Privacy Policy

1. Information We Collect

We collect information you provide directly, including:

• Account Information: Name, email address, company name, and billing details when you create an account.
• Mail Content: Physical postcards and return mail you send to our processing facility, including recipient names, addresses, and any information printed or written on returned mail pieces. After scanning, all physical mail is securely shredded. We do not ship or return original mail pieces to you.
• Uploaded Designs: Postcard design templates you upload for automated matching purposes.
• Payment Information: Credit card and billing details processed securely through Stripe. We do not store full card numbers on our servers.
• Usage Data: IP address, browser type, pages visited, and interactions with our platform, collected automatically through standard web technologies.

2. How We Use Your Information

We use collected information to:

• Process and extract data from your return mail postcards using AI-powered vision models.
• Provide address verification and forwarding address detection.
• Display extracted data in your dashboard and enable CSV/Excel exports.
• Generate shipping labels for inbound mail shipments.
• Process subscription payments and credit pack purchases.
• Send service notifications (shipment status, quota alerts, payment reminders).
• Improve our extraction models through anonymized accuracy analysis.
• Comply with legal obligations and enforce our Terms of Service.

3. Data Processing & Third-Party Services

We use trusted third-party services to deliver our platform. Each provider is contractually obligated to protect your data and process it only per our instructions:

• Stripe — Payment processing and subscription management.
• AI/VLM Providers — Vision-language models for postcard image extraction. Postcard images are transmitted for processing and are not retained by the AI provider beyond the processing window.
• AWS S3 — Encrypted object storage for scanned images and exports (SSE-KMS encryption).
• Postmark / AWS SES — Transactional email delivery.

4. Data Retention

We retain your data for the duration of your account plus a 90-day cool-off grace period after cancellation, unless a longer retention period is required by law. You may configure a shorter retention period (minimum 90 days) in your account settings. After the retention period:

• All physical mail pieces are securely shredded after processing. Original mail is never returned to you.
• All scan images and extraction data are permanently deleted from S3 and our database.
• Account records are anonymized for audit purposes.
• Payment records are retained for tax compliance per applicable law.

5. Data Security

We implement industry-standard security measures to protect your data:

• Encryption: All scan images are encrypted at rest using AES-256 (AWS S3 SSE-KMS). All data in transit is encrypted via TLS 1.2+.
• Access Controls: Strict role-based access (RBAC) with MFA required for administrative accounts. Row-Level Security in our database enforces tenant isolation.
• Audit Logging: Every state-changing action is logged with actor, timestamp, IP address, and user agent.
• PII Redaction: Recipient names and addresses are automatically excluded from application logs.
• Penetration Testing: Regular third-party security assessments.

6. Your Rights (GDPR, CCPA, and Others)

Depending on your jurisdiction, you may have the following rights:

• Right of Access: Request a copy of your personal data we hold. Use the Data Export function in Settings or contact us.
• Right to Rectification: Correct inaccurate or incomplete data. Most fields are editable in your dashboard.
• Right to Erasure (“Right to be Forgotten”): Request deletion of your personal data. Use the Delete Account function in Settings, which triggers a cascade delete per our retention policy.
• Right to Restrict Processing: Limit how we process your data in certain circumstances.
• Right to Data Portability: Receive your data in a structured, machine-readable format. Our CSV/Excel export and REST API provide this natively.
• Right to Object: Object to processing based on legitimate interests or direct marketing.
• CCPA Rights: California residents may request disclosure of categories of personal information collected, sources, business purposes, and third parties with whom data is shared. You may opt out of the sale of personal information (note: we do not sell personal information).

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days as required by law.

7. Cookies & Tracking

We use essential cookies for authentication and session management. We also use analytics cookies (if you consent) to understand platform usage and improve our service. You can manage cookie preferences through our cookie consent banner.

8. International Data Transfers

Your data is stored and processed in the United States. If you are located outside the US and choose to use our service, you consent to the transfer of your data to the United States. We ensure appropriate safeguards (Standard Contractual Clauses) are in place for any international data transfers.

9. Children's Privacy

Our service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that a child has provided us with personal data, we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email and an in-app notification at least 30 days before taking effect. Continued use of the platform after changes constitutes acceptance of the updated policy.

11. Contact Us

For questions about this Privacy Policy or to exercise your data rights:

Email: [email protected]
Mail: returnmailscan Data Protection Office, [address]
EU Representative: [EU rep details — required for GDPR compliance if processing EU data]