Short version: we collect what we need to ship your packages, we don't sell anything, we don't run ad trackers. Long version below.
1. What we collect
- Account data: email address, name, phone number (optional), Suriname delivery address (optional).
- Order data: product links you submit, weights and prices, your AC-XXXX customer code, order status history, the tracking number from the US merchant.
- Payment data: we never see or store your card number. PayPal handles the full card flow and tells us only "paid" or "not paid" plus a capture reference.
- Sign-in data: if you sign in with Google, we receive your email, name, and Google account ID — nothing else from your Google profile. If you use the magic-link option we only have your email.
- Server logs: standard web-server logs (IP address, request path, response code, timestamp). Used for debugging and abuse prevention, kept for 30 days.
2. What we don't collect
- No advertising trackers, no Facebook Pixel, no Google Analytics.
- No browser fingerprinting.
- No third-party cookies. The one cookie we set is a signed session token that keeps you logged in. It's HTTP-only and same-site.
3. Why we collect it
Every field above maps to something we need to ship your package:
- Email → quote, payment confirmation, status updates, sign-in links.
- Name → for the carrier waybill and customs forms.
- Phone and delivery address → so we can reach you when the shipment lands in Paramaribo and arrange pickup or delivery.
- Order data → to actually fulfil the order and let you track it.
- Payment data → to take payment and reconcile against PayPal.
4. Who we share it with
The vendors below are the only third parties that touch your data, and only for the specific purpose listed.
- PayPal — to process payments. Their privacy policy: paypal.com/us/legalhub/privacy-full
- Zoho Mail — to send and receive email from
[email protected]. zoho.com/privacy.html - Cloudflare — DNS, CDN, and TLS termination for air-crate.com. They see request metadata (IP, path) but not request bodies once we decrypt them. cloudflare.com/privacypolicy
- Google — if you choose to sign in with Google, your sign-in flow runs through Google. We never receive your Google password. policies.google.com/privacy
- Our US freight partner — receives your name and the AC-XXXX customer code on inbound packages so they can sort our mail from other customers'. They don't get your phone or Suriname address.
We do not sell your data, and we do not share it with marketing companies, data brokers, or ad networks under any circumstance.
5. How long we keep it
- Order records are kept for 7 years to comply with Suriname tax recordkeeping requirements for receipts and invoices.
- Account profile is kept while your account is active. You can ask us to delete it any time (see section 7).
- Server logs are kept for 30 days then deleted automatically.
- Backups roll on a 30-day window — deleted data leaves the backup set after one month.
6. Where it lives
The Aircrate application database is stored on a single server in Suriname. Email lives in Zoho's EU/US data centres depending on the routing of the individual message. Backups stay on the same server. We do not export your data to other jurisdictions.
7. Your rights
You can:
- See everything we have on you — sign into your account and look at the profile and shipments pages, or email us for the raw data.
- Correct anything inaccurate — update your profile or email us.
- Delete your account — email [email protected] from the address on file. We'll remove your profile and account data within 7 days. Order records may be retained for the 7-year tax window noted above; those keep the order ref and totals but we strip identifying contact info.
- Withdraw consent for Google sign-in — disconnect Aircrate from your Google account at myaccount.google.com/connections. You'll still be able to sign in via magic link.
8. Children
Aircrate isn't for users under 18. Don't create an account if you're younger than that. If you believe a minor has created an account, email us and we'll remove it.
9. Data breach
If we discover unauthorised access to account data we'll email affected customers within 72 hours and post a public notice on the homepage.
10. Changes to this policy
The "Last updated" date reflects the current version. We'll email active customers about material changes at least 14 days before they take effect.
11. Contact
Privacy questions or data requests go to [email protected].