Privacy Policy

1) Who we are & how to contact us

• Legal entity: DispoTag.com, Inc.
• Address: 625 South Hill Street, Suite 131, Los Angeles, CA 90014
• Email: [email protected]
• Data protection contact: [email protected]

2) Scope

This policy describes how we handle personal information when you:

• Visit or interact with our websites;
• Create an account, place orders, or use our dashboards, APIs, or apps;
• Receive emails, SMS messages, or marketing from us;
• Interact with our support team; or
• Use or are impacted by our shipment‑tracking products and services (including DispoTag trackers and related software).

This policy does not apply to third‑party services we don’t control (e.g., carriers, app stores, payment processors, analytics providers). Their practices are governed by their own privacy policies.

3) Personal information we collect

3.1 Website visitors

• Identifiers: cookie IDs, IP address, user agent, approximate location (derived from IP).
• Usage data: pages viewed, links clicked, referring/exit pages, timestamps, error logs.
• Preferences: cookie consent choices.

3.2 Account holders & business contacts

• Business contact details: name, company, role/title, email, phone, billing/shipping addresses.
• Account credentials: usernames, hashed passwords, authentication tokens.
• Commercial data: orders, invoices, payment status, device SKU/serials, service tier, support tickets.
• Communications: emails, chat transcripts, call notes.
• Payment data: handled by our payment processor; we do not store full card numbers.

3.3 End recipients & tracking subjects

Our customers may use DispoTag devices for shipments. In these contexts, customers are the controllers of any personal information they collect about recipients, consignees, drivers, or other individuals. We act as a processor/service provider and handle such data per our contracts and this policy. Data may include:

• Identifiers: reference numbers, labels, order IDs; sometimes recipient name/contact info if provided by the customer;
• Logistics telemetry: device status, timestamps, and location events relating to the tagged item;
• Exception/incident data: loss/delay investigations, delivery outcomes.

Customer responsibility: Customers must ensure they have a lawful basis to collect, disclose, and use personal information with our services and must provide any required notices to affected individuals.

3.4 Optional integrations

If you connect third‑party services (e.g., ecommerce, ERP, carrier portals), we will process the data those services send to us in order to provide the integration.

3.5 Mobile & device data

When you use our mobile applications, websites on a mobile device, or interact with DispoTag hardware, we may collect:

• Device identifiers: mobile advertising IDs (e.g., IDFA, GAID), device model, OS version, app version.
• Location data: approximate location derived from IP address; precise location only if you explicitly grant permission in your device settings.
• Network information: carrier, connection type, Wi‑Fi network name (where relevant to device functionality).
• App usage data: feature usage, session duration, crash/error logs.

We do not sell, share, rent, or disclose mobile device data — including device identifiers, precise or approximate location data, or app usage data — to third parties for their own marketing, advertising, or promotional purposes. Mobile data is used solely to operate, secure, and improve our products and services.

4) How we use personal information

• Provide, maintain, secure, and improve our websites, devices, software, and services;
• Fulfill orders, process payments, and provide customer support;
• Authenticate users and prevent fraud, abuse, and security incidents;
• Display analytics and operational dashboards;
• Send service‑related notices (e.g., transactional emails, security updates);
• With consent or as permitted by law, send marketing communications;
• Comply with legal obligations and enforce our terms;
• Business operations (accounting, audits, forecasting, incident response, and R&D).

We may aggregate or de‑identify data and use it for benchmarking, analytics, or to improve our services. Aggregated/de‑identified data is not intended to identify you.

5) Our legal bases (EEA/UK)

• Contract to provide services you request;
• Legitimate interests such as securing services, preventing fraud, and improving products;
• Consent for certain cookies/marketing;
• Legal obligation for tax, accounting, and compliance.

6) Cookies, analytics, and ads

• We use strictly necessary cookies for security and basic functionality.
• With your consent (where required), we may use analytics cookies or equivalent technologies to understand usage and improve the site.
• We may run ads/retargeting (e.g., Google Ads, LinkedIn, Meta). Where this constitutes “sharing” or cross‑context behavioral advertising under applicable law, you can opt out via our cookie banner or a Do Not Sell/Share My Info link.

Global Privacy Control (GPC): Where legally required, we honor browser‑level GPC signals as an opt‑out of sale/sharing for the browser sending the signal.

Mobile advertising & tracking: We do not share mobile device identifiers (such as IDFA or GAID) with ad networks or data brokers for cross‑app tracking or targeted advertising. If we use analytics SDKs in our mobile applications, they are configured to support our own product improvement only — not to build advertising profiles or enable third‑party ad targeting.

7) When we disclose information

• Service providers / processors: hosting, cloud providers, analytics, email, payments, customer support, logistics/fulfillment, security.
• Business partners: with your direction or consent (e.g., integrations).
• Compliance & safety: to comply with law, protect rights, investigate fraud/security, or respond to lawful requests.
• Corporate transactions: in connection with a merger, acquisition, financing, or sale of assets (subject to appropriate protections).

We do not sell or share personal information for money or other valuable consideration. This includes mobile device data such as device identifiers, location data, and app usage information — none of which are sold, shared, or made available to third parties for marketing, advertising, or promotional purposes. If we engage in targeted advertising or cross‑context behavioral advertising on our websites, you can opt out as described above; such activity does not involve the sale or sharing of mobile device data.

8) International data transfers

We may transfer, store, and process information in countries other than where it was collected. When transferring personal data from the EEA/UK/Switzerland, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and supplementary measures, or other lawful mechanisms.

9) Data security

We implement reasonable and appropriate technical and organizational measures designed to protect personal information, including encryption in transit, access controls, logging, and regular backups. No system is 100% secure; we encourage you to use strong, unique passwords and enable multi‑factor authentication where available.

10) Data retention

We retain personal information for as long as necessary to fulfill the purposes outlined in this policy, including to meet legal, accounting, or reporting obligations. Customer‑generated tracking data is retained according to the customer’s chosen service tier:

• Tier 1: 60 days from activation
• Tier 2: 1 year from activation
• Tier 3: 3 years from activation

Retention may be extended where required by law or to establish or defend legal claims.

11) Your privacy choices & rights

11.1 Email & marketing

• Unsubscribe from marketing emails using the unsubscribe link in the message.
• You will continue to receive service/transactional emails while you are a customer.

11.2 SMS Terms and Conditions

Upon messaging opt‑in, the end user agrees to receive messages from DispoTag regarding general communications and customer support.

• Opt‑out: Reply STOP to any SMS message to unsubscribe.
• Help: Reply HELP to any SMS message for more information.
• Frequency: Message frequency varies.
• Rates: Message and data rates may apply.

If you need assistance or have questions about our SMS service, reply with HELP to any SMS message you receive, or contact our customer support team at (818) 698‑8307.

11.3 Cookies & advertising preferences

• Manage preferences through our cookie banner and Cookie Settings page.
• Where applicable, use the Do Not Sell/Share My Info link to opt out of sale/sharing or targeted/cross‑context behavioral advertising.
• We endeavor to honor Global Privacy Control signals where legally required.

11.4 U.S. state privacy rights

Depending on your state of residence, you may have rights to know/access, correct, delete, opt out of sale/sharing/targeted advertising and certain profiling, and appeal a decision if we deny your request. To exercise rights, use our Privacy Request Portal (if available) or contact us using the information provided on our website.

11.5 EEA/UK rights

Where GDPR/UK GDPR applies, you may request access, correction, deletion, restriction, portability, and object to processing where our basis is legitimate interest. Where processing is based on consent, you may withdraw consent at any time.

12) Children’s privacy

Our services are not directed to children under 13 (or the age required by local law). We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, please contact us so that we can take appropriate steps.

13) Customer responsibilities as controller

• Provide legally required notices to affected individuals (e.g., recipients, drivers).
• Obtain and document a lawful basis where required (e.g., consent, legitimate interests, contract).
• Configure data retention, access, and deletion settings to align with your policies.
• Do not use our services to track individuals in ways that are unlawful, discriminatory, or intrusive.
• Enter into our Data Processing Addendum (DPA) where required.

14) Payment processing

We use third‑party payment processors, including Stripe, to process payments. These processors collect and use payment data under their own privacy notices. We receive a limited set of information (e.g., last4, card brand, status) sufficient for records, fraud prevention, and refunds.

15) Third‑party links & services

Our services may contain links to or integrations with third‑party websites or platforms. We are not responsible for their privacy practices. Review their policies before sharing personal information.

16) Changes to this policy

We may update this policy from time to time. If we make material changes, we will notify you by posting the updated policy and updating the “Last updated” date, and, where required, by additional notice.

17) Region‑specific disclosures

California (CPRA)

• We do not sell personal information for money or other valuable consideration. We do not sell or share mobile device data (including device identifiers, geolocation, and app usage data) for marketing or advertising purposes. We may engage in cross‑context behavioral advertising on our websites as defined by the CPRA; you may opt out. Any such activity does not involve mobile device data.
• Sensitive personal information: If collected, we use it only for limited purposes permitted by CPRA (e.g., security, service provision) and do not use it to infer characteristics.
• Metrics: Upon request, we can provide statistics on consumer requests received, complied with, and denied.

Virginia/Colorado/Connecticut/Utah and other U.S. state laws

We process personal data as a processor/service provider on behalf of customers and as a controller for our own business operations. You have the rights listed above.

EEA/UK/Switzerland

Where we act as a processor, we do so under a DPA with customers. For controller activities (e.g., website analytics, marketing), our legal bases are described earlier in this policy.

18) Cookie Notice (summary)

• Strictly necessary (session management, security) – always on.
• Analytics (usage insights) – consent‑based where required.
• Advertising (retargeting) – opt‑in/opt‑out per local law.
• Controls: Manage via cookie banner, Cookie Settings, browser settings, and the Do Not Sell/Share My Info link.

19) Data Processing Addendum (processor terms) – overview

• Process only on documented instructions;
• Implement appropriate security measures;
• Ensure confidentiality of personnel;
• Assist with data subject requests and incident notifications;
• Use sub‑processors under written contracts and publish a list;
• Support audits subject to reasonable limits;
• On termination, delete or return personal data per customer direction and law;
• Use SCCs or other transfer mechanisms for international tr