Privacy Policy

Effective Date: March 17, 2026

Last Updated: March 17, 2026

1. Introduction

Postally ("Company", "we", "us", "our") is a BC CCPC incorporated in British Columbia, Canada. We operate the Postally direct mail platform ("Platform"), including the website and dashboard at postally.ca, and the API at api.postally.ca.

This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use our Platform. We are committed to complying with the Personal Information Protection and Electronic Documents Act (PIPEDA), the British Columbia Personal Information Protection Act (BC PIPA), the California Consumer Privacy Act (CCPA), and the General Data Protection Regulation (GDPR) where applicable.

2. Privacy Officer

Our designated Privacy Officer is responsible for overseeing compliance with this policy and applicable privacy laws. You may contact our Privacy Officer at:

Privacy Officer
Postally
Email: privacy@postally.ca
General inquiries: support@postally.ca

3. Information We Collect

3.1 Account Information

When you create an account, we collect:

  • Company name and contact email address
  • Password (stored as a bcrypt hash — we never store plaintext passwords)
  • Billing information (processed by Stripe — we do not store credit card numbers)
  • Data region preference (e.g., Canada)

3.2 Recipient Data

When you use our Platform to send mail, you provide recipient information including:

  • Names and mailing addresses
  • Any custom merge variables included in your mail templates

All recipient personal data is encrypted at rest using AES-256-GCM encryption with dedicated encryption keys. Address fields, names, and other personally identifiable information are encrypted at the field level before storage.

3.3 Usage Data

We automatically collect:

  • API request logs (endpoint, timestamp, response code)
  • QR code scan events (timestamp, approximate location from IP)
  • Dashboard session information

3.4 Information We Do Not Collect

  • Credit card numbers or bank account details (handled entirely by Stripe)
  • Government-issued identification numbers
  • Biometric data

4. How We Use Your Information

We use personal information to:

  • Provide the service: Print and deliver mail pieces to the recipients you specify
  • Process payments: Manage prepaid credit balances and billing via Stripe
  • Verify addresses: Validate mailing addresses through our address verification provider (SmartyStreets)
  • Send notifications: Email you about order confirmations, campaign completions, low balances, and account activity
  • Maintain security: Detect and prevent fraud, abuse, and unauthorized access
  • Improve the service: Analyze usage patterns to improve reliability and features
  • Comply with legal obligations: Respond to lawful requests from authorities

5. Legal Basis for Processing (GDPR / PIPEDA)

We process personal information on the following legal bases:

  • Contract performance: Processing necessary to fulfil our service agreement with you (sending mail, managing recipients)
  • Legitimate interest: Security monitoring, fraud prevention, service improvement
  • Legal obligation: Tax records, responding to lawful data requests
  • Consent: Marketing communications (you may withdraw consent at any time)

6. Data Sharing & Third Parties

We share personal information only with the following categories of service providers, and only to the extent necessary to operate the Platform:

Provider | Purpose | Data Shared
Print production partner | Printing and mailing | Recipient names and addresses (on mail pieces)
Stripe | Payment processing | Billing email, transaction amounts
SmartyStreets | Address verification | Mailing addresses (for validation only)
Amazon Web Services (AWS) | Infrastructure, email delivery, file storage | Encrypted data at rest, transactional emails

We do not sell, rent, or trade personal information to third parties for marketing purposes.

7. Data Security

We implement the following security measures to protect your data:

  • Encryption at rest: All personal data encrypted with AES-256-GCM using dedicated encryption keys
  • Encryption in transit: All connections secured with TLS 1.2+
  • Access controls: Role-based access control (RBAC) with granular API key permissions
  • Audit logging: Immutable audit log of all personal data access, stored with tamper protection
  • Password security: Passwords hashed with bcrypt
  • API key security: Keys hashed with SHA-256, only prefix shown after creation
  • Infrastructure: Hosted on AWS with network isolation, security groups, and automated backups

8. Data Retention

We retain personal information only as long as necessary for the purposes described in this policy:

  • Account data: Retained while your account is active, plus 30 days after closure
  • Recipient data: Retained until you delete it or request erasure
  • Mail piece records: Retained for 7 years for tax and legal compliance
  • Audit logs: Retained for 7 years (immutable, cannot be modified or deleted)
  • Rendered PDFs: Retained for 90 days after delivery, then deleted from storage

9. Your Rights

9.1 All Users

Regardless of your location, you have the right to:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate information
  • Deletion: Request deletion of your personal information
  • Data portability: Request an export of your data in a machine-readable format

9.2 PIPEDA Rights (Canada)

Under PIPEDA, you have the right to:

  • Know what personal information we hold and how it is used
  • Challenge the accuracy and completeness of your information
  • Withdraw consent for the collection, use, or disclosure of your information
  • File a complaint with the Office of the Privacy Commissioner of Canada

9.3 CCPA Rights (California Residents)

If you are a California resident, you additionally have the right to:

  • Right to Know: Request the categories and specific pieces of personal information collected
  • Right to Delete: Request deletion of personal information
  • Right to Opt-Out: We do not sell personal information, so this right does not apply. If this changes, we will provide a "Do Not Sell My Personal Information" mechanism.
  • Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

9.4 GDPR Rights (EU/EEA Residents)

If you are in the EU/EEA, you additionally have the right to:

  • Restrict processing: Request that we limit how we use your data
  • Object to processing: Object to processing based on legitimate interest
  • Lodge a complaint: File a complaint with your local data protection authority

9.5 How to Exercise Your Rights

You can exercise your data rights in two ways:

  • Via API: Use the /v1/gdpr/access, /v1/gdpr/export, and /v1/gdpr/erasure endpoints
  • Via email: Contact privacy@postally.ca with your request. We will respond within 30 days.

10. Cookies & Tracking

The Platform uses minimal cookies:

  • Session cookie (dm_session): Required for dashboard authentication. Expires after 7 days.
  • Theme preference: Stores your light/dark mode preference locally in your browser.

We do not use third-party tracking cookies, advertising pixels, or analytics services that track individual users.

11. International Data Transfers

Our servers are located in North America (AWS). If you are located outside of Canada, your data will be transferred to and processed in Canada. Canada has been recognized by the European Commission as providing an adequate level of data protection.

Where we use sub-processors located in the United States (Stripe, SmartyStreets, AWS), appropriate safeguards are in place, including Standard Contractual Clauses and the sub-processors' own compliance certifications.

12. Breach Notification

In the event of a data breach that poses a real risk of significant harm, we will:

  • Notify affected individuals as soon as feasible
  • Report to the Office of the Privacy Commissioner of Canada within 72 hours (as required by PIPEDA)
  • Report to relevant supervisory authorities as required by GDPR
  • Notify the California Attorney General if more than 500 California residents are affected (CCPA)
  • Maintain a record of all breaches in our internal breach log

13. Children's Privacy

The Platform is not intended for use by individuals under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child, we will delete it promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or dashboard notification at least 30 days before taking effect. The "Last Updated" date at the top of this page will be revised accordingly.

15. Contact Us

For questions, concerns, or requests related to this Privacy Policy or your personal information:

Privacy Officer
Postally
Email: privacy@postally.ca
General support: support@postally.ca

If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada.