Privacy Policy
Last updated: March 25, 2026
1. Who We Are
Pagoda Logistics AB ("we", "us", "our") is a Swedish logistics company that operates the Pagoda Shipping platform at www.pagodashipping.com. We are the data controller responsible for your personal data.
2. What Data We Collect
We collect the following personal data when you use our Service:
- Account information — name, email address, phone number, company name, postal address
- Authentication data — hashed password, verification codes, session tokens
- Shipment data — tracking numbers, sender/recipient details, package information
- Usage data — login timestamps, language preferences, label format preferences
We do not collect data through analytics or advertising cookies. We do not use tracking pixels or third-party advertising services.
3. How We Use Your Data
Your personal data is processed for the following purposes:
- Providing the Service — account management, shipment tracking, return processing
- Authentication and security — verifying your identity via email or phone (SMS), protecting against unauthorized access
- Communication — sending verification codes, password reset links, return approval notifications, and shipment label deliveries
- Service improvement — understanding usage patterns to improve the platform
4. SMS and Phone Verification
When you provide your phone number during account registration, we may send you a one-time verification code via SMS to verify your phone number. This is a transactional message initiated by you.
- SMS is used solely for account verification — never for marketing or promotional purposes
- You will receive one SMS per verification attempt, only when you request it
- Message and data rates may apply depending on your mobile carrier
- You can reply STOP to opt out of future SMS messages, or HELP for assistance
- SMS is delivered via Amazon Web Services (AWS) SNS infrastructure
Providing your phone number is voluntary. If you choose not to verify your phone number, you may still use the Service with limited functionality.
5. Legal Basis for Processing
Under the EU General Data Protection Regulation (GDPR), we process your data on the following legal bases:
- Contract performance (Art. 6(1)(b)) — processing necessary to provide the Service you requested
- Legitimate interest (Art. 6(1)(f)) — security measures, fraud prevention, and service improvement
- Consent (Art. 6(1)(a)) — where you explicitly opt in, such as phone verification via SMS
6. Data Sharing
We share your personal data only with:
- Carrier partners (UPS, DHL, etc.) — to fulfill shipment booking, tracking, and return services
- Amazon Web Services — cloud infrastructure provider (hosting, email delivery via SES, SMS delivery via SNS); data is processed in the EU (Stockholm, eu-north-1)
- Heroku / Salesforce — application hosting; data is processed in the EU
We do not sell, rent, or trade your personal data to any third party. Data is shared with the above parties only to the extent necessary to provide the Service.
7. Data Retention
We retain your account data for as long as your account is active. Shipment data is retained for the duration required by applicable tax and accounting regulations (typically 7 years in Sweden). Verification codes and password reset tokens are automatically deleted after expiration (15 minutes and 1 hour respectively). You may request deletion of your account and associated personal data at any time.
8. Your Rights
Under the GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — request correction of inaccurate or incomplete data
- Erasure — request deletion of your personal data ("right to be forgotten")
- Data portability — receive your data in a structured, machine-readable format
- Restriction — request limitation of processing in certain circumstances
- Objection — object to processing based on legitimate interest
- Withdraw consent — where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact us at info@pagodalog.com. We will respond within 30 days. You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY).
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including encrypted connections (TLS/HTTPS), hashed passwords (bcrypt), secure token-based authentication (JWT), and access controls. All data is processed and stored within the European Union.
10. Cookies
We use only strictly necessary cookies required for the platform to function:
- Session cookie — maintains your authenticated session
- Security cookie — protection against cross-site request forgery (CSRF)
No analytics, advertising, or third-party tracking cookies are used.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. We will notify registered users of material changes via email.
12. Contact
For questions about this Privacy Policy or to exercise your data rights:
Pagoda Logistics AB
Raholmsvägen 100, 865 92 Alnö, Sweden
Email: info@pagodalog.com
Website: pagodalog.com