Privacy Policy

Effective date: January 1, 2026  ·  Last updated: April 1, 2026

Plain English summary: Epitomex collects only the data needed to operate a logistics chain-of-custody platform. We do not sell your data. We do not use it for advertising. Operators' location data is collected only while actively scanning pallets and is never shared with third parties outside of your organisation.

1. Who we are

Epitomex ("we", "us", "our") operates the Epitomex Operations Portal (web application at epitomex.com) and the Pallet Pass mobile application (available on the Google Play Store and Apple App Store). Together these form a logistics chain-of-custody platform used by warehouse operators, managers, and administrators to track pallets across terminals and facilities.

Our registered contact address for privacy matters is: support@epitomex.com

2. Scope of this policy

This Privacy Policy applies to:

  • The Pallet Pass mobile application (iOS and Android)
  • The Epitomex Operations Portal web application
  • All associated API services operated by Epitomex

This policy applies to all users including warehouse operators, managers, supervisors, and administrators who access either platform. Use of our services is limited to authorised personnel of organisations that have contracted with Epitomex — it is not a consumer product open to the general public.

3. Data we collect

The following table summarises all categories of data collected:

Category | Specific data | Source | Required?
Account data | Email address (used as username), hashed password, assigned role, assigned terminal(s) | Created by your organisation's administrator | Yes
Pallet event data | Pallet ID (QR code), event type (check-in/check-out/damage), timestamp, facility ID | Mobile app scanning actions | Yes — core function
Location data | GPS latitude, longitude, accuracy radius at time of scan | Device GPS — mobile app only, at scan time | Yes — geofence verification
Photo data | Pallet photos, BOL photos, damage photos captured during shipment | Device camera — mobile app only | Yes — chain of custody
Operator ID | User ID associated with each scan event | Session authentication | Yes — audit trail
Session data | Login/logout timestamps, IP address, browser/device user agent | Automatically on login | Yes — security
Audit logs | Record of all user actions in the portal (create/edit/delete operations) with before/after snapshots | Automatically on every portal action | Yes — compliance
Exception records | Reported discrepancies, damage notes, resolution notes | User-entered | No — optional
Draft data | Incomplete shipment scan data saved locally if API fails | Device local storage — mobile app only | No — failure recovery

We do not collect: payment card data, social security numbers, government ID numbers, health information, biometric data, contacts, call logs, or any data unrelated to logistics operations.

4. How we use your data

We use collected data exclusively for the following purposes:

  • Authentication and access control — verifying identity and enforcing role-based permissions
  • Logistics operations — recording pallet movements, shipment creation, and chain-of-custody events
  • Geofence verification — confirming scans occur within authorised facility boundaries
  • Exception management — tracking and resolving damaged or discrepant pallets
  • Audit and compliance — maintaining tamper-evident logs of all system actions for your organisation
  • Security — detecting and preventing unauthorised access, brute-force login attempts, and abuse
  • Platform communications — sending account invitation emails and password reset emails

We do not use your data for advertising, profiling, behavioural analytics, or any purpose beyond operating the Epitomex platform.

5. Location data

Important — location access disclosure (Google Play & Apple App Store requirement)

The Pallet Pass mobile application requests access to your device's precise GPS location. Here is exactly how location data is used:

  • When collected: Only at the moment a pallet scan event is recorded. Location is not tracked continuously or in the background.
  • Why collected: To verify that the scan is occurring within the geofenced boundary of an authorised terminal or facility. Scans outside the geofence are flagged as out-of-bounds.
  • What is stored: Latitude, longitude, and accuracy radius for each scan event — linked to the pallet ID, facility, and operator.
  • Who can see it: Your organisation's managers and administrators via the Operations Portal. Epitomex staff do not routinely access location records.
  • Background location: We do not request background location access. The app only accesses location when it is actively open and a scan is in progress.

You may deny location permission at the device level. If denied, scan events will still be recorded but will be flagged as unable to verify geofence compliance, which may be restricted by your organisation's policies.

6. Camera and photo access

The Pallet Pass app requests access to your device camera to capture:

  • QR code scans on pallet labels
  • Per-pallet condition photos during inbound/outbound shipments
  • Damage documentation photos when a damage event is recorded
  • Wide-angle shipment photos at the end of a session
  • Bill of Lading document photos

Photos are uploaded directly to the Epitomex server and stored as part of the shipment record. Photos are not stored in your device's camera roll or photo library unless you explicitly save them. The app does not access your existing photo library.

7. Data sharing and disclosure

We do not sell, rent, or trade your personal data. We share data only in these limited circumstances:

  • Within your organisation: Pallet event data, scan records, and operator IDs are visible to managers and administrators within your organisation's Epitomex account.
  • Hosting infrastructure: Our servers are hosted on infrastructure provided by our hosting provider. Data is stored on servers located within our contracted data centre. The hosting provider processes data only to provide infrastructure services.
  • Email delivery: Account invitation and password reset emails are sent via our SMTP mail server. Email addresses are not shared with third-party marketing services.
  • Legal requirement: We may disclose data if required by law, court order, or regulatory authority, and only to the extent required.
  • Business transfer: If Epitomex is acquired or merges with another entity, data may be transferred as part of that transaction. We will notify affected users in advance.

8. Data retention

Data type | Retention period
Pallet events and shipment records | 7 years (logistics compliance)
Photos (pallet, BOL, damage) | 7 years
Audit logs | 7 years
Auth events (login/logout) | 2 years
User accounts (active) | Duration of employment / contract
User accounts (deactivated) | 3 years after deactivation, then anonymised
Exception records | 7 years
Draft data (device local storage) | Until shipment is submitted or app is uninstalled

After the applicable retention period, data is either permanently deleted or anonymised such that it can no longer be linked to an individual.

9. Security

We implement the following technical and organisational security measures:

  • All data in transit is encrypted using TLS 1.2 or higher
  • Passwords are stored using bcrypt hashing — plain text passwords are never stored
  • Session tokens are encrypted using ASP.NET Core Data Protection
  • All user actions in the portal are recorded in a tamper-evident audit log
  • Failed login attempts trigger progressive lockout after 5 attempts
  • Role-based access control limits data visibility to authorised roles only
  • API endpoints are rate-limited to prevent abuse
  • Administrators receive alerts for anomalous authentication events

No system is completely secure. In the event of a data breach that affects your personal data, we will notify affected users and relevant authorities within 72 hours of becoming aware, in accordance with applicable law.

10. Children's privacy

Epitomex is an enterprise logistics platform intended exclusively for use by employed adults in a professional capacity. We do not knowingly collect personal data from anyone under the age of 18. If you believe a minor has been granted access to our platform in error, please contact us immediately at support@epitomex.com and we will deactivate the account and delete associated data promptly.

11. Your rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your account and associated personal data, subject to our legal retention obligations
  • Portability: Request your data in a machine-readable format
  • Objection: Object to certain types of processing
  • Restriction: Request that we restrict processing of your data in certain circumstances

To exercise any of these rights, contact your organisation's Epitomex administrator or email us directly at support@epitomex.com. We will respond within 30 days. Note that some requests may be limited by our legal obligations to retain logistics and audit records.

Account deletion / app uninstall: Uninstalling the Pallet Pass app from your device removes locally stored draft data but does not delete your account or server-side records. To request full account deletion, contact your administrator or email support@epitomex.com.

12. Third-party services

The Pallet Pass app and Epitomex portal do not integrate third-party analytics SDKs (such as Firebase Analytics, Google Analytics, or Mixpanel), advertising networks, or social media SDKs. The only third-party dependencies are:

  • Capacitor (Ionic): Open-source framework for packaging the web app as a native mobile app — no data collection
  • Device GPS API: Native OS location service — data is passed directly to our server and not shared with the OS vendor beyond the standard location permission flow
  • Device Camera API: Native OS camera — photos are not processed by third-party vision APIs

13. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes we will update the "Last updated" date at the top of this page and, where required by law, notify users via email to their registered address. Continued use of the platform after changes take effect constitutes acceptance of the updated policy.

The current version of this policy is always available at epitomex.com/Home/Privacy.

14. Contact us

For any privacy-related questions, requests, or concerns:

Epitomex — Privacy
Email: support@epitomex.com
Web: epitomex.com/Home/ContactUs
Response time: within 5 business days