Privacy Policy
⚠️ Unofficial Translation
This is a machine-generated translation provided for convenience. The legally binding version is the German original. If you spot a discrepancy, the German text prevails.
1. Controller
TLBM UG (haftungsbeschränkt)
Martin Schultz
Marienhöhe 157
25451 Quickborn
Germany
Email: legal@parce.ls
Phone: +4941061282398
2. Overview of Data Processing
This Privacy Policy informs you, pursuant to Art. 13 and 14 of the General Data Protection Regulation (GDPR), about the processing of your personal data when you use our service parce.ls (hereinafter "Service").
parce.ls is a marketplace for shipping labels where private customers can purchase shipping labels from various parcel carriers.
3. Legal Bases for Processing
We process personal data on the following legal bases:
- Art. 6(1)(b) GDPR — Performance of a contract: Processing is necessary to take steps prior to entering into a contract or to perform a contract with you.
- Art. 6(1)(f) GDPR — Legitimate interests: Processing is necessary for the purposes of our legitimate interests, provided your interests or fundamental rights do not override them.
- Art. 6(1)(c) GDPR — Legal obligation: Processing is necessary to comply with a legal obligation (e.g., statutory retention requirements under tax law).
4. Data Processing in Detail
4.1 User Account and Authentication
| Data | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| Email address | Account creation, communication, invoice delivery | Art. 6(1)(b) GDPR | Duration of account + 10 years (§ 147 AO) |
| Name (via OAuth) | Display in account, shipping label | Art. 6(1)(b) GDPR | Duration of account + 10 years (§ 147 AO) |
| OAuth token (Apple/Google) | Authentication | Art. 6(1)(b) GDPR | Duration of account |
You can sign in using Apple Sign-In, Google Sign-In, or an email magic link. We do not store passwords.
4.2 Orders and Shipping Labels
| Data | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| Name (sender/recipient) | Generation of shipping label | Art. 6(1)(b) GDPR | 10 years (§ 147 AO) |
| Address (sender/recipient) | Generation of shipping label | Art. 6(1)(b) GDPR | 10 years (§ 147 AO) |
| Tracking data | Shipment tracking | Art. 6(1)(b) GDPR | 1 year |
4.3 Payment
| Data | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| Payment data (credit card, Apple Pay) | Payment processing | Art. 6(1)(b) GDPR | Never stored with us (stored with Stripe only) |
| Transaction reference | Assignment of payment | Art. 6(1)(b) GDPR | 10 years (§ 147 AO) |
Payment data is processed exclusively by our payment service provider Stripe. We do not have access to full card details at any time.
4.4 Customer Support (AI-Assisted)
| Data | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| Chat messages | Customer service and issue resolution | Art. 6(1)(b) GDPR | 1 year |
| Voice recordings (future) | AI-based phone support | Art. 6(1)(b) GDPR | 1 year |
Our customer support is assisted by AI systems. Your inquiries are processed via the Claude API (Anthropic). Voice-based support via ElevenLabs is planned for the future. You will be informed before each interaction that you are communicating with an AI system.
4.5 Technical Data
| Data | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| IP address | Fraud prevention, security | Art. 6(1)(f) GDPR | 90 days |
| Usage statistics (anonymized) | Service improvement | Art. 6(1)(f) GDPR | 90 days |
Usage analysis is conducted exclusively through self-hosted systems. No third-party tracking services are used.
5. Cookies
We use only technically necessary cookies:
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| session_token | Authentication | 30 days | Essential |
| anonymous_session | Anonymous shopping cart | 24 hours | Essential |
| locale | Language setting | 1 year | Essential |
We do not use tracking cookies, Google Analytics, the Facebook Pixel, or any comparable services. A cookie banner is therefore not required, as we use exclusively technically necessary cookies.
6. Recipients and Processors
Your personal data is shared with the following recipients to the extent necessary for the performance of a contract or on the basis of legitimate interests:
6.1 Stripe, Inc.
- Purpose: Payment processing (Apple Pay, credit card)
- Data: Payment information, transaction data, email address
- Location: USA
- Safeguards: EU-US Data Privacy Framework (adequacy decision by the European Commission), supplemented by Standard Contractual Clauses (SCCs)
- Privacy Policy: https://stripe.com/de/privacy
6.2 ShipEngine (Auctane, LLC)
- Purpose: Generation of shipping labels, rate aggregation, shipment tracking
- Data: Name, address (sender/recipient), package dimensions, tracking numbers
- Location: USA
- Safeguards: Standard Contractual Clauses (SCCs)
- Privacy Policy: https://www.shipengine.com/privacy-policy/
6.3 Parcel Carriers
- Purpose: Carrying out the transport
- Data: Name, address (sender/recipient), tracking number
- Location: Varies by carrier (DHL, DPD, Hermes, UPS, GLS, etc.) — primarily Germany/EU
- Legal Basis: Art. 6(1)(b) GDPR (performance of a contract)
6.4 Apple Inc.
- Purpose: Authentication via Apple Sign-In
- Data: Apple ID token, and depending on user settings, name and email address
- Location: USA
- Safeguards: EU-US Data Privacy Framework
- Privacy Policy: https://www.apple.com/legal/privacy/
6.5 Google LLC
- Purpose: Authentication via Google Sign-In
- Data: Google ID token, name, email address
- Location: USA
- Safeguards: EU-US Data Privacy Framework
- Privacy Policy: https://policies.google.com/privacy
6.6 Anthropic, PBC (Claude API)
- Purpose: AI-assisted customer support
- Data: Chat messages, order references
- Location: USA
- Safeguards: Standard Contractual Clauses (SCCs), data processing agreement
- Privacy Policy: https://www.anthropic.com/privacy
6.7 ElevenLabs, Inc. (future)
- Purpose: Voice-based AI customer support
- Data: Voice recordings, order references
- Location: USA
- Safeguards: Standard Contractual Clauses (SCCs)
- Note: This service is planned and will be announced separately before it goes live.
6.8 Resend (Resend, Inc.)
- Purpose: Email delivery (order confirmations, invoices, magic links)
- Data: Email address, name, content of the respective email
- Location: USA
- Safeguards: Standard Contractual Clauses (SCCs)
6.9 Hetzner Online GmbH
- Purpose: Hosting of the application and database
- Data: All data processed in connection with the Service
- Location: Germany
- Privacy Policy: https://www.hetzner.com/de/legal/privacy-policy/
7. International Data Transfers
Some of our processors are based in the USA. The transfer of personal data to the USA is carried out on the basis of the following safeguards:
- EU-US Data Privacy Framework: For certified companies (Stripe, Apple, Google), an adequacy decision by the European Commission exists pursuant to Art. 45 GDPR.
- Standard Contractual Clauses (SCCs): We have concluded the Standard Contractual Clauses approved by the European Commission pursuant to Art. 46(2)(c) GDPR with all US-based service providers.
8. Your Rights as a Data Subject
You have the following rights with respect to your personal data:
- Right of access (Art. 15 GDPR): You may request information about the personal data we hold about you.
- Right to rectification (Art. 16 GDPR): You may request the correction of inaccurate data.
- Right to erasure (Art. 17 GDPR): You may request the deletion of your data, provided no statutory retention obligations apply.
- Right to restriction of processing (Art. 18 GDPR): You may request that we restrict the processing of your data.
- Right to data portability (Art. 20 GDPR): You may request that we provide your data to you in a structured, commonly used, and machine-readable format.
- Right to object (Art. 21 GDPR): You may object to the processing of your data where such processing is based on Art. 6(1)(f) GDPR.
To exercise your rights, please contact us by email at: legal@parce.ls
Right to Lodge a Complaint with a Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority regarding our processing of personal data. The supervisory authority with jurisdiction over us is:
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Holstenstraße 98
24103 Kiel
https://www.datenschutzzentrum.de
9. Automated Decision-Making
In the context of AI-assisted customer support, no automated individual decisions within the meaning of Art. 22 GDPR are made that produce legal effects concerning you or similarly significantly affect you. The AI assistant supports the handling of inquiries; all material decisions (e.g., refunds) are reviewed by a human.
10. Data Security
We implement appropriate technical and organizational measures to protect your data, including in particular:
- Encrypted data transmission (TLS/HTTPS)
- Hosting exclusively in German data centers (Hetzner, Germany)
- Regular security updates
- Access restrictions and permission management
- No storage of payment data on our systems
11. Changes to This Privacy Policy
We reserve the right to update this Privacy Policy as needed to reflect changes in the legal framework or changes to the Service. The current version is always available on our website at /datenschutz.
Last updated: May 17, 2026
Your rights: data export and account deletion
You can download a machine-readable copy of your data at any time (GDPR Art. 20) and request account deletion (GDPR Art. 17). Both are reachable as a signed-in customer under Settings.
Account deletion: After clicking "Delete my account" you receive a confirmation email. After clicking the link, the following data is deleted immediately: address book, API keys, MCP audit log (records of your AI tool calls), OAuth links (Apple/Google), sessions, OAuth refresh tokens, contact imports, and cancelled/unpaid orders. Your profile (email, name, language preference) is anonymized.
Exception — statutory retention: Invoices and their associated order data (recipient address, shipping details, tracking number) are retained for 10 years (German tax law § 147 AO, § 257 HGB). After your profile is anonymized this data is no longer uniquely linkable to you.
Guest orders: Ordered without an account? Email support@parce.ls with the order number and the shipping email — we verify ownership and perform the anonymization manually.
Stripe (payment processor): We dissolve the link to your Stripe customer record. Stripe itself stores your payment data as a separate data controller; deletion requests go directly to Stripe (privacy@stripe.com) or via the Stripe privacy portal.
Data export: Clicking "Download my data" downloads a JSON file with all data we hold on you (profile, address book, orders, invoice metadata + links to PDF invoices, API-key metadata, MCP audit log, tracking events).