Legal

Privacy Policy

Effective date: January 1, 2026  ·  Last updated: April 1, 2026

Plain English summary: Epitomex collects only the data needed to operate a logistics chain-of-custody platform. We do not sell your data. We do not use it for advertising. Operators' location data is collected only while actively scanning pallets and is never shared with third parties outside of your organisation.

1. Who we are

Epitomex ("we", "us", "our") operates the Epitomex Operations Portal (web application at epitomex.com) and the Pallet Pass mobile application (available on the Google Play Store and Apple App Store). Together these form a logistics chain-of-custody platform used by warehouse operators, managers, and administrators to track pallets across terminals and facilities.

We are the data controller for all personal data processed through the Epitomex platform. Our registered address and contact details are provided in Section 14.

2. Scope of this policy

This Privacy Policy applies to all users of the Epitomex platform, including:

  • Terminal operators using the Pallet Pass mobile application
  • Managers and supervisors using the Epitomex Operations Portal
  • Administrators managing facilities, users, and configurations
  • Visitors to the Epitomex public website

It covers data collected via our web portal, mobile app, APIs, and any communication you have with our support team.

3. Data we collect

Data categoryExamplesClassification
Identity Full name, username, email address, role Collected
Credentials Bcrypt-hashed password (never plaintext) Protected
Location GPS lat/lng at time of each pallet scan Collected
Photos Pallet images, BOL scans, damage photos Collected
Device OS type, app version (no device ID) Collected
Activity Scan events, login/logout, portal actions Retained
Communications Support emails and contact form submissions Collected

We do not collect biometric data, financial data, health data, or any sensitive personal categories beyond what is listed above.

4. How we use your data

  • Platform operation: Processing pallet scans, maintaining chain-of-custody records, and enabling shipment management
  • Authentication: Verifying your identity on login and maintaining secure sessions
  • Audit trail: Recording all platform actions for compliance and accountability purposes
  • Exception management: Flagging and resolving pallet discrepancies and damage reports
  • Support: Responding to your enquiries and resolving technical issues
  • Security: Detecting and preventing unauthorised access, fraud, and abuse
  • Legal compliance: Meeting our obligations under applicable logistics, employment, and data protection laws

We do not use your data for advertising, profiling, or automated decision-making that produces legal effects.

5. Location data

Important: Location permission is required for the Pallet Pass app to function. GPS coordinates are recorded at the moment of each pallet scan and attached permanently to the event record. This is a core compliance feature of the EPX geofenced attestation system.

Location data is collected only while the app is in active use during a scan session. Background location tracking is not used. Location data is:

  • Transmitted to our servers over TLS and stored against the pallet event record
  • Visible to your organisation's supervisors and administrators
  • Used to verify that scans occurred within the declared terminal geofence
  • Never sold or shared with third parties for advertising purposes
  • Retained for 7 years as part of the logistics compliance record

6. Camera and photo access

Camera access is required to capture pallet photos, BOL document scans, and damage evidence images. Photos are:

  • Uploaded directly to our secure servers over TLS
  • Not processed by third-party computer vision or AI services
  • Stored as part of the immutable pallet event record
  • Accessible to your organisation's supervisors and administrators
  • Retained for 7 years as part of the logistics compliance record

The app does not access your photo library or save photos to your device gallery. Camera access is only used within the active scan session.

7. Data sharing and disclosure

We do not sell personal data. We share data only in the following circumstances:

  • Within your organisation: Supervisors and administrators in your organisation can view event records, photos, and operator activity logs associated with their terminals.
  • Infrastructure: We use cloud hosting and database services. These providers process data on our behalf under data processing agreements and are not permitted to use it for their own purposes.
  • Email delivery: Account invitation and password reset emails are sent via our SMTP mail server. Email addresses are not shared with third-party marketing services.
  • Legal requirement: We may disclose data if required by law, court order, or regulatory authority, and only to the extent required.
  • Business transfer: If Epitomex is acquired or merges with another entity, data may be transferred as part of that transaction. We will notify affected users in advance.

8. Data retention

Data typeRetention period
Pallet events and shipment records7 years (logistics compliance)
Photos (pallet, BOL, damage)7 years
Audit logs7 years
Auth events (login/logout)2 years
User accounts (active)Duration of employment / contract
User accounts (deactivated)3 years after deactivation, then anonymised
Exception records7 years
Draft data (device local storage)Until shipment is submitted or app is uninstalled

After the applicable retention period, data is either permanently deleted or anonymised such that it can no longer be linked to an individual.

9. Security

We implement the following technical and organisational security measures:

  • All data in transit is encrypted using TLS 1.2 or higher
  • Passwords are stored using bcrypt hashing — plain text passwords are never stored
  • Session tokens are encrypted using ASP.NET Core Data Protection
  • All user actions in the portal are recorded in a tamper-evident audit log
  • Failed login attempts trigger progressive lockout after 5 attempts
  • Role-based access control limits data visibility to authorised roles only
  • API endpoints are rate-limited to prevent abuse
  • Administrators receive alerts for anomalous authentication events

No system is completely secure. In the event of a data breach that affects your personal data, we will notify affected users and relevant authorities within 72 hours of becoming aware, in accordance with applicable law.

10. Children's privacy

Epitomex is an enterprise logistics platform intended exclusively for use by employed adults in a professional capacity. We do not knowingly collect personal data from anyone under the age of 18. If you believe a minor has been granted access to our platform in error, please contact us immediately at support@epitomex.com and we will deactivate the account and delete associated data promptly.

11. Your rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your account and associated personal data, subject to our legal retention obligations
  • Portability: Request your data in a machine-readable format
  • Objection: Object to certain types of processing
  • Restriction: Request that we restrict processing of your data in certain circumstances

To exercise any of these rights, contact your organisation's Epitomex administrator or email us directly at support@epitomex.com. We will respond within 30 days.

Account deletion / app uninstall: Uninstalling the Pallet Pass app from your device removes locally stored draft data but does not delete your account or server-side records. To request full account deletion, contact your administrator or email support@epitomex.com.

12. Third-party services

The Pallet Pass app and Epitomex portal do not integrate third-party analytics SDKs, advertising networks, or social media SDKs. The only third-party dependencies are:

  • Capacitor (Ionic): Open-source framework — no data collection
  • Device GPS API: Native OS location service — data passed directly to our server only
  • Device Camera API: Native OS camera — photos are not processed by third-party vision APIs

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes we will update the "Last updated" date at the top of this page and, where required by law, notify users via email to their registered address. Continued use of the platform after changes take effect constitutes acceptance of the updated policy.

The current version of this policy is always available at epitomex.com/Home/Privacy.

14. Contact us

For any privacy-related questions, requests, or concerns:

Epitomex — Privacy
Email: support@epitomex.com
Web: epitomex.com/Home/ContactUs
Response time: within 5 business days