protected]
  • Include: your account email and specific request
  • Verification: we may require identity confirmation
  • Response time: within 30 days of valid requests

8. International Data Transfers

8.1 Transfer Safeguards

When transferring data outside the UK, we ensure adequate protection through:

  • Adequacy decisions for approved countries
  • Standard Contractual Clauses (SCCs) with data processors
  • Binding Corporate Rules where applicable
  • Additional safeguards as required by law

9. Cookies and Tracking

9.1 Essential Cookies

We use necessary cookies for:

  • User authentication and session management
  • API request processing
  • Security and fraud prevention
  • Service functionality

9.2 Analytics Cookies

With your consent, we may use:

  • Website analytics for usage statistics
  • Performance monitoring tools
  • User experience improvement tools

9.3 Managing Cookies

You can control cookies through:

  • Browser settings and preferences
  • Our cookie consent banner
  • Privacy dashboard in your account

10. Marketing Communications

10.1 Service Communications

We send essential communications about:

  • Account status and billing
  • Service updates and maintenance
  • Security notifications
  • Legal notices

These communications are necessary for service provision and cannot be opted out of while using the Service.

10.2 Marketing Communications

We may send promotional emails about:

  • New features and integrations
  • Industry insights and best practices
  • Special offers and updates

You can unsubscribe from marketing emails at any time using the unsubscribe link or by contacting us.

11. Children’s Privacy

The Service is not intended for users under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16, we will delete that information promptly.

12. Changes to This Policy

12.1 Policy Updates

We may update this Privacy Policy to:

  • Reflect changes in our practices
  • Address new legal requirements
  • Improve clarity and transparency

12.2 Notification of Changes

We will notify you of material changes by:

  • Email to your registered address
  • Notice on our website
  • In-app notifications

Continued use of the Service after changes constitutes acceptance of the updated policy.

13. Supervisory Authority

You have the right to lodge a complaint with the UK’s data protection supervisory authority:

Information Commissioner’s Office (ICO)

  • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

14. Contact Information

For privacy-related questions or to exercise your rights, contact us at:

Data Protection Officer
Ediblesites Limited
71-75, Shelton Street
London, WC2H 9JQ
United Kingdom

Email: [email protected]
Support: [email protected]


This Privacy Policy is effective as of 18 June 2025 and supersedes all previous versions.