Last Updated: 18 June 2025
This Privacy Policy explains how Ediblesites Limited (“Company”, “we”, “us”, or “our”) collects, uses, and protects your information when you use the ExpressTrack package tracking API service (“Service”).
Company Details:
- Ediblesites Limited
- Company Registration: 12109195
- Registered Office: 71-75, Shelton Street, London, WC2H 9JQ, United Kingdom
- Data Protection Contact: [email protected]
1. Information We Collect
1.1 Account Information
When you register for our Service, we collect:
- Name and email address
- Company name and business details
- Billing address and payment information
- Account preferences and settings
1.2 API Usage Data
Through your use of our API, we collect:
- Tracking numbers and carrier codes you submit
- Package metadata you choose to include
- API request logs and response data
- Usage statistics and performance metrics
- IP addresses and access timestamps
1.3 Tracking Events Data
We process tracking information including:
- Package status updates from carriers
- Location and timestamp data
- Delivery confirmations and exceptions
- Carrier-provided tracking messages
1.4 Technical Information
We automatically collect:
- Device and browser information
- API client software details
- Error logs and diagnostic data
- Security and fraud prevention data
2. How We Use Your Information
2.1 Service Provision
We use your information to:
- Provide package tracking services
- Authenticate API requests
- Normalize and standardize tracking data
- Send webhook notifications
- Generate usage reports and analytics
2.2 Account Management
We process your data to:
- Manage your account and subscription
- Process payments and billing
- Provide customer support
- Communicate service updates
2.3 Service Improvement
We may use aggregated data to:
- Improve API performance and reliability
- Develop new features and integrations
- Analyze usage patterns and trends
- Enhance security measures
2.4 Legal Compliance
We may process your information to:
- Comply with legal obligations
- Respond to lawful requests from authorities
- Protect our rights and interests
- Prevent fraud and abuse
3. Legal Basis for Processing (UK GDPR)
We process your personal data under the following legal bases:
3.1 Contract Performance
- Providing the API service you’ve subscribed to
- Processing payments and managing your account
- Delivering tracking data and webhook notifications
3.2 Legitimate Interests
- Improving service performance and security
- Preventing fraud and abuse
- Analyzing usage for service development
- Marketing our services (with opt-out options)
3.3 Legal Obligation
- Complying with tax and accounting requirements
- Responding to legal requests and court orders
- Meeting data protection obligations
3.4 Consent
- Sending marketing communications (where required)
- Using optional analytics and tracking
- Processing special categories of data (if applicable)
4. Data Sharing and Disclosure
4.1 Third-Party Carriers
We share tracking numbers with carrier partners to:
- Retrieve package status updates
- Access tracking history and events
- Provide normalized tracking data
Carriers include: UPS, FedEx, DHL, Royal Mail, and 200+ other logistics providers. Each carrier has its own privacy policy governing its data handling.
4.2 Service Providers
We may share data with trusted service providers for:
- Payment processing (Stripe)
- Cloud hosting and infrastructure (Hetzner)
- Website analytics (Clicky Analytics)
- Customer support tools (TBA)
- Analytics and monitoring services (Honeybadger)
All service providers are contractually bound to protect your data and use it only for specified purposes.
4.3 Legal Requirements
We may disclose information when required to:
- Comply with legal obligations
- Respond to valid legal requests
- Protect our rights and property
- Ensure user safety and security
4.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction, subject to equivalent privacy protections.
5. Data Security
5.1 Technical Safeguards
We implement industry-standard security measures:
- Encryption in transit (TLS 1.2+) and at rest
- API authentication and access controls
- Regular security assessments and monitoring
- Secure data centers and infrastructure
5.2 Access Controls
- Employee access is limited to business needs
- Multi-factor authentication for administrative access
- Regular access reviews and deprovisioning
- Security training for all personnel
5.3 Incident Response
We maintain procedures for:
- Detecting and responding to security incidents
- Notifying affected users within 72 hours
- Coordinating with authorities when required
- Implementing corrective measures
6. Data Retention
6.1 Account Data
We retain account information for:
- Active accounts: duration of subscription plus 3 years, but not less than 7 years for legal and tax purposes
- Closed accounts: 7 years for legal and tax purposes
- Marketing data: until you unsubscribe or object
6.2 Tracking Data
Package tracking information is retained for:
- API response data: 90 days from last access
- Tracking events: 1 year for service improvement
- Usage logs: 2 years for billing and support
- Error logs: 90 days for troubleshooting
6.3 Payment Data
Financial information is retained for:
- Transaction records: 7 years for tax compliance
- Payment methods: stored by third-party processors (Stripe, PayPal) – we do not retain payment card details
- Billing history: 7 years from last transaction
7. Your Rights Under UK GDPR
7.1 Access and Portability
You have the right to:
- Access your personal data we hold
- Receive a copy in a structured, machine-readable format
- Transfer your data to another service provider
7.2 Correction and Deletion
You may:
- Correct inaccurate personal data
- Request deletion of your data (subject to legal requirements)
- Withdraw consent where processing is based on consent
7.3 Processing Restrictions
You can:
- Ask us to restrict processing of your data in certain circumstances
- Object to processing based on legitimate interests
- Ask us to stop direct marketing communications
7.4 Exercising Your Rights
To exercise your rights:
- Email: [email protected]
- Include: your account email and specific request
- Verification: we may require identity confirmation
- Response time: within 30 days of valid requests
8. International Data Transfers
8.1 Transfer Safeguards
When transferring data outside the UK, we ensure adequate protection through:
- Adequacy decisions for approved countries
- Standard Contractual Clauses (SCCs) with data processors
- Binding Corporate Rules where applicable
- Additional safeguards as required by law
9. Cookies and Tracking
9.1 Essential Cookies
We use necessary cookies for:
- User authentication and session management
- API request processing
- Security and fraud prevention
- Service functionality
9.2 Analytics Cookies
With your consent, we may use:
- Website analytics for usage statistics
- Performance monitoring tools
- User experience improvement tools
9.3 Managing Cookies
You can control cookies through:
- Browser settings and preferences
- Our cookie consent banner
- Privacy dashboard in your account
10. Marketing Communications
10.1 Service Communications
We send essential communications about:
- Account status and billing
- Service updates and maintenance
- Security notifications
- Legal notices
These communications are necessary for service provision and cannot be opted out of while using the Service.
10.2 Marketing Communications
We may send promotional emails about:
- New features and integrations
- Industry insights and best practices
- Special offers and updates
You can unsubscribe from marketing emails at any time using the unsubscribe link or by contacting us.
11. Children’s Privacy
The Service is not intended for users under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16, we will delete that information promptly.
12. Changes to This Policy
12.1 Policy Updates
We may update this Privacy Policy to:
- Reflect changes in our practices
- Address new legal requirements
- Improve clarity and transparency
12.2 Notification of Changes
We will notify you of material changes by:
- Email to your registered address
- Notice on our website
- In-app notifications
Continued use of the Service after changes constitutes acceptance of the updated policy.
13. Supervisory Authority
You have the right to lodge a complaint with the UK’s data protection supervisory authority:
Information Commissioner’s Office (ICO)
- Website: ico.org.uk
- Phone: 0303 123 1113
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
14. Contact Information
For privacy-related questions or to exercise your rights, contact us at:
Data Protection Officer
Ediblesites Limited
71-75, Shelton Street
London, WC2H 9JQ
United Kingdom
Email: [email protected]
Support: [email protected]
This Privacy Policy is effective as of 18 June 2025 and supersedes all previous versions.