Package Retriever operates a business-to-business e-commerce fulfillment, inventory management, and data infrastructure platform used by merchants (“Merchants”) to process shipments, manage orders, operate returns, and conduct wholesale commerce. This Privacy Policy explains how we handle personal information across the Services.

This Policy is the primary privacy document for Package Retriever. It is supplemented by the additional documents linked above. Where this Policy conflicts with a jurisdiction-specific supplement (for example, our California Notice), the supplement governs for that jurisdiction.

Package Retriever processes personal information in two distinct capacities:

We act as the “controller” (as that term is used in applicable privacy laws, including the EU and UK General Data Protection Regulation (“GDPR”), the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), and comparable state privacy laws) when we determine the purposes and means of processing. This includes processing related to:

• Operation of our own website, marketing, and direct communications;
• Administration of Merchant accounts (billing, support, authentication, account security);
• Operation of the Rookie's Rewards browser extension for individual end users who install and authenticate it;
• Operation of the Fetch desktop application for users who install it;
• Operation of the Source wholesale marketplace, in our capacity as the platform operator;
• Research, product improvement, analytics, fraud prevention, and information security;
• Legal compliance and enforcement of our agreements.

We act as a “processor” (or “service provider” under the CCPA) when we process personal information of a Merchant's end customers on the Merchant's behalf and on the Merchant's documented instructions. This includes processing of order data, shipment data, customer contact data, and return data that our Merchants provide to us or collect through our integrations with marketplace platforms (Shopify, Etsy, eBay, WooCommerce, Discogs, Walmart, Wix, Square, and others). This processor relationship is governed by our Data Processing Agreement (“DPA”), available at /legal/dpa.

With respect to the cross-merchant identity graph described in Section 7, we may act as a joint controller together with the Merchant when the Merchant elects to opt in to Commercial Activation (as defined below). Our respective obligations for joint controller processing are allocated in our Merchant Terms and our DPA.

In the 12 months preceding the Effective Date of this Policy, we have collected, and may continue to collect, the following categories of personal information. Categories are drawn from CCPA § 1798.140(v).

We do not knowingly collect biometric identifiers, genetic data, racial or ethnic origin, religious beliefs, union membership, philosophical beliefs, sex life, sexual orientation, health or medical information (other than as incidentally captured in a shipping label), or contents of mail or private communications.

We collect personal information from the following sources:

• Directly from you. When you create a Merchant account, install Fetch or the extension, contact us, respond to a survey, or interact with our marketing.
• From Merchants on behalf of their customers. When Merchants import or sync orders, shipments, returns, or customer records with our platform.
• From marketplace integrations. When a Merchant authorizes our access to Shopify, Etsy, eBay, WooCommerce, Discogs, Walmart, Wix, Square, or similar platforms.
• From carriers. When we receive tracking events, delivery confirmations, or address-validation responses from USPS, UPS, FedEx, DHL, Sendle, Pitney Bowes, or other transportation providers.
• From affiliate networks. When Commission Junction, Amazon Associates, ShareASale, Awin, Impact, Rakuten, or other affiliate networks report postback data for purchases.
• From the browser extension. When you have installed and authenticated the Rookie's Rewards extension and are actively signed in, as described in Section 11.
• From our public tracking page. When a person enters a tracking number at our public tracking page, as described in Section 6.
• From third-party infrastructure providers. Where a service provider processes data for us under our instructions (see Subprocessor List).

We use personal information for the following specific purposes:

Where required by law, we rely on one or more of the following legal bases under the GDPR for processing of personal information: (a) performance of a contract (Art. 6(1)(b)); (b) our legitimate interests or those of a third party, balanced against your rights and freedoms (Art. 6(1)(f)); (c) compliance with legal obligations (Art. 6(1)(c)); or (d) your consent, where we rely on it (Art. 6(1)(a)). We do not use sensitive personal information for purposes other than those disclosed in Section 8.

We share personal information with the following categories of recipients:

We do not sell personal information for monetary consideration as the term “sale” is commonly understood. For purposes of the CCPA and certain other state privacy laws, certain disclosures we make for Commercial Activation or for analytics may be considered a “sale” or “share” because they involve the disclosure of personal information to third-party advertising platforms. You have the right to opt out of these disclosures at any time; see Section 17 and our California Notice.

Package Retriever operates an identity resolution service that links events and records across the Merchants who use the Services. For example, if an end customer interacts with Merchant A's storefront, opens a shipping email from Merchant B, and later uses our Returns Widget embedded on Merchant C's website, our systems may recognize these events as belonging to the same individual based on a combination of deterministic signals (email, phone, name and postal address) and limited probabilistic signals (device fingerprint, cookies, network cohort).

We use the identity graph for three purposes, each with escalating consumer controls:

• Merchant self-service analytics (always active). We help each Merchant better understand its own customer base — for example, repeat-purchase analysis, returns trends, and recognition of the same customer across that Merchant's multiple storefronts.
• Aggregated cross-merchant benchmarks (always active, aggregated only). We provide Merchants with industry and category-level benchmarks derived from pooled, aggregated data. These outputs do not identify any individual consumer and are produced in a manner intended to prevent re-identification.
• Commercial Activation (optional, Merchant-initiated, consumer-opt-out). If a Merchant opts in to Commercial Activation, we may — only for that Merchant, and only with respect to consumers who have not opted out — transmit hashed identifiers to advertising platforms (Meta, Google, LinkedIn, TikTok) so the Merchant can build audiences (including lookalike audiences) on those platforms. Commercial Activation is gated on (i) the Merchant's written attestation that it has updated its consumer-facing privacy disclosures to describe this processing, (ii) our detection of the consumer-disclosure widget (or equivalent disclosure) on the Merchant's storefront, and (iii) a minimum audience size.

We do not sell person-level records outside the Package Retriever Merchant ecosystem. We do not enable one Merchant to view another Merchant's raw customer records. We do not disclose individual identities of a Merchant's customers to its competitors. Commercial Activation is performed using one-way hashed identifiers that advertising platforms use only to match against their own user base — we do not transmit raw email addresses, phone numbers, or names to advertising platforms.

You can opt out of cross-merchant processing at any time using the mechanisms in Section 17, by submitting a privacy request, or by enabling Global Privacy Control (GPC) in your browser. We honor GPC as a valid opt-out under applicable law. If you opt out, we will continue to process your data as necessary to deliver the Services you interact with and for the security and compliance purposes described in this Policy.

The CCPA and certain state laws define a category of “sensitive personal information” that is subject to heightened handling requirements. The only sensitive personal information we knowingly process is (a) account authentication credentials, which we store only in hashed or tokenized form, and (b) approximate and shipment-linked precise geolocation, which we process only to the extent necessary to deliver the specific shipment or to verify the recipient's address.

We do not use sensitive personal information for purposes of inferring characteristics about you or for cross-context behavioral advertising. You have the right to limit our use of sensitive personal information beyond what is reasonably necessary to provide the Services; see Section 17.

Rookie is our artificial intelligence system that assists Merchants with fulfillment operations, inventory planning, carrier selection, customer messaging, and analytics. Certain Rookie functions constitute “automated decision-making technology” under the CCPA regulations taking effect in 2026 and potentially “solely automated decisions producing legal or similarly significant effects” under Article 22 of the GDPR. The following is a meaningful description of the specific decisions Rookie makes and the controls available to you.

Where applicable law grants you the right to a meaningful explanation of automated decision-making, to contest a decision, or to request human review, we will honor that right. Submit requests through the mechanisms in Section 17.

Retriever Rewards are promotional credits with no monetary value, as described in our Terms. To operate the Rewards program, we process: (a) the transactions that accrue rewards; (b) account identifiers to credit rewards correctly; (c) affiliate network postback data when rewards are generated through the extension; and (d) fraud-prevention signals to verify that rewards are legitimately earned. We retain rewards-related records for seven years for audit and dispute purposes.

The Rookie's Rewards browser extension (the “Extension”) is optional. If you install and authenticate the Extension, the following additional data practices apply. A dedicated Extension Privacy Notice describes these practices in more detail, including the specific browser permissions the Extension uses.

The Extension is engineered to perform data collection only while you are authenticated with your Package Retriever account. When you are not signed in, no browsing telemetry is collected or transmitted to our servers. We audit this property as part of our release process and will publicly disclose any confirmed deviation from this standard within seven days of confirmation. We do not intercept checkout form data, password fields, or payment field content, at any time.

While authenticated and on HTTPS pages, the Extension collects:

• Publicly visible product information from retailer pages (product name, price, brand, SKU, availability, image, category, rating) for identifying eligible purchases and applying coupons;
• Shopping events (page views on product pages, variation changes, image views, add-to-cart, purchase confirmations) for reward attribution;
• Search activity on search engines (query, result positions viewed, clicks, pagination) for understanding the research-to-purchase funnel;
• On AI assistant platforms (e.g., ChatGPT, Claude, Gemini, Copilot, Perplexity), a shopping-intent classifier runs locally in your browser to determine whether your interaction relates to shopping. Only where the classifier identifies a shopping-related interaction do we extract and transmit: (a) the product names referenced in the AI response; (b) the outbound links contained in the response; and (c) your query that produced the response. We do not transmit or store the full text of AI assistant responses or conversations. The raw response text never leaves your browser;
• Coupon application results (code, success/failure, estimated savings);
• General engagement metrics (scroll depth, time on page, referring URL) for data quality and product improvement;
• Cross-session attribution data stored locally for up to five minutes to connect research events to retailer visits.

The Extension does not collect: passwords or credentials for third-party sites; payment card numbers or financial account details; personal health or medical information; full AI conversation history; the contents of private messaging, email, or social media; browsing on non-commerce pages; or any data from non-HTTPS pages. The Extension does not record keystrokes, does not record mouse movement, does not take screenshots, and does not record audio or video.

Our use of information received from Google APIs and from the Chrome Web Store complies with the Chrome Web Store Developer Program Policies, including the Limited Use requirements. We use data collected through the Extension only to provide the Extension's user-facing functionality (rewards, coupons, affiliate attribution) and related product improvement. We do not sell data collected through the Extension to third parties. We do not transfer data collected through the Extension except to service providers operating under written contracts and subject to the Limited Use requirements.

The Extension may redirect a click through an affiliate link on a partner retailer's site to establish a commission relationship. Where it does so, Package Retriever may earn a commission on qualifying purchases, which funds the Rewards program and the Services. This is a “material connection” within the meaning of the U.S. Federal Trade Commission's endorsement guidelines (16 C.F.R. Part 255).

Fetch is an optional desktop application that bridges peripheral hardware (scales, printers) to the Services. When installed, Fetch reports: device identifiers, model and firmware of connected peripherals, scale weights read at label purchase time, and error diagnostics. Fetch does not access files outside its own directory unless you explicitly instruct it to do so. Fetch operates on your local device and communicates with our servers over TLS.

We retain personal information for the periods listed below, after which we delete, anonymize, or de-identify the information. Where retention would otherwise end but we are subject to a legal hold, litigation, tax-audit requirement, or regulatory obligation, we retain the information only as long as necessary to comply with that obligation.

We maintain administrative, technical, and physical safeguards designed to protect personal information. These include: encryption of data in transit using industry-standard TLS; encryption at rest for stored credentials, tokens, and sensitive fields; access controls based on least privilege and role; logging and monitoring of access; quarterly review of access and subprocessors; secure software development lifecycle practices; and ongoing security training of our personnel. No system is impenetrable, and we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your credentials and for promptly notifying us of any suspected compromise of your account.

If we determine that a personal data breach has occurred that is likely to result in a risk to the rights and freedoms of affected individuals, we will notify affected Merchants without undue delay and no later than seventy-two (72) hours after becoming aware of the breach, consistent with Article 33 of the GDPR. Where we act as a processor, our DPA governs our notification obligations to the Merchant. Where we act as a controller, we will notify affected individuals consistent with applicable state and federal breach-notification laws.

Depending on where you live, applicable law may grant you some or all of the following rights:

You may submit a privacy rights request by:

• Emailing privacy@packageretriever.com;
• Using the self-service portal at packageretriever.com/privacy/request;
• Writing to the postal address in Section 20.

To protect you, we are required to verify your identity before responding to most privacy requests. For access, deletion, and correction requests we will generally verify by matching information you provide (email, phone, postal address, or recent order numbers) against information we already hold. For sensitive requests or where there is a reason to doubt an identity, we may request additional information. We will not use information supplied solely for identity verification for any purpose other than verification.

You may designate an authorized agent to submit a request on your behalf. We require signed documentation of the agent's authority and, where permitted, direct confirmation from you.

We will respond to verifiable requests within forty-five (45) days of receipt, or such shorter period as required by applicable law. If we require additional time (up to an additional forty-five days), we will notify you of the extension in writing within the original period.

If we deny your request in whole or in part, you may appeal by replying to our response or by emailing privacy-appeals@packageretriever.com. We will respond to appeals within sixty (60) days.

Where we hold personal information as a processor on behalf of a Merchant, we will forward privacy rights requests to the relevant Merchant and assist the Merchant in responding, consistent with our DPA. If you are an end customer of a Merchant, please contact the Merchant directly in the first instance.

You have the right to opt out of the “sale” or “sharing” (as those terms are defined in applicable state laws) of your personal information, and to opt out of its use for targeted advertising. You can exercise this right by:

• Clicking the “Do Not Sell or Share My Personal Information” link in our footer;
• Enabling the Global Privacy Control (GPC) signal in your browser — we honor GPC as a valid opt-out;
• Submitting a request through Section 17.

Opt-out preferences are applied to all identifiers we have on file for you at the time of the opt-out, and are preserved across any subsequent identity-graph merges involving your record (we take the union of opt-outs, never the narrower set). Opt-outs do not affect processing that is necessary to deliver the Services, to prevent fraud, to comply with law, or that is based on truly aggregated and de-identified data.

The Services are business-to-business and are not directed to children. We do not knowingly collect personal information from children under age sixteen (16) or, in the EU, under the age of digital consent in the applicable Member State. If we learn we have collected personal information from a child below these ages, we will delete that information. Under the CCPA, we do not sell or share personal information of any consumer we actually know to be under 16, absent affirmative opt-in (and, for those under 13, affirmative parental opt-in).

Package Retriever is headquartered in the United States, and our infrastructure providers are primarily based in the United States. If you are located in the European Economic Area, the United Kingdom, or Switzerland, your personal information will be transferred to and processed in the United States and potentially other countries.

Where we transfer personal information from the European Economic Area, the United Kingdom, or Switzerland to a country not subject to an adequacy decision, we rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Agreement (or the UK Addendum to the SCCs), or another lawful transfer mechanism. A copy of the applicable clauses is available on request.

EU / UK Representative. Package Retriever has appointed [EU Representative name and address] as its representative in the European Union for purposes of Article 27 GDPR, and [UK Representative] in the United Kingdom for purposes of Article 27 UK GDPR. Individuals in those jurisdictions may contact the representative at the addresses listed on our EU Representative page. You may also lodge a complaint with your local data protection authority.

We use cookies, local storage, pixels, and similar technologies on our website and in the extension. Our full Cookie Policy lists the specific cookies we use, their purpose, their duration, and how to manage them. You can control cookies through your browser settings, through our cookie preference center, or by enabling Global Privacy Control.

For residents of specific U.S. states, additional rights and disclosures may apply. Please see our California Privacy Notice and our State Privacy Addenda (covering Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states as applicable).

We may update this Policy from time to time. When we do, we will update the “Effective Date” at the top of the Policy and, for material changes affecting your rights, we will provide additional notice (for example, by email to Merchant account holders, by in-product notice, or by posting a prominent notice on our website) before the changes take effect.