AfterShip’s data privacy programme is designed to comply with the world’s most stringent global data protection laws. When we use “applicable data protection laws”, we mean data protection and privacy laws that apply to our operations. In particular, AfterShip’s services are designed to be be provided with specific attention to (i) data protection laws applicable to European Economic Area (EEA), the United Kingdom (UK), and Switzerland, (ii) US data protection laws, and (iii) any and all data protection laws and regulations applicable to personal data as such laws pertain and have jurisdiction with respect to AfterShip’s operations, in each case as amended, superseded, or replaced from time to time.

Data protection laws applicable to the European Economic Area and the United Kingdom, and Switzerland means (i) the European Union’s (EU) General Data Protection Regulation (2016/679) (GDPR), the 2002/58/EC Directive on Privacy and Electronic Communications, (ii) the UK Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR) as defined by the DPA as amended by the Data Protection, Privacy and Electronic Communications (EU Exit) Regulations 2019, (iii) the Swiss New Federal Act on Data Protection (“nFADP”) entered into force on 1 September 2023, and (iv) any and all other data protection laws and regulations applicable to personal data in the EEA, the UK, and Switzerland. The GDPR/UK GDPR/nFADP applies to all organisations established in the EEA/UK/Switzerland and to organisations, whether or not established in the EEA/UK/Switzerland, that process the personal data of EEA/UK/Swiss individuals in connection with the offering of goods or services to data subjects in the EEA/UK/Switzerland.

US data protection laws means the California Consumer Privacy Act as amended by the California Privacy Rights Act, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Utah Consumer Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, and any other similar comprehensive state privacy laws that place obligations on a business or controller in relation to personal data (as defined under such laws), as well, as or the extent applicable, the Electronic Communications Privacy Act; Massachusetts Gen. Law Ch. 93H; the Federal Trade Commission Act; the Gramm-Leach-Bliley Act, and any relevant regulation, rule, or other binding instrument which implements such laws.

Yes, we strive to meet the requirements set out in applicable data protection laws, and in order to monitor our compliance, we conduct annual audits to ensure all new products, services, and any other changes in our company are in accordance with applicable data protection laws.

Acting as a data processor: The substantial majority of AfterShip’s services are provided as a data processor processing personal data on behalf of a data controller. For the purposes of AfterShip’s services, a data controller is either (i) an AfterShip customer, or (ii) a logistics partner, either of which is contracting AfterShip services or integrating with the AfterShip platform for their tracking and customer post-purchase operations. As a data processor, AfterShip does not independently determine the means or the purposes for processing personal data, and AfterShip will solely act in accordance with the data controller’s instructions, which are set out in a data processing agreement (DPA).

Acting as a data controller: Occasionally, AfterShip may also act as a data controller; most often with respect to individuals' use of AfterShip’s mobile application.

AfterShip systematically concludes a DPA with each data controller, which sets out what type of personal data AfterShip will process and the measures to be applied to such processing.

Any user may request to have personal data held by AfterShip removed in accordance with applicable data protection laws. AfterShip processes personal data in accordance with AfterShip’s retention policy, which accounts for the purpose of such processing in accordance with the GDPR.

AfterShip has implemented and continues to evolve measures to secure personal data. In spite of these measures, should a data breach were to occur, AfterShip will inform the data controller, without undue delay, in accordance with its legal and contractual obligations.

The GDPR promulgated by the EU protects the fundamental right to privacy and the protection of personal data of individuals located in a EEA member-state (“European data subjects”).

The GDPR applies to all organisations established in the EEA and to organisations, whether established in the EEA or not, that process the personal data of European data subjects in connection with the offering of goods or services to data subjects in the EEA.

AfterShip has implemented all the GDPR mandated compliance mechanisms and conducts annual audits to ensure all new products, services, and any other changes in our company comply with GDPR.

The UK and Switzerland have each enacted data protection legislation substantially similar to the GDPR and apply the same mechanisms and processes with respect to personal data originating from these jurisdictions.

The GDPR does not require EU data to reside in Europe, nor does similar legislation in the UK and Switzerland. The GDPR provides mechanisms to facilitate transfers of personal data outside of the EEA. These mechanisms are aimed at confirming an adequate level of protection or ensuring the implementation of appropriate safeguards when personal data is transferred to a third country.

Where personal data will be transferred outside of the EEA to third countries not covered by adequacy decisions, AfterShip commits under its DPA (accessible here), to the compliant processes needed to effectuate the transfer legally. We also conclude the standard contractual clauses that have been pre-approved by the European Commission on 4 June 2021 for data transfers to third countries. Additionally, we follow the European Data Protection Board recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the GDPR mandated level of protection of personal data.

Our DPO ([email protected]), who has expertise in data privacy, with more than 10 years of experience, in privacy and data protection matters: audits, DPIAs, transfer impact assessments, ISO 27001 projects, etc,. and a long track record in assisting clients bringing novel technology products to market and of ensuring regulatory compliance.

Pursuant to Article 27 of the GDPR, AfterShip has appointed the European Data Protection Office (EDPO) as its GDPR representative in the EU. You may contact EDPO regarding matters pertaining to the GDPR:

• by using EDPO’s online request form: https://edpo.com/gdpr-data-request/
• by writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium

All AfterShip personnel who have access to personal data are provided such access in accordance with applicable data protection laws, and trained on the requirements related to such access. In addition to training sessions, AfterShip implements clear access policies and processes to promote compliance and security in line with our ISO27001 and SOC2 Type 2 certification, which are designed to ensure fulfilment of AfterShip’s obligations under applicable data protection laws.

The majority of the time, AfterShip is acting as a data processor. This means that AfterShip processes personal data based on the instructions of a data controller, normally AfterShip’s professional customers such as merchants, platforms, or logistics partners.

In this case, AfterShip will act in accordance with the following process:

• Data subject requests: a request from a data subject should be sent via email to [email protected]. In each case, AfterShip will forward the request to the relevant data controller without undue delay. AfterShip will comply with the data controller’s instructions on how to respond to the Data subject request.

• Data controller requests: instructions from a data controller should be sent via email to [email protected]. AfterShip shall comply with data controller’s instructions, without undue delay, in accordance with and subject to the DPA and the applicable data protection laws.

In the event where AfterShip is acting as a data controller, i.e. when the data subject uses AfterShip mobile application to track personal shipments, AfterShip will act in accordance with the following process:

• Data subject request: request from a data subject should be sent via email to [email protected]. Requests from data subjects will be answered within 30 days and fulfilled free of charge in accordance with applicable data protection laws.

A data subject has the right to obtain the following information:

• Confirmation that data subject’s personal data is being processed;
• The purposes of the processing;
• The categories of personal data processed;
• The recipients or categories of recipients to whom the personal data is disclosed;
• The retention period or the criteria applied to determine that period;
• The existence of the right to object to and to request rectification, erasure, or the restriction of processing of personal data;
• Where personal data was not collected directly from the data subject and any information available regarding the source of personal data; and
• The existence of any automated decision-making (including profiling) and meaningful information about the logic involved and the relevant consequences attached thereto.

This communication shall not adversely affect the rights and freedoms of others, which means that AfterShip cannot provide personal data related to any other data subject.

Each data subject has the right to obtain the rectification of inaccurate personal data. Moreover, a data subject has the right to complete any incomplete personal data which is relevant for the purposes of the data processing.

A data subject may request the erasure of personal data, under the following circumstances:

• Personal data is no longer necessary in relation to the purposes for which such personal data was collected or otherwise processed;
• A data subject withdraws consent which formed the sole legal grounds upon which processing was based;
• A data subject objects to the processing of personal data, which is either based on a data controller’s legitimate interest or necessary for a task carried out in the public interest or in the exercise of official authority vested in the data controller, and there are no overriding legitimate grounds for the processing;

• A data subject objects to the processing of personal data for direct marketing purposes, which includes any profiling related to direct marketing;

• Personal data has been unlawfully processed; or

• Erasure of personal data is necessary to comply with a legal obligation.

A data controller has no obligation to erase personal data in certain cases. In such a case, AfterShip will follow the data controller’s instructions. This includes cases where the processing is necessary, such as:

• To exercise the right to freedom of expression and information;
• To comply with a legal obligation, to carry out a task in the public interest, or to exercise an officiation authority vested in the data controller;
• For reasons of public interest in public health;
• For archiving purposes in the public interest, scientific or historical research, or statistical purposes (to the extent that the request would render impossible or seriously impair the objectives of such processing); or
• For the establishment, exercise, or defence of legal claims.

A data subject may request to restrict the processing of their personal data.

• The data controller must apply the restriction in the following cases:
• During the time needed to verify the accuracy of personal data that has been contested;
• When processing is unlawful, and the data subject requests restriction instead of erasure;
• When the personal data is no longer needed by the data controller but is required by the data subject to establish, exercise, or defend legal claims; or
• When an objection has been raised, and the data controller is verifying whether its legitimate grounds override those of the data subject.

During the restriction period, personal data may only be processed:

• With the data subject’s consent;
• For the establishment, exercise, or defence of legal claims;
• To protect the rights of another natural or legal person;
• For reasons of important public interest; or
• For storage purposes.

When a restriction is lifted, the data subject shall be informed.

This means that the data subject shall receive personal data communicated in an easily transferable format and the data controller must transmit personal data to a person of its choosing. Personal data should be communicated in a structured, commonly used and machine-readable format, and upon request, can be directly transmitted to another data controller.

• This applies in the following cases:
  • The processing is based on data subject’s consent;
  • The processing is based on the performance of a contract to which a data subject is a party.

• This right does not apply to:
  • The processing of personal data necessary for the performance of a task carried out in the public interest or in exercise of official authority vested in the data controller;
  • Another person’s personal data: the communication should not adversely affect other people’s rights. This means that personal data related to another data subject cannot be transferred.

• A data subject has the right to object to the processing of their personal data, in the following cases:
  • Processing is based on the data controller’s legitimate interest, or;
  • Processing is done for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller;
  • Any processing of personal data for direct marketing purposes.
• The data controller should stop processing personal data, unless:
  • Compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject can be demonstrated, or;
  • For the establishment, exercise, or defence of legal claims.

This does not apply to direct marketing activities, which should always be stopped upon objection (including any profiling activities).

• A data subject has the right not to be subject to a decision based solely on automated processing (including profiling), which produces legal effects or affects them similarly. This means that a data subject has the right to have human intervention in decision making that impacts their rights/legal situation, unless otherwise foreseen by the law.