Legal

Privacy Policy

This policy explains what data Postpin collects, why we collect it, how it is processed and stored, and the rights you have over it.

Last updated 07 Jul 2026·v1.5

Terms

1. Overview

Postpin (“we”, “us”) is an India-first shipping rate API. We are committed to collecting the minimum data needed to run the Service and to keeping it secure. This policy applies to our marketing site, dashboard and API. It should be read alongside our Terms of Service.

We act as a data controller for your account data, and as a data processor for the request payloads you send through the API on behalf of your own customers.

2. Data we collect

We collect only what we need to provide and improve the Service. Notably, the rate API is designed to work without end-customer personal data — pincodes and parcel dimensions are sufficient.

CategoryExamplesPurpose
Account dataName, work email, company, hashed password, GSTINAuthentication, billing, support
Usage dataAPI call metadata, endpoints, latency, status codes, IPAnalytics, abuse prevention, rate limiting
Request payloadsPincodes, weights, dimensions, payment type (no PII required)Computing shipping rates
Billing dataPlan, invoices, payment tokens (held by our PSP)Processing payments

3. Cookies & tracking

We use a small, itemised set of cookies. Strictly necessary cookies are required for the Service to function (sign-in, security) and are always active. Analytics cookies load only if you allow them — on your first visit a consent banner lets you accept all, reject everything non-essential, or choose per category. You can change your choice anytime via “Cookie preferences” in the footer. We do not sell your data or use third-party advertising trackers.

CookieCategoryPurposeRetentionType
pp_rtStrictly necessaryKeeps you signed in — rotating refresh session (HttpOnly, not readable by scripts).Session, or up to 30 days with “Remember me”First-party
pp_csrfStrictly necessaryCSRF protection — pairs with pp_rt to block cross-site request forgery.Matches your sessionFirst-party
pp_cookie_consentStrictly necessaryRemembers your cookie choices so we don’t ask on every visit.12 monthsFirst-party
_ga, _ga_*Analytics (optional)Google Analytics — aggregate, non-identifying usage stats. Set only if you accept analytics.Up to 24 monthsThird-party (Google)

Analytics is provided by Google Analytics 4; see Google’s Privacy Policy. If you decline analytics, these cookies are never set. Signed-in users can also opt in or out of product-update emails under Settings → Communication.

4. How we process data

We process personal data on the following legal bases: performance of our contract with you, our legitimate interests in operating and securing the Service, your consent (for optional analytics), and compliance with legal obligations (such as GST record-keeping).

API request payloads are processed in-memory to compute a rate and are logged in metadata form (pincodes, weight, zone, latency) for analytics and debugging. We do not require or store end-customer names, addresses or phone numbers.

5. Sharing & disclosure

We share data only with the sub-processors listed below, and only as needed to run the Service. We may disclose data if required by law or to protect the rights, safety and integrity of Postpin, our users or the public. In the event of a merger or acquisition, data may transfer subject to this policy.

6. Data retention

  • Account data: kept while your account is active and deleted within 30 days of account closure.
  • Usage logs: retained for 13 months, then aggregated and anonymised.
  • Billing & GST records: retained for 8 years as required by Indian tax law.

7. Security

Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Passwords are hashed with a modern algorithm; API keys are stored as salted hashes and shown in full only once. We enforce least-privilege access, audit logging and regular backups. No method of transmission is 100% secure, but we work hard to protect your data.

8. DPA & sub-processors

For customers who require one, we offer a Data Processing Addendum (DPA) that governs our processing of personal data on your behalf. To request a signed DPA, email hello@postpin.in. We engage the following sub-processors:

Sub-processorPurposeLocation
Amazon Web Services (AWS)Cloud hosting & databasesMumbai (ap-south-1), India
RazorpayPayment processing & GST invoicingIndia
ResendTransactional email deliveryUnited States
CloudflareCDN, DDoS protection & DNSGlobal edge network
PostHog (self-hosted)Product analyticsMumbai, India

We notify customers of new sub-processors at least 30 days before they begin processing, giving you an opportunity to object.

9. Your rights

Subject to applicable law (including India’s DPDP Act), you have the right to access, correct, export and delete your personal data, to withdraw consent for optional processing, and to lodge a complaint. Most of these actions are self-service from your account settings; for the rest, contact us and we will respond within 30 days.

  • Access & portability — export your account and usage data.
  • Rectification — update inaccurate account details.
  • Erasure — request deletion of your account and associated data.
  • Objection — opt out of optional analytics processing.

10. Contact

For privacy questions, data requests or to reach our Data Protection Officer, email hello@postpin.in or write to us via our contact page. We are based in Jaipur, Rajasthan, India.