This page lists the third-party service providers, carriers, and other third parties involved in the operation of the Pircel Website (https://www.pircel.com) and the Pircel hosted shipping management platform (the Service). It supplements our Privacy Policy and Data Processing Agreement (available to Customers on request).
We classify third parties into three categories. The category matters because the legal basis, contractual safeguards, and notification obligations differ.
| Category | What it means |
|---|---|
| Sub-processors | Third parties that Pircel engages to process personal data on our documented instructions, on behalf of our Customers, under contractual safeguards meeting Article 28 GDPR. |
| Third-party recipients (independent controllers) | Third parties that receive personal data from us (or via the Service) but determine their own purposes and means of processing — typically carriers performing delivery. |
| Merchant-controlled integrations | Third-party systems operated by, or on behalf of, our Customers (e.g., their e-commerce platform). Data flows are initiated by the Customer. |
1. Pircel Sub-processors
The following sub-processors are engaged by Pircel under Article 28 GDPR contracts. Each is bound by data protection obligations consistent with our own.
| Sub-processor | Purpose | Categories of personal data | Location of processing | Cross-border transfer safeguards |
|---|---|---|---|---|
| Vercel, Inc. | Hosting and content delivery for the Website and Service frontend | All inbound traffic (IP, request metadata), cookies (incl. session token), any data submitted via the Website | European Union | Standard Contractual Clauses cover any access from outside the EEA by Vercel, Inc. |
| Salesforce, Inc. (Heroku) | Backend application hosting (the Service's API) | All personal data processed by the Service in transit and in memory | European Union (Dublin, Ireland) | Standard Contractual Clauses cover any access from outside the EEA by Salesforce, Inc. |
| MongoDB, Inc. (MongoDB Atlas) | Primary application database | All persisted personal data: Customer account data, shipment data (End Recipient name, address, phone, email, COD amount), audit logs, document metadata | European Union | Standard Contractual Clauses cover any access from outside the EEA by MongoDB, Inc. |
| Redis Ltd. (Redis Cloud) | Distributed cache, job queues, rate limiting | Job payloads referencing shipment and Customer identifiers; tracking-sync metadata | Ireland (EEA) | Standard Contractual Clauses cover any access from outside the EEA by Redis Ltd. |
| Amazon Web Services, Inc. (S3, CloudFront, Certificate Manager, SNS) | Object storage and CDN for static assets (cdn.pircel.com); TLS certificates; internal alerting | Public marketing/asset images; no End Recipient personal data | Ireland (EEA); global edge delivery for static assets only | Standard Contractual Clauses cover any access from outside the EEA by Amazon Web Services, Inc. |
| Functional Software, Inc. (Sentry) | Error monitoring, performance tracing, and Session Replay for diagnostic purposes | Diagnostic data including stack traces, request metadata, and short DOM-interaction replays (inputs masked by default); user IP | Germany (Frankfurt) | Standard Contractual Clauses cover any access from outside the EEA by Functional Software, Inc. |
| PostHog, Inc. | Product analytics and Session Replay | For authenticated users: account identifier, email address, full name, eshop name; pageviews, events, device data, IP; masked session recordings | European Union | Standard Contractual Clauses cover any access from outside the EEA by PostHog, Inc. |
| Sinch Group (Mailgun, EU region) | Transactional email (contact-form delivery to our team mailbox; shipment notifications to End Recipients on Customer instructions) | Sender name and email; message body; recipient email; email content (which may include shipment references) | European Union (Germany / Netherlands) | Standard Contractual Clauses cover any access from outside the EEA by the Sinch Group |
| Mistral AI SAS | Optical character recognition (OCR) of Customer-uploaded carrier invoices | Full invoice PDFs (which may contain End Recipient names, addresses, voucher codes, COD amounts) | France (EEA) | Not applicable (intra-EEA processor) |
| Google LLC (Google Maps Platform — Geocoding API, Places API, Maps JS API) | Server-side address canonicalisation; client-side rendering of dashboard maps | Server-side: postal address strings of End Recipients and senders. Client-side: viewer IP, user-agent, referrer | United States | EU–US Data Privacy Framework and Standard Contractual Clauses |
| MongoDB, Inc. (Atlas Charts) | Embedded analytics charts in the Customer dashboard (hosted separately from the MongoDB Atlas database) | Eshop identifier and chart-filter context loaded via charts.mongodb.com | United States | EU–US Data Privacy Framework and Standard Contractual Clauses |
| GitHub, Inc. (Microsoft) — GitHub Actions | Source-code hosting and CI/CD (linting, automated tests) | Source code; CI logs. No production personal data is intentionally processed in CI | United States | EU–US Data Privacy Framework and Standard Contractual Clauses |
Notes on this list
- Where personal data is processed within the European Economic Area but the corporate provider is headquartered outside the EEA (for example, in the United States), Standard Contractual Clauses (Commission Decision (EU) 2021/914) are in place to address any extraterritorial access by the provider's personnel — for example, by support engineers. This approach follows the European Data Protection Board's guidance subsequent to Schrems II (Case C-311/18).
- Where data is processed outside the EEA, we rely on a combination of the EU–US Data Privacy Framework (where the recipient is self-certified) and Standard Contractual Clauses, supplemented by appropriate technical and organisational measures.
- Some of these sub-processors themselves rely on further sub-processors (for example, AWS underlies MongoDB Atlas and Heroku). The list above reflects the parties with which Pircel contracts directly; further sub-processor information is available in each provider's published documentation and upon request.
2. Third-Party Recipients (Independent Data Controllers)
The following third parties receive personal data through the Service but act as independent data controllers, not as Pircel's sub-processors. This classification follows the European Data Protection Board's Guidelines 07/2020 on the concepts of controller and processor under the GDPR, which identify postal and courier service providers as a typical example of independent controllers.
When a shipment is created, the relevant End Recipient personal data (name, postal address, phone, email where applicable, and shipment metadata such as COD amount and parcel details) is transmitted from the Service to the carrier chosen by the Customer or End Recipient. Each carrier processes that data for its own purposes (performance of the delivery contract, regulatory compliance, customs declarations, postal-sector retention obligations) and under its own privacy notice.
| Recipient | Role | Headquarters / Data location |
|---|---|---|
| ACS Courier S.A. | Greek courier — domestic and selected international deliveries | Greece (EEA) |
| BCS Courier / Hermes | Greek courier — domestic deliveries | Greece (EEA) |
| BoxNow | Out-of-home locker delivery network | Greece / Cyprus (EEA) |
| Geniki Taxydromiki (DPD Group) | Greek courier (part of DPD Group) — domestic and international | Greece (EEA); DPD Group is EU-based |
| Speedex S.A. | Greek courier — domestic deliveries | Greece (EEA) |
| TCS / Evresis | Greek courier — domestic deliveries | Greece (EEA) |
| DHL Group | International express delivery | Germany (EEA) |
| FedEx Corporation | International express delivery | United States |
| United Parcel Service, Inc. (UPS) | International express delivery | United States |
Notes on this list
- Each carrier's privacy notice governs its independent processing. Links to those notices are typically available from the carrier's own website.
- Where carriers are headquartered outside the EEA (FedEx, UPS), Customers are responsible for assessing the transfer implications in the context of their own data-controller obligations to End Recipients. Pircel facilitates the data transmission as the Customer's processor; the legal basis and transfer mechanism for the carrier's independent processing is established between the Customer (or End Recipient) and the carrier.
- Pircel does not exercise control over the carriers' security practices, retention periods, or onward disclosures.
3. Merchant-Controlled Integrations
The following systems are operated by, or on behalf of, our Customers. Data flowing between the Service and these systems is initiated by the Customer in their role as data controller. We do not list these as sub-processors because we do not engage them; the Customer does.
| Platform | Role | Operator |
|---|---|---|
| Shopify, Inc. | E-commerce platform — hosted store from which Customers may sync orders to the Service | Shopify, Inc. (Canada/US) |
| WooCommerce (Automattic, Inc.) | E-commerce plugin for WordPress, typically self-hosted by the Customer | Customer-hosted; plugin author Automattic, Inc. (US) |
| Magento (Adobe Commerce) | E-commerce platform, typically self-hosted or hosted by the Customer | Customer-hosted; software by Adobe Inc. (US) |
| PrestaShop, S.A. | E-commerce platform, typically self-hosted by the Customer | Customer-hosted; software by PrestaShop, S.A. (France, EEA) |
When the Customer connects one of these platforms to the Service, the Service exchanges data with that platform under the Customer's authorization (e.g., reading product catalog data, receiving order data). The Customer is the data controller in respect of data resident in that platform.
4. Outbound Links to Third Parties
The following third parties are referenced from the Website as outbound links. We do not transmit personal data to them; if you click the link and interact with them, your interaction is governed by their own privacy notices.
| Service | Purpose | Provider |
|---|---|---|
| Cal.com | Scheduling tool for "Book a demo" link from our marketing site | Cal.com, Inc. |
| UptimeRobot | Public service-status page linked from our footer | UptimeRobot Service Provider Ltd. |
We do not embed these services as iframes or scripts on our pages; they are simple outbound links.
5. Notifications of Changes to This Page
We may add, replace, or remove sub-processors and other third parties from time to time as our infrastructure and integrations evolve. Material changes to our list of sub-processors (Section 1) will be reflected on this page with a revised "Last Updated" date.
For Customers: in accordance with our Data Processing Agreement, we will notify you of material changes to our sub-processor list at least thirty (30) days before the change takes effect, where reasonably practicable, so that you have an opportunity to object. Notification is given by updating this page and, where applicable, by email.
To receive notifications by email when this page is updated, contact us at privacy@pircel.com.
6. Changelog
| Date | Change |
|---|---|
| 14 January 2025 | Initial publication of this page. |
7. Contact
Questions about this page, our sub-processors, or any data-processing relationship described here:
Pircel P.C.
32 Voukourestiou Street, 106 71 Athens, Greece
Privacy contact: privacy@pircel.com
General contact: contact@pircel.com
For more information, please refer to our Privacy Policy, Cookie Policy, and Terms of Service.