Zum Inhalt springen

Privacy Policy

Last updated: March 2026

1. Data Controller

Elektronikhandel Michael Graef
Breitscheidstraße 84, 70176 Stuttgart
E-Mail: info@labelfleet.com

2. Overview

LABELfleet is a B2B SaaS platform for shipping label creation, invoice management, and order processing. This privacy policy explains what data we collect and how we use it.

3. Data We Collect

a) Account Data

When you register, we collect: email address, hashed password, display name. For two-factor authentication (2FA): encrypted TOTP secret. For passkey login: WebAuthn credential ID and public key. For OAuth login (GitHub, Apple): provider user ID.

b) Shipping Data

For label creation and shipping: recipient name, address, phone number, email. This data is transmitted to DHL via their API for label generation and tracking. Legal basis: Art. 6 (1)(b) GDPR (contract performance).

c) Invoice Data

For invoicing: company name, address, VAT ID, invoice items. Invoices and credit notes are stored as PDF files. Legal basis: Art. 6 (1)(c) GDPR (legal obligation — tax retention periods).

d) API Keys

API keys are stored as SHA-256 hashes. The plaintext key is shown only once at creation time and is not retained by us.

e) Shop Connections

When connecting marketplace accounts (Amazon, eBay, Etsy, etc.), we store OAuth tokens or API credentials to synchronize orders. Order data (buyer name, address, items) is imported for label creation. We do not access data beyond what is required for order fulfillment.

4. Hosting & Infrastructure

LABELfleet is hosted on Hetzner Online GmbH servers in Germany. All data is stored within the EU. We use Docker containers with encrypted connections (HTTPS/TLS). DHL API communication uses TLS-encrypted connections.

5. Third-Party Services

  • DHL (Deutschland) — Shipping label creation, tracking, returns (DHL Geschäftskundenversand API). Data transmitted: recipient address, parcel weight/dimensions. Legal basis: Art. 6 (1)(b) GDPR.
  • Resend (USA) — Email delivery service for invoices, credit notes, password resets, and return labels. Data transmitted: recipient email address, email content. Legal basis: Art. 6 (1)(b) GDPR.
  • Stripe (USA) — Payment processing for subscription billing. Data transmitted: customer email, payment information. Legal basis: Art. 6 (1)(b) GDPR.
  • Anthropic (USA) — AI agent for customer communication (Claude API). Data transmitted: message content. Legal basis: Art. 6 (1)(b) GDPR.
  • Google / Apple / GitHub (OAuth) (USA) — Optional login providers. We receive: user ID, email, display name. We do not access further profile data. Legal basis: Art. 6 (1)(a) GDPR (consent).
  • Amazon / eBay / Shopify (USA/Kanada) — Marketplace API integrations for order synchronization. Data transmitted: OAuth tokens, order data. Legal basis: Art. 6 (1)(b) GDPR.

Third-Country Data Transfers

Some of our service providers are based in the USA (Stripe, Resend, Anthropic, Google, Apple, GitHub, Amazon, eBay). Data transfers to the USA are based on the EU-U.S. Data Privacy Framework (DPF), under which these companies are certified. This ensures an adequate level of data protection as recognized by the European Commission (Adequacy Decision of 10 July 2023). Shopify is based in Canada, which has an adequacy decision from the European Commission.

6. Cookies & Local Storage

LABELfleet uses the following cookies and local storage entries:

  • session — Session cookie (essential, HTTP-only). Required for authentication.
  • remember_token — Persistent login cookie (optional, 30 days). Only set when "Remember me" is selected.
  • lf-cookie-consent — Cookie consent preference (localStorage). Stores your accept/decline choice.
  • labelfleet-theme — Theme preference (localStorage). Light/dark mode setting.
  • labelfleet-api-key — API key for print agent (localStorage). Stored only on your device.

We do not use tracking cookies or advertising cookies. No third-party analytics services are used.

Product analytics: LABELfleet collects anonymized usage data (page views and feature usage such as label printing, shipment creation, invoicing) to improve the product. This data is processed server-side and contains no personally identifiable information — only your pseudonymous tenant ID, the page path, and a timestamp. Data is forwarded to our central operations server and retained for 90 days. Legal basis: Art. 6 (1)(f) GDPR (legitimate interest in product improvement). You can opt out by contacting support@labelfleet.com.

7. Data Retention

  • Account data: until account deletion
  • Invoices & credit notes: 10 years (German tax law, § 147 AO)
  • Shipping labels & order data: 6 years (§ 257 HGB)
  • Server logs: 30 days

8. Your Rights

Under the GDPR, you have the right to:

  • Access your personal data (Art. 15 GDPR)
  • Rectification of inaccurate data (Art. 16 GDPR)
  • Erasure of your data (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Object to processing (Art. 21 GDPR)

Contact us at info@labelfleet.com to exercise your rights. You also have the right to lodge a complaint with the supervisory authority:

Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20, 70173 Stuttgart
poststelle@lfdi.bwl.de

9. Security Measures

We implement the following security measures: TLS/HTTPS encryption for all connections, bcrypt password hashing, SHA-256 API key hashing, two-factor authentication (TOTP), WebAuthn/FIDO2 passkey support, rate limiting and account lockout protection, HTTP-only session cookies.

10. Data Processing Agreement

Insofar as LABELfleet processes personal data on behalf of its users (e.g., recipient addresses, buyer email addresses), we act as a data processor within the meaning of Art. 28 GDPR. Details are set out in our Data Processing Agreement (DPA).