Legal
Privacy Policy
Effective date: January 1, 2026
·
Last updated: April 1, 2026
Plain English summary:
Epitomex collects only the data needed to operate a logistics chain-of-custody
platform. We do not sell your data. We do not use it for advertising.
Operators' location data is collected only while actively scanning pallets
and is never shared with third parties outside of your organisation.
1. Who we are
Epitomex ("we", "us", "our") operates the Epitomex Operations Portal
(web application at epitomex.com) and the
Pallet Pass mobile application (available on the Google Play Store
and Apple App Store). Together these form a logistics chain-of-custody platform
used by warehouse operators, managers, and administrators to track pallets across
terminals and facilities.
We are the data controller for all personal data processed through the Epitomex
platform. Our registered address and contact details are provided in Section 14.
2. Scope of this policy
This Privacy Policy applies to all users of the Epitomex platform, including:
- Terminal operators using the Pallet Pass mobile application
- Managers and supervisors using the Epitomex Operations Portal
- Administrators managing facilities, users, and configurations
- Visitors to the Epitomex public website
It covers data collected via our web portal, mobile app, APIs, and any
communication you have with our support team.
3. Data we collect
| Data category | Examples | Classification |
| Identity |
Full name, username, email address, role |
Collected |
| Credentials |
Bcrypt-hashed password (never plaintext) |
Protected |
| Location |
GPS lat/lng at time of each pallet scan |
Collected |
| Photos |
Pallet images, BOL scans, damage photos |
Collected |
| Device |
OS type, app version (no device ID) |
Collected |
| Activity |
Scan events, login/logout, portal actions |
Retained |
| Communications |
Support emails and contact form submissions |
Collected |
We do not collect biometric data, financial data, health data, or any sensitive
personal categories beyond what is listed above.
4. How we use your data
- Platform operation: Processing pallet scans, maintaining chain-of-custody records, and enabling shipment management
- Authentication: Verifying your identity on login and maintaining secure sessions
- Audit trail: Recording all platform actions for compliance and accountability purposes
- Exception management: Flagging and resolving pallet discrepancies and damage reports
- Support: Responding to your enquiries and resolving technical issues
- Security: Detecting and preventing unauthorised access, fraud, and abuse
- Legal compliance: Meeting our obligations under applicable logistics, employment, and data protection laws
We do not use your data for advertising, profiling, or automated decision-making that produces legal effects.
5. Location data
Important:
Location permission is required for the Pallet Pass app to function.
GPS coordinates are recorded at the moment of each pallet scan and attached
permanently to the event record. This is a core compliance feature of the
EPX geofenced attestation system.
Location data is collected only while the app is in active use during a scan session.
Background location tracking is not used. Location data is:
- Transmitted to our servers over TLS and stored against the pallet event record
- Visible to your organisation's supervisors and administrators
- Used to verify that scans occurred within the declared terminal geofence
- Never sold or shared with third parties for advertising purposes
- Retained for 7 years as part of the logistics compliance record
6. Camera and photo access
Camera access is required to capture pallet photos, BOL document scans, and
damage evidence images. Photos are:
- Uploaded directly to our secure servers over TLS
- Not processed by third-party computer vision or AI services
- Stored as part of the immutable pallet event record
- Accessible to your organisation's supervisors and administrators
- Retained for 7 years as part of the logistics compliance record
The app does not access your photo library or save photos to your device gallery.
Camera access is only used within the active scan session.
7. Data sharing and disclosure
We do not sell personal data. We share data only in the following circumstances:
-
Within your organisation: Supervisors and administrators in your
organisation can view event records, photos, and operator activity logs associated
with their terminals.
-
Infrastructure: We use cloud hosting and database services.
These providers process data on our behalf under data processing agreements
and are not permitted to use it for their own purposes.
-
Email delivery: Account invitation and password reset emails
are sent via our SMTP mail server. Email addresses are not shared with
third-party marketing services.
-
Legal requirement: We may disclose data if required by law,
court order, or regulatory authority, and only to the extent required.
-
Business transfer: If Epitomex is acquired or merges with
another entity, data may be transferred as part of that transaction.
We will notify affected users in advance.
8. Data retention
| Data type | Retention period |
| Pallet events and shipment records | 7 years (logistics compliance) |
| Photos (pallet, BOL, damage) | 7 years |
| Audit logs | 7 years |
| Auth events (login/logout) | 2 years |
| User accounts (active) | Duration of employment / contract |
| User accounts (deactivated) | 3 years after deactivation, then anonymised |
| Exception records | 7 years |
| Draft data (device local storage) | Until shipment is submitted or app is uninstalled |
After the applicable retention period, data is either permanently deleted
or anonymised such that it can no longer be linked to an individual.
9. Security
We implement the following technical and organisational security measures:
- All data in transit is encrypted using TLS 1.2 or higher
- Passwords are stored using bcrypt hashing — plain text passwords are never stored
- Session tokens are encrypted using ASP.NET Core Data Protection
- All user actions in the portal are recorded in a tamper-evident audit log
- Failed login attempts trigger progressive lockout after 5 attempts
- Role-based access control limits data visibility to authorised roles only
- API endpoints are rate-limited to prevent abuse
- Administrators receive alerts for anomalous authentication events
No system is completely secure. In the event of a data breach that affects
your personal data, we will notify affected users and relevant authorities
within 72 hours of becoming aware, in accordance with applicable law.
10. Children's privacy
Epitomex is an enterprise logistics platform intended exclusively for use
by employed adults in a professional capacity. We do not knowingly collect
personal data from anyone under the age of 18. If you believe a minor has
been granted access to our platform in error, please contact us immediately
at support@epitomex.com and we
will deactivate the account and delete associated data promptly.
11. Your rights
Depending on your jurisdiction, you may have the following rights regarding
your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your account and associated personal data, subject to our legal retention obligations
- Portability: Request your data in a machine-readable format
- Objection: Object to certain types of processing
- Restriction: Request that we restrict processing of your data in certain circumstances
To exercise any of these rights, contact your organisation's Epitomex
administrator or email us directly at
support@epitomex.com.
We will respond within 30 days.
Account deletion / app uninstall:
Uninstalling the Pallet Pass app from your device removes locally stored
draft data but does not delete your account or server-side records.
To request full account deletion, contact your administrator or email
support@epitomex.com.
12. Third-party services
The Pallet Pass app and Epitomex portal do not integrate third-party
analytics SDKs, advertising networks, or social media SDKs.
The only third-party dependencies are:
- Capacitor (Ionic): Open-source framework — no data collection
- Device GPS API: Native OS location service — data passed directly to our server only
- Device Camera API: Native OS camera — photos are not processed by third-party vision APIs
13. Changes to this policy
We may update this Privacy Policy from time to time. When we make material
changes we will update the "Last updated" date at the top of this page and,
where required by law, notify users via email to their registered address.
Continued use of the platform after changes take effect constitutes
acceptance of the updated policy.
The current version of this policy is always available at
epitomex.com/Home/Privacy.
14. Contact us
For any privacy-related questions, requests, or concerns: