Legal

Privacy Policy

This policy explains what data Postpin collects, why we collect it, how it is processed and stored, and the rights you have over it.

Last updated 26 Jun 2026·v1.4

Terms

1. Overview

Postpin (“we”, “us”) is an India-first shipping rate API. We are committed to collecting the minimum data needed to run the Service and to keeping it secure. This policy applies to our marketing site, dashboard and API. It should be read alongside our Terms of Service.

We act as a data controller for your account data, and as a data processor for the request payloads you send through the API on behalf of your own customers.

2. Data we collect

We collect only what we need to provide and improve the Service. Notably, the rate API is designed to work without end-customer personal data — pincodes and parcel dimensions are sufficient.

CategoryExamplesPurpose
Account dataName, work email, company, hashed password, GSTINAuthentication, billing, support
Usage dataAPI call metadata, endpoints, latency, status codes, IPAnalytics, abuse prevention, rate limiting
Request payloadsPincodes, weights, dimensions, payment type (no PII required)Computing shipping rates
Billing dataPlan, invoices, payment tokens (held by our PSP)Processing payments

3. Cookies & tracking

We use a small set of cookies. Strictly necessary cookies keep you signed in (a JWT session cookie) and remember your theme preference. We use privacy-friendly, self-hosted product analytics to understand dashboard usage in aggregate.

  • Essential: session, CSRF and theme cookies — cannot be disabled.
  • Analytics: anonymised usage events; you can opt out in your account settings.
  • We do not sell your data or use third-party advertising trackers.

4. How we process data

We process personal data on the following legal bases: performance of our contract with you, our legitimate interests in operating and securing the Service, your consent (for optional analytics), and compliance with legal obligations (such as GST record-keeping).

API request payloads are processed in-memory to compute a rate and are logged in metadata form (pincodes, weight, zone, latency) for analytics and debugging. We do not require or store end-customer names, addresses or phone numbers.

5. Sharing & disclosure

We share data only with the sub-processors listed below, and only as needed to run the Service. We may disclose data if required by law or to protect the rights, safety and integrity of Postpin, our users or the public. In the event of a merger or acquisition, data may transfer subject to this policy.

6. Data retention

  • Account data: kept while your account is active and deleted within 30 days of account closure.
  • Usage logs: retained for 13 months, then aggregated and anonymised.
  • Billing & GST records: retained for 8 years as required by Indian tax law.

7. Security

Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Passwords are hashed with a modern algorithm; API keys are stored as salted hashes and shown in full only once. We enforce least-privilege access, audit logging and regular backups. No method of transmission is 100% secure, but we work hard to protect your data.

8. DPA & sub-processors

For customers who require one, we offer a Data Processing Addendum (DPA) that governs our processing of personal data on your behalf. To request a signed DPA, email hello@postpin.creatibyte.in. We engage the following sub-processors:

Sub-processorPurposeLocation
Amazon Web Services (AWS)Cloud hosting & databasesMumbai (ap-south-1), India
RazorpayPayment processing & GST invoicingIndia
ResendTransactional email deliveryUnited States
CloudflareCDN, DDoS protection & DNSGlobal edge network
PostHog (self-hosted)Product analyticsMumbai, India

We notify customers of new sub-processors at least 30 days before they begin processing, giving you an opportunity to object.

9. Your rights

Subject to applicable law (including India’s DPDP Act), you have the right to access, correct, export and delete your personal data, to withdraw consent for optional processing, and to lodge a complaint. Most of these actions are self-service from your account settings; for the rest, contact us and we will respond within 30 days.

  • Access & portability — export your account and usage data.
  • Rectification — update inaccurate account details.
  • Erasure — request deletion of your account and associated data.
  • Objection — opt out of optional analytics processing.

10. Contact

For privacy questions, data requests or to reach our Data Protection Officer, email hello@postpin.creatibyte.in or write to us via our contact page. We are based in Jaipur, Rajasthan, India.