Privacy Policy
Effective May 7, 2026
1. Who we are
Courrex is a delivery management platform operated by Courrex and licensed to companies that employ drivers (“Operators”). Your employer is the data controller for personal data processed about you under GDPR; Courrex acts as a data processor on the Operator's behalf. This policy describes the processing Courrex performs and how we keep your data secure.
Contact the Courrex privacy team at privacy@courrex.com. For questions about how your specific employer uses Courrex, contact your employer's data protection officer first.
2. What we collect
We only collect data needed to operate the delivery platform:
- Location data (drivers only): precise GPS coordinates, heading, and speed while a delivery route is active. Sampled approximately every three seconds.
- Account data: your email (administrators) or a 6-digit driver code (drivers), plus a display name.
- Operational data: the delivery stops assigned to you, their status (pending, completed, failed), timestamps, and optional delivery confirmation photos.
- Chat content: text messages, voice messages (audio), and photos exchanged between drivers and operators.
- Device data: app version, operating system, and coarse battery status used to warn drivers about GPS throttling.
- Push notification tokens: the identifier your device provides (APNs token on iOS, FCM token on Android) so we can deliver notifications.
We do not collect: contacts, browsing history, advertising identifiers, health data, financial account details, precise off-route location when no delivery is active, or data from third-party services outside Courrex.
3. Lawful basis for processing (GDPR Art. 6)
Under the EU General Data Protection Regulation, we rely on the following lawful bases:
- Performance of a contract (Art. 6(1)(b)) for account data, location data during active routes, operational data, and chat content. Without these we cannot provide the delivery management service your employer has subscribed to.
- Legitimate interest (Art. 6(1)(f)) for operational logging, fraud prevention, and abuse detection. Our interest is keeping the service secure and reliable; we balance this against your privacy rights and only retain logs for the minimum necessary period.
- Consent (Art. 6(1)(a)) for push notifications, voluntary delivery confirmation photos, and voice messages — all of which require your explicit opt-in via the operating system permission prompts and the in-app voice-record button.
4. How we use the data
- Show drivers their assigned stops and guide them to each address.
- Share the driver's live position with the Operator while a route is active.
- Deliver chat messages between drivers and operators, translating across languages on request.
- Send push notifications about new stops, route changes, and incoming messages.
- Produce operational reports for the Operator (completion rates, average delivery time).
- Detect abuse and protect the service against unauthorized access.
Courrex does not sell your data, does not use it for advertising, and does not use it to train machine-learning models.
5. Where data is stored
All operational data is stored with Supabase (PostgreSQL + object storage) in the European Union (Frankfurt region). Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). No personal data is transferred outside the EU/EEA without appropriate safeguards (Standard Contractual Clauses).
6. Cookies and local storage
Courrex uses only strictly necessary browser storage to operate the service:
- Authentication token (localStorage, sb-*-auth-token) — keeps you logged in. Required by GDPR's “strictly necessary” exemption from consent under ePrivacy Directive Art. 5(3).
- Session lock (localStorage, deliv_pin_*) — stores your encrypted PIN preference for re-locking the app after inactivity.
- Application state cache (localStorage, cache:*) — speeds up first paint by reusing the previous session's data offline; expires within minutes.
- Onboarding flags + UI preferences (localStorage) — remembers which welcome screens you've seen and your language choice.
We do not use any analytics cookies, advertising cookies, social-media cookies, or third-party tracking. Because all storage is strictly necessary, no cookie consent banner is legally required.
7. Third-party processors
We rely on these providers to deliver the service:
- Supabase (EU) — authentication, database, realtime, and file storage. Acts as our sub-processor under a Data Processing Agreement.
- Mapbox — map tiles, geocoding, and turn-by-turn directions. Queried with anonymous coordinates only.
- Google Maps Platform — alternative route engine the driver can optionally choose. Queried with anonymous coordinates only.
- Google Translate — chat auto-translation when requested. Only the message text is sent, no identifiers.
- Apple Push Notification service (APNs) + Firebase Cloud Messaging (FCM) — delivery of push notifications to your iOS and Android devices.
- Vercel — hosts the web version of the Operator dashboard.
8. How long we keep data
- Live location: retained for 30 days after a delivery route ends, then permanently deleted.
- Completed deliveries and chat: retained for 12 months, then anonymized or deleted at the Operator's request.
- Account data: retained for as long as the account is active. Deleted within 30 days of account deletion.
- System logs: retained for 90 days for security monitoring, then deleted.
9. Your rights (GDPR Art. 15-22)
As a resident of the European Union or European Economic Area you have the right to:
- access the personal data we hold about you (Art. 15);
- correct data that is inaccurate or incomplete (Art. 16);
- delete your data — the “right to be forgotten” (Art. 17);
- restrict or object to processing (Art. 18 + 21);
- receive your data in a portable format (Art. 20);
- withdraw consent at any time, where processing is based on consent;
- lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) at aki.ee, or with the supervisory authority in your country of residence.
To exercise any of these rights, email privacy@courrex.com. We respond within 30 days, free of charge for reasonable requests.
For account deletion specifically, the fastest path is the self-serve flow described at courrex.com/account-deletion.
10. Security
We use industry-standard security practices including TLS 1.2+ for all network traffic, AES-256 encryption at rest for data stored in Supabase, role-based access control (only authorized personnel can access production data), and continuous security monitoring. We perform regular vulnerability scans and follow a documented incident response procedure for any data breach.
In the unlikely event of a personal-data breach affecting your rights and freedoms, we will notify the Estonian Data Protection Inspectorate within 72 hours and inform affected users without undue delay, as required by GDPR Art. 33-34.
11. Children
Courrex is a workplace tool and is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe we have, contact us and we will delete it.
12. Changes to this policy
Material changes will be communicated through the app and by updating the effective date above. Continued use of Courrex after a change constitutes acceptance of the revised policy.
13. Contact
Privacy questions: privacy@courrex.com
General support: support@courrex.com
For our complete legal entity, registration, and contact information, see Selskabsoplysninger.