1. Who we are#
Fufills (the "Platform", "we", "us") is a B2B Cash-on-Delivery fulfillment platform operated by Fufills. We provide merchants with warehousing, last-mile delivery, AI-assisted call-center confirmation, COD collection, and merchant settlement across 16+ countries in Latin America and the Middle East / North Africa region.
This policy explains how we handle Personal Data when (a) you visit fufills.com, drop.fufills.com, or any related sub-domain; (b) you register or operate a merchant account on the Platform; (c) we deliver orders on behalf of a merchant whose customer is you; or (d) you interact with us by email, WhatsApp, or phone.
For all merchant-account interactions Fufills is the *data controller*. For end-customer (your buyer) order data, Fufills is the *data processor* and the merchant is the controller — a separate Data Processing Addendum (DPA) governs that relationship.
2. The data we collect#
We collect only what we need to deliver the service, run the business safely, and comply with the law.
Account data
- Identity — first name, last name, business name, country of operation.
- Contact — work email, phone number (with country code).
- Credentials — password (stored as a bcrypt hash; we never see the plain text), optional TOTP 2FA secret (encrypted at rest), recovery codes (hashed).
- Verification artefacts — IP address, user-agent, operating system, coarse-grained geolocation (city / country) at the moment of email verification or password reset.
Business + onboarding data
- Operator profile — years in e-commerce, COD stage (exploring / running ads / launching / scaling), monthly order band, current confirmation rate, current delivery rate, average price band.
- Market intent — selected countries you ship to today, strongest country, target country to grow.
- Track preference — Seller (your own SKUs), Drop (our catalog), Both, or Undecided.
- Pain points + 90-day goals you select on the qualification step.
- Currently-using stack — whether you operate Shopify, WooCommerce, an in-house team, another COD partner, or nothing yet.
- Acquisition channel — how you found us (YouTube, Instagram, referral, paid ad, etc.).
Order + fulfillment data (we process this as a processor on behalf of the merchant)
- End-customer name, phone number, and shipping address — required to confirm and deliver the order.
- Product purchased, quantity, declared value, currency.
- Call-centre confirmation transcripts (AI-assisted) — used to compute confirmation rate, train product quality, and resolve disputes.
- Delivery status events (in transit, attempted, delivered, returned, RTO).
- Settlement amount, currency, payout method, invoice line items.
Technical + security data
- Cookies — first-party session cookie (required for login), Cloudflare bot-mitigation cookies, optional analytics cookies (only set after explicit consent in the cookie banner).
- Cloudflare Turnstile token — to distinguish humans from bots on registration and password-reset endpoints. Cloudflare receives the request URL and a fingerprint of the browser environment. They do not receive your form contents.
- Honeypot + time-to-fill signals on public forms (registration, contact) — discarded after the request is validated.
- Sentry error reports — when a bug crashes a page we capture a stack trace, the URL, anonymised user ID, and the browser. We strip request bodies before sending.
- Audit log — security-relevant actions (login, password change, email change, payout method change, admin actions) with timestamp, actor ID, IP, and user-agent. Retained 7 years for incident response and forensics.
Communications + marketing
- WhatsApp Business messages (covered in detail in §4 below).
- Email — transactional (verification, password reset, invoices, payout notices) and product updates (you can unsubscribe from product updates without losing transactional emails).
- In-app notifications + support tickets.
- UTM parameters and referrer at registration — used to attribute marketing channels.
3. Why we use it (and our legal basis)#
GDPR and LGPD require us to declare a legal basis for every processing purpose. CCPA and the MENA PDPLs require us to declare the business purpose. We do both.
| Purpose | Legal basis (GDPR / LGPD) | CCPA business purpose |
|---|---|---|
| Deliver the COD fulfillment service to you (account, orders, settlements). | Performance of the contract you accept when you register. | Providing the service the consumer requested. |
| Operate the AI-assisted call-centre confirmation on end-customer orders. | Performance of the contract between you and your end-customer; our DPA with you authorises us as processor. | Providing the service. |
| Prevent fraud, abuse, and account takeover (rate limits, honeypots, Turnstile, 2FA, audit log, IP/UA logging). | Legitimate interest in operating a secure platform. | Security and fraud detection. |
| Comply with tax, finance, anti-money-laundering, and consumer-protection regulators in the countries we serve. | Compliance with a legal obligation. | Compliance with legal obligation. |
| Send transactional WhatsApp / email messages tied to your account or your orders. | Performance of the contract. | Providing the service. |
| Send product-update WhatsApp / email after you opt in. | Your consent (opt-in, revocable any time). | N/A — consent-based. |
| Measure ad performance with the Meta Pixel + Conversions API. | Your consent via the cookie banner. | Marketing (only after opt-in). |
| Internal analytics, product research, benchmarking (aggregated and anonymised before analysis). | Legitimate interest in improving the service. | Internal research. |
Where we rely on legitimate interest we have run a Legitimate Interest Assessment (LIA) and conclude the processing is proportionate, expected, and balanced against your rights. You can request a summary of the LIA by emailing privacy@fufills.com.
4. WhatsApp Business messagingMeta / WhatsApp BSP disclosure#
Fufills uses WhatsApp Business Platform (operated by Meta Platforms Ireland Ltd. for EEA / UK residents and Meta Platforms Inc. elsewhere) to communicate with merchants who explicitly opt in. This section is our formal disclosure under the WhatsApp Business Messaging Policy and Meta's Commerce Policy.
When and how you opt in
- During onboarding (Step 5 of 5), a clearly labelled "Message me on WhatsApp" checkbox is presented next to a plain-language description of what messages we will send. The box is unticked by default.
- When you tick the box and submit Step 5, our server stamps `whatsapp_consent = true` and `whatsapp_consent_at = NOW()`. We retain the timestamp + the IP and user-agent that submitted it as evidence of consent.
- Inside the app, you can revoke consent at any time from Profile → Notifications. Revocation is honoured immediately for all message templates.
- You can also opt out by replying STOP, BAJA, ARRÊT, إلغاء, ANNULLA, or СТОП to any of our WhatsApp messages. The opt-out is recorded against your phone number and survives account deletion.
What we send (and what we do not send)
- Account-management messages — welcome, your account-manager introduction, onboarding nudges, password-reset codes.
- Service / transactional messages — order confirmation, delivery status updates on orders we fulfil for you, payout notices, settlement summaries, invoice availability, billing failures.
- Support replies — when you message us first, we reply in the same WhatsApp thread within our customer-service window.
- Product updates — new feature launches, country expansions, Academy content. Only after a separate opt-in inside the app, never bundled with transactional notices.
- We do NOT send promotional content on behalf of third parties, affiliate offers, or marketing for unrelated products. We do not use WhatsApp for cold outbound to people who never opted in.
- We do not message your end-customers on WhatsApp for promotional purposes — call-centre confirmation calls use the telephone network unless your end-customer has separately opted in to a WhatsApp confirmation flow.
Phone number storage + sharing
- We store your WhatsApp number in our database, encrypted at rest. The number is shared with Meta's WhatsApp Business Platform only as the message envelope — Meta needs the recipient address to deliver the message.
- Meta processes the message content per the WhatsApp Business Solution Terms and the WhatsApp Business Messaging Policy. We do not authorise Meta to use your number for advertising audiences. We do not export WhatsApp message data to ad platforms.
- If you opt out (STOP / Profile toggle / revoking via privacy@fufills.com), we stop sending — but Meta retains delivery metadata per their own policies, which we do not control.
Message templates + 24-hour window
- When you have not messaged us in 24 hours, we may only send pre-approved WhatsApp message templates. Each template is reviewed by Meta before activation.
- Inside the 24-hour customer-service window after you message us, we may reply with free-form text within the topic you raised.
- We do not chain a customer-service reply into a marketing outreach inside the same 24-hour window.
5. Meta Pixel + Conversions APICookie + ads disclosure#
On the fufills.com marketing site (not inside the authenticated app), we may load the Meta Pixel and send a parallel server-side event stream via Meta's Conversions API. Both fire ONLY after you accept marketing cookies in the cookie banner.
What is measured
- Page views, button clicks, scroll depth on marketing pages.
- Sign-up completion (`CompleteRegistration`).
- Onboarding step completion (`Subscribe` event, used to measure cost per qualified lead).
- Account upgrades + payouts (`Purchase` event with the gross-revenue value).
How PII is handled
- Email and phone number, where present, are hashed with SHA-256 before being sent to Meta's Conversions API. This is the Meta-recommended setup for the Advanced Matching feature and limits what Meta can learn about you.
- We never send unhashed PII to the Pixel or Conversions API.
- We never send card numbers, bank details, or end-customer (your buyer) data to Meta.
Opting out
- Reject "Marketing" in the cookie banner — the Pixel never loads and CAPI events are suppressed.
- Inside Meta itself, you can manage activity at https://www.facebook.com/off_facebook_activity/.
- Use a Global Privacy Control (GPC) signal — we honour GPC as an opt-out for sale / share under CCPA.
7. Sub-processors and third parties we share with#
We are conservative about who touches your data. The list below is exhaustive for the categories of recipients. An up-to-date sub-processor list is available on request from privacy@fufills.com — material additions are notified 30 days in advance to merchant clients on our DPA.
| Recipient | Purpose | Where they process | Transfer safeguard |
|---|---|---|---|
| DigitalOcean LLC | Application hosting + database | EU (primary), US (failover) | EU SCCs (2021/914) |
| Cloudflare Inc. | CDN, WAF, Turnstile, DDoS protection | Global edge | EU SCCs + UK IDTA |
| Meta Platforms Ireland Ltd. / Inc. | WhatsApp Business + Pixel + CAPI | EEA / US | EU SCCs + Data Privacy Framework |
| Functional Software, Inc. (Sentry) | Error monitoring | US | EU SCCs + DPF |
| Postmark (ActiveCampaign) | Transactional email | US | EU SCCs + DPF |
| Local last-mile carriers (per country) | Order delivery | Country of delivery | Per-carrier DPA |
| Local call-centre operators (per country) | Order confirmation (where AI is supplemented by humans) | Country of operation | Per-operator DPA + NDA |
| Banking + payout partners | Settlement to your bank account | Country of payout | Regulatory (banking secrecy) |
| Professional advisors (auditors, lawyers, accountants) | Statutory audit + dispute defence | Country of professional | Confidentiality agreement + professional privilege |
We do not sell or share Personal Data for cross-context behavioural advertising under CCPA / CPRA. The "Sale" definition in CCPA is broad — even the Meta Pixel can be considered a "sale" or "share". You can disable that via the cookie banner or by sending a Global Privacy Control signal.
8. End-customer (your buyer's) data — Fufills as processor#
When you submit an order through your store or the Platform, we receive your customer's name, phone number, shipping address, and order content. For this data, the *merchant* is the controller under GDPR / LGPD; Fufills acts as a *processor*.
We will only use end-customer data to deliver the service the merchant requested — call-centre confirmation, dispatch, delivery, COD collection, and the resulting settlement. We will not market to end-customers, and we will not use their data to train AI models that are sold outside the Fufills service.
Our merchant terms include a Data Processing Addendum (DPA) that mirrors GDPR Art. 28 and LGPD Art. 39. Merchants serving EEA / UK / Brazil consumers should rely on the DPA for cross-border specifics. A signed DPA is provided on request to privacy@fufills.com.
Sub-processors used for end-customer data (carriers, call-centre operators, payout banks) are listed in §7 above. Material additions are notified 30 days in advance to merchant clients with a right to object.
9. International data transfers#
Fufills serves merchants and end-customers across LATAM, MENA, Europe, and the US. Data inevitably crosses borders. We use the following safeguards:
EEA / UK → outside
- EU Standard Contractual Clauses (2021/914) + UK International Data Transfer Addendum (IDTA) with each sub-processor.
- Transfer Impact Assessment (TIA) for each destination, with supplementary measures (encryption, pseudonymisation) where local law requires.
- For Meta transfers, the EU-US Data Privacy Framework (DPF) plus SCCs as fallback.
Brazil (LGPD) → outside
- We rely on ANPD-approved standard contractual clauses where finalised; pending those we rely on Art. 33 of the LGPD (specific consent or contractual necessity) and contractual safeguards equivalent to GDPR SCCs.
KSA / UAE → outside
- KSA: cross-border transfer per PDPL Art. 29 and the SDAIA Cross-Border Transfer Regulation — we maintain a transfer register and rely on a SDAIA-approved adequacy determination or our DPO's impact assessment.
- UAE: Federal Decree-Law No. 45/2021 — we rely on the recipient country's adequacy decision, the recipient's contractual commitments, or your explicit consent.
10. How long we keep your data#
We keep data only as long as we need it for the purpose we collected it, plus the period statutes of limitation and tax / finance regulators require.
| Data | Retention | Why |
|---|---|---|
| Active account data (profile, settings, API tokens). | For the life of the account. | Service delivery. |
| Closed-account data. | 90 days post-closure, then anonymised or deleted. | Allow account reactivation, audit trail. |
| Order data + invoices (yours and end-customer's). | 7 years from invoice issuance. | Tax + finance regulators across LATAM and MENA. |
| Settlement + payout records. | 10 years. | Anti-money-laundering recordkeeping. |
| Audit logs (login, security events). | 7 years. | Incident response + forensics. |
| WhatsApp consent timestamp + opt-out records. | For the life of the phone number on file, plus 5 years after deletion. | Proof of compliance with WhatsApp Business Policy. |
| Sentry crash reports. | 90 days. | Engineering troubleshooting only. |
| Application logs (web, queue). | 90 days hot, archived 12 months. | Operations + incident response. |
| Marketing email / WhatsApp opt-out lists. | Indefinite. | So we never message you again after you opt out. |
11. Your rights#
You have rights over your Personal Data. The exact list varies by jurisdiction — we honour the most generous list applicable to you.
GDPR / UK GDPR
- Access — request a copy of the Personal Data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — ask us to delete data where the legal grounds apply.
- Restriction — ask us to limit processing while a dispute is resolved.
- Portability — receive data in a machine-readable format and transmit it to another controller.
- Objection — object to processing based on legitimate interest, including profiling for marketing.
- Withdraw consent — at any time, for any processing based on consent (WhatsApp marketing, Pixel).
- Lodge a complaint with your local supervisory authority. For EEA / UK users we list the Irish DPC as our lead authority.
LGPD (Brazil)
- Confirmation of existence + access.
- Correction + anonymisation, blocking, or deletion of unnecessary / excessive / non-compliant data.
- Portability + information about sharing with public or private entities.
- Withdraw consent and request review of automated decisions.
- Lodge a complaint with the ANPD (Autoridade Nacional de Proteção de Dados).
CCPA / CPRA (California)
- Right to Know — categories and specific pieces of Personal Information collected.
- Right to Delete.
- Right to Correct.
- Right to Opt Out of Sale / Sharing for cross-context behavioural advertising — honoured via cookie banner + GPC.
- Right to Limit Use of Sensitive Personal Information — we do not use SPI beyond providing the service requested.
- Right to Non-Discrimination — no degraded service if you exercise a right.
KSA PDPL + UAE PDPL
- Right to be informed, right to access, correction, deletion, restriction, objection, and to withdraw consent.
- For KSA — direct supervisory complaint to SDAIA.
- For UAE — direct supervisory complaint to the UAE Data Office.
How to exercise a right
- Email privacy@fufills.com from the email address on your account. We verify identity (so we don't hand your data to an impersonator) by asking you to confirm your phone or by sending a verification email to the registered address.
- Standard response time: 30 days (15 days under LGPD for the initial response). We may extend by 60 days for complex requests and we will tell you why.
- Requests are free of charge, except for repeated requests where we may charge a reasonable admin fee per local law.
12. Security#
We treat security as a product feature, not a checkbox. The list below is what we do today; the actual security posture is enforced + audited internally.
In transit + at rest
- TLS 1.2+ on every public endpoint. HSTS + preload. Cloudflare in front for DDoS + WAF.
- Database column-level encryption for source-system API tokens — the encryption key lives outside the database.
- Passwords stored as bcrypt (cost factor ≥ 12) — we cannot recover a plain-text password.
- TOTP 2FA secrets encrypted at rest. Recovery codes hashed.
Access control
- Admin accounts require 2FA. Roles + permissions enforced server-side (Spatie/laravel-permission).
- Production database access is limited to named on-call engineers via short-lived credentials.
- All admin actions land in the audit log with actor, timestamp, IP, user-agent, and target.
Abuse prevention
- Cloudflare Turnstile on registration, login, password-reset, and email-edit.
- Account-lockout and rate-limits on every authentication endpoint.
- Honeypot + time-to-fill on public forms.
- CSP (enforcing), SRI, X-Frame-Options DENY, Referrer-Policy strict-origin-when-cross-origin.
- Daily composer + npm audit. Material CVEs are patched within the SLA defined by our security policy.
Incident response
- We notify affected merchant clients within 72 hours of a confirmed personal-data breach impacting them, with the information required by GDPR Art. 33–34 / LGPD Art. 48 / KSA PDPL Art. 20.
- We notify the relevant supervisory authority where the threshold is met.
- Post-incident, we publish a root-cause analysis to affected clients.
13. AI + automated decisions#
Fufills uses AI in two ways that touch Personal Data: (a) the AI-assisted call-centre confirmation of end-customer orders, and (b) the conversational AI agent that messages newly-onboarded merchants on WhatsApp.
Neither flow makes legally significant decisions without a human being in the loop. The AI suggests the optimal confirmation script and the optimal outreach moment; the merchant's assigned Account Manager (human) makes final commercial decisions about your account.
You can request human review of any automated decision that affects you under GDPR Art. 22 / LGPD Art. 20. Email privacy@fufills.com.
We do not use end-customer Personal Data to train AI models that are sold outside the Fufills service. Aggregated, anonymised metrics may be used for internal model improvement.
14. Children#
Fufills is a B2B platform built for merchants and operators aged 18 or older. We do not knowingly collect Personal Data from children under 18.
If you believe a child has registered or that we are processing a child's data, write to privacy@fufills.com and we will delete the account.
15. Changes to this policy#
When we change this policy in a way that materially affects your rights or our practices, we will notify you by email + in-app banner at least 30 days before the change takes effect.
Non-material changes (typo fixes, clarifications, sub-processor list updates within the same category) take effect on publication. The "Last updated" date at the top of this page reflects the most recent revision.
A history of material revisions is available on request from privacy@fufills.com.
16. Contact#
Data Protection Officer + Privacy contact: privacy@fufills.com
General support: hello@fufills.com
WhatsApp (support): +44 7418 310214
For EEA / UK users, our lead supervisory authority is the Irish Data Protection Commission. You can also complain to your local authority.
For LGPD users, you can complain to the ANPD at https://www.gov.br/anpd/.
For California residents, designated agent for privacy requests: privacy@fufills.com.
