Data Processing Addendum

Effective: May 1, 2026

This DPA supplements the Terms of Service for Customers subject to GDPR, UK GDPR, or similar data protection regimes.

1. Definitions

"Personal Data", "Data Subject", "Process", "Controller", "Processor" have the meanings given in GDPR Article 4.

iShipBiz is the Processor of Personal Data you (the Controller) upload to the Service.

2. Subject matter & duration

iShipBiz processes Personal Data to provide the Service for the duration of the subscription, plus a 30-day return window.

3. Nature & purpose of processing

Storage, transmission, and use as required to generate shipping labels, manage orders, and otherwise operate the Service.

4. Sub-processors

Current sub-processors: Stripe (payments), EasyPost (carriers), Resend (email), Supabase (hosting & database). The current list is maintained at /legal/subprocessors. We will give 30 days’ notice before adding new sub-processors.

5. Security

iShipBiz implements appropriate technical and organizational measures to protect Personal Data, including encryption in transit and at rest, access controls, audit logging, and personnel training.

6. International transfers

EU/EEA Personal Data may be transferred to the United States under Standard Contractual Clauses (Module 2: Controller to Processor), which are incorporated by reference.

7. Data subject requests

iShipBiz will assist Customer in responding to data subject requests where reasonable and consistent with our role as Processor.

8. Audit rights

Customer may request a copy of iShipBiz’s most recent SOC 2 report no more than once per year, subject to confidentiality terms.

9. Data return & deletion

Upon termination, iShipBiz will return or delete Personal Data within 30 days, except where retention is required by law.