1. Who We Are

Shipito LLC, ("Shipito"), provides logistics and assisted purchasing services to its Customers, enabling international delivery of purchased products. Shipito is a wholly owned subsidiary of Global Access Group, LLC. Shipito services include: product purchase, logistics, insurance, storage, re-packaging, package forwarding, freight, customs and tax.

Shipito provides domestic delivery, insurance, storage, re-packaging and international delivery of goods purchased. Delivery of products may be to our customer or to the person provided by our customer as the ship-to party. Shipito confirms that products can be shipped and also confirms that a 'ship-to' party is not restricted from shipping by U.S. regulatory authorities. Shipito facilitates customs and tax associated with international delivery. An additional service offered is the "assisted purchase" program where Shipito facilitates the actual purchase of a product that the end-user client is unable to purchase themselves directly from the retailer. Data is collected directly from the customer via www.shipito.com.

Shipito maintains corporate offices and warehouses in the United States. Shipito utilizes third-party Processors to provide services, including: logistics, payments, insurance and communication. Local regulations for customs and tax require the sharing of Personal Data with regulatory authorities.

2. Link to the Global Data Privacy Policy of Global Access Group, LLC.

As a wholly owned subsidiary of Global Access Group, LLC, we comply with the Global Data Privacy Policy, which can be viewed by accessing the link below:

https://www.globalaccess.com/about/Global-Data-Privacy-Policy

This Privacy Statement details specific information related directly to Shipito.

3. Personal Data We Process

We collect Personal Data that (a) you actively submit to us as a customer, and (b) we receive from our Customers. We may process your Personal Data with or without automatic means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of your Personal Data

1. Actively submitted data. You submit Personal Data to us when you register an account with us through our websites, purchase our services, or engage in other interactions or communications with our organization. We generally process name, physical address, telephone number, e-mail address, and payment information.

   We may also process identification information in order to verify your identity in the event that there is a risk of fraud or a regulatory requirement to verify such. Identification information may include photo, passport number, photocopy or electronic copy of the passport, driver's license number, driver's license photocopy or electronic copy, national ID number, photocopy or electronic copy of utility bills or other documentation requested for this purpose. Identification information is collected only as needed. A failure to provide identification information as requested may impact the status of your account with us.

   You may provide us with additional information to participate at your own initiative in surveys, feedback comments, online chat services, promotions or other activities. Participation in surveys, feedback comments, online chat services, promotion or other similar activities is optional. If you do not wish to participate in, or provide Personal Data in connection with such activities, this will not affect your account status or ability to use available services. In each such case you will know what Personal Data you provide us with because you actively and voluntarily submit the data.

   We also offer our Customers registered under our Affiliate Program commissions for referring new Customers to us who use our services. Upon registration in the affiliate program they are assigned a URL with a unique Affiliate ID to use in their own marketing efforts. That affiliate ID is then tied to any new account registration sourced from the affiliate's URL. The data of customers who sign-up through an Affiliate is treated the same as if the customer sought us out directly.

2. Data received from our Customers. Customers identify a 'Ship-to' party and delivery destination for packages that we ship at their request. The 'Ship-to' party and delivery address do not need to match the personal information provided by the customer upon registration. The main reasons for the personal information differing is where the customer is purchasing and shipping products on behalf of another person, as a gift for another person, or to another person who will receive the products on their behalf. Where a Customer provides Personal Data of another person, they assume the role of a data Controller and Shipito acts in the role of a data Processor. The personal information collected generally includes the name, physical address and phone number of the 'Ship-to' party. Processing of this Personal Data is performed on behalf of the Customer and for the purpose of providing the services requested by the Customer. No active marketing is performed on Personal Data of the 'Ship-to' party.

3. Personal Data not actively collected or Processed. We do not actively collect or otherwise Process Personal Data from minors and include in our Terms and Conditions a condition that the customer is not a minor and does not provide Personal Data of minors. The age of a minor varies by country. For the purposes of Personal Data collected from the European Union, the age of a minor is under age sixteen (16).

   We do not actively collect or otherwise process special categories of Personal Data as identified in the GDPR including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, or genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

   We do not actively collect or otherwise process Personal Data relating to criminal convictions and offences.

If you or someone else has provided us with your personal contact information and you would like to request that we do not contact you further, please follow the unsubscribe or opt-out procedures provided on the specific site, newsletter, e-mail notification, or contact us via the contact details provided at the end of this Privacy Statement.

4. Tracking Technologies, Cookies and Clear GIFs

We use tracking technologies, cookies and clear GIFs to collect information. Tracking technologies are used to collect information from your web browser through our servers or filtering systems when you visit any of our sites. Cookies are small bits of data used to transfer information to your computer's hard drive or your web browser for record-keeping purposes, including recognizing your web browser when you return to our sites. A clear GIF is a transparent graphic image placed on a website. The use of clear GIFs allows us to monitor your actions when you open a web page and makes it easier for us to follow and record the activities of recognized browsers. Clear GIFs are used in combination with cookies to obtain information on how visitors interact with our websites.

Information collected may include but is not limited to your browser type, your operating system, your language preference, any referring web page you were visiting before you came to our site, the date and time of each visitor request, and information you search for on our sites. We can also track the path of page visits on a website and monitor aggregate usage and web traffic routing on our sites. We collect this information to better understand how you use and interact with our sites in order to improve your experience. We also collect this information to better understand what services and marketing promotions may be more relevant to you. We may also share this information with our employees, service providers and customer affiliates as well as between affiliated entities.

You can change your web browser settings to stop accepting cookies or to prompt you before accepting a cookie from the sites you visit. If you do not accept cookies, however, you may not be able to use some sections or functions of our sites.

To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit http://www.allaboutcookies.org.

To opt out of being tracked by Google Analytics across all websites visit https://tools.google.com/dlpage/gaoptout.

5. Purposes for Processing Personal Data

We process Personal Data for logistics, payment, insurance, customs, tax, other regulatory requirements, communication, customer service, marketing, web analytics, system monitoring, data security and other operational and administrative purposes.

We use Personal Data to provide logistics and other related services to enable international product purchase and delivery for our Customers while meeting the regulatory requirements of the relevant countries. We may use Personal Data to (a) purchase product for you, (b) package and inventory product for you, (c) store product for you, (d) deliver product to you, (e) insure product, (f) submit customs or other regulatory forms on your behalf, (g) contact you, (h) create and maintain an account profile, (i) fulfill requests you make. (j) seek your voluntary feedback, (k) customize features or content on our websites and software, (l) evaluate eligibility to participate in promotions, (m) verify identity, or (n) administer our services, including through use of third-party services providers.

In this context, the legal basis for our Processing of your Personal Data is either the necessity to perform contractual and other obligations that we have towards you or carrying out our legitimate activities as a logistics organization.

We may also use your data to comply with applicable laws and exercise legal rights as the basis for our data Processing.

We may also use your Personal Data for internal purposes, including auditing, data analysis, system troubleshooting, and research. In these cases, we base our Processing on legitimate interests in performing the activities of the organization.

Personal Data is also used in order to send regular marketing communications to Customers via email. The process applied to marketing communication differs by country. Historically, an opt-out process was applied, with Customers being offered the choice to deselect the checkbox at the time of registration if they did not wish to receive these communications. Going forward, an informed opt-in process will be applied to certain countries, including the European Economic Area ("EEA"), in order to comply with the GDPR.

For Customers outside of the EEA, an opt-out process will continue to apply for marketing communications and will continue to be offered at the time of account registration. An 'unsubscribe' option is provided in the footer of every marketing communication. In addition, you may contact us directly to unsubscribe. Our contact details are provided at the end of this Privacy Statement.

For Customers from the EEA who are already receiving marketing communications based upon their previous registration under the opt-out process, the Customers will not be required to opt-in. The legal basis relied upon for these Customers is carrying out legitimate activities as a logistics organization. For these Customers, the legitimate interest of the organization in maintaining its existing mailing list is not overridden by the interests or fundamental rights and freedoms of the Customer, who is the Data Subject, as the Customer has chosen not to opt-out when receiving marketing communications in the past. An 'unsubscribe' option is provided in the footer of every marketing communication. In addition, we may be contacted directly to unsubscribe. Our contact details are provided at the end of this Privacy Statement.

For Customers from the EEA who register after May 25, 2018, upon registration of an account, we offer you the opportunity to receive regular marketing communication from us. The legal basis for this marketing communication, including surveys initiated through our email communication, is based upon your consent to Processing your Personal Data for this specific purpose. In order to consent, you must opt-in by selecting the check-box. You do not have to consent to receipt of marketing communication in order to access our services. You have the right to withdraw your consent to Processing your Personal Data for marketing communication at any time. Withdrawal of your consent is achieved by 'unsubscribing' to the marketing communication through any of the emails received. The 'unsubscribe' option is provided in the footer of every marketing communication. In addition, we may be contacted directly to unsubscribe. Our contact details are provided at the end of this Privacy Statement.

6. Sharing of Personal Data

We share your Personal Data with other parties in the following circumstances:

1. Third-Party Providers. We may provide Personal Data to third parties for their Processing in performing functions on our behalf as data Processors (for example, logistics, insurance, payments, security, data analysis, surveys, and so forth). In such instances, the providers will be contractually required to protect Personal Data from additional Processing (including for marketing purposes) and transfer in accordance with this Data Privacy Policy and applicable laws. This may include transfers or onward transfers to third parties that are outside of the EEA and outside of the United States. In these circumstances, relevant protections approved under the GDPR will be undertaken to protect your Personal Data. Under certain data protection laws, including the GDPR, Shipito is liable if a third-party provider that we have engaged to Process Personal Data fails to fulfil its data protection obligations.

2. Organizational Entities. We may transfer Personal Data from Shipito to Global Access, LLC, in order to facilitate logistics and related services. In this event, Global Access, LLC, will process Personal Data on behalf of Shipito as a data Processor. A data sharing and Processing agreement has been concluded between the two entities to ensure that Global Access, LLC, is contractually required to protect Personal Data from additional Processing and transfer outside of the purposes stipulated by Shipito as a Personal Data Controller.

3. Legal Requirements. We may access and disclose your Personal Data to regulatory bodies if we have a good-faith belief that doing so is required under regulation. This may include screening against the Consolidated Screening List for which the United States Government maintains restrictions on certain exports, re-exports or transfers of items. This may also include submitting Personal Data required by local customs authorities and tax authorities. Additionally, we may disclose your Personal Data and other information as required by law, including in response to lawful requests by public authorities or to meet national security or law enforcement requirements. We may also disclose your Personal Data to exercise or defend legal rights; to take precautions against liability; to protect the rights, property, or safety of the resource, of any individual, or of the general public; to maintain and protect the security and integrity of our services or infrastructure; to protect ourselves and our services from fraudulent, abusive, or unlawful uses; or to investigate and defend ourselves against third-party claims or allegations.

7. Storage of Personal Data

We may store your Personal Data in data centers in the United States, cloud storage solutions, or on our premises, including corporate offices and warehouses. To ensure the adequacy of protection of data that we transfer between Shipito and Global Access, LLC, we have concluded a data transfer and Processing agreement between these entities. You may be entitled to review our data sharing and Processing agreements if you contact us per the contact details provided at the end of this Privacy Statement. We endeavor to utilize third-party service providers from the United States that have certified with the EU-U.S. Privacy Shield Framework

8. Personal Data Security

Shipito uses technical and organizational measures to protect the Personal Data received against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. We regularly consider appropriate new security technology and methods as we maintain and develop our software and systems. Security measures implemented include:

1. SSL is used on all pages where Personal Data is collected;
2. Data requiring a higher level of protection, such as payment card account numbers and passport numbers, is encrypted prior to transmission to the database for storage;
3. Web and database servers are protected using firewalls;
4. Passwords used for account registration cannot be 'defaulted';
5. User access is tracked;
6. Role-based security is applied to system access;
7. All employees are contractually obligated to maintain the confidentiality of Personal Data accessible through their employment;
8. Regular system backups are made;
9. Regular maintenance is performed on systems; and
10. Systems are monitored for security.

9. Retention of Personal Data

Shipito retains collected Personal Data for a reasonable period of time to fulfill the Processing purposes mentioned above. Personal Data is then archived for time periods required or necessitated by law or legal considerations. When archival is no longer required, Personal Data is deleted from our records.

Shipito offers you a choice to sign up with a free Standard account or a paid Premium account. The Premium account offers either monthly or annual subscription payment options.

For Standard accounts, the account is automatically deactivated and deleted if there has not been any activity on the account for a 2-year period. The time period of 2 years is selected based upon typical Customer trends, where some Customers may only choose to use the services on occasion. This period is also necessary to accommodate Customers who have been required to verify their identity so that this process does not have to be started over with a new account unnecessarily. If you wish us to deactivate your account sooner than this time period, please contact us. Our contact details are provided at the end of this Privacy Statement.

For Premium accounts, fees are automatically charged to the account on file per the monthly or annual subscription option selected. At any time, you may choose to change your account to a Standard account. If the account fees are unpaid, the Premium account automatically changes to a Standard account, which automatically deactivates and deletes if there has not been any activity on the account for a 2-year period. If you wish us to deactivate your account sooner than this time period, please contact us. Our contact details are provided at the end of this Privacy Statement.

We continue to retain Personal Data that we are required to retain in order to meet our regulatory obligations including tax records and transaction history. We comply with the Retention Policy of our parent company Global Access Group, LLC, which is regularly reviewed to ensure compliance with our obligations under data protection laws and other regulatory requirements. We regularly audit our databases and archived information to ensure that Personal Data is only stored and archived in alignment with the Retention Policy.

10. Personal Data Rights

Where we act as the Personal Data Controller, we rely upon our Customers maintaining the accuracy of the Personal Data they provide through our website, www.shipito.com, including the ability to add, edit and delete contact, payment and delivery information. Where you are the account holder, you may view and edit the Personal Data you have provided by accessing your account online under the Account Profile menu online.

Where you are not the account holder, we act as the Personal Data Processor. The Customer that provided your Personal Data to us is the Personal Data Controller. You may reach out to the Customer that provided your Personal Data and request that they make any required update under the Account Profile menu of their registered account, including deletion of your Personal Data. This typically occurs where you have received delivery of a package that was arranged by another person.

You may also contact us with your Personal Data inquiries or for assistance in modifying or updating your Personal Data and to exercise additional statutory rights such as: access, rectification, data portability, objection, Processing restriction, and erasure of your Personal Data. Our contact details are provided at the end of this Privacy Statement.

11. Effective Date and Amendments

This document is effective May 25, 2018. This document may be amended from time to time.

12. Contact Details

Inquiries may be made to:

EU Representative

Please note that organizations participating in the EU-U.S. Privacy Shield Framework must respond within 45 days of receiving a complaint.