This summary is intended to make PolyBag's data handling easy to review at a glance, regardless of which order source (Amazon, Shopify, custom database, etc.) your orders come from:
| Topic | Summary |
|---|---|
| Collected | Order data, recipient shipping details, product catalog data, carrier responses, account information, and operational logs needed to run the service. |
| Used | Only for fulfillment workflows such as order import, rate shopping, packing validation, shipping label generation, shipment updates, support, and security operations. |
| Stored | On dedicated infrastructure with encrypted databases, encrypted backups, and controlled access for authorized users only. |
| Protected | With HTTPS in transit, AES-256 encryption at rest, role-based access controls, audit logging, backup procedures, and a written incident response process. |
| Shared | Only with the selected shipping carrier, and only to the extent required to create and tender the shipment, plus limited infrastructure providers operating the hosting environment. |
| Deleted | Recipient PII is purged within 30 days after shipment confirmation, and other data is deleted according to the retention and deletion processes described below. |
PolyBag is a multi-carrier shipping and fulfillment management platform developed and operated by PolyBag.app LLC, a limited liability company organized in the State of Washington, United States.
PolyBag connects to customer-chosen order sources — including Amazon Seller accounts (via the Amazon Selling Partner API), Shopify stores, and customer-configured database connections — and to USPS, FedEx, and UPS carrier APIs to automate the shipping workflow for e-commerce merchants, including rate shopping, packing validation, and shipping label generation.
Data controller: PolyBag.app LLC
Contact: privacy@polybag.app
Mailing address: PolyBag.app LLC, Seattle, Washington, United States
This Privacy Policy applies to:
This policy does not apply to third-party services we link to or integrate with. Those services have their own privacy policies.
We collect the following categories of data:
| Category | Examples | Source |
|---|---|---|
| Account information | Name, email address, company name, password (hashed) | Provided by the user during registration |
| Order data | Order IDs, order status, order item details, SKU or ASIN, quantity | Retrieved from the connected order source (Amazon SP-API, Shopify Admin API, or a customer-configured database) on behalf of the customer |
| Recipient PII | Recipient name, shipping address, phone number, email address | Retrieved from the connected order source - used solely to generate shipping labels |
| Product catalog data | Product titles, SKUs or ASINs, barcodes, dimensions, weights | Retrieved from the connected order source - used to support the pack-and-validate workflow |
| Carrier credentials | Carrier account numbers, API keys | Provided by the user; stored encrypted |
| Shipment data | Tracking numbers, label data, carrier responses, shipment costs | Generated by PolyBag and returned from carrier APIs |
| Usage data | Application logs, feature usage, error logs | Automatically collected during use of the application |
| Website visitor data | IP address, browser type, pages visited, referral source | Automatically collected via server logs and analytics tools |
We use the data we collect for the following purposes:
We do not use order data, recipient PII, or product catalog data for advertising, marketing, or any purpose not directly related to the fulfillment services described above.
PolyBag imports orders from whichever source the customer configures. Supported sources currently include the Amazon Selling Partner API, Shopify's Admin API, and customer-configured database connections, with additional sources planned. Regardless of source, PolyBag accesses data only as directed by the customer administrator who authorized the connection and only to carry out the fulfillment workflows described in this policy.
What we do not do with data from any order source:
Customers may disconnect any order source from PolyBag at any time through the application settings. Upon disconnection, PolyBag ceases requesting new data from that source. Existing data is retained for the period described in Section 9 and then deleted.
Amazon Selling Partner API (SP-API). When an Amazon Seller connects their account to PolyBag, we access Amazon Information subject to:
Specifically, we access: order information and fulfillment status (via the Inventory and Order Tracking role); buyer shipping information including name, address, and phone number (via the Direct-to-Consumer Shipping restricted role) - used solely to generate shipping labels; and product catalog information including ASINs, barcodes, and product dimensions (via the Business Product Catalog role). All of Amazon's requirements around storage, access, retention, and breach notification apply to Amazon Information and are reflected in Sections 8, 9, and 15 of this policy.
Shopify Admin API. When a Shopify merchant connects a store to PolyBag, we request the minimum scopes required to read orders and product data, update fulfillment status, and write tracking information back to the store. Recipient shipping details are treated identically to recipient PII from any other source and are purged within 30 days of shipment confirmation.
Customer-configured database connections. Some customers import orders from their own databases, ERPs, or WMS systems. In these cases the customer is the data controller for the source database, and PolyBag acts as a processor for whatever order data is pushed into it. Connection credentials are stored encrypted, and PolyBag only reads the tables or queries the customer configures.
We share data only in the following limited circumstances:
Shipping carriers (USPS, FedEx, UPS): Recipient name, shipping address, and phone number are transmitted to the selected carrier's API over encrypted HTTPS to generate a shipping label. Carriers receive only the minimum information required to create the label and tender the shipment. We do not control how carriers use or retain this information - please refer to the carrier's own privacy policy for details.
Infrastructure providers: PolyBag operates on third-party infrastructure (server hosting). These providers access server infrastructure only, not application data, and are bound by contractual data protection obligations.
Legal requirements: We may disclose data if required to do so by law, regulation, legal process, or enforceable governmental request, or to protect the rights, property, or safety of PolyBag, its users, or others.
Business transfers: In the event of a merger, acquisition, or sale of assets, user data may be transferred as part of that transaction. We will notify affected users before data is transferred and becomes subject to a different privacy policy.
We do not sell personal data to any third party. We do not share personal data with advertising networks or data brokers.
Infrastructure: PolyBag application and database servers are hosted on dedicated infrastructure. Database ports are not exposed to the public internet - the database is accessible only from the application server via localhost. Administrative access requires key-based SSH authentication; password authentication is disabled.
Encryption in transit: All data transmitted between users and PolyBag, and between PolyBag and carrier APIs, is encrypted using TLS (HTTPS). We enforce HTTPS-only access and use HSTS where supported.
Encryption at rest: The PolyBag database uses InnoDB tablespace encryption with AES-256. Application-level encryption (AES-256-CBC) is applied to carrier API credentials, order-source API tokens (Amazon SP-API tokens, Shopify access tokens, database credentials, etc.), and any other sensitive third-party credentials using Laravel's cryptographic facilities. Encryption keys are managed per a formal Key Management Policy covering key generation, storage, rotation, revocation, and destruction.
Access controls: Access to recipient PII and other customer data within the application is restricted to authenticated and authorized users only, enforced at the application layer via role-based access controls. There are no shared credentials — each user account is individually identified.
Backups: Database backups are encrypted with AES-256 before upload to geographically separated remote storage. Backup restoration procedures are documented and tested.
Monitoring: The application maintains comprehensive audit logs covering authentication events, data access, shipping operations, and configuration changes. Logs are retained for a minimum of 12 months and reviewed on at least a bi-weekly basis for anomalous activity.
Incident response: PolyBag maintains a written incident response plan. Affected users will be notified as required by applicable law. In the event of a confirmed data breach involving Amazon Information specifically, we will additionally notify Amazon at security@amazon.com within 24 hours of detection, as required by Amazon's Data Protection Policy.
We retain data for the minimum period necessary to provide the service and meet legal obligations:
| Data type | Retention period |
|---|---|
| Recipient PII (name, address, phone, email) | Purged within 30 days after order shipment confirmation, regardless of the order source it originated from |
| Order data (order IDs, item details, fulfillment status) | Retained for the duration of the customer's active account, then deleted within 30 days of account closure |
| Shipment records (tracking numbers, label costs, carrier selection) | Retained for the duration of the customer's active account for operational reporting, then deleted within 30 days of account closure |
| Carrier and order-source API credentials | Retained while the account is active; deleted within 30 days of account closure or credential removal |
| User account data | Retained while the account is active; deleted within 30 days of a deletion request or account closure |
| Application audit logs | Retained for 12 months, then automatically purged |
| Website visitor data / analytics | Aggregated and retained for up to 24 months; raw log data purged within 90 days |
When data reaches the end of its retention period, or when a user requests deletion, PolyBag permanently deletes it from the primary database and from all backup systems within the applicable timeframes described in Section 8.
Recipient PII is deleted automatically by a scheduled process that runs at least daily, independent of which order source it came from. No manual intervention is required.
To request deletion of your account and associated data, contact us at privacy@polybag.app. We will confirm the deletion within 30 days.
Note that certain records may be retained longer if required by applicable law, such as financial transaction records. We will inform you if a legal hold prevents immediate deletion.
Depending on your location, you may have the following rights regarding your personal data:
To exercise any of these rights, contact us at privacy@polybag.app. We will respond within 30 days. We may need to verify your identity before processing the request.
Note for order recipients: If you are an order recipient whose shipping information was sent to PolyBag by a merchant (whether that merchant's orders originated on Amazon, Shopify, a direct website, or any other source), you should first contact the merchant directly, or — in the case of Amazon orders — Amazon. PolyBag holds recipient PII only for the minimum time required to fulfill a specific order and does not maintain long-term recipient records.
The polybag.app marketing website uses Cloudflare Web Analytics to understand aggregate traffic patterns. Cloudflare Web Analytics does not use cookies and does not collect personally identifiable information or track individual users across sites.
The PolyBag application uses session cookies necessary for authentication and to maintain your logged-in state. These cookies are essential for the service to function and cannot be disabled.
We do not use advertising cookies, tracking pixels, or third-party behavioral advertising technologies.
PolyBag is a business-to-business service intended for use by adults operating e-commerce and fulfillment businesses. We do not knowingly collect personal data from children under the age of 13. If we become aware that we have collected personal data from a child under 13, we will promptly delete it.
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify active users by email or in-app notification at least 30 days before the changes take effect.
Continued use of PolyBag after the effective date of a revised policy constitutes acceptance of the updated terms.
If you have questions, concerns, or requests relating to this Privacy Policy or PolyBag's data practices, please contact us:
PolyBag.app LLC
Privacy inquiries: privacy@polybag.app
General inquiries: hello@polybag.app
Security incidents: nick@polybag.app
For security incidents or suspected data breaches involving Amazon Information, we also notify Amazon at security@amazon.com within 24 hours of detection, as required by Amazon's Data Protection Policy.