Data Handling & Processing Policy

How we process and protect data in our fulfillment operations

Last updated:

1. Overview

This Data Handling Policy explains how SellerShipping LLC ("SellerShipping," "we," or "us") processes personal data and business information in connection with our fulfillment, warehousing, and distribution services. This policy supplements our Privacy Policy and Terms of Service.

1.1 Our Role as Data Processor

When providing fulfillment services, SellerShipping typically acts as a data processor on behalf of our clients (who are the data controllers). This means:

  • We process personal data only on your instructions and for the purpose of providing services
  • You remain the data controller responsible for compliance with data protection laws
  • We implement appropriate technical and organizational measures to protect the data
  • We assist you in fulfilling your obligations under applicable data protection laws

1.2 Applicable Laws and Standards

Our data handling practices comply with:

  • GDPR: General Data Protection Regulation (EU) 2016/679
  • CCPA: California Consumer Privacy Act
  • KVKK: Turkish Personal Data Protection Law (Kişisel Verilerin Korunması Kanunu)
  • SOC 2: Service Organization Control standards (in progress)
  • PCI DSS: Payment Card Industry Data Security Standard (for payment data)

2. Data Collection in Fulfillment Operations

In the course of providing fulfillment services, we collect and process the following categories of data:

2.1 Order Data

  • Order numbers and transaction IDs
  • Order dates and timestamps
  • Product information (SKU, quantity, description)
  • Order status and tracking information
  • Shipping method and service level
  • Order notes and special instructions

2.2 Customer Shipping Information

We process end-customer information on your behalf to fulfill orders:

  • Name: Recipient full name
  • Address: Shipping address (street, city, state, ZIP, country)
  • Contact: Phone number and/or email (when provided)
  • Delivery Instructions: Gate codes, building numbers, special requests

Important: We do not collect or store payment card information. All payment processing is handled directly between you and your payment processor.

2.3 Inventory Data

  • Product details and descriptions
  • SKU numbers and barcodes
  • Quantities and stock levels
  • Product dimensions and weight
  • Storage location within our facilities
  • Product images (when provided)

2.4 Business and Account Data

  • Your company name and contact information
  • Account credentials and preferences
  • Integration settings and API keys
  • Communication preferences
  • Service usage patterns and analytics

3. Purpose of Data Processing

We process data for the following specific purposes:

3.1 Service Delivery

  • Receiving and storing inventory
  • Processing and fulfilling orders
  • Generating shipping labels
  • Tracking shipments and deliveries
  • Managing returns and exchanges

3.2 Communication and Support

  • Providing order status updates
  • Resolving delivery issues
  • Answering customer service inquiries
  • Sending system notifications

3.3 Compliance and Legal Obligations

  • Customs documentation for international shipments
  • Tax reporting and compliance
  • Responding to lawful requests from authorities
  • Maintaining records as required by law

3.4 Service Improvement

  • Analyzing operational efficiency
  • Improving fulfillment processes
  • Identifying and resolving issues
  • Developing new features and services

4. Data Processing for Fulfillment Services

4.1 Order Processing Flow

  1. Order Receipt: Order data is received via API integration or manual entry
  2. Address Verification: Shipping address is validated using carrier services
  3. Inventory Allocation: System assigns inventory and generates pick list
  4. Picking: Warehouse staff retrieves items based on pick list
  5. Packing: Items are packed with customer address label
  6. Shipping: Package is scanned and transferred to carrier
  7. Tracking: Tracking information is updated in real-time
  8. Archival: Order data is retained per our retention policy

4.2 Data Minimization

We adhere to the principle of data minimization:

  • We collect only data necessary for fulfillment operations
  • We do not request unnecessary personal information
  • We anonymize or pseudonymize data where possible for analytics
  • We regularly review and purge unnecessary data

4.3 Automated Processing

Our fulfillment operations involve automated processing for:

  • Address validation and correction (to ensure successful delivery)
  • Optimal carrier and service level selection
  • Fraud detection and prevention
  • Inventory allocation and routing

These automated systems do not make decisions that produce legal effects or similarly significantly affect individuals.

5. Data Security Measures

5.1 Physical Security

Our warehouse facilities implement:

  • Access Control: Key card systems and biometric authentication
  • Video Surveillance: 24/7 CCTV monitoring of all areas
  • Visitor Management: Sign-in procedures and escort requirements
  • Restricted Areas: Limited access to data processing zones
  • After-Hours Security: Alarm systems and security patrols

5.2 Digital Security

Our systems employ:

  • Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
  • Authentication: Multi-factor authentication (MFA) for all user accounts
  • Authorization: Role-based access control (RBAC) with principle of least privilege
  • Network Security: Firewalls, intrusion detection/prevention systems
  • Database Security: Encrypted databases with access logging
  • API Security: API key authentication, rate limiting, and monitoring

5.3 Operational Security

  • Employee Training: Regular security and privacy training programs
  • Background Checks: Pre-employment screening for all staff
  • Confidentiality Agreements: All employees sign NDAs
  • Clean Desk Policy: No personal data left unattended
  • Secure Disposal: Shredding of physical documents, secure data deletion

5.4 Monitoring and Auditing

  • Continuous security monitoring and logging
  • Regular vulnerability assessments and penetration testing
  • Annual third-party security audits
  • Incident detection and response systems
  • Access log reviews and anomaly detection

6. Data Access and Confidentiality

6.1 Who Has Access

Access to customer data is strictly limited to:

  • Warehouse Operations: Staff who need access to fulfill orders (name, address)
  • Customer Support: Representatives resolving delivery issues
  • System Administrators: IT staff maintaining systems (with logging)
  • Management: Senior staff for audit and compliance purposes

6.2 Access Controls

  • Individual user accounts (no shared credentials)
  • Role-based permissions matched to job functions
  • All access logged and monitored
  • Regular access reviews and revocations
  • Automatic session timeouts

6.3 Confidentiality Obligations

All SellerShipping personnel:

  • Sign confidentiality and non-disclosure agreements
  • Receive training on data protection and privacy
  • Are prohibited from using data for personal purposes
  • Must report suspected data breaches immediately
  • Face disciplinary action for violations up to and including termination

7. Subprocessors and Third Parties

We engage the following categories of subprocessors to assist in providing services:

7.1 Shipping Carriers

Carriers: FedEx, UPS, USPS, Purolator, APC, EVRI, DPD, Estafeta, Paquet Express (Mexico)

Data Shared: Recipient name, shipping address, package details

Purpose: Package delivery and tracking

Location: United States, Canada

7.2 Cloud Infrastructure

Provider: Amazon Web Services (AWS)

Data Stored: All operational data

Purpose: System hosting and data storage

Location: US-East region (with backup in US-West)

7.3 Payment Processing

Provider: Stripe

Data Shared: Billing information only (we never see full card numbers)

Purpose: Processing client payments

Compliance: PCI DSS Level 1 certified

7.4 Analytics and Monitoring

Provider: Google Analytics

Data Shared: Anonymized usage data

Purpose: Website analytics and service improvement

7.5 Subprocessor Management

For all subprocessors, we ensure:

  • Written data processing agreements are in place
  • Adequate security and privacy measures are implemented
  • Compliance with applicable data protection laws
  • Regular audits and assessments
  • Notification of subprocessor changes (30 days' notice)

8. Data Retention and Deletion

8.1 Retention Periods

Data TypeRetention PeriodReason
Order Data7 yearsTax and accounting requirements
Shipping Information2 yearsDispute resolution, warranty claims
Inventory Records90 days after removalOperational needs
Access Logs12 monthsSecurity and audit purposes
Support Communications3 yearsService quality and training

8.2 Data Deletion Process

When data reaches end of retention period or upon deletion request:

  • Data is permanently deleted from production systems within 30 days
  • Backups are purged according to backup rotation schedule (90 days)
  • Physical media containing data is securely destroyed or degaussed
  • Deletion certificates are available upon request

8.3 Legal Hold

Data subject to legal proceedings, investigations, or disputes is retained until resolution, even if it exceeds normal retention periods.

9. Client Data Rights

As the data controller, you have the right to instruct us regarding data processing. We will assist you in fulfilling your obligations to end-customers:

9.1 Data Subject Access Requests (DSAR)

If your customer requests access to their data, we will provide you with the necessary information within 15 business days.

9.2 Rectification and Correction

You may update or correct data through your account portal or by contacting support.

9.3 Erasure ("Right to Be Forgotten")

We will delete customer data upon your instruction, subject to legal retention requirements.

9.4 Data Portability

We provide export functionality for order data, inventory records, and other information in CSV and JSON formats.

9.5 Objection and Restriction

You may instruct us to restrict processing or object to certain uses of data, where legally permissible.

10. Compliance Certifications

10.1 Current Certifications

  • ISO 27001 (Information Security Management) - In progress, target Q3 2025
  • SOC 2 Type II (Service Organization Control) - In progress, target Q4 2025

10.2 Compliance Framework

Our data handling practices are designed to comply with:

  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • KVKK (Turkish Personal Data Protection Law)
  • PIPEDA (Canadian Personal Information Protection Law)

10.3 Regular Assessments

  • Annual third-party privacy and security audits
  • Quarterly internal compliance reviews
  • Continuous monitoring and improvement programs
  • Data protection impact assessments (DPIAs) for new processing

11. Incident Response and Data Breaches

11.1 Breach Notification

In the event of a personal data breach that poses a risk to individuals' rights and freedoms, we will:

  • Notify you within 24 hours of becoming aware of the breach
  • Provide details about the nature, scope, and impact of the breach
  • Describe the measures taken to address the breach
  • Recommend actions you should take to mitigate harm
  • Cooperate with your notification obligations to authorities and individuals

11.2 Incident Response Process

  1. Detection: Incident detected through monitoring or report
  2. Containment: Immediate action to stop further data exposure
  3. Assessment: Evaluate scope, impact, and affected data
  4. Notification: Notify affected clients and relevant authorities
  5. Remediation: Fix vulnerabilities and implement preventive measures
  6. Documentation: Document incident and lessons learned

11.3 Security Incident Support

We will:

  • Preserve evidence for forensic analysis
  • Cooperate with law enforcement if requested
  • Provide detailed incident reports
  • Offer affected individuals appropriate assistance

12. Contact for Data Matters

For questions, concerns, or requests related to data handling and processing:

Data Protection Team

SellerShipping LLC

39 Montclair Ave, Little Falls, NJ 07424

United States

Email: dpo@sellershipping.com

Privacy: privacy@sellershipping.com

Phone: +1 (201) 417-0888

12.1 Data Processing Agreement (DPA)

We offer a standard Data Processing Agreement (DPA) that includes Standard Contractual Clauses (SCCs) for international data transfers. Contact us to request a signed DPA for your records.

Questions About This Policy?

If you have any questions or concerns about this policy, please contact us:

SellerShipping LLC

39 Montclair Ave, Little Falls, NJ 07424

Email: legal@sellershipping.com

Phone: +1 (201) 417-0888