1. Overview
Postpin (“we”, “us”) is an India-first shipping rate API. We are committed to collecting the minimum data needed to run the Service and to keeping it secure. This policy applies to our marketing site, dashboard and API. It should be read alongside our Terms of Service.
We act as a data controller for your account data, and as a data processor for the request payloads you send through the API on behalf of your own customers.
2. Data we collect
We collect only what we need to provide and improve the Service. Notably, the rate API is designed to work without end-customer personal data — pincodes and parcel dimensions are sufficient.
| Category | Examples | Purpose |
|---|---|---|
| Account data | Name, work email, company, hashed password, GSTIN | Authentication, billing, support |
| Usage data | API call metadata, endpoints, latency, status codes, IP | Analytics, abuse prevention, rate limiting |
| Request payloads | Pincodes, weights, dimensions, payment type (no PII required) | Computing shipping rates |
| Billing data | Plan, invoices, payment tokens (held by our PSP) | Processing payments |
4. How we process data
We process personal data on the following legal bases: performance of our contract with you, our legitimate interests in operating and securing the Service, your consent (for optional analytics), and compliance with legal obligations (such as GST record-keeping).
API request payloads are processed in-memory to compute a rate and are logged in metadata form (pincodes, weight, zone, latency) for analytics and debugging. We do not require or store end-customer names, addresses or phone numbers.
6. Data retention
- Account data: kept while your account is active and deleted within 30 days of account closure.
- Usage logs: retained for 13 months, then aggregated and anonymised.
- Billing & GST records: retained for 8 years as required by Indian tax law.
7. Security
Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Passwords are hashed with a modern algorithm; API keys are stored as salted hashes and shown in full only once. We enforce least-privilege access, audit logging and regular backups. No method of transmission is 100% secure, but we work hard to protect your data.
8. DPA & sub-processors
For customers who require one, we offer a Data Processing Addendum (DPA) that governs our processing of personal data on your behalf. To request a signed DPA, email hello@postpin.creatibyte.in. We engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting & databases | Mumbai (ap-south-1), India |
| Razorpay | Payment processing & GST invoicing | India |
| Resend | Transactional email delivery | United States |
| Cloudflare | CDN, DDoS protection & DNS | Global edge network |
| PostHog (self-hosted) | Product analytics | Mumbai, India |
We notify customers of new sub-processors at least 30 days before they begin processing, giving you an opportunity to object.
9. Your rights
Subject to applicable law (including India’s DPDP Act), you have the right to access, correct, export and delete your personal data, to withdraw consent for optional processing, and to lodge a complaint. Most of these actions are self-service from your account settings; for the rest, contact us and we will respond within 30 days.
- Access & portability — export your account and usage data.
- Rectification — update inaccurate account details.
- Erasure — request deletion of your account and associated data.
- Objection — opt out of optional analytics processing.
10. Contact
For privacy questions, data requests or to reach our Data Protection Officer, email hello@postpin.creatibyte.in or write to us via our contact page. We are based in Jaipur, Rajasthan, India.