Pythias Technologies

Legal & Compliance

Internal Personal Data Protection Policy

How We Handle Personal Data Across All Operations

Effective: May 26, 2026  ·  Next review: May 26, 2027  ·  Pythias Technologies, LLC

1. Purpose & Scope

This policy governs the collection, use, storage, sharing, and disposal of personal data by Pythias Technologies, LLC in the course of its business operations. It applies to personal data relating to: clients and their representatives, end-customers of clients (order recipients), employees and contractors, website visitors, and sales leads.

"Personal data" means any information that identifies or can reasonably identify a living individual — including names, email addresses, phone numbers, shipping addresses, IP addresses, and device identifiers.


2. Lawful Basis for Processing

Pythias processes personal data under one or more of the following lawful bases:

Contract — processing necessary to deliver the services contracted by clients (order fulfillment, shipping, marketplace sync).

Legitimate interests — analytics to improve service quality, fraud prevention, and security monitoring.

Consent — marketing communications to website visitors and leads who have opted in.

Legal obligation — retention of records required by applicable law (e.g., tax records, fraud dispute documentation).


3. Data Minimization & Purpose Limitation

Personal data is collected only to the extent necessary for the stated purpose. Fields not required for the service are not collected or retained.

Personal data collected for one purpose is not repurposed without a new lawful basis and, where required, new consent.

End-customer order data (names, addresses) ingested for fulfillment purposes is used only for order processing, shipping, and fulfillment dispute resolution. It is not used for Pythias' own marketing.


4. Data Subject Rights

Individuals whose personal data Pythias holds have the following rights, exercised by contacting [email protected]:

Right of access — to receive a copy of personal data held about them.

Right to rectification — to correct inaccurate or incomplete data.

Right to erasure — to request deletion of personal data, subject to legal retention requirements.

Right to data portability — to receive data in a structured, machine-readable format.

Right to object — to object to processing based on legitimate interests, including profiling.

Right to withdraw consent — where processing is based on consent, to withdraw it at any time without penalty.

All rights requests are acknowledged within 5 business days and fulfilled within 30 days.


5. Internal Handling Rules

Employees access personal data only when required for their job function. Personal curiosity is not a valid reason to access client or end-customer data.

Personal data must not be shared via unencrypted email, personal messaging apps, or personal cloud storage.

Personal data must not be stored on personal devices except in temporary, encrypted form strictly required for a specific task.

Employees who discover accidental personal data exposure (e.g., data in a log file, sent to the wrong recipient) must report it immediately as a data incident.


6. Third-Party Data Sharing

Personal data is shared with third parties only as documented in the Data Protection Policy and only to the extent required for service delivery. Key third-party processors include MongoDB Atlas (storage), Wasabi (file storage), ShipStation (shipping fulfillment), marketplace platforms (order sync), and Google (analytics).

Pythias does not sell personal data. Pythias does not share personal data with third parties for their own marketing or profiling purposes.


7. Retention & Deletion

Personal data is retained only as long as necessary for the original purpose or as required by applicable law. Retention periods by category:

End-customer order data (names, addresses) — 3 years from fulfillment date.

Client contact and account data — duration of client relationship plus 1 year.

Lead/prospect data — up to 2 years from last interaction, or until opt-out.

Employee/contractor data — duration of engagement plus 2 years for legal purposes.

Website visitor analytics — 24 months (session-level), 14 months (Google Analytics).

Data is deleted securely upon expiry or request. Deletion is logged and confirmed.


8. Privacy by Design

When new features or integrations are developed, privacy impact is considered from the outset. New personal data fields are added only with explicit justification. Privacy settings default to the most protective option where feasible.


9. Policy Review

This policy is reviewed annually (next review: May 26, 2027), or sooner if applicable law, product features, or data handling practices materially change.


© 2026 Pythias Technologies, LLC · All rights reserved
