Privacy Policy

Last updated: March 4, 2026

Introduction

Welcome to ProtoPost. We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application and delivery services.

By using ProtoPost, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.

Information We Collect

Personal Information

When you register for ProtoPost, we collect:

  • Full name
  • Email address
  • Phone number
  • Delivery addresses
  • Payment information (processed securely through third-party providers)

Delivery Information

We collect details about your parcels including sender and recipient information, package dimensions, delivery instructions, and tracking preferences to facilitate our delivery services.

Device Information

We automatically collect device information such as device type, operating system, unique device identifiers, mobile network information, and app version to improve our services and troubleshoot issues.

Identity Verification Information

For senders using our service, we collect government-issued identification documents to verify identity and prevent fraud. This includes:

  • Government ID (national ID card or passport)
  • Photo captured via device camera for verification purposes

ID verification is required only for senders to ensure secure and trustworthy delivery services. Regular recipients do not need to provide ID verification.

How We Use Your Data

ProtoPost uses the collected information for various purposes:

  • To provide and maintain our delivery services
  • To process your orders and manage deliveries
  • To send you real-time notifications about your parcel status
  • To communicate with you about service updates and promotional offers (with your consent)
  • To improve our app functionality and user experience
  • To detect, prevent, and address technical issues or fraudulent activities
  • To provide customer support and respond to your inquiries
  • To analyze usage patterns and optimize our delivery routes
  • To verify sender identity and prevent fraud through ID verification
  • To comply with legal obligations and enforce our terms of service

Data Minimization Principle

We follow the principle of data minimization - we only collect and process data that is necessary for providing our delivery services. We do not collect data for purposes unrelated to delivery operations.

Examples: We don't collect your contacts, browsing history outside our app, social media profiles, or other personal information not directly related to delivery services.

Data Linked to Your Identity vs. Not Linked

Data Linked to Your Account:

  • • Contact information (name, email, phone)
  • • Delivery addresses and order history
  • • Location data during app use
  • • Government ID photos (senders only)
  • • Payment transaction records
  • • App preferences and settings

Data Not Linked to Your Identity:

  • • Aggregated usage statistics (anonymized)
  • • Crash reports and diagnostic data (anonymized)
  • • Performance metrics (anonymized)

Marketing Communications

We may send you promotional offers and marketing communications about new features, special deals, and service updates. Marketing communications are:

  • Opt-in by default: You can opt-out at any time
  • Easy to unsubscribe: Click "Unsubscribe" in any marketing email or disable in app settings
  • Transactional messages: Order confirmations and delivery updates cannot be disabled as they are essential to the service

Control: Settings → Notifications → Marketing Preferences

Location Data

ProtoPost collects location data to provide accurate delivery tracking and optimize delivery routes. Location data collection varies based on your role:

For Customers (Senders & Recipients)

  • Foreground Only: Location is collected ONLY when you're actively using the app to place orders or track deliveries
  • Precise Location: GPS coordinates for accurate pickup and delivery addresses
  • Automatic Stop: Location tracking stops immediately when you close the app or complete your order
  • No Background Tracking: We do NOT track your location when the app is in the background or closed

For Delivery Personnel Only

  • Background Location: Required during active delivery assignments to provide real-time tracking to customers
  • Why It's Necessary: Customers need to see live delivery progress and estimated arrival times. This cannot be achieved with foreground-only tracking
  • Duration: Background tracking is active ONLY during assigned deliveries, not 24/7
  • Automatic Stop: Background tracking stops immediately after delivery completion or when you end your shift
  • Explicit Consent: You must explicitly grant background location permission to work as delivery personnel

Location Data We Collect

  • GPS coordinates (latitude and longitude) for precise location
  • Pickup and delivery addresses
  • Route optimization data for efficient deliveries
  • Timestamps of location updates

Your Control Over Location Data

You have full control over location permissions through your device settings:

  • iOS: Settings → Privacy & Security → Location Services → ProtoPost
  • Android: Settings → Apps → ProtoPost → Permissions → Location

Note: Disabling location services will limit app functionality. Customers won't be able to set delivery addresses or track deliveries. Delivery personnel cannot accept delivery assignments without location access.

Why We Use Precise Location (Not Approximate)

We require precise location (GPS) rather than approximate location because delivery services demand exact addresses. Approximate location (city-level) would make it impossible to complete deliveries accurately or provide reliable tracking.

Data Sharing and Disclosure

We may share your information in the following circumstances:

Service Providers

We share data with third-party service providers who assist us in operating our app, processing payments, sending notifications, and analyzing app usage. These providers are contractually obligated to protect your data and may only use it for the specific services they provide to us.

Third-Party Services We Use:

  • Payment Processing: FIB (First Iraqi Bank), Fastpay for secure payment transactions. We do NOT store credit card numbers, CVV codes, or full payment card details on our servers.
  • Push Notifications: Firebase Cloud Messaging (Google) for delivery status updates and app notifications
  • Cloud Hosting: OVH Cloud (France) for secure data storage with dedicated hosting infrastructure
  • Mapping Services: Mapbox for delivery tracking, route optimization, and address geocoding
  • Analytics (Future): Firebase Analytics (Google) - planned for future implementation to improve app performance and user experience. Not currently active.

Note: Each service has its own privacy policy. Links: Firebase, Mapbox, OVH

Delivery Personnel

We share necessary delivery information (recipient name, address, phone number) with our delivery personnel to complete your orders.

Data Storage Location

Your data is stored on secure servers located in France through OVH Cloud infrastructure. We use dedicated hosting to ensure optimal performance and security. France is part of the European Union and subject to GDPR data protection regulations. We do not store data in countries designated as foreign adversaries by the United States or European Union.

No Advertising or Cross-App Tracking

We do NOT:

  • • Use your data for targeted advertising
  • • Share your data with advertising networks
  • • Track you across other apps or websites
  • • Sell your personal information to third parties
  • • Use your data for any purpose other than providing delivery services

Legal Requirements

We may disclose your information if required by law, court order, or governmental authority, or to protect our rights, property, or safety.

Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the new entity.

Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce our agreements.

Account Information

Retained for the duration of your account. Upon deletion request, all account data is permanently deleted within 2 weeks.

Delivery Records

Retained for 2 years for customer service, dispute resolution, and legal compliance purposes.

Location Data

Real-time location data collected during deliveries is retained for 6 months, after which it is automatically deleted.

Payment Information

We do NOT store credit card numbers, CVV codes, or full payment card details. Payments are processed securely through FIB and Fastpay. Only transaction status, transaction IDs, and basic transaction records are retained for 2 years for accounting and dispute resolution purposes.

Identity Verification Documents

Government ID photos and verification data for senders are retained for 3 years to comply with anti-fraud regulations and legal requirements. After this period, documents are securely deleted.

Analytics & Cookies

Analytics data and cookies are retained for 12 months, after which they are automatically deleted or anonymized.

Marketing Communications

Marketing preferences and communication history are retained until you opt out or close your account.

When data is no longer needed, we securely delete or anonymize it. You can request early deletion of your data by exercising your right to deletion as described in the "Your Privacy Rights" section.

Data Security

We implement industry-standard security measures to protect your personal information:

  • End-to-end encryption for sensitive data transmission
  • Secure storage using encrypted databases
  • Regular security audits and vulnerability assessments
  • Access controls limiting employee access to personal data
  • Secure payment processing through PCI-DSS compliant providers

Data Breach Notification

In the event of a data breach that affects your personal information, we will notify you and relevant authorities within 72 hours of becoming aware of the breach, as required by GDPR and other applicable regulations. Notifications will be sent via email and in-app notification.

While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security but continuously work to improve our security measures.

Your Privacy Rights

You have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Update or correct inaccurate information
  • Deletion: Request deletion of your account and associated data
  • Portability: Receive your data in a structured, machine-readable format (JSON or CSV)
  • Opt-out: Unsubscribe from marketing communications at any time
  • Restriction: Request limitation of processing your data
  • Withdraw Consent: Revoke permissions for location, camera, or notifications through device settings

In-App Account Deletion

You can delete your account directly from the ProtoPost app:

  1. Open the ProtoPost app
  2. Go to Settings → Account Settings
  3. Tap "Delete Account"
  4. Confirm your decision
  5. Your account will be permanently deleted within 30 days

What Gets Deleted: Your account, profile information, delivery addresses, and preferences will be permanently deleted. Some data may be retained for legal compliance (transaction records for 2 years, ID verification for 3 years as required by law).

Response Timelines

  • • Access requests: 30 days (may extend to 60 days for complex requests with notification)
  • • Deletion requests: 30 days (may extend to 45 days with notification)
  • • Data portability: 30 days
  • • Marketing opt-out: Immediate
  • • Data correction: 5-10 business days

To exercise these rights via email, contact us at [email protected]. We will acknowledge your request within 5 business days and provide a substantive response within the timelines specified above.

Cookies and Tracking Technologies

ProtoPost uses cookies and similar tracking technologies to enhance your experience. We do NOT use cookies for advertising or cross-site tracking.

Essential Cookies (Required)

Required for app functionality, authentication, security, and session management. These cannot be disabled.

Analytics Cookies (Optional - Future)

When Firebase Analytics is implemented in the future, it will help us understand how users interact with our app to improve services. You will be able to opt-out through app settings.

Preference Cookies

Remember your settings and preferences (language, notification preferences) for a personalized experience.

Managing Cookies

You can manage cookie preferences through:

  • • App Settings → Privacy → Cookie Preferences
  • • Device settings for mobile apps
  • • Browser settings for our website

Third-Party Services & SDKs

ProtoPost integrates with the following third-party services. Each service may collect data according to their own privacy policies:

Firebase (Google)

Purpose: Push notifications, cloud messaging, and future analytics

Data Shared: Device tokens, app instance IDs, notification preferences

View Firebase Privacy Policy →

Mapbox

Purpose: Maps, geocoding, route optimization, and delivery tracking

Data Shared: Location coordinates, addresses, route data

View Mapbox Privacy Policy →

Payment Processors (FIB & Fastpay)

Purpose: Secure payment processing

Data Shared: Transaction amount, order ID, customer name. Payment card details are entered directly on their secure platforms, not shared with ProtoPost.

OVH Cloud

Purpose: Secure data storage and hosting infrastructure

Data Shared: All user data stored on our servers (located in France, EU)

View OVH Privacy Policy →

App Permissions Explained

ProtoPost requests the following permissions to provide delivery services. You have full control over these permissions through your device settings:

📍 Location (Required)

Why We Need It: To set pickup/delivery addresses, track deliveries in real-time, and optimize routes

When It's Used: Customers - foreground only. Delivery personnel - background during active deliveries

Your Control: Settings → Privacy → Location Services → ProtoPost

📷 Camera (Required for Senders)

Why We Need It: To capture government ID photos for sender identity verification and fraud prevention

When It's Used: Only when you register as a sender and during the ID verification process. Not used for regular recipients.

Your Control: Settings → Privacy → Camera → ProtoPost

🔔 Notifications (Optional but Recommended)

Why We Need It: To send real-time delivery status updates, arrival notifications, and important service alerts

Types of Notifications:

  • • Transactional: Order confirmations, delivery status, arrival alerts (cannot be disabled)
  • • Marketing: Promotional offers, new features (can be disabled in app settings)

Your Control: Settings → Notifications → ProtoPost, or in-app Settings → Notification Preferences

💾 Storage (Optional)

Why We Need It: To save delivery receipts, invoices, and ID verification photos locally on your device

When It's Used: Only when you choose to download or save documents

Your Control: Settings → Privacy → Files and Folders → ProtoPost

✅ Permissions We DON'T Request

  • • Contacts - We don't access your contact list
  • • Microphone - We don't record audio
  • • Calendar - We don't access your calendar
  • • Phone - We don't make calls without your explicit action

Children's Privacy

ProtoPost is intended for users aged 18 and older. We do not knowingly collect personal information from individuals under 18 years of age.

Age Verification

We rely on age verification mechanisms provided by the Apple App Store and Google Play Store to ensure users meet the minimum age requirement of 18 years. These platforms verify user age during account creation and app download. Our app is rated 18+ on both app stores.

Parental Consent

In jurisdictions requiring parental consent for minors, we comply with app store-level consent mechanisms. Parents or guardians maintain control over app downloads and purchases through Family Sharing settings on their respective platforms (Apple Family Sharing or Google Family Link).

If We Discover Underage Users

If we become aware that a user under 18 has provided us with personal information, we will take immediate steps to delete such information from our systems within 48 hours. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at [email protected].

International Data Transfers

ProtoPost operates primarily in Iraq and the Kurdistan Region, but your data may be transferred to and stored in other countries as part of our service operations.

Primary Data Storage

Your data is primarily stored on secure servers located in France (European Union) through OVH Cloud infrastructure. France is subject to the EU General Data Protection Regulation (GDPR), which provides strong data protection standards.

Cross-Border Transfers

When we transfer data internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Transfers only to countries with adequate data protection laws
  • Encryption of data in transit and at rest
  • Contractual obligations with third-party service providers

Restricted Countries

We do NOT transfer or store your data in countries designated as foreign adversaries or countries with inadequate data protection standards by the United States, European Union, or international regulatory bodies.

Your Rights Across Borders

Regardless of where your data is stored or processed, you retain all privacy rights described in this policy, including the right to access, correct, delete, and port your data.

California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

Your California Rights

  • Right to Know: Request information about the personal data we collect, use, disclose, and sell
  • Right to Delete: Request deletion of your personal data (subject to legal exceptions)
  • Right to Correct: Request correction of inaccurate personal data
  • Right to Opt-Out: Opt-out of the sale or sharing of personal data
  • Right to Limit: Limit the use of sensitive personal information
  • Right to Non-Discrimination: Not be discriminated against for exercising your rights

We Do Not Sell Your Personal Information

ProtoPost does NOT sell your personal information to third parties for monetary or other valuable consideration. We do NOT:

  • • Sell your data to data brokers
  • • Share your data with advertisers for targeted advertising
  • • Exchange your data for any form of compensation

Therefore, there is no need to opt-out of data sales. However, if our practices change in the future, we will update this policy and provide a "Do Not Sell My Personal Information" link.

Categories of Personal Information We Collect

  • Identifiers: Name, email, phone number, device ID, IP address
  • Commercial Information: Delivery orders, transaction history, payment records
  • Geolocation Data: Precise location for deliveries and tracking
  • Sensory Information: Government ID photos for sender verification
  • Internet Activity: App usage, interactions, preferences
  • Inferences: Delivery preferences, usage patterns

How to Exercise Your Rights

To exercise your California privacy rights:

  • Email us at [email protected] with "California Privacy Request" in the subject line
  • Use the in-app account deletion feature (Settings → Account Settings → Delete Account)
  • We will verify your identity before processing your request
  • We will respond within 45 days (may extend to 90 days with notification)

Authorized Agent

You may designate an authorized agent to make requests on your behalf. The agent must provide written authorization signed by you, and we may require you to verify your identity directly with us.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal, operational, or regulatory reasons. We will notify you of any material changes by:

  • Posting the updated policy on this page with a new "Last Updated" date
  • Sending you an in-app notification or email
  • Requiring you to accept the updated policy before continuing to use our services

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Address

ProtoPost
Iraq, Kurdistan Region