PostalDataPI Privacy Policy — DRAFT v1.0
Status: DRAFT — attorney review pending. Author: PE (PostalDataPI, non-attorney draft) Purpose: Public privacy notice for PostalDataPI LLC, covering customers, partners, prospects, and website visitors. Accepted by reference in the Partner Agreement (§9.5) and customer Terms of Service. Operationalizes US state privacy rights (CCPA/CPRA and the VCDPA-family states) since the Partner Data Protection Addendum is scoped to EEA/UK/Swiss only. URL: postaldatapi.com/privacy
PostalDataPI Privacy Policy
Version 1.0 — Effective [DATE]
PostalDataPI LLC, an Idaho limited liability company with principal place of business at 2357 W Burns Street, Eagle, Idaho 83616 ("PostalDataPI," "we," "us," or "our"), values your privacy. This Privacy Policy explains how we collect, use, share, retain, and protect Personal Data, and the rights you have under applicable privacy laws.
This Policy applies to:
- Visitors to postaldatapi.com, docs.postaldatapi.com, and our other web properties.
- Customers who sign up for PostalDataPI API services.
- Partners in the PostalDataPI Partner Program (with additional protections in the Partner Data Protection Addendum at postaldatapi.com/partners/dpa for EEA/UK/Swiss partners).
- People whose Personal Data we receive from customers, partners, or through our sub-processors.
If this Policy conflicts with the Partner Agreement, the Partner Data Protection Addendum, or a separate agreement you have with us, the more specific document controls on the conflicting point.
1. Quick Summary
If you only read one section, read this one:
- What we collect: account information (name, email, billing), API usage records, limited technical data (IP, device), and — for partners — tax and banking information via Stripe Connect.
- Why: to operate PostalDataPI, serve you, comply with law, and prevent abuse.
- What we don't do: we don't sell your Personal Data, we don't share it for cross-context behavioral advertising, and we don't use it to build profiles outside PostalDataPI's operation.
- Your rights: you have meaningful rights under US state laws, GDPR, UK GDPR, Swiss FADP, and other applicable laws. See Sections 4-7.
- Contact: privacy@postaldatapi.com for any privacy matter.
Everything below is the detail behind that summary.
2. Who We Are
PostalDataPI LLC is a single-member Idaho limited liability company operating postal code lookup, validation, and enrichment API services.
- Controller for purposes of GDPR, UK GDPR, Swiss FADP, and analogous laws: PostalDataPI LLC.
- Registered address: 2357 W Burns Street, Eagle, Idaho 83616, United States.
- Contact for privacy matters: privacy@postaldatapi.com.
We do not have an EU representative appointed under GDPR Article 27 because the volume of EEA-based processing we conduct is limited and falls within Art. 27(2)'s exemption. If our EEA footprint grows to require one, we will appoint and publish their contact here.
3. Personal Data We Collect
3.1 From customers (people and entities using PostalDataPI API services)
| Category | Examples | Purpose | Lawful basis (GDPR) |
|---|---|---|---|
| Identifiers | Name, email, account credentials (username, hashed password) | Account creation, authentication, communication | Contract performance (Art. 6(1)(b)) |
| Billing and financial | Billing address, payment card details (tokenized via Stripe), tax ID (if self-reported for VAT/invoicing) | Billing, tax compliance, fraud prevention | Contract performance; legal obligation (Art. 6(1)(c)) |
| Usage and technical | API requests, query patterns, response metadata, IP address, device/browser information, timestamps | Service operation, analytics, debugging, fraud prevention | Contract performance; legitimate interest (Art. 6(1)(f)) — operating and securing the service |
| Referral source | Information about how you found us, including any partner who referred you (via the "Who referred you?" field) | Attribution to partners; marketing analytics | Legitimate interest of both PostalDataPI and the Partner (joint controllers for this specific data flow — see Partner DPA Appendix D) |
| Communication | Support tickets, emails, chat messages | Customer support, record-keeping | Contract performance; legitimate interest |
| Marketing consent | Whether you opted into marketing emails, your preferences | Opt-in marketing, preference management | Consent (Art. 6(1)(a)), withdrawable any time |
3.2 From partners in the PostalDataPI Partner Program
See Partner Data Protection Addendum §3.1 for EEA/UK/Swiss partners. For US and other partners, the same categories apply, plus:
- Stripe Connect KYC information (date of birth, government ID for identity verification, bank account for payouts)
- Tax forms (W-9 for US partners; W-8BEN/W-8BEN-E for non-US partners) and 1099-NEC records
- Partnership-related communication and dispute records
3.3 Cookies and similar technologies
Our website uses:
- Essential cookies for login session management and security. These cannot be disabled without breaking login.
- Analytics cookies for anonymous usage measurement. Disabled by default in jurisdictions requiring opt-in consent (EEA/UK/Swiss).
- No third-party advertising cookies. We do not run behavioral advertising or cross-site tracking cookies.
We honor Global Privacy Control (GPC) signals and other "Do Not Sell or Share" mechanisms recognized under applicable state law. If your browser sends a GPC signal, we treat it as a valid opt-out request with respect to the categories and processing operations it covers under the relevant state's law.
3.4 Data we do NOT collect
- We do not knowingly collect data from children under 13 (COPPA), or under 16 (GDPR) without parental consent. The PostalDataPI service is not directed to minors. If we learn that we have inadvertently collected data from a minor, we will delete it.
- We do not collect special category data (GDPR Art. 9 — health, political opinions, religious beliefs, sexual orientation, biometric, etc.) intentionally. We do not ask for it.
- We do not collect data from public sources to enrich our customer profiles.
4. How We Use Personal Data
4.1 Purposes
- Provide, operate, and maintain the PostalDataPI API service and related tools.
- Process payments and payouts via Stripe.
- Communicate with you (account notices, service updates, support, legally required notices).
- Prevent fraud, abuse, and security incidents.
- Comply with legal obligations (tax, sanctions, subpoenas, court orders).
- Improve the service through aggregate analytics.
- If you opted in, send marketing communications (always with opt-out link).
- Operate the Partner Program, including attribution and payouts.
4.2 Automated decision-making and profiling
We do not use automated decision-making that produces legal or similarly significant effects on you under GDPR Art. 22. We do not build behavioral profiles of you or use your data for targeted advertising.
4.3 Sensitive Personal Information (CCPA/CPRA and analogous state laws)
We process certain Sensitive Personal Information (SPI) under CCPA/CPRA §1798.140(ae):
- Government-issued identification numbers (tax ID, for partners only)
- Account log-in credentials (user password — hashed, never in cleartext)
- Precise geolocation is NOT collected (we collect IP-derived approximate location for fraud/security only, not precise geolocation)
We limit the use of SPI to the purposes enumerated in CPRA §7027(m): providing services, detecting security incidents and fraud, preserving the integrity of our systems, resisting malicious or illegal actions, ensuring physical safety, short-term transient use that does not build a profile, undertaking internal research, verifying or maintaining the quality of services, and performing services on your behalf. We do not use SPI for purposes outside this list.
California residents have the right to limit the use of Sensitive Personal Information under CPRA §1798.121 — see Section 5 for how to exercise it.
5. Your Rights
You have rights under applicable privacy laws. How to exercise them (Section 6) and the timelines we commit to (Section 7) apply to all of the following rights unless specifically noted.
5.1 Rights available to California residents (CCPA/CPRA)
- Right to know (§1798.100): categories and specific pieces of Personal Information we have collected, shared, or sold about you, in the prior 12 months and lifetime as applicable.
- Right to delete (§1798.105): we will delete your Personal Information unless a statutory exception applies (tax records, pending disputes, security purposes, etc.).
- Right to correct (§1798.106): correct inaccurate Personal Information we maintain.
- Right to opt out of Sale or Sharing (§1798.120): we do not sell or share your Personal Information, so this right is automatically honored — but you can still submit a formal request.
- Right to limit use of Sensitive Personal Information (§1798.121): limit our use of SPI to the CPRA-enumerated purposes. See Section 4.3.
- Right to non-discrimination (§1798.125): we will not retaliate against you for exercising these rights.
- Right to access authorized agents (§1798.140(d)): you may use an authorized agent to exercise these rights on your behalf; we will verify the agent's authorization.
5.2 Rights available to Virginia, Colorado, Connecticut, Texas, Oregon, and other VCDPA-family state residents
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Oregon (OCPA), and analogous states have:
- Right to confirm and access Personal Data we process about you.
- Right to correct inaccurate Personal Data.
- Right to delete Personal Data.
- Right to portability (copy of Personal Data in a portable, machine-readable format).
- Right to opt out of (i) sale of Personal Data, (ii) targeted advertising, and (iii) profiling in furtherance of decisions that produce legal or similarly significant effects. We do none of these; opt-out is automatically honored.
- Right to appeal our denial of a privacy rights request. Submit appeals to privacy@postaldatapi.com with "Appeal" in the subject line; we respond within 60 days.
- Right to consent or opt-in for Sensitive Data processing (in VCDPA-family states; we use the "legal obligation" or "necessary for contract" exceptions for tax ID processing, which are recognized exceptions under these laws).
5.3 Rights for Utah residents (UCPA)
Utah's privacy law is narrower. Utah residents have:
- Right to confirm and access Personal Data.
- Right to delete Personal Data.
- Right to portability.
- Right to opt out of sale and targeted advertising.
Utah does not provide a right to correct or a right to appeal. We nevertheless honor correction requests from Utah residents as a matter of policy.
5.4 Rights for EEA, UK, and Swiss residents (GDPR, UK GDPR, Swiss FADP)
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17), subject to legal obligations (tax retention, etc.)
- Right to restriction (Art. 18)
- Right to portability (Art. 20)
- Right to object (Art. 21), including to processing based on legitimate interest
- Right not to be subject to automated decision-making (Art. 22) — we do not use automated decision-making
- Right to withdraw consent (Art. 7(3)) for any consent-based processing
- Right to lodge a complaint with a supervisory authority (Art. 77) — your habitual residence's authority, or the Irish DPC as default for cross-border matters; UK residents: ICO; Swiss residents: FDPIC
See the Partner Data Protection Addendum at postaldatapi.com/partners/dpa for additional detail for EEA/UK/Swiss partners.
5.5 Universal Opt-Out Mechanisms
We honor Global Privacy Control (GPC) signals as an opt-out mechanism for:
- Sale of Personal Information (CCPA/CPRA)
- Sharing for cross-context behavioral advertising (CCPA/CPRA)
- Targeted advertising (CPA, CTDPA, TDPSA, OCPA, and others requiring UOOM recognition)
When your browser sends a GPC signal, we treat it as a valid opt-out request to the extent applicable state law recognizes it. No additional action is needed from you.
5.6 No discrimination
We will not discriminate against you for exercising any of these rights. We will not deny service, charge different prices, provide a different level of quality, or retaliate against you.
6. How to Exercise Your Rights
6.1 Submit a request
Email privacy@postaldatapi.com with the following information:
- Which right you want to exercise (access, delete, correct, portability, opt-out, limit SPI use, appeal, withdraw consent, etc.)
- Your account email or other identifier that lets us locate you
- A brief description of the specific Personal Data you're asking about, if applicable
If you are using an authorized agent, the agent must provide written proof of authorization that meets the applicable state's requirements.
6.2 Verification
Where we have reasonable doubts about the identity of the requester, we may ask for additional information to verify you are the Data Subject or an authorized agent. Verification is proportionate to the sensitivity of the request. We do not impose blanket re-authentication for every request.
6.3 Response timelines
| Jurisdiction | Acknowledgment | Substantive response |
|---|---|---|
| GDPR / UK GDPR / Swiss FADP (EEA/UK/Switzerland) | 5 business days | 1 month from receipt, extendable by 2 months for complex requests |
| CCPA/CPRA (California) | 10 business days | 45 days, extendable by 45 additional days |
| VCDPA family (Virginia, Colorado, Connecticut, Texas, Oregon, and analogous states) | 5 business days | 45 days, extendable by 45 additional days |
| Utah (UCPA) | 5 business days | 45 days |
| Appeals (VCDPA-family states) | 10 business days | 60 days from receipt of appeal |
6.4 No fees
We do not charge for privacy rights requests, except where a request is manifestly unfounded or excessive, consistent with applicable law.
7. How We Share Personal Data
We share Personal Data with:
7.1 Sub-processors (service providers / processors)
We engage third-party service providers to operate PostalDataPI. These are "service providers" under CCPA/CPRA, "processors" under VCDPA-family laws and GDPR. We bind them by contract to:
- Process Personal Data only for the limited, specified purposes we engage them for
- Not sell or share the Personal Data
- Not combine the Personal Data with data from other sources except as permitted for service provision
- Implement reasonable security measures
- Return or delete Personal Data at the end of the engagement
- Meet the specific contractual requirements of CCPA/CPRA §1798.140(ag) / CPA 4 CCR 904-3 Rule 8.03, VCDPA §59.1-579, and analogous state provisions
The current list of sub-processors is maintained at postaldatapi.com/subprocessors with change notifications via email subscription.
7.2 Legal and safety purposes
We may disclose Personal Data:
- To comply with legal obligations (subpoenas, court orders, tax authorities)
- To enforce our agreements with you
- To protect the rights, property, or safety of PostalDataPI, our customers, or the public
- In connection with a business transaction (acquisition, merger, financing, restructuring)
For law enforcement requests concerning Personal Data of EEA/UK/Swiss Data Subjects, we will notify the Data Subject where legally permitted, challenge orders that conflict with applicable privacy rights, and escalate to privacy counsel before disclosure.
7.3 With your consent or at your direction
We share Personal Data with others where you explicitly direct us to, such as:
- Partner attribution confirmation (we share minimal information with a Partner when a customer identifies them as their referral source — see Partner DPA Appendix D)
- Integration partners you choose to connect to your account
- Public endorsements, testimonials, or case studies you consent to
7.4 What we do NOT do
- We do not sell Personal Data. This statement is accurate under every US state law's definition of "sale" that we are aware of.
- We do not share Personal Data for cross-context behavioral advertising. This statement is accurate under CPRA's definition of "share."
- We do not engage in targeted advertising as defined by VCDPA, CPA, CTDPA, TDPSA, OCPA, and analogous laws.
- We do not use Personal Data for profiling that produces legal or similarly significant effects on you.
8. Sub-processors
Current sub-processors include:
| Sub-processor | Purpose | Location | More info |
|---|---|---|---|
| Stripe, Inc. | Billing, payments, partner payouts, KYC, tax reporting | United States | stripe.com/privacy |
| Vercel Inc. | Application hosting, edge delivery | United States, global edge | vercel.com/legal/privacy-policy |
| Neon Inc. | Database hosting (PostgreSQL) | United States, regional options | neon.tech/privacy-policy |
| Sentry (Functional Software) | Error monitoring and observability | United States | sentry.io/privacy |
| ImprovMX | Email forwarding for @postaldatapi.com addresses | France (EU) | improvmx.com/privacy |
| Google LLC | Business email (Workspace) for internal PostalDataPI email | United States | cloud.google.com/terms |
9. Data Retention
We retain Personal Data only as long as needed for the purpose we collected it for, unless longer retention is required by law:
| Data category | Retention period | Basis |
|---|---|---|
| Customer account and service records | Duration of your account plus 2 years | Operational / dispute support |
| Billing and tax records | 7 years from tax year-end | IRS record retention |
| Partner attribution records | 7 years from termination of the attribution | Audit support, commission records |
| Partner KYC (via Stripe) | Per Stripe retention (typically 7+ years) | Legal obligation |
| API usage logs | 2 years | Security, fraud prevention |
| Support correspondence | 3 years from last substantive communication | Quality, training, dispute support |
| Marketing consent records | Until withdrawn plus 2 years | Consent audit trail |
| Web analytics (anonymized) | Per analytics tool retention; typically 14-26 months | Analytics |
| Unclaimed-property escheat (dormant accounts) | Per Idaho Code §14-501 et seq. | Legal obligation; for EEA/UK/Swiss residents, Idaho escheat law is applied consistent with the Data Subject's GDPR/UK GDPR/FADP rights |
| Anonymized and aggregated data | Indefinite | No longer Personal Data once fully anonymized |
10. Security
We implement reasonable technical and organizational measures to protect Personal Data:
- TLS 1.2+ in transit; AES-256 at rest (via our sub-processors).
- Access controls, multi-factor authentication for administrative access.
- Logging and monitoring.
- Documented incident response procedures (see Partner DPA Appendix E for detail).
- Regular review of our security posture as the Company matures.
For our full Technical and Organizational Measures, see the Partner Data Protection Addendum Appendix E at postaldatapi.com/partners/dpa.
Security incidents. We will notify you of a security incident affecting your Personal Data without undue delay and in any event within the timeline required by applicable law (typically 72 hours under GDPR/UK GDPR/FADP; state-law timelines vary for US residents).
11. International Data Transfers
PostalDataPI is based in the United States. Personal Data we process may be transferred to and stored in the United States, including via our sub-processors.
For EEA, UK, and Swiss Data Subjects, we rely on the EU Standard Contractual Clauses 2021/914, the UK Addendum to those SCCs, and the Swiss FADP adaptations. Details of the transfer mechanism are set out in the Partner Data Protection Addendum at postaldatapi.com/partners/dpa. If you are not a partner but your Personal Data is transferred from the EEA, UK, or Switzerland to us (e.g., you are a customer or prospect), the same transfer mechanism applies.
We have conducted a Transfer Impact Assessment (TIA) addressing US laws (FISA 702, EO 12333, CLOUD Act) and concluded that our data categories and use patterns present a low practical risk of US government access. See the Partner DPA for detail.
12. Children's Privacy
The PostalDataPI service is not directed to children under 13 (under 16 in the EEA). We do not knowingly collect Personal Data from children. If you are a parent or guardian and believe we have collected Personal Data from a child, email privacy@postaldatapi.com and we will investigate and delete.
13. Changes to this Privacy Policy
We may update this Privacy Policy to reflect changes in our practices or applicable law. We post the updated Policy with a new "Last updated" date. Material changes that expand the use of your Personal Data in ways you would not reasonably expect, or that reduce your rights, will be communicated to you via email to your registered address at least 30 days before they take effect.
The current version and effective date are shown at the top of this document. Prior versions are available on request.
14. Contact Us
For any privacy matter — rights request, question, concern, or complaint — contact us at:
privacy@postaldatapi.com
Postal address:
PostalDataPI LLC Attn: Privacy 2357 W Burns Street Eagle, Idaho 83616 United States
We acknowledge privacy emails within 5 business days (10 business days for California residents where more than one request is outstanding) and respond substantively per the timelines in Section 6.3.
If you are not satisfied with our response, you have the right to lodge a complaint with your local privacy authority:
- California: California Privacy Protection Agency at cppa.ca.gov/complaint
- Other US states: state Attorney General's office (most states) or specific agency where applicable
- EEA: supervisory authority of your habitual residence, or Irish DPC for cross-border matters at dataprotection.ie
- UK: Information Commissioner's Office at ico.org.uk/make-a-complaint
- Switzerland: Federal Data Protection and Information Commissioner at edoeb.admin.ch
Revision Log
- v1.0 — 2026-04-22: Initial draft by PE, covering customer, partner, prospect, and visitor data. US state privacy rights (CCPA/CPRA, VCDPA family, Utah, Universal Opt-Out Mechanism) included per the decision to scope the Partner DPA to EEA/UK/Swiss only. GDPR/UK GDPR/Swiss FADP rights included as fallback for non-partner data subjects in those jurisdictions. Sub-processor list, retention schedule, TIA reference, security measures by reference to Partner DPA Appendix E. Ready for privacy counsel review alongside Partner Agreement v1.3.2 and Partner DPA v1.1.