Privacy Policy
How we collect, use, and protect your data.
1. Who we are
PickPointio LLC ("PickPoint," "we," "us," "our") provides geolocation APIs - geocoding, routing, address search, and device tracking - accessible at api.pickpoint.io and managed through the dashboard at pickpoint.io (collectively, the "Service"). This Privacy Policy explains how we handle personal data in connection with the Service.
Data controller: PickPointio LLC, 651 North Broad Street, Suite 206, Middletown, DE 19709, United States. Contact: privacy@pickpoint.io
2. Data we collect
Account data - when you register, we collect your email address and, optionally, your name and company. Billing details are handled entirely by Stripe; we do not store any card data.
API usage logs - every API request generates a log entry that includes the timestamp, the API key used, the endpoint, the HTTP response code, and the source IP address. Request payloads (addresses, coordinates) are logged transiently and are not retained beyond 30 days.
Device tracking data - if you use the Device Tracking API, the GPS coordinates and timestamps you transmit are stored on our infrastructure under your account for the retention period defined by your plan. This data belongs to you.
Support communications - messages you send to our support team (email, live chat) are retained to manage your request and improve the Service.
Website analytics - we use self-hosted, cookieless analytics that collect only aggregated, anonymized data (page views, referrer, country). No cross-site tracking or advertising cookies are used.
3. How we use your data
- Delivering API responses and operating the Service
- Processing billing and sending invoices via Stripe
- Detecting, investigating, and preventing abuse
- Sending transactional notifications (billing receipts, API key changes, incident alerts)
- Responding to support requests
- Improving geocoding accuracy and infrastructure performance using anonymized aggregate query statistics
We do not use your data to train third-party AI models, sell to data brokers, or send marketing emails without your explicit opt-in.
4. Data sharing
We do not sell personal data. We share data only with:
- Stripe - payment processing (governed by Stripe's Privacy Policy)
- Infrastructure providers - cloud hosting, CDN, and monitoring services bound by data processing agreements and confidentiality obligations
- Law enforcement - only in response to a valid legal request (subpoena, court order); we will notify you where legally permitted
5. Cookies
The dashboard uses a single session cookie to maintain authentication after login. This cookie is strictly necessary and contains no personally identifiable information beyond your session token. It is cleared when you log out or after 30 days of inactivity. We do not use advertising, tracking, or third-party analytics cookies.
6. Data retention
| Data type | Retention |
|---|---|
| API request logs (payloads) | 30 days |
| API request metadata (codes, latency) | 90 days |
| GPS track history | Per plan: 30 days (Starter), 1 year (Business), configurable (Enterprise) |
| Account data | Until account deletion, then 30 days for backup purge |
| Billing records | 7 years (statutory requirement) |
| Support correspondence | 3 years from last interaction |
7. Security
All data in transit is protected by TLS 1.2 or higher. Sensitive data at rest is encrypted with AES-256. Access to production systems is restricted to authorized personnel via MFA-protected credentials. We conduct periodic security reviews and penetration tests. In the event of a breach materially affecting your personal data, we will notify affected users within 72 hours of discovery.
8. Your rights
Depending on your jurisdiction, you may have the right to:
- Access - request a copy of the personal data we hold about you
- Correction - request correction of inaccurate data
- Deletion - request erasure of your personal data (subject to retention obligations)
- Portability - receive your data in a machine-readable format
- Restriction - request that we limit how we process your data
- Objection - object to processing based on our legitimate interests
To exercise any right, email privacy@pickpoint.io. We respond within 30 days.
9. International transfers
PickPoint infrastructure is hosted in the European Union and the United States. If you access the Service from outside these regions, your data may be transferred internationally. Where required, we apply appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission.
10. Children
The Service is not directed to individuals under 16 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact privacy@pickpoint.io and we will delete it promptly.
11. Changes to this policy
We may update this policy periodically. Minor changes take effect immediately upon posting. Material changes (changes to what data we collect, how we use it, or who we share it with) will be announced by email and a notice on the Service at least 30 days before taking effect.
12. Contact
For privacy questions or to exercise your rights: privacy@pickpoint.io