Privacy Policy

Effective Date: December 17, 2025

At PostService.io ("we", "us", "our"), operating from Varna, Bulgaria, we are committed to protecting your personal data. This Privacy Policy explains how we handle your data in compliance with the General Data Protection Regulation (GDPR) and Bulgarian data protection laws.

1. Data We Collect

To provide our postal services, we must collect the following categories of data:

  • Account Data: Your email address, mobile phone number (for verification), and password hash.
  • Postal Data: The recipient's name and physical address, and your return address.
  • Content Data: The PDF files you upload or the text you type for the body of the letter.
  • Payment Data: We do not store credit card numbers. Payments are processed by our secure partner (Stripe/Adyen), who provides us with a payment token and transaction status.
  • Technical Data: IP address, browser type, and timestamps of your requests (for fraud prevention).

2. How We Use Your Data

We process your data for the following specific purposes:

Service Delivery: To print, envelope, and hand over your letter to the postal operator.
Legal Safety: To scan text content for illegal keywords (e.g., threats, explosives) using automated filters to prevent the use of our service for criminal acts.
Communication: To send you transactional emails (e.g., "Letter Sent", "Payment Receipt").

3. Data Retention (The "Auto-Shredding" Policy)

We distinguish between Content Data and Transactional Data:

  • Content Data (Your Letter): We apply a strict retention policy. Your PDF or typed text is stored on our secure print servers only until it is printed. It is automatically and permanently deleted 24 hours after dispatch. We do not keep backups of your letter contents.
  • Transactional Data (Metadata): We retain the sender name, recipient address, and payment record for 5 years. This is a legal requirement under Bulgarian Tax Law (NRA) to prove the service was rendered and for accounting purposes.

4. Sharing Data with Print Partners

We operate a distributed network. To deliver your mail, we must transfer the necessary data (PDF/Address) to our trusted print partners:

  • If you choose Express Local (UK), data is transferred to our partner in the United Kingdom.
  • If you choose Express Local (Turkey), data is transferred to our partner in Turkey.
  • If you choose Eco Saver, data is processed at our HQ in Bulgaria.

All partners have signed strict Data Processing Agreements (DPA) and are contractually forbidden from reading, copying, or storing your mail beyond the printing process.

5. International Transfers

Some of our print nodes (UK, Turkey) are located outside the European Economic Area (EEA). We transfer data to these locations based on Article 49(1)(b) of the GDPR: the transfer is necessary for the performance of a contract between you and PostService.io (i.e., you explicitly requested us to mail a letter in that specific country).

6. Your Rights

Under GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Request deletion of your account (Right to be Forgotten).
  • Correct inaccurate data.
  • Export your data (Data Portability).

To exercise these rights, email us at privacy@postservice.io.

7. Security Measures

We use TLS/SSL encryption (256-bit) for all data in transit. Our servers are located in secure data centers within the EU (Google Cloud). Access to print queues is restricted via VPN and multi-factor authentication.

Data Controller:
PostService HQ, operated by Livotov Labs Ltd.
P.O. Box 99
Varna 9002, Bulgaria