Anyone who has information stored about them has the right to know why their data is stored, what it is used for and where it is stored under the General Data Protection Regulations or GDPR (known in the UK as the Data Protection Act 2018).
For this purpose, we have created this page here to help you understand our role in processing your data.
Who We Are
Courier API is a business service provider to eCommerce and similar companies, and part of Despatch Cloud Ltd. Courier API services allow companies to interface with multiple couriers, to book deliveries, create courier labels, request insurance, and to track deliveries.
Why We Process Your Data
We provide a shipping management software as a service that connects retail companies who process orders from their own websites, from third party sites, like Amazon, Fruugo or Etsy, take telephone orders or mail orders or other orders which involve sending items through post or courier networks.
Because of that your data is passed through our systems. We therefore act as a Data Processor as defined by the GDPR. This means we process the data on behalf on some one else (defined as the Data Controller under GDPR).
Your data is used to book orders into couriers’ systems, generate labels, and allow your order to be tracked.
Data is shared with courier and post services to enable orders to be booked and for items to be tracked.
No other third parties have access to personal data.
What Data Do We Store?
The data we store includes the name on the delivery address, the delivery address, telephone numbers, and email addresses as well as any comments you left for your delivery. These are considered Personal Identifiable Information (PII).
How Long Do We Store Your Data For?
Under our standard terms, we store your data for 90 days before it is deleted from our systems. It is stored to allow our client companies to check delivery details, and tracking for missing orders.
The Security of Your Data
Data security is our primary concern - we have multiple layers of security. All data, whether it is being sent across networks (in transit) or in stored (at rest), is encrypted to AES-256 which stands for Advanced Encryption Standard and is the current industry standard in data security.
Access to the servers is strictly limited and monitored. Any uploads and downloads are logged and our staff are trained in cyber security and data ethics.
We only use data centres in the UK and all our data centres conform to ISO27001.
About Despatch Cloud Ltd & Courier API
Courier API is a brand of Despatch Cloud Ltd, we are registered with the Information Commissioners Office (ICO) under registration number A8116774. Despatch Cloud offers an order processing, warehouse management and integration software.
Our registered address is Unit 76, Kelleythorpe Industrial Estate, Warfield Rd, Kelleythorpe, Driffield YO25 9FQ.
If you have further questions, please contact us at [email protected]
What Happens If I Want to See, Change and Delete (Rectification/Deletion) the Data?
By law, any individual has a right to see the data stored and processed about them, and have that data edited if incorrect or deleted if there is no good reason for retaining that data. In the first instance, please contact the data protection organiser of the company who you ordered from and raise a “Subject Access Request”. They will be able to access the data about you for your request. You may need to provide evidence of your identity to ensure that data is not released to the wrong person.
You may also raise a subject access request to us and we will immediately rectify or erase your personal data. We will in that case also notify the data controller of the data.
Your rights over your data
- You have the right to be informed
- You have a right to access you data
- You have a right to rectification of your data
- You have right to erasure data
- You right to restrict processing
- You have a right to data portability
- You have a right to object
- Your Rights relating to automated decision-making including profiling.
Through this page we are telling you what data is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties.
You can submit subject access requests, to us or to our client who
your purchased from or processed your order. This obliges us to
provide a copy of any personal data concerning you.
We must respond within one month, although there are exceptions for requests that are manifestly unfounded, repetitive, or excessive.
There is no charge for this. We are required to confirm your identity before data is provided.
If you discovers that the data we hold on you is inaccurate or incomplete, you can request that it be corrected. We are required to do this within one month.
You can request that we erase your data in certain circumstances, for example if the data is no longer necessary, if the data was unlawfully processed or it no longer meets the lawful ground for which it was collected. This includes if you have withdrawn consent.
You can request that we limit the way an organisation uses personal
As an an alternative to requesting the erasure of data, and you might use this if you contests the accuracy of your personal data.
You are permitted to obtain and reuse your personal data for your own purposes across different services. This right only applies to personal data that an you have provided to our clients (data controllers) by way of a contract or consent.
You can object to the processing of personal data that we have, on
the grounds of legitimate interests or the performance of a task in
the interest/exercise of official authority.
We must stop processing information unless they can demonstrate compelling legitimate grounds for the processing that overrides the interests, your rights and freedoms of the individual or if the processing is for the establishment or exercise of defence of legal claims.
We would however in normal circumstances defend this that we have legitimate grounds to help process your order.
While GDPR includes provisions for decisions made with no human involvement, such as profiling, which uses personal data to make calculated assumptions about individuals. This is something we do not currently do.