Privacy Policy
Your privacy and data security are our top priorities
Introduction
SPConnector, operated by JonesLabs LLC ("we," "our," or "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our automated packing slip printing service that integrates Shippo and PrintNode.
SPConnector is a product of JonesLabs LLC, operating as a software service for e-commerce automation. JonesLabs LLC is the data controller for all personal information processed through SPConnector.
By using SPConnector, you agree to the collection and use of information in accordance with this policy.
Information We Collect
Account Information
- Email address for account creation and login verification
- User session data for maintaining authenticated access
- Account preferences and settings stored in our system
- User-to-tenant mapping for multi-tenant access control
API Integration Data
- Shippo API keys (encrypted with AES-256 encryption)
- PrintNode API tokens (encrypted with AES-256 encryption)
- Printer configuration settings
- Order processing preferences and filters
Order Processing Data
- Order information retrieved from Shippo (order numbers, shipping addresses, package details) - all encrypted at rest with AES-256 encryption
- Print job records and status updates
- Processing logs and system activity records
- Error logs for troubleshooting purposes
Usage Information
- Login times and session data
- Feature usage patterns and dashboard interactions
- System performance metrics
Analytics Data
We use Umami, a privacy-focused, cookie-free analytics platform that we self-host on our own infrastructure. Umami does not collect any personal data or use tracking cookies. The anonymous data we collect includes:
- Page views and website navigation patterns
- General device type and browser information
- Referral sources
- General geographic location (country/region, derived without collecting IP addresses)
No personal data is collected, no visitor profiles are created, and analytics data is never associated with individual user accounts.
How We Use Your Information
We use the collected information solely for the following purposes:
- Providing automated packing slip printing services
- Connecting to your Shippo and PrintNode accounts via their APIs
- Processing and printing packing slips based on your configured settings
- Monitoring system performance and providing dashboard analytics
- Troubleshooting technical issues and providing customer support
- Sending service-related notifications and updates
- Maintaining system security and preventing unauthorized access
- Analyzing anonymous website usage patterns to improve our service (via Umami, our self-hosted analytics)
- Understanding feature adoption and user engagement patterns
- Optimizing our marketing efforts and conversion rates
We do not use your data for advertising, marketing to third parties, or any commercial purposes beyond providing our printing automation service.
Data Security
Encryption
- All API keys (Shippo and PrintNode) are encrypted using AES-256 encryption before storage in our database
- All order data including customer addresses, names, and contact information are encrypted using AES-256 encryption
- User authentication is managed using industry-standard practices including OAuth 2.0 and encrypted session tokens
- Data is encrypted in transit using TLS 1.3
- Database storage uses encryption at rest
Infrastructure Security
- Hosted on Railway's SOC 2 Type II certified infrastructure with SOC 3 and HIPAA attestations
- 24/7 security monitoring and intrusion detection
- Regular security audits and vulnerability assessments
- Automated backup and disaster recovery procedures
- Full transparency available at Railway's Trust Center: https://trust.railway.com/
Access Controls
- Role-based access controls with minimum necessary permissions
- Multi-factor authentication for administrative access
- Regular access reviews and deprovisioning procedures
Data Sharing and Disclosure
We do not sell, trade, or share your personal information with third parties for commercial purposes.
Service Providers
We share data only with essential service providers under strict confidentiality agreements:
- Resend: Our email delivery provider that handles login verification codes and transactional emails
- Polar: Our Merchant of Record for payments and subscriptions. Polar handles billing, invoices, and sales tax compliance. Charges on your statement will appear from "Polar Software, Inc." See Polar's Privacy Policy
- Shippo: We transmit your API key to retrieve order information
- PrintNode: We transmit your API token to send print jobs
- Railway: Our hosting provider for infrastructure services
- Umami (self-hosted): Privacy-focused, cookie-free analytics hosted on our own infrastructure. No personal data is collected or shared with third parties.
Legal Requirements
We may disclose information if required by law, such as:
- Compliance with legal process or government requests
- Protection of our rights, property, or safety
- Investigation of potential violations of our terms of service
Data Retention
Standard Retention Periods
- Account Data (Our System): User-to-tenant mapping and preferences retained for the duration of your active subscription plus 90 days after cancellation
- Authentication Data: Session tokens and login records retained for the duration of your active sessions; expired sessions are automatically cleaned up
- Order Processing Data: Automatically retained based on your subscription tier:
  - Starter Tier: 7 days order history retention
  - Growth Tier: 30 days order history retention
  - Business Tier: 90 days order history retention
  - Enterprise Tier: 365 days order history retention
- API Keys: Encrypted and stored securely in our database; deleted immediately upon account deletion or key rotation
- System Logs: Retained for 90 days for security and performance monitoring
- Analytics Data: Anonymous analytics data is stored on our own self-hosted infrastructure with no third-party data retention
Automatic Data Retention
Our system automatically enforces data retention limits based on your subscription tier. Orders older than your tier's retention period are automatically and permanently deleted during daily maintenance cycles. This ensures compliance with data minimization principles and helps maintain system performance.
Account Deletion vs. Cancellation
- Account Cancellation: Subscription ends but data is retained for 90 days for potential reactivation
- Account Deletion: All data in our system is permanently deleted within 24 hours with no recovery period
- Authentication Cleanup: All session data and authentication records are permanently removed
- Complete Data Removal: Account deletion removes all data from our systems, including any analytics data associated with your account
- No Backup Retention: Deleted data is not retained in backups beyond standard backup rotation cycles
Data Deletion Options
You have multiple options for data removal:
- Self-Service Account Deletion: Permanently delete all data through your user menu
- Individual Order Deletion: Delete specific orders through the orders dashboard
- Bulk Order Deletion: Clear all orders while keeping your account active
- Configuration Reset: Remove API keys and settings while preserving order history
- Data Export Before Deletion: Download your data before permanent removal
Your Rights and Choices
Data Access and Control
- Access and Export: Download all your data in GDPR-compliant formats through your account dashboard or user menu
- Complete Data Export: Export all account information, orders, configuration, and system data in JSON format
- Orders Export: Export order data in CSV format for easy analysis and record-keeping
- Account Management: Modify or update your account information and preferences at any time
- Account Deletion: Permanently delete your account and all associated data through a secure multi-step process
- Data Portability: All exports are provided in machine-readable formats for easy migration
Account Deletion Process
We provide a comprehensive account deletion feature that ensures complete data removal:
- Self-Service Deletion: Delete your account directly from your user menu
- Multi-Step Verification: Email confirmation and typed confirmation required for security
- Complete Data Removal: All data is permanently deleted from our systems within 24 hours
- Authentication Cleanup: All session data and authentication records are permanently removed
- Irreversible Process: Account deletion cannot be undone - we recommend exporting data first
- No Data Retention: Unlike cancellation, deletion removes all data immediately with no recovery period
Data Export Features
Our GDPR-compliant data export system provides comprehensive access to your information:
- Complete Export: Includes account info, all orders, configuration settings, and system data
- Orders-Only Export: CSV format with comprehensive order details for business analysis
- Security Protection: API keys are masked in exports to protect sensitive credentials
- GDPR Compliance: Exports include metadata explaining your data rights under Article 15
- Instant Download: All exports are generated in real-time and available immediately
- Multiple Access Points: Available from main navigation, user menu, and account deletion flow
GDPR Rights (EU Residents)
- Right to Access: Export all your personal data through our self-service portal
- Right to Rectification: Update inaccurate data through your account settings
- Right to Erasure: Permanently delete your account and all data through our deletion feature
- Right to Restrict Processing: Contact support to limit how we process your data
- Right to Data Portability: Export data in machine-readable JSON and CSV formats
- Right to Object: Opt out of analytics and non-essential processing
CCPA Rights (California Residents)
- Right to Know: Our data export feature shows exactly what personal information we collect
- Right to Delete: Use our account deletion feature to permanently remove all personal information
- Right to Opt-Out: We do not sell personal information, but you can opt out of analytics
- Right to Non-Discrimination: All features remain available regardless of privacy choices
Alternative Options
Before deleting your account, consider these alternatives:
- Downgrade Plan: Switch to a lower-tier plan to reduce costs while keeping your data
- Export Data: Download your data for backup before making any permanent changes
- Contact Support: Discuss concerns or issues that might be resolved without deletion
- Temporary Suspension: Contact support for temporary account suspension options
Cookies and Tracking
We use cookies and tracking technologies to provide and improve our service:
Essential Cookies (Always Active)
- Authentication Cookies: Required for user login and session management
- Security Cookies: Protect against cross-site request forgery and other attacks
- Preference Cookies: Store your dashboard settings and user preferences
Analytics
We use Umami for website analytics, which is completely cookie-free. Umami does not set any cookies or use any tracking technologies that require consent. All analytics data is collected anonymously without identifying individual visitors.
Cookie Management
You have control over cookie usage:
- Essential cookies cannot be disabled as they are required for service functionality
- You can manage cookies through your browser settings
- Our analytics solution (Umami) is cookie-free and does not require any cookie consent
Third-Party Tracking
- Umami Analytics (self-hosted): Our analytics are self-hosted on our own infrastructure. No data is sent to third-party analytics providers. Umami does not collect IP addresses or any personally identifiable information.
- No Advertising: We do not use advertising cookies or share data for advertising
- No Third-Party Data Sharing: Analytics data remains entirely on our own infrastructure and is never shared with external parties
International Data Transfers
Our services are hosted in the United States. If you are accessing our services from outside the US, your data will be transferred to and processed in the United States.
We ensure appropriate safeguards are in place for international transfers, including encryption and contractual protections that meet international standards.
Children's Privacy
Our services are not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by:
- Posting the updated policy on our website
- Displaying a prominent notice in your account dashboard
Your continued use of the service after changes become effective constitutes acceptance of the updated policy.
Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us:
JonesLabs LLC
8735 Dunwoody Place #12250, Atlanta GA 30350, United States
Support Portal: Contact Support
Response Time: We respond to all privacy inquiries within 48 hours
