Delivery365 is the controller for its own account, billing and platform data; for the information that business customers (entrepreneurs) upload about their own end-customers and drivers, Delivery365 acts as a processor on the entrepreneur's instructions and the entrepreneur is the controller.
We process personal data on lawful bases that match each purpose — contract for running the delivery service and billing, legitimate interest (with an opt-out) for analytics and security, and legal obligation for tax and invoicing records — never on a single blanket claim of consent.
We collect account and contact details, billing identifiers (no full card number is stored on our systems — payments are handled by Stripe), tax/business identifiers, precise driver GPS, the delivery content entrepreneurs upload, and technical logs and cookies.
Precise driver GPS is treated as Sensitive Personal Information under California law and is used only to provide and verify the delivery service.
We do not sell or share your personal information as defined by the CCPA, and we share data only with the sub-processors that the service actually depends on.
You can exercise your privacy rights — including the right to complain to your local supervisory authority — by contacting [email protected].
This document is a draft pending legal review; the operating legal entity and effective date are shown as placeholders until counsel finalises them.
1. Who we are and how to contact us
The operating legal entity responsible for this service is {{LEGAL_ENTITY}} ("Delivery365", "we", "us" or "our"). The legal entity, its registered address and its establishment jurisdiction are being finalised as part of the legal review of this draft and appear here as a placeholder until then.
Delivery365 is a delivery and logistics platform offered to business customers ("entrepreneurs") and their end-customers and drivers. For the personal data we collect about our own accounts, billing and platform operations, Delivery365 is the controller. For the personal data that entrepreneurs upload about their own end-customers and drivers, Delivery365 acts as a processor on the entrepreneur's instructions and the entrepreneur is the controller (see Section 2).
You can contact us about this policy, or exercise any of your privacy rights, by emailing [email protected]. This address is also the channel for any data protection contact, including the role of data protection officer or encarregado where one is required; we do not name a specific individual in this draft.
You also have the right to lodge a complaint with a data protection supervisory authority. Depending on where you live, this may be your local supervisory authority in the European Union or European Economic Area, the Information Commissioner's Office (ICO) in the United Kingdom, the Autoridade Nacional de Proteção de Dados (ANPD) in Brazil, or the California Privacy Protection Agency (CPPA) or Attorney General in California. We encourage you to contact us first at [email protected] so we can try to resolve your concern.
2. Scope and key terms
This policy applies to our public websites, the entrepreneur backoffice, the customer portal, the deliveryman mobile application, and our integration API. It does not apply to third-party websites or services that an entrepreneur may link to or use; those are governed by their own privacy policies.
For personal data that business customers ("entrepreneurs") upload about their own customers and drivers, Delivery365 acts as a data processor / service provider / operador on the entrepreneur's instructions; the entrepreneur is the controller and is responsible for the lawful basis and for informing those individuals. For entrepreneurs' own account data, Delivery365 is the controller.
To make this policy easier to read, we use the following terms consistently throughout:
Controller — the party that decides why and how personal data is processed.
Processor — the party that processes personal data on a controller's behalf and on its instructions (called a "service provider" under California law and an "operador" under Brazilian law).
Personal data — any information relating to an identified or identifiable individual.
End-customer — the recipient of a delivery, whose details an entrepreneur uploads to arrange that delivery.
Entrepreneur (or tenant) — a business customer that uses Delivery365 to run its own delivery operation.
Deliveryman — a driver who uses the mobile application to carry out deliveries.
Sub-processor — a third party that processes personal data on our behalf to help us provide the service.
Lawful basis — the legal ground, under the applicable data protection law, that allows a specific processing purpose.
3. The personal data we collect
We collect the categories of personal data set out below. For each category we indicate whether Delivery365 is the controller (our own data) or the processor (data an entrepreneur uploads about their own customers and drivers).
Account and identity data (controller) — names, email addresses, and hashed login credentials for platform staff, entrepreneur users, customer-portal users and drivers, together with sign-in IP addresses and locale and timezone preferences.
Billing data (controller) — Stripe billing identifiers used to manage subscriptions. We do not store full payment card numbers on our own systems; card data is handled by Stripe (see Section 6).
Tax and business identifiers (controller and processor) — tax numbers such as CPF or CNPJ and related registration identifiers for entrepreneurs (our data) and for the customers and recipients that entrepreneurs upload (their data). Where these are Brazilian government identifiers, we treat them as sensitive and handle them with additional care; their precise classification is being confirmed as part of the legal review of this draft.
Driver and recipient contact and address data — names, phone numbers and postal addresses, including the delivery content (recipients, addresses, invoice and order identifiers, proof-of-delivery photos and signatures, and free-text notes) that entrepreneurs upload to arrange deliveries (processor), and driver account contact details (controller).
Precise location data (controller and processor) — precise GPS coordinates for drivers (last-known position and the tracking trail recorded during deliveries) and geocoded coordinates of delivery points. We treat precise driver geolocation as Sensitive Personal Information (the "precise geolocation" category) under California law, and as high-risk personal data under European and Brazilian law (it is not, by itself, a special category of data). It is used only to provide and verify the delivery service (see Section 4).
Technical, telemetry and error-log data (controller) — application and request logs and error reports that can include IP addresses, device and browser information, request parameters and the context captured by our error-monitoring provider. Our request logging currently filters only password fields, so other request parameters, including personal data submitted in forms, can appear in these logs and error reports; this is a known limitation we are reviewing.
Cookies and device data (controller) — first-party cookies needed to run the service and a small number of third-party widget cookies (see Section 5).
We do not intentionally collect special categories of data such as biometric, health or government social-security numbers beyond the tax identifiers described above, and we do not knowingly collect data from children (see the children's-data section of this policy).
4. Why we use your data and our lawful basis
We use personal data only for the purposes set out below, and we rely on a lawful basis that matches each purpose. We do not rely on a single, blanket claim of consent for everything we do.
Account creation and authentication — to create and secure your account. Basis: performance of a contract (GDPR Art. 6(1)(b); LGPD execução de contrato; a business purpose under the CCPA).
Billing and subscriptions — to manage subscriptions, take payment through Stripe, and keep invoicing and tax records. Basis: performance of a contract and compliance with a legal obligation (GDPR Art. 6(1)(b) and (c); LGPD execução de contrato and obrigação legal).
Delivery fulfilment and routing — to plan, carry out and verify deliveries, including geocoding and route calculation. Basis: performance of a contract (GDPR Art. 6(1)(b); LGPD execução de contrato).
Driver assignment and GPS tracking — to assign deliveries and provide operational visibility, proof of service and safety during active deliveries. Basis: performance of a contract supported by our legitimate interest in operational visibility, proof of service and driver and recipient safety — not consent. You have the right to object to processing based on legitimate interest. Precise geolocation is treated as Sensitive Personal Information under California law and is used only to provide the service.
Customer notifications and transactional email — to send operational messages such as account, delivery and billing notices (not marketing). Basis: performance of a contract (GDPR Art. 6(1)(b); LGPD execução de contrato).
Error monitoring and security — to keep the platform and our customers' data secure, available and free from abuse. Basis: our legitimate interest in security (GDPR Art. 6(1)(f); LGPD legítimo interesse). You have the right to object.
Product analytics — to understand and improve how the service is used. We use first-party, server-side analytics that do not set a tracking cookie. Basis: our legitimate interest in improving the service, with an opt-out available by contacting [email protected] — not consent.
Lead and conversion tracking — to measure how business accounts are acquired and converted, which involves sending a primary administrator's name and email and some account details to a tracking provider. Basis: our legitimate interest in measuring acquisition, with an opt-out available by contacting [email protected] — not consent.
Legal and tax retention — to comply with invoicing, tax and other legal obligations. Basis: compliance with a legal obligation (GDPR Art. 6(1)(c); LGPD obrigação legal).
For the data that entrepreneurs upload about their own customers and drivers, Delivery365 has no independent lawful basis. We process that data only as a processor on the entrepreneur's instructions, and the entrepreneur, as controller, selects and documents the lawful basis and informs the affected individuals.
5. Cookies and similar technologies
We use a small number of first-party cookies that are essential to run the service, plus a small number of third-party widget cookies that may be set by external scripts. We do not load any client-side third-party analytics or advertising tracker, and we do not set a third-party analytics cookie: our product analytics (Ahoy) runs server-side with the API turned off, so it sets no client-side cookie.
The public cookie banner records your acknowledgement in your browser's localStorage (under the key "accept-terms"), not in a cookie. We do not operate a Consent Management Platform (CMP); managing cookie preferences through a consent platform is outside the scope of this service.
The exact cookies set by the third-party Cloudflare Turnstile and TurboChat scripts are controlled by those vendors and cannot be determined precisely from our own code; for those rows we describe them as vendor-controlled and under review, and you should consult the relevant vendor's policy for the definitive list.
The cookies and similar technologies used are:
_delivery365_web_session — Provider: Delivery365 (first-party). Purpose: maintains your server-side session and stores your selected locale; carries the cross-site request forgery (CSRF) secret. Duration: session (cleared when the browser session ends). Type: essential.
CSRF token (authenticity_token) — Provider: Delivery365 (first-party). Purpose: cross-site request forgery protection for forms and authenticated requests; the secret is held inside the session cookie above. Duration: session (lives and dies with the session cookie above). Type: essential.
"Remember me" cookie (Devise) — Provider: Delivery365 (first-party). Purpose: keeps you signed in when you choose 'remember me'; set only when you opt in, and cleared on sign-out. Duration: up to two weeks (Devise default), cleared on sign-out. Type: essential (authentication).
Cloudflare Turnstile challenge cookie — Provider: Cloudflare, Inc. (third-party). Purpose: bot and abuse protection on public forms; the Turnstile widget and the Cloudflare edge may set their own cookies. The exact cookie set is vendor-controlled and not determinable from our code. Duration: vendor-defined (under review). Type: third-party (under review).
TurboChat widget cookies — Provider: TurboChat (third-party, when the support widget is configured). Purpose: powers the embedded real-time support chat widget; the widget may set its own cookies. The exact cookie set is vendor-controlled and not determinable from our code, and nothing is loaded when the widget is not configured. Duration: vendor-defined (under review). Type: third-party (under review).
6. Sub-processors we rely on
To provide the service we rely on the sub-processors listed below. Each one acts as a processor / service provider / operador, processing personal data on our behalf under data-processing terms (for example, terms meeting GDPR Article 28, the CCPA service-provider requirements, or the LGPD operador requirements). We list only the sub-processors that the service actually depends on.
Our first-party server-side analytics (Ahoy) keeps its data inside our own database and does not send data to a third party, and our self-hosted job queue and cache (Redis / Sidekiq) run on our own infrastructure; neither is a third-party sub-processor, though job payloads held in Redis can reference personal data while a job is pending. Where a sub-processor's hosting region or transfer safeguard has not yet been confirmed, its safeguard is shown as "SCCs/DPF — to be confirmed" and is being finalised as part of the legal review of this draft (see Section 7).
The sub-processors are:
Stripe — Purpose: payments and subscription billing, including inbound billing webhook events. Data shared: billing identifiers and subscription / transaction metadata; no full payment card number is stored on our systems, card data is handled by Stripe. Region: United States (Stripe, Inc.), with global infrastructure. Safeguard: EU-US DPF + UK extension + Swiss-US DPF (SCCs fallback).
Mailtrap (Railsware Products Studio LLC) — Purpose: transactional email delivery; our sole outgoing email provider. Data shared: recipient email address and name, and the content of operational messages (such as account, delivery and billing notices). Region: United States entity; EU infrastructure option (under review). Safeguard: EU SCCs + UK Addendum.
DigitalOcean Spaces — Purpose: object and file storage for uploaded media. Data shared: uploaded images and documents (proof-of-delivery photos, receipts and custom-field files), which may show people, vehicle plates, addresses and signatures; stored objects are private. Region: the region selected in our configuration (default New York); data stays in the selected region. Safeguard: SCCs + region-pinning.
Google Maps Platform — Purpose: server-side geocoding and route calculation, and client-side maps and address autocomplete. Data shared: delivery and pickup addresses and coordinates. Region: United States (Google LLC), with global infrastructure. Safeguard: EU-US DPF + UK extension + Swiss-US DPF (SCCs fallback).
Cloudflare — Purpose: bot and abuse protection (Turnstile), edge delivery, and timezone detection. Data shared: visitor IP address, request metadata, and the Turnstile challenge token. Region: United States (Cloudflare, Inc.), with a global edge network. Safeguard: EU-US DPF + UK extension + Swiss-US DPF + SCCs.
Honeybadger — Purpose: error and exception monitoring and alerting. Data shared: exception context that, by default, can capture request parameters, cookies, session data, IP address and user context. Region: United States (likely); transfer mechanism under review. Safeguard: SCCs/DPF — to be confirmed.
TurboChat — Purpose: real-time support chat widget on public and portal pages. Data shared: support-conversation content and the page and visitor metadata captured by the embedded widget. Region: operator and region under review. Safeguard: SCCs/DPF — to be confirmed.
Risenexa — Purpose: lead and conversion tracking for business-account acquisition. Data shared: a primary administrator's name and email, plus the entrepreneur's country, city, subdomain, identifier and plan tier. Region: region and data-processing agreement under review. Safeguard: SCCs/DPF — to be confirmed.
Expo (exponent-server-sdk) — Purpose: push notifications to deliverymen (new-delivery and reassignment alerts). Data shared: a deliveryman's device push token and the notification body, which can include delivery-area context. Region: under review. Safeguard: SCCs/DPF — to be confirmed.
7. International data transfers
Because Delivery365 is offered globally, some of the sub-processors listed in Section 6 are located outside the European Economic Area (EEA), including in the United States. This means your personal data may be transferred to, and processed in, countries whose data-protection laws differ from those where you live. We do not claim that we never transfer personal data internationally; instead, we rely on a recognised transfer mechanism for each transfer, named per sub-processor in Section 6.
The transfer mechanisms we rely on, by sub-processor class, are:
Stripe, Google Maps and Cloudflare — the EU-US Data Privacy Framework (DPF), with its UK extension and the Swiss-US DPF extension where applicable, backed by Standard Contractual Clauses (SCCs) as a fallback.
Mailtrap — EU Standard Contractual Clauses together with the UK International Data Transfer Addendum.
DigitalOcean Spaces — Standard Contractual Clauses combined with region-pinning, so stored data remains in the region we select.
Honeybadger, TurboChat, Risenexa and Expo — these vendors' hosting region and transfer safeguard are still being confirmed as part of the legal review of this draft; their safeguard is shown as "SCCs/DPF — to be confirmed" and must not be read as a final, verified claim.
Different regimes impose different requirements on these transfers, and we account for them as follows:
United Kingdom — EU Standard Contractual Clauses alone are not sufficient for transfers restricted under UK data-protection law. For UK transfers we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as updated by the Information Commissioner's Office (ICO), together with a transfer risk assessment.
Brazil — under the LGPD and the ANPD's international-transfer rules, transfers out of Brazil rely on ANPD-approved standard contractual clauses (cláusulas-padrão) or another lawful Article 33 basis, in addition to a lawful basis for the processing itself. We also publish information about international transfers in Portuguese on our website, and you may request the full text of the relevant transfer clauses, which we will provide within 15 days (subject to the protection of trade secrets), as part of your LGPD Right to Information.
Switzerland — for individuals in Switzerland we rely, where applicable, on the Swiss-US Data Privacy Framework extension for US sub-processors that hold it. We do not claim to have appointed a Swiss representative.
A transfer mechanism does not replace the need for a lawful basis for the underlying processing; both apply. If you have questions about a specific transfer, contact us at [email protected].
8. How long we keep your data
We keep personal data only for as long as we have a purpose and a lawful basis for keeping it, and below we state the retention period, or the criteria that determine it, for each category. We do not rely on a bare "as long as necessary" with nothing behind it. Some concrete numeric periods (for example the exact number of days driver GPS is kept, or how long application logs are retained) are still being defined as part of the legal review of this draft, and where that is the case we say so rather than invent a figure.
For data we control:
Account and identity data (controller) — retained for the life of the account. When an entrepreneur, customer-portal user, driver or staff account is deleted, the associated records are removed. We also retain data for the period required by applicable tax, accounting and commercial law, and for the period needed to establish, exercise or defend legal claims, after which it is deleted.
Billing and tax records (controller) — retained for the period required by applicable tax and accounting law (a legal obligation under GDPR Art. 6(1)(c) / LGPD obrigação legal), which is typically several years, even after an account closes.
Driver GPS and location data (controller / processor) — driver GPS tracking points are retained for the life of the associated delivery record and are deleted together with that delivery (a hard-delete cascade when the parent delivery is removed). There is no separate, shorter automatic purge of GPS points, and a concrete standalone retention period for location data is being finalised as part of the legal review of this draft; we do not state an invented figure here.
Application and request logs, background-job data, error reports and analytics (controller) — these include items such as Rails application logs, the job-queue payloads held while a background job is pending, our first-party analytics, and the context captured by our error-monitoring provider. For these categories a single fixed period is not yet defined in our configuration: they are retained for the life of the account plus the period required by applicable tax or commercial law and our operational and security need, and the concrete numeric periods are being finalised as part of the legal review of this draft. Some of these stores are held by sub-processors and are subject to the sub-processor's own retention period (see Section 6).
For data an entrepreneur uploads about their own customers and drivers (where Delivery365 is the processor), retention is governed by the entrepreneur-controller's instructions and its agreement with us. We retain that data while the entrepreneur uses the service and delete it on the entrepreneur's instruction — including through the deletion cascade that removes a customer's or a delivery's records when the parent record is deleted. The entrepreneur, as controller, is responsible for setting the retention period for that data.
When a retention period ends, we delete the data or, where deletion is not immediately possible (for example data held in backups or in a sub-processor's store), we isolate it from further processing until it can be deleted.
9. How we protect your data
We take the security of personal data seriously and apply appropriate technical and organisational measures designed to protect it against unauthorised access, alteration, disclosure or destruction. The measures described here are the controls our systems actually implement; we describe them in general terms rather than disclosing configuration details that could help an attacker.
The measures we apply include:
Encryption in transit — traffic between your browser or device and our service, and between our service and the sub-processors we rely on, is protected using Transport Layer Security (TLS), and our server-to-sub-processor connections verify the other party's certificate.
Password protection — account passwords are stored only as salted one-way hashes (bcrypt), never as plain text.
API-key protection — integration API keys are stored only as one-way SHA-256 digests, never as the original key.
Private file storage — uploaded files (such as proof-of-delivery photos) are stored in non-public object storage and are served only through time-limited, on-demand links rather than public URLs.
Mobile-application authentication — the deliveryman mobile application authenticates with signed tokens (JWT) that can be individually revoked.
Multi-tenant isolation — each business customer's data is logically separated, and access is scoped so that one business customer cannot read another's data.
Abuse and bot protection — public forms are protected by a bot-and-abuse-protection challenge, and our integration API is rate-limited.
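As an added illustration of the password and API-key bullets above (example code written for this page, not Delivery365's own implementation), the plain-Ruby sketch below issues an integration key, stores only its SHA-256 digest, authenticates by looking the digest up, and revokes it. The in-memory store, the `dk_` key prefix and the `tenant_id` field are assumptions made for the example; the service's real schema is not shown on this page.

```ruby
require "digest"
require "securerandom"

# Illustrative API-key store: the plaintext key is returned to the caller once
# and never persisted; only its SHA-256 digest is kept (assumed schema).
module ApiKeyStore
  # Stand-in for an api_keys table keyed by key_digest (assumption for the example).
  KEYS = {}

  # Issue a key with 192 bits of randomness. Because the key itself is
  # high-entropy, an unsalted fast hash is enough: an attacker who dumps the
  # digests cannot invert them by guessing, unlike human-chosen passwords,
  # which is why passwords get bcrypt instead (Section 9, "Password protection").
  def self.issue(tenant_id)
    plaintext = "dk_#{SecureRandom.hex(24)}"
    KEYS[digest(plaintext)] = { tenant_id: tenant_id, revoked: false }
    plaintext
  end

  def self.digest(key)
    Digest::SHA256.hexdigest(key)
  end

  # Authenticate by digest lookup: the database is never handed the original
  # key, and a revoked record fails even though its digest is still present.
  # Returns the owning tenant_id, or nil when the key is unknown or revoked.
  def self.authenticate(presented_key)
    return nil if presented_key.nil? || presented_key.empty?
    record = KEYS[digest(presented_key)]
    return nil if record.nil? || record[:revoked]
    record[:tenant_id]
  end

  # Revoke an individual key without touching any other key of the same tenant.
  def self.revoke(plaintext)
    record = KEYS[digest(plaintext)]
    return false if record.nil?
    record[:revoked] = true
    true
  end
end

if $PROGRAM_NAME == __FILE__
  key = ApiKeyStore.issue(42)
  puts "issued once to the caller: #{key}"
  puts "stored digest only:        #{ApiKeyStore.digest(key)}"
  puts "authenticate -> tenant #{ApiKeyStore.authenticate(key).inspect}"
  ApiKeyStore.revoke(key)
  puts "after revoke -> #{ApiKeyStore.authenticate(key).inspect}"
end
```

The design point is the split between the two bullets: a fast, unsalted digest is acceptable for a random 192-bit key because brute-forcing the preimage is infeasible, whereas a password needs a slow salted hash such as bcrypt precisely because its entropy is low. Keeping only the digest also means a read-only leak of the table does not yield usable credentials.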
No method of transmission over the internet or method of electronic storage is completely secure, so while we strive to protect your personal data we cannot promise it will always be fully secure. We do not make any security-certification claim in this draft, and we do not assert encryption of data at rest, because that is being confirmed separately as part of the legal and infrastructure review; this section describes only the controls our code actually implements. If you believe your account or data has been compromised, contact us at [email protected].
10. Your privacy rights
Depending on where you live and which law applies to you, you have rights over your personal data. We honour these rights for the data we control. To exercise any of them, or to ask a question about this policy, contact us at [email protected]. We will verify your identity before acting on a request, we do not charge a fee for exercising your rights (except where a request is manifestly unfounded or excessive, as the law allows), and we aim to respond within one month, which we may extend by up to two further months for complex or numerous requests, telling you if we need the extra time.
If the European Union / European Economic Area or United Kingdom GDPR applies to you, you have the right to: access your data; have inaccurate data corrected (rectification); have your data erased; restrict our processing; data portability; object to processing based on our legitimate interests; and, where we rely on consent, withdraw that consent at any time without affecting prior processing. You also have the right to lodge a complaint with a data protection supervisory authority — your local authority in the EU/EEA, or the Information Commissioner's Office (ICO) in the United Kingdom — although we ask that you contact us first at [email protected] so we can try to resolve your concern.
If the Brazilian LGPD applies to you, you have the rights set out in Article 18, including: confirmation that we process your data and access to it; correction; anonymisation, blocking or deletion of unnecessary or excessive data or data processed in non-compliance with the law; portability; deletion of data processed with consent; information about the public and private entities with which we have shared your data; information about the possibility of refusing consent and the consequences of doing so; and revocation of consent. You also have a Right to Information about our international transfers: you may request the full text of the relevant transfer clauses, which we will provide within 15 days (subject to the protection of trade secrets). You may petition the Brazilian data protection authority (ANPD). Our data protection contact (Encarregado channel) is [email protected]; we do not name a specific individual in this draft.
If the California CCPA/CPRA applies to you, you have the right to: know what personal information we collect and how we use and disclose it; access and obtain a copy of it; correct inaccurate information; delete it; opt out of the sale or sharing of personal information; limit the use and disclosure of your Sensitive Personal Information (which, for our service, includes precise driver geolocation); and not be discriminated against for exercising your rights. We do not sell or share your personal information as defined by the CCPA. Where required, "Do Not Sell or Share My Personal Information" and "Limit the Use of My Sensitive Personal Information" choices are made available by contacting [email protected]. Depending on your state or country of residence you may have additional rights; contact [email protected] and we will help.
Requests about data that a business customer (entrepreneur) uploaded about their own customers, recipients or drivers must be directed to that entrepreneur, because for that data the entrepreneur is the controller and Delivery365 acts only as its processor. If you are not sure who controls your data, contact us at [email protected] and we will route your request to the right entrepreneur-controller and assist them in responding.
11. Children's data
Delivery365 is a business-to-business logistics tool intended for use by businesses and their staff, drivers and customers, and it is not directed to children. We do not intend the service to be used by, and we do not knowingly collect personal data from, individuals under the age of 16 (or the higher age of digital consent set by your local law; some laws set a lower age, for example 13 in the United States and 13 under Brazil's framework for children's data).
We do not operate any age-gating or parental-consent process, and we do not promise one — none exists in the service. If we become aware that we have collected personal data from a child without an appropriate legal basis, we will delete that data. If you believe a child has provided us with personal data, contact us at [email protected] and we will take appropriate steps to remove it.
12. Automated processing
We use algorithms to help run the delivery service — for example to optimise and calculate delivery routes, to geocode addresses into map coordinates, and to estimate delivery times and service-level compliance. These are operational aids that support the people who run deliveries; they do not, by themselves, make decisions that produce legal effects concerning you or that similarly significantly affect you.
Because dispatchers and entrepreneurs review and act on these outputs, there is meaningful human involvement, and this processing is not "solely automated decision-making" of the kind addressed by GDPR Article 22 (or the analogous provision in Article 20 of the Brazilian LGPD). We therefore do not make automated decisions about you with legal or similarly significant effects.
We do not send your personal data to any third-party artificial-intelligence or large-language-model service for runtime processing. Where artificial intelligence is used to help us prepare materials such as translations of this website, that happens during our development process and does not involve processing your personal data.
13. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in how we process personal data, in the service, or in applicable law. When we make a material change, we will take reasonable steps to bring it to your attention before it takes effect — for example by an in-app notice or by email to the relevant account holders. For non-material updates, we will post the revised policy with an updated effective date, and we encourage you to review this page periodically.
We do not undertake to notify you of every minor change, and this section does not create a commitment to notify you separately about changes to the sub-processors we use; the current list of sub-processors is in Section 6.
14. Effective date, version and legal-review status
LEGAL_REVIEW_REQUIRED — This Privacy Policy is a defensible, evidence-based draft, not legal advice. It describes how Delivery365 actually processes personal data based on our codebase and configuration, and it must be reviewed by qualified legal counsel before it is relied upon as a final, binding document.
Version: v2.0.
Effective date: {{EFFECTIVE_DATE}}. The effective date is shown as a placeholder and will be set once this draft has completed legal review. Until then, this document should be treated as a draft pending legal review and not as final legal advice.
The operating legal entity responsible for the service ({{LEGAL_ENTITY}}) and certain other details are likewise shown as placeholders pending that review (see Section 1). Questions about this policy can be sent to [email protected].