Privacy Policy

We have not appointed a formal Data Protection Officer (DPO) as we are not required to under Article 37 GDPR, but you can contact us about any privacy matter at the email address above.

Pircel operates in two distinct capacities with respect to personal data:

2.1 As a Data Controller

We determine the purposes and means of processing for:

• Visitors to the Website and recipients of our marketing communications;
• Prospective customers who submit inquiries through our contact form, book demos, or otherwise interact with our sales process;
• Authorized users of our customers (e.g., employees and contractors of our Merchant customers who log into the Service); and
• Our own employees, suppliers, and other counterparties.

This Privacy Policy describes how we process personal data in our role as Controller.

2.2 As a Data Processor

We process personal data on behalf of our Merchant customers (each a Customer) who use the Service to manage their shipping operations. This includes the personal data of natural persons to whom Customers ship parcels (End Recipients). For this processing, the Customer is the Data Controller and Pircel is the Data Processor. Our processing of such data is governed by the Data Processing Agreement entered into with each Customer.

End Recipients seeking to exercise data subject rights in respect of their shipment-related data should contact the Merchant that arranged the shipment. We will assist Merchants in fulfilling such requests in accordance with our Data Processing Agreements.

3.1 From Website Visitors

When you visit the Website, we (and our service providers acting on our behalf) automatically collect:

• Technical and device data: IP address, browser type and version, operating system, language settings, screen resolution, device identifiers, and referring URL.
• Usage data: pages viewed, time spent on pages, clicks, navigation paths, and timestamps.
• Diagnostic data: error reports, performance metrics, and (where applicable) interaction recordings captured for debugging purposes (see Section 5 on Session Replay).
• Cookie and tracker data: as described in our Cookie Policy.

3.2 From Prospective Customers (Contact Form, Demo Bookings)

When you submit the contact form on the Website or contact us by email:

• Identification data: full name.
• Contact data: email address; phone number (if provided).
• Content of inquiry: the message you write and any other information you choose to provide.

When you book a demo via our scheduling tool (Cal.com):

• Data you provide to that tool (typically name, email, and chosen time slot). Cal.com is the data controller for the booking process; please refer to Cal.com's privacy policy. We receive the booking confirmation and details.

3.3 From Customers and Their Authorized Users

When you (or your colleagues) register for and use the Service:

• Account data: full name, email address, hashed/derived authentication material (we use one-time passcodes and signed tokens; we do not store account passwords).
• Profile data: role within your organization, eshop name, configuration preferences.
• Authentication metadata: session timestamps, IP addresses associated with sign-ins, and security events (e.g., login attempts, OTP requests).
• Service usage data: actions taken within the dashboard, features used, support inquiries, and audit-log entries.
• Billing data (where applicable): commercial terms are agreed at the Customer level; if billing data is collected, the details are set out in the applicable Customer Agreement.

3.4 From or About End Recipients (Processed on Behalf of Our Customers)

When a Customer uses the Service to arrange a shipment, the Customer submits (or causes to be submitted) personal data about the End Recipient. This data is processed by Pircel on the Customer's behalf as a Processor. It includes:

• Identification data: recipient full name; sender full name.
• Contact data: recipient postal address (street, city, postcode, country), phone number, and (where provided) email address.
• Shipment data: order reference, parcel dimensions and weight, cash-on-delivery (COD) amount, delivery notes, and any other information necessary to fulfil the shipment.
• Document data: where applicable, customs documents, invoices, or other shipping-related documents containing personal data (e.g., recipient identity for customs purposes).
• Tracking data: shipment status updates received from Carriers and made available via the Service and the tracking widget.

For details on how we handle this data as a Processor, please see the Data Processing Agreement entered into with the relevant Customer.

We process personal data for the following purposes, relying on the legal bases identified below in accordance with Article 6 GDPR.

You may withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

5.1 Error Monitoring and Session Replay (Sentry)

We use Sentry (provided by Functional Software, Inc., with ingestion in Frankfurt, Germany) to capture application errors, performance metrics, and — when an error occurs — short replays of the affected browser session to help us diagnose and fix the problem. Session Replay records DOM interactions on the affected page; user inputs and other sensitive fields are masked by default. Replays are stored for a limited period in Sentry's EU data plane and accessed only by authorized engineers.

5.2 Product Analytics (PostHog)

We use PostHog (PostHog, Inc., processed in the EU at eu.i.posthog.com) to understand how the Service is used. For authenticated users, we associate analytics events with the user's account identifier, email address, full name, and eshop identifier so that we can analyze usage at the level of individual organizations and accounts. This is described in PostHog's privacy policy at posthog.com/privacy. You can object to this processing at any time by contacting us at privacy@pircel.com.

5.3 Session Replay (PostHog, where enabled)

Where enabled, PostHog Session Replay records playback of user interactions within the Service to help us understand user behavior and diagnose usability issues. Inputs and sensitive fields are masked by default. Recordings are stored in PostHog's EU data plane.

5.4 Carrier-Invoice OCR (Mistral AI)

When a Customer uploads carrier invoices for reconciliation purposes, the invoice files (which may contain End Recipient names, addresses, voucher codes, COD amounts, and other shipment details) are transmitted to Mistral AI (Mistral AI SAS, France) for optical character recognition and structured extraction. Mistral acts as our sub-processor and processes the data on our documented instructions, with data processing taking place within the European Union.

5.5 Maps and Address Canonicalization (Google Maps Platform)

We use Google Maps Platform services (Google LLC) for two purposes:

• Server-side: to canonicalize postal addresses (e.g., Geocoding API, Places API). When you enter a shipping address, the address text is sent to Google for canonicalization; the returned canonical address is stored against the shipment.
• Client-side: when the dashboard displays a map (e.g., the tracking timeline map or analytics region map), your browser loads map tiles directly from Google's servers. Google therefore receives your IP address, user-agent, and referrer information on each map load.

Google's processing is governed by its own privacy policy, available at policies.google.com/privacy.

5.6 Embedded Analytics (MongoDB Atlas Charts)

Certain dashboards within the Service render analytics charts via embedded MongoDB Atlas Charts (operated by MongoDB, Inc.). When such charts load, your browser establishes a connection to charts.mongodb.com (United States). The chart context (e.g., your eshop identifier, applied filters) is transmitted to MongoDB to render the chart.

5.7 Transactional Email and Contact Form (Mailgun)

When you submit our contact form, your name, email address, and message are transmitted to Mailgun (Sinch group, EU region — api.eu.mailgun.net) for delivery to our internal team mailbox. We also use Mailgun to send transactional emails to Customers and End Recipients (e.g., shipment status notifications) where instructed by the relevant Merchant.

5.8 Marketing Site Performance and Hosting (Vercel)

The Website and certain Service interfaces are hosted on Vercel (Vercel, Inc.). Personal data processed by Vercel for our deployments is processed within the European Union. As Vercel, Inc. is headquartered in the United States, Standard Contractual Clauses are in place to address any access to such data from outside the EEA by Vercel personnel.

5.9 Backend Infrastructure

The Service's backend application and database run on infrastructure provided by third-party hosting and storage providers (currently including Heroku/Salesforce, MongoDB Atlas, Redis Cloud, and Amazon Web Services). Personal data processed by the Service is processed within the European Union. Where the corporate provider is headquartered outside the EEA (such as Salesforce, MongoDB, Redis Ltd., and Amazon Web Services), Standard Contractual Clauses are in place to address any access to such data from outside the EEA by the provider's personnel. A current list of these infrastructure providers and their location of processing is published at /subprocessors.

5.10 No Automated Decision-Making with Legal or Similarly Significant Effects

We do not carry out automated decision-making that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR. The automated processing we perform (e.g., OCR of invoices, address canonicalization, analytics aggregation) is operational in nature and does not result in decisions of that kind.

We collect personal data:

• Directly from you, when you interact with the Website, submit the contact form, request a demo, sign up for the Service, sign in, or otherwise communicate with us;
• From our Customers, when they use the Service to arrange shipments (including data about End Recipients);
• Automatically, through cookies and similar technologies as described in our Cookie Policy;
• From third parties, including Carriers (for shipment-tracking updates), e-commerce platforms connected by Customers (for order synchronization), and publicly available sources (where lawful).

We disclose personal data to the following categories of recipients, only as necessary for the purposes described above:

7.1 Sub-processors

Third-party service providers that process personal data on our documented instructions to deliver the Website and the Service (including hosting, databases, error monitoring, analytics, transactional email, OCR, maps, and similar services). A current list of our material sub-processors, including their location and the categories of data they process, is published at /subprocessors and is updated when changes occur. Each sub-processor is bound by a contract that meets the requirements of Article 28 GDPR.

7.2 Third-Party Recipients (Independent Data Controllers)

Certain third parties receive personal data not as our sub-processors, but as independent data controllers acting in their own right:

• Carriers (currently including ACS, BCS, BoxNow, DHL, FedEx, Geniki Taxydromiki, Speedex, TCS, and UPS). When a shipment is created, the End Recipient's name, address, phone number, and (where applicable) email address and shipment details are transmitted to the chosen Carrier to enable delivery. Each Carrier acts as an independent data controller in respect of that data and is subject to its own privacy notice and obligations.
• E-commerce platforms (Shopify, WooCommerce, Magento, PrestaShop) — where a Customer connects their e-commerce store, data is exchanged between that store and the Service. The merchant's store is operated by the Customer and/or the platform provider as a separate controller.
• Cal.com (scheduling), for demo bookings you initiate via the booking link.

7.3 Professional Advisors, Authorities, and Successors

We may disclose personal data to our auditors, lawyers, accountants, insurers, and other professional advisors; to public authorities, courts, or regulators where required by law or to establish, exercise, or defend legal claims; and to third parties in connection with a merger, acquisition, financing, reorganization, or sale of all or part of our business (subject to appropriate confidentiality and data protection commitments).

The substantial majority of our personal data processing takes place within the European Economic Area (EEA). Our principal sub-processors — including Vercel, Heroku (Salesforce), MongoDB Atlas, Redis Cloud, AWS, Sentry, PostHog, and Mailgun — process personal data within EEA member states. End Recipient shipment data is, where applicable, transmitted to Greek and other EEA-based carriers (ACS, BCS, BoxNow, Geniki Taxydromiki, Speedex, TCS, and DHL Group), which receive the data within the EEA.

A limited number of services involve, or may involve, the transfer of personal data outside the EEA — principally to the United States. These include:

• Google Maps Platform (geocoding, places, and map-tile rendering) — operated by Google LLC globally;
• MongoDB Atlas Charts — the embedded-charts service is hosted at charts.mongodb.com (United States), separately from our EEA-resident MongoDB Atlas database;
• GitHub Actions — used for source-code hosting and continuous integration; production personal data is not intentionally processed in CI;
• FedEx and UPS — international couriers that act as independent data controllers when selected by a Customer or End Recipient for cross-border delivery.

In addition, certain of our EEA-resident sub-processors are controlled by corporate entities headquartered outside the EEA (for example, Salesforce, MongoDB, Vercel, PostHog, Sentry, and Redis Ltd.). Although the personal data they process for us is processed within the EEA, this corporate structure means that the provider's personnel may, in limited circumstances, access that data from outside the EEA (for example, for technical support).

Where personal data is transferred outside the EEA, or where such extraterritorial access is possible, we rely on one or more of the following transfer mechanisms under Chapter V GDPR:

• The EU–US Data Privacy Framework ("DPF"), where the recipient is self-certified;
• The European Commission's Standard Contractual Clauses (Decision (EU) 2021/914), supplemented by appropriate technical and organisational measures; and/or
• An applicable derogation under Article 49 GDPR, used only where necessary and lawful.

The location of processing for each material sub-processor, and the applicable safeguard, is identified at /subprocessors. You may request a copy of the relevant transfer safeguards by contacting privacy@pircel.com.

We retain personal data only for as long as necessary to fulfil the purposes set out in this Privacy Policy, including to comply with legal, accounting, tax, or reporting requirements. Specific retention periods include:

• Contact-form submissions and demo-booking data: up to 24 months from the date of last contact, unless a customer relationship is established (in which case Customer retention rules apply).
• Account data of authorized users of Customers: for the duration of the Customer's subscription and, thereafter, in accordance with the data return / deletion obligations set out in the applicable Data Processing Agreement (typically up to 90 days after termination, after which data is deleted or anonymized).
• End Recipient shipment data (processed as Processor): retained for the period specified by the relevant Customer in the Data Processing Agreement, plus any period required by law (for example, tax and shipping record retention obligations under Greek law, typically up to 5–10 years depending on the document type).
• Audit logs and security records: typically up to 24 months, longer where required to investigate or respond to a security incident.
• Error reports and Session Replay recordings: typically up to 90 days.
• Billing and accounting records: retained for the period required by Greek tax and accounting law (typically up to 10 years).
• Marketing data: until you withdraw your consent or object.

After expiry of the applicable retention period, we delete or anonymize the personal data unless we are legally required to retain it.

We implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, or disclosure. These measures include:

• Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256);
• Strong authentication, including signed-token sessions and one-time-passcode verification;
• Role-based access controls and the principle of least privilege;
• Audit logging of administrative activities;
• Regular reviews of our security posture and vendor security;
• Storage of secrets in dedicated secret-management systems rather than in source code; and
• Incident response procedures.

No method of transmission over the Internet or method of electronic storage is 100% secure, but we work continuously to improve our security posture.

Subject to applicable law, you have the following rights in respect of your personal data:

• Right of access (Art. 15) — to confirm whether we process personal data about you and to obtain a copy.
• Right to rectification (Art. 16) — to correct inaccurate or incomplete data.
• Right to erasure (Art. 17) — to request deletion of your personal data in certain circumstances.
• Right to restriction (Art. 18) — to request that we limit processing in certain circumstances.
• Right to data portability (Art. 20) — to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
• Right to object (Art. 21) — to object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent — where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
• Rights related to automated decision-making (Art. 22) — although, as noted in Section 5.10, we do not carry out such processing.

End Recipients: if you wish to exercise rights in respect of personal data we process about you as a Processor on behalf of a Merchant (for example, shipment data), please contact the Merchant. We will assist the Merchant in responding to your request as required under the applicable Data Processing Agreement.

To exercise any of these rights, contact us at privacy@pircel.com. We may need to verify your identity before responding. We will respond within one (1) month of receiving your request; this period may be extended by up to two further months for complex requests, in which case we will inform you of the extension and the reasons for it.

Requests are free of charge unless they are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.

If you believe our processing of your personal data infringes the GDPR or other applicable law, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

The supervisory authority for Pircel is the:

We would, however, appreciate the opportunity to address your concerns directly before you contact the authority — please contact us first at privacy@pircel.com.

The Website and the Service are not directed to children under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@pircel.com and we will take steps to delete the data.

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Hellenic Data Protection Authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.

We may update this Privacy Policy from time to time to reflect changes in our practices, the services we offer, or applicable law. The updated version will be posted on the Website with a revised "Last Updated" date. Where the changes are material, we will provide additional notice (for example, by email to Customers or by a prominent notice on the Website). Your continued use of the Website or the Service after the effective date of the revised Privacy Policy constitutes acceptance of the revised terms, to the extent permitted by applicable law.

For any questions, concerns, or requests regarding this Privacy Policy or our processing of personal data: