This Privacy Policy explains how Craft Lab, SLU (“we”, “our”, “Shipnest”) processes personal data collected through the Shipnest platform at https://shipnest.app and its sub-domains. We operate under the EU General Data Protection Regulation (GDPR, Regulation 2016/679), the Spanish Organic Law 3/2018 on Personal Data Protection (LOPD-GDD), the California Consumer Privacy Act / CPRA (CCPA) and Shopify’s Protected Customer Data (PCD) requirements where Shipnest is installed as a Shopify app.
1. Data Controller
The data controller for personal data we collect about merchants and platform users is:
- Name: Craft Lab, SLU
- NIF: B42627893
- VAT: ESB42627893
- Registered address: Calle Leonardo Da Vinci 12A, Nave 8, 03203 Elche, Alicante, Spain
- Contact: info@shipnest.app
For personal data we receive about end customers (the people you ship to), the merchant is the data controller and Shipnest is the data processor — see Section 4 below.
We have not appointed a Data Protection Officer because we do not meet the Art. 37 GDPR criteria (we are not a public authority, our core activities do not involve large-scale systematic monitoring, and we do not process special-category data on a large scale). All privacy requests are handled by the contact above.
2. Personal data we collect
We process three broad categories of personal data:
2.1 Account data
When you sign up for a Shipnest account we collect your name, email address, scrypt-hashed password, optional two-factor seed (encrypted at rest), IP address of sign-ins and any profile information you choose to add. We use this data to authenticate you, invoice you and provide support.
2.2 Operational data
The platform persists the orders, shipments, tracking events, addresses, products, packing lists, customs declarations and communications that flow through it. This includes personal data of your customers (name, email, shipping address, phone number, optionally tax identifier). We process this data on your behalf as a data processor under Article 28 GDPR — see “Role as Processor” below.
2.3 Technical data
We automatically log IP addresses, user-agent strings, request paths, timestamps and error diagnostics for every request handled by our infrastructure. We use strictly necessary cookies (session token, CSRF token) and, with your consent, functional and analytics cookies — see our Cookie Policy.
3. Source of personal data (GDPR Art. 14)
Some personal data we process about end customers is not collected directly from the data subject. It reaches us through one of the following sources:
- The merchant’s connected sales channel — Shopify, Amazon, Etsy, eBay, WooCommerce, BigCommerce, Squarespace or Magento. The order, recipient address, contact details and basket contents are pulled into Shipnest via that channel’s API or webhook.
- The merchant directly — when a merchant creates an order manually, imports a CSV or saves an entry in their address book.
- Carriers — tracking events and proof of delivery (recipient name on the signature, location of an attempted delivery) flow back from UPS, FedEx, DHL, USPS, Royal Mail or EasyPost during the shipment’s lifecycle.
End customers can exercise their GDPR / CCPA rights against the merchant (the controller) or directly with us — see Section 9.
4. Role as processor
For the personal data of your end customers, Shipnest acts as a data processor on your behalf. You are the controller. Our Data Processing Agreement, which forms part of our Terms of Service, governs this relationship. By using the service you instruct us to process customer data solely for the purpose of executing orders, purchasing labels, returning tracking events and the related operational activities you configure (rules, reports, branded tracking, returns portal).
The full list of sub-processors we engage to deliver the service (carriers, channels, infrastructure, email, insurance, analytics, error monitoring) is published at /legal/subprocessors and forms an exhibit to the DPA. We notify merchants by email at least 30 days before adding or replacing a sub-processor.
5. Legal bases for processing (GDPR)
- Performance of a contract (Art. 6(1)(b)) — creating and running your account, delivering the subscribed services, processing payments.
- Legitimate interest (Art. 6(1)(f)) — fraud prevention, security monitoring, service improvement, internal analytics, defence of legal claims.
- Consent (Art. 6(1)(a)) — non-essential cookies, optional marketing emails. Consent is requested via our cookie banner and can be withdrawn at any time.
- Legal obligation (Art. 6(1)(c)) — tax, accounting and anti-money-laundering duties under Spanish law.
6. Automated decision-making and profiling (GDPR Art. 22)
Shipnest does not make decisions producing legal effects on data subjects based solely on automated processing or profiling. The platform’s automation rules run only on operational data the merchant configures (e.g. “send orders over 5kg via DHL”) and a human operator can always override the rule outcome before any external action is taken.
7. Recipients of personal data
To operate the service we share data with the categories of recipients listed at /legal/subprocessors, each bound by contractual and technical safeguards. Summary:
- Carriers — UPS, FedEx, DHL, USPS, Royal Mail and EasyPost receive the recipient name, address and parcel details needed to issue a label and deliver the shipment.
- Sales channels — Shopify, Amazon, Etsy, eBay, WooCommerce, BigCommerce, Squarespace and Magento receive fulfilment updates (tracking numbers, shipment status) for the orders we fulfil on your behalf.
- Infrastructure — Railway (hosting), a managed PostgreSQL database, GitHub (scheduled jobs, source-control access logs).
- Email — Resend, for transactional messages (shipping confirmations, password resets, scheduled reports).
- Insurance — Shipsurance and XCover, when you opt to insure a shipment.
- Error monitoring — Sentry, with PII scrubbing applied client- and server-side before any event is transmitted (we strip email, phone, address fields, tokens, signature blobs).
- Authorities — when required by law, court order or a regulator with legitimate jurisdiction.
We do not sell personal data and do not share it with advertising networks for cross-context behavioural advertising.
8. International transfers
Some of the recipients above are established outside the European Economic Area (for example UPS, FedEx, EasyPost, Resend and Sentry in the United States; Amazon SP-API globally). Where a transfer is necessary to deliver the service, we rely on the European Commission’s Standard Contractual Clauses (Decision 2021/914), the EU-US Data Privacy Framework where the recipient is certified, or on the equivalent adequacy decisions in force.
9. Your rights under GDPR
As a data subject in the EU/EEA you have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectify inaccurate data (Art. 16).
- Request erasure (Art. 17) — subject to retention limits in Section 11.
- Restrict processing (Art. 18).
- Port your data to another provider (Art. 20).
- Object to processing based on legitimate interest (Art. 21).
- Withdraw consent at any time where processing is based on consent.
- Not be subject to a decision based solely on automated processing that produces legal effects (Art. 22) — see Section 6.
To exercise any of these rights, email info@shipnest.app. We respond within one month. If you are an end customer, please also notify the merchant whose store placed the order — they are the controller of that data and can satisfy most requests directly. If you are unsatisfied with our response you may lodge a complaint with the Spanish Data Protection Authority (Agencia Española de Protección de Datos), C/ Jorge Juan 6, 28001 Madrid, or with your local supervisory authority.
10. Your rights under CCPA / CPRA (California residents)
If you reside in California, the California Consumer Privacy Act (as amended by the CPRA) grants you additional rights regarding personal information we have collected about you directly. Categories collected in the last 12 months and their purpose, in CCPA terms:
- Identifiers (name, email, IP address) — account creation, authentication, billing.
- Commercial information (purchase history, subscription) — invoicing and service delivery.
- Internet activity (request logs, error diagnostics) — security monitoring, debugging.
- Geolocation (IP-derived city/region only) — fraud prevention, audit.
- Inferences — none. We do not build consumer profiles.
California residents have the right to know what we collect, access copies, delete personal information, correct inaccurate information, opt out of sale or sharing for cross-context behavioural advertising and not be discriminated against for exercising any of the above rights.
Do Not Sell or Share My Personal Information. We do not sell personal information and we do not share it for cross-context behavioural advertising. We honour the Global Privacy Control (GPC) signal — when your browser sends Sec-GPC: 1 we treat it as a confirmed opt-out preference and apply it to your session without further interaction.
To exercise CCPA rights, email info@shipnest.app with the subject line “CCPA request”. We will verify your identity (matching the email on file with the request) and respond within 45 days, extendable by another 45 days for complex requests with notice. Authorised agents acting on your behalf must provide written authorisation. We will not retaliate against, deny service to, charge a different price from or provide a different quality of service to anyone exercising CCPA rights.
11. Retention
- Account and billing data: as long as your account is active, plus up to 6 years after closure to comply with Spanish tax and commercial law.
- Operational data (orders, shipments, addresses): 6 years after the shipment date, unless you delete it earlier via the app or request earlier erasure.
- Audit log: 365 days rolling, swept by an automated retention cron.
- Webhook delivery records: 90 days for successful deliveries, 180 days for failed ones (so you can retry).
- Tracking events: 180 days rolling.
- Login attempts (for security forensics): 90 days rolling.
- Cookies: see the retention table in our Cookie Policy.
12. Shopify Protected Customer Data (PCD)
When Shipnest is installed as a Shopify app, the Orders API returns Protected Customer Data — personally identifiable information about your shop’s customers (name, email, phone, shipping address). Shipnest’s use of PCD is scoped strictly to the operational purpose of fulfilling orders and providing shipping services to the merchant:
- Minimum necessary — we read PCD only on orders the merchant has chosen to sync into Shipnest. We do not enrich, sell, share or use PCD for advertising.
- Encryption — every Shopify access token and refresh token is encrypted at rest with AES-256-GCM before being persisted.
- Access control — PCD is scoped to the merchant’s own organisation; multi-tenant isolation is enforced at every database query boundary.
- Retention — PCD is retained per Section 11 above. When a merchant uninstalls the app or deletes an order, the corresponding PCD is removed within the windows described in Section 13 below.
13. Shopify mandatory GDPR webhooks
Shipnest implements the three mandatory Shopify GDPR compliance webhooks at the following endpoints:
- customers/data_request — POST /api/shopify/compliance/customers-data-request. On receipt, we email every owner / admin of the merchant organisation a JSON dump of the requested customer’s orders, addresses and address-book entries within 30 days. The merchant forwards the data to the customer.
- customers/redact — POST /api/shopify/compliance/customers-redact. On receipt, we redact the customer’s name, email, phone and every linked address to [REDACTED] placeholders within 30 days. Order rows themselves are retained for tax / customs / carrier billing forensics (FK integrity preserved with anonymised PII).
- shop/redact — POST /api/shopify/compliance/shop-redact. Fires 48 hours after a merchant uninstalls Shipnest. We redact PII on every order address from that shop, then delete the connected store record. Customers whose orders existed only on the uninstalled shop have their profile fully scrubbed.
All three endpoints verify the HMAC-SHA256 signature Shopify sends in the X-Shopify-Hmac-SHA256 header (a base64 digest of the raw request body, keyed with the app client secret) before any database mutation, fail closed if the secret is unset, and write a count-only audit log entry (no PII echo) so the action is provable without re-surfacing the data we just scrubbed.
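The handler pattern described above, as an added example in Python (this is illustrative code, not Shipnest’s own implementation). It assumes an in-memory list of order rows standing in for the orders table, the column names in PII_FIELDS, and webhook payloads shaped like Shopify’s compliance topics; the secret, rows and request bodies are constructed for the demo. The HMAC is checked over the raw bytes before the JSON is parsed, a missing secret or header can never verify, the comparison is constant-time, redaction keeps the row so foreign keys survive, and the audit entry records only a count.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass

HMAC_HEADER = "X-Shopify-Hmac-Sha256"   # Shopify puts the base64 HMAC of the raw body here
TOPIC_HEADER = "X-Shopify-Topic"
PII_FIELDS = ("name", "email", "phone", "address1", "city", "postcode")  # assumed column names


def verify_shopify_hmac(raw_body: bytes, header_value, client_secret) -> bool:
    """True only if header_value is the base64 HMAC-SHA256 of raw_body under client_secret.

    Fails closed: a missing secret or a missing header can never verify."""
    if not client_secret or not header_value:
        return False
    digest = hmac.new(client_secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    expected = base64.b64encode(digest).decode("ascii")
    return hmac.compare_digest(expected, header_value)  # constant-time comparison


def sign_body(raw_body: bytes, client_secret: str) -> str:
    """Produce the header value Shopify would send (used here only to build demo requests)."""
    digest = hmac.new(client_secret.encode("utf-8"), raw_body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


@dataclass
class AuditEntry:
    topic: str
    shop_domain: str
    rows_affected: int  # a count only: no customer field is echoed into the log


def redact_rows(orders, predicate) -> int:
    """Overwrite PII on matching order rows in place; the rows stay so FK links survive."""
    n = 0
    for row in orders:
        if predicate(row):
            for f in PII_FIELDS:
                if f in row:
                    row[f] = "[REDACTED]"
            n += 1
    return n


def handle_compliance_webhook(headers, raw_body, client_secret, orders, audit_log):
    """Return (http_status, response body). Nothing is mutated before the HMAC check passes."""
    if not verify_shopify_hmac(raw_body, headers.get(HMAC_HEADER), client_secret):
        return 401, {"error": "invalid or missing signature"}
    payload = json.loads(raw_body)  # parse only after the raw bytes are authenticated
    topic = headers.get(TOPIC_HEADER, "")
    shop = payload.get("shop_domain", "")
    if topic == "customers/redact":
        email = payload["customer"]["email"]
        affected = redact_rows(orders, lambda r: r["shop_domain"] == shop and r["email"] == email)
    elif topic == "shop/redact":
        affected = redact_rows(orders, lambda r: r["shop_domain"] == shop)
    elif topic == "customers/data_request":
        email = payload["customer"]["email"]
        # Export path: count what the merchant's owners will receive; nothing is mutated.
        affected = sum(1 for r in orders if r["shop_domain"] == shop and r["email"] == email)
    else:
        return 400, {"error": "unknown compliance topic"}
    audit_log.append(AuditEntry(topic, shop, affected))
    return 200, {"ok": True, "rows": affected}


def demo_customer_redact(client_secret="shpss_demo_secret", tamper=False):
    """Constructed demo: a three-row orders table and one customers/redact request.

    The request is always signed with the demo secret; pass a different client_secret
    (or None) to see the handler refuse it, or tamper=True to alter the body after signing."""
    orders = [
        {"id": 1, "shop_domain": "acme.myshopify.com", "name": "Ada Lovelace",
         "email": "ada@example.com", "phone": "+44 20 0000 0000", "address1": "1 Analytical Way",
         "city": "London", "postcode": "N1 1AA"},
        {"id": 2, "shop_domain": "acme.myshopify.com", "name": "Bob Stone",
         "email": "bob@example.com", "phone": "+44 20 0000 0001", "address1": "2 Loop Lane",
         "city": "London", "postcode": "N1 1AB"},
        {"id": 3, "shop_domain": "other.myshopify.com", "name": "Ada Lovelace",
         "email": "ada@example.com", "phone": "+44 20 0000 0000", "address1": "1 Analytical Way",
         "city": "London", "postcode": "N1 1AA"},
    ]
    audit = []
    body = json.dumps({"shop_domain": "acme.myshopify.com",
                       "customer": {"id": 42, "email": "ada@example.com", "phone": "+44 20 0000 0000"},
                       "orders_to_redact": [1]}).encode()
    headers = {HMAC_HEADER: sign_body(body, "shpss_demo_secret"), TOPIC_HEADER: "customers/redact"}
    if tamper:
        body = body.replace(b"acme", b"evil")  # body altered after signing: HMAC no longer matches
    status, _ = handle_compliance_webhook(headers, body, client_secret, orders, audit)
    return status, orders, audit
```

Note that the same customer’s row on the other shop (row 3) is untouched by a customers/redact scoped to acme.myshopify.com; only a shop/redact for that second shop, or a request arriving via it, would clear it.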
14. Security
We implement technical and organisational measures appropriate to the risk, including:
- AES-256-GCM encryption at rest for every stored credential (carrier API tokens, channel OAuth tokens, TOTP seeds, customs signature images).
- scrypt password hashing with constant-time verification (no plain-text or weak-hash storage).
- TLS 1.2+ for every network connection.
- Multi-tenant isolation scoped at the database query boundary — every row is tagged with an organization ID and every query filters on it.
- Mandatory two-factor authentication (TOTP) for platform administrators; optional but encouraged for tenant users.
- Audit logs for every credential, configuration and data mutation, with a 365-day retention sweep.
- Least-privilege access and a five-role RBAC model inside the app (OWNER, ADMIN, MANAGER, MEMBER, VIEWER).
- IP-based throttling on login (10 attempts per 15 min per IP) and signup (5 per hour per IP) to slow credential stuffing and bulk account enumeration.
- SSRF defence on tenant-supplied URLs (webhooks) — private IP ranges, cloud metadata endpoints and internal TLDs are rejected at registration and at delivery time.
- Defence-in-depth response headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, HSTS in production).
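The registration- and delivery-time check described for tenant-supplied webhook URLs, as an added example in Python (illustrative code, not Shipnest’s implementation). The blocked-suffix list, the hostnames and the DNS answers in FAKE_DNS are constructed for an offline demo; vet_webhook_url takes a resolver callback so the same function runs against real DNS in production and against the fake here. Only http/https are accepted, userinfo is refused, a literal address is judged without a lookup, a hostname is judged on every address it resolves to, IPv4-mapped IPv6 literals are unwrapped, and anything that is not a public address (private ranges, loopback, link-local including 169.254.169.254, ULA such as the IPv6 metadata address) is rejected.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Suffixes treated as internal name space (assumed list; extend with your own zones).
BLOCKED_TLDS = {"localhost", "local", "internal", "localdomain", "lan", "home", "corp"}


class UnsafeUrl(ValueError):
    """Raised when a tenant-supplied webhook URL must be rejected."""


def default_resolver(host):
    """Resolve every A/AAAA record for host (network call; the demo below injects a fake)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def vet_webhook_url(url, resolver=default_resolver):
    """Validate a tenant-supplied URL and return the public IPs it currently resolves to.

    Run this at registration and again at delivery time. At delivery, connect to one of the
    returned literal IPs (setting the Host header yourself) so a DNS answer that changes
    between the check and the connect (rebinding) cannot steer the request inward."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeUrl(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeUrl("userinfo in URL not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeUrl("missing host")
    if host.rstrip(".").rsplit(".", 1)[-1] in BLOCKED_TLDS:
        raise UnsafeUrl(f"internal name space: {host}")
    try:
        ipaddress.ip_address(host)
        candidates = [host]           # literal address: no DNS lookup, judge it directly
    except ValueError:
        # Hostname, or an odd literal such as 2130706433 / 0x7f000001 that ipaddress rejects
        # but a libc resolver would happily turn into 127.0.0.1: judge what it resolves to.
        candidates = resolver(host)
    if not candidates:
        raise UnsafeUrl(f"unresolvable host: {host}")
    vetted = []
    for addr in candidates:
        ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop an IPv6 zone id if present
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped                            # ::ffff:10.0.0.1 is really 10.0.0.1
        if not ip.is_global:   # private, loopback, link-local, ULA, reserved, documentation ranges
            raise UnsafeUrl(f"{host} maps to non-public address {ip}")
        vetted.append(str(ip))
    return vetted


def is_safe_webhook_url(url, resolver=default_resolver) -> bool:
    """Boolean wrapper for registration-time validation in a form."""
    try:
        vet_webhook_url(url, resolver)
        return True
    except UnsafeUrl:
        return False


# Constructed DNS answers for the offline demo. A rebinding attacker publishes one public
# and one private record (or flips between them) hoping the private one is used at delivery;
# rejecting a name as soon as any answer is non-public closes that gap.
FAKE_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],
    "metadata.google.internal": ["169.254.169.254"],
}


def fake_resolver(host):
    return FAKE_DNS.get(host, [])
```

The delivery-time call is the one that matters against rebinding: re-vet immediately before sending, and send to the vetted literal rather than letting the HTTP client resolve the name a second time.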
We will notify affected users and the AEPD of any personal-data breach likely to result in a risk to rights and freedoms, without undue delay and in line with Art. 33–34 GDPR.
15. Children
Shipnest is a B2B service not directed at children. We do not knowingly collect personal data from anyone under 14 (under 16 for Shipnest accounts created in the EU; under 13 in jurisdictions where COPPA applies). If you believe a child has provided us personal data, please contact us so we can delete it.
16. Changes to this policy
We may update this policy to reflect changes in our service or the law. The “Last updated” date at the top always reflects the latest version. Material changes will be notified by email to active account holders at least 30 days before they take effect.
17. Contact
For any privacy question or to exercise the rights above, please write to us at info@shipnest.app or to our registered address (Calle Leonardo Da Vinci 12A, Nave 8, 03203 Elche, Alicante, Spain). California residents may use the same address with the subject line “CCPA request”.