Privacy Policy

Last updated: January 1, 2025

1. Introduction and Data Controller Identity

This privacy policy describes how GP360 collects, uses, retains and protects your personal data when you use our mobile application and website.

Data Controller:
GP360
Domain: gp360.ca
Email: privacy@gp360.ca

By using the GP360 app or website, you accept the practices described in this policy.

2. Personal Data Collected

We collect the following categories of data:

2.1 Email Address

Authentication, Notifications

Your email address is used to:

  • Create and authenticate your account via a secure JWT token mechanism.
  • Send you transactional notifications related to your shipments (participation confirmation, acceptance, modification, delivery).
  • Contact you in the event of a security issue or important update to the terms of service.

2.2 Full Name

Profile, Shipments

Your full name is used to:

  • Display your identity on your user profile.
  • Identify participants and creators in the context of collaborative shipments.
  • Allow businesses to identify their invited collaborators.

2.3 Geolocation Data

Geolocation, Consent required

Geolocation is collected only with your explicit consent, via the standard permission request on your mobile device (iOS or Android). It is used for:

  • Proximity discovery: display shipping events near your current geographic location.
  • Package tracking: record location data during active transit of your packages to enable real-time tracking.

Background location is not used. Location data is only collected in the foreground when the app is active. You can revoke access at any time in your device settings.

2.4 Technical Data

We automatically collect certain anonymized technical data: app version, device type, operating system. This data does not personally identify you and is used only for diagnostics and service improvement.

3. Legal Basis for Processing

The processing of your data rests on the following legal bases:

  • Contract performance: processing of your email, name and delivery data is necessary to provide the collaborative shipping service.
  • Consent: collection of geolocation data is subject to your prior explicit consent.
  • Legitimate interest: collection of anonymized technical data aims to ensure service stability and security.
  • Legal obligation: certain billing data may be retained to meet Canadian tax and accounting obligations.

4. Data Retention Periods

  • Account data (email, name): retained for the lifetime of the account, then deleted within 30 days of account deletion.
  • Geolocation data: positions recorded during package tracking are retained until the corresponding shipment is closed, then deleted.
  • Shipment history: retained for 3 years from the delivery date, in accordance with Canadian billing data retention requirements.
  • Anonymized technical data: retained for a maximum of 12 months.

5. Data Sharing with Third Parties

GP360 does not monetize your personal data. Your data may be shared in the following strictly limited cases:

  • Infrastructure providers: our VPS host (Hostinger) processes data to provide the technical infrastructure. Contractual clauses guarantee the protection of your data.
  • Transactional email service: a third-party SMTP provider may process your email address for sending notifications.
  • Legal obligations: we may disclose data if required by Canadian law or in response to a valid court order.

6. Data Security

We implement the following technical and organizational measures:

  • Encryption of all communications via TLS 1.3 (HTTPS).
  • Authentication via time-limited JWT tokens.
  • Masking of sensitive data in application logs.
  • Production data access limited to authorized personnel.
  • Passwords stored in hashed form (bcrypt) — never in plain text.
  • HTTP security headers: HSTS, X-Content-Type-Options, X-Frame-Options, CSP.

7. Your Rights

In accordance with Canadian personal information protection laws (PIPEDA / Law 25), you have the following rights:

  • Right of access: obtain a copy of the personal data we hold about you.
  • Right of rectification: correct inaccurate or incomplete data.
  • Right to deletion: request deletion of your account and data (see the Delete Account page).
  • Right to withdraw consent: revoke your consent to geolocation at any time in app or device settings.
  • Right to portability: receive your data in a structured format upon request.
  • Right to object: object to certain processing based on legitimate interest.

To exercise these rights, contact our data protection officer at: privacy@gp360.ca. We will respond within 30 days.

8. Children

GP360 is not intended for persons under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us immediately.

9. Cookies and Similar Technologies

The GP360 mobile app does not use cookies. The website may use essential technical cookies only (session, language preferences), without tracking or advertising cookies.

10. Changes to this Policy

We may modify this privacy policy from time to time. You will be notified of significant changes by email or via an in-app notification. The date of the last update is shown at the top of this page.

11. Contact — Data Protection Officer (DPO)

For any questions related to this policy or your personal data:
DPO Email: privacy@gp360.ca
General support: support@gp360.ca