Attorney review required. This document is a draft prepared for the website launch. A California-licensed attorney should review it before production reliance. Until then, treat this text as a working summary rather than a binding privacy notice.

Privacy Policy

Effective date: 2026-05-27 Last updated: 2026-05-27 Company: 365 DELIVERY LLC, 13947 Oxnard St, Unit 206, Van Nuys, CA 91401 Contact: 365deliveryin@gmail.com · +1 (424) 457-7879

This Privacy Policy explains what personal information 365 DELIVERY LLC ("we," "us") collects when you use our website at 365delivery.com or book a service, why we collect it, how we use and share it, and the rights you have under California (CCPA / CPRA) and EU/UK (GDPR) law.

1. Information we collect

a) Information you provide directly

• Contact information: name, email address, phone number.
• Service information: pickup and drop-off addresses, move date, home size, stairs, packing preference, specialty items, and any notes you add.
• Booking history: packages purchased, deposits paid, balance payments, refunds.
• Communications: the content of emails, contact-form messages, and phone calls (calls may be transcribed for quality control with your consent).

b) Information collected automatically

• Device and usage: IP address, browser type and version, operating system, referring URL, pages viewed, timestamps. Used for security and analytics.
• Cookies and similar technologies: session cookies (necessary for booking flow), Stripe security cookies (necessary for payment), and minimal analytics cookies. We do not use advertising cookies.

c) Information from third parties

• Stripe: payment status, charge details (no full card number — Stripe handles that), refund records. We receive a Stripe customer ID and transaction metadata only.
• Google Maps Places: address suggestions and validated addresses you select in the calculator.

2. Why we collect it (legal bases)

• To perform the contract (provide the moving / delivery service you booked, send confirmations, dispatch crews).
• To comply with legal obligations (tax reporting, regulatory inquiries, dispute resolution).
• For our legitimate interests (preventing fraud, improving the website, internal analytics on aggregated booking data).
• With your consent (marketing emails — you can opt out anytime; call transcription).

Under GDPR these are Article 6(1)(b), 6(1)(c), 6(1)(f), and 6(1)(a) respectively.

3. Sharing

We share personal information only as follows:

• Stripe Inc. — payment processing. Your payment card data is sent directly to Stripe and is not stored on our servers. Stripe's privacy notice: https://stripe.com/privacy. Stripe acts as an independent data controller for payment processing.
• Resend — transactional email delivery (booking confirmations, balance links, contact-form replies). Resend acts as a data processor.
• Supabase Inc. — database and authentication hosting (US-based). Acts as a data processor.
• Vercel Inc. — website hosting (US-based). Acts as a data processor.
• Sentry — error tracking. Customer PII is filtered from breadcrumbs; only technical context (URL, browser version, error stack) is sent.
• CAL-T# licensed partner carriers — only for Partner Network long-distance bookings. We share only the information needed to perform the move (your name, contact details, pickup and drop-off addresses, move date, and inventory notes). Each partner carrier acts as an independent data controller for the transport leg.
• Legal authorities — when required by valid legal process (subpoena, court order, regulatory request) and only the data the request covers.

We do not sell or share your personal information for cross-context behavioral advertising, within the meaning of the CCPA / CPRA, and we do not engage in profiling that produces legal or similarly significant effects.

4. Retention

• Booking records (financial and service history): seven (7) years, to comply with California tax and consumer-protection record-keeping rules.
• Marketing-only contact information (email): until you unsubscribe, then deleted within 30 days.
• Contact-form messages and call notes: two (2) years, then deleted unless related to an ongoing dispute.
• Web logs and analytics: 12 months, in aggregated form thereafter.

5. Your rights under California law (CCPA / CPRA)

If you are a California resident, you have the right to:

• Know what categories of personal information we collect, why, and with whom we share it (you can ask for the specific pieces collected about you in the past 12 months).
• Delete the personal information we hold about you, subject to legal exceptions (e.g., we must retain tax records).
• Correct inaccurate personal information.
• Limit the use of sensitive personal information (we do not collect "sensitive personal information" as defined by CPRA other than account credentials for our admin users, which is not customer data).
• Opt out of the sale or sharing of personal information — we do not sell or share, but you can still file an opt-out request as a formal record.
• Non-discrimination — exercising any of these rights will not result in worse service or higher prices.

To exercise any CCPA / CPRA right: email 365deliveryin@gmail.com with subject "CCPA Request — [Right]" or call +1 (424) 457-7879. We respond within 45 days (extendable once by another 45 days with notice).

Do Not Sell or Share My Personal Information: even though we do not sell or share personal information, we provide a formal opt-out path. Email 365deliveryin@gmail.com with subject "CCPA Opt-Out" — we log the request within 15 business days.

You may designate an authorized agent to make requests on your behalf — we will require written authorization and verification.

6. Your rights under EU / UK law (GDPR / UK GDPR)

If you are in the European Economic Area, United Kingdom, or Switzerland, you have the rights of:

• Access — request a copy of your personal information.
• Rectification — request correction of inaccurate data.
• Erasure — request deletion, subject to legal retention obligations.
• Restriction of processing — pause processing while a dispute is resolved.
• Data portability — receive your data in a machine-readable format.
• Objection — object to processing based on legitimate interest, including direct marketing.
• Withdraw consent — at any time for consent-based processing.
• Lodge a complaint — with your national data-protection supervisory authority.

To exercise any GDPR right, email 365deliveryin@gmail.com with subject "GDPR Request — [Right]." We respond within one month.

International transfers: data is hosted in the United States by Vercel, Supabase, Stripe, Resend, and Sentry. Where required, transfers from the EEA / UK rely on the Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework, depending on the processor's certification status.

7. Cookies

We use the minimum set of cookies needed to operate the site:

| Cookie purpose | Examples | Duration | |---|---|---| | Strictly necessary (booking session, CSRF) | session, csrf | Session | | Stripe payment security | Stripe's own cookies on their hosted Checkout pages | Per Stripe | | Internationalization | NEXT_LOCALE | 1 year | | Lightweight analytics (aggregated, no personal profiling) | Vercel Analytics | 1 year |

We do not use third-party advertising cookies, retargeting pixels, or social-network trackers. If we add any in the future, we will request your prior consent through a banner.

8. Security

• All website traffic is served over HTTPS with HSTS.
• Payment card data never touches our servers — Stripe processes payments directly.
• Database access is restricted by Supabase Row-Level Security; only admin users can read booking and quote records.
• Webhook endpoints verify Stripe signatures with the raw request body.
• We perform an annual SAQ A self-assessment and a Vercel ASV scan.

No system is perfectly secure. If we detect a breach affecting your personal information, we will notify you and the California Attorney General as required by Cal. Civ. Code §1798.82.

9. Children

Our services are for adults (18+). We do not knowingly collect personal information from children under 16. If you believe a child has provided us personal information, email 365deliveryin@gmail.com and we will delete it.

10. Changes to this policy

We may update this Privacy Policy. Material changes will be announced on the website with a new effective date. The version archived with each booking record is the version in force for that booking.

11. Contact the Data Protection Lead

For any privacy question or rights request:

365 DELIVERY LLC Attn: Data Protection Lead 13947 Oxnard St, Unit 206 Van Nuys, CA 91401 365deliveryin@gmail.com +1 (424) 457-7879

We aim to acknowledge any privacy request within five (5) business days and resolve it within the timelines required by applicable law.