Privacy Policy

1. Information We Collect

1a. Information You Provide Directly

When you interact with us, you may voluntarily provide personal information, including:

• Contact Form: Name, email address, subject, and message content submitted through our website's contact form.
• Product Inquiry Form: Name, email address, company name, requested quantity, preferred delivery date, and any notes you provide, along with product, brand, or UPC context relevant to your inquiry.
• Direct Email: Any information you include when emailing us directly at universususa@gmail.com.

1b. Information Collected Automatically

When you visit our website, certain information may be collected automatically:

• Server Logs: Our hosting provider (Vercel) collects standard server logs, including your IP address, browser type and version, referring pages, pages visited, and timestamps.
• Cookies: Our website does not currently use cookies for tracking or advertising purposes. If we implement analytics tools in the future, we will update this policy and provide appropriate notice.

1c. Information from Third-Party Platforms

In the course of fulfilling orders placed through third-party marketplace platforms, we may receive and process the following information:

• Marketplace Order Data: Buyer name, shipping address, order details, and transaction information provided by Amazon Seller Central, Walmart Marketplace, or other marketplace platforms for the purpose of order fulfillment.
• Shipping and Tracking Data: Shipment tracking numbers, delivery status, and related logistics data received from USPS and UPS APIs in connection with our fulfillment operations.

2. How We Use Your Information

We use the personal information we collect for the following purposes:

• To respond to inquiries submitted through our contact form or via email.
• To fulfill orders placed through marketplace platforms, including processing, packaging, and shipping.
• To generate shipping labels and process shipments through USPS and UPS.
• To comply with tax reporting and other legal obligations.
• To detect and prevent fraud, unauthorized access, and other security threats.
• To improve our operations, website functionality, and customer experience.
• To maintain records as required by applicable law and our marketplace agreements.

We do not use marketplace order data for marketing, advertising, or any purpose unrelated to order fulfillment, customer service, tax compliance, or legal obligations.

3. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Our specific retention periods are as follows:

When personal information is no longer needed for its original purpose and is not subject to a legal retention requirement, we securely delete or anonymize it.

4. Data Security

We implement appropriate technical and organizational measures to protect personal information against unauthorized access, alteration, disclosure, or destruction. Our security practices include:

• Encryption at Rest: All personally identifiable information (PII) is encrypted at rest using AES-128 or stronger encryption standards.
• Encryption in Transit: All data transmitted between our systems and external services is protected using TLS 1.2 or higher.
• Key Exchange: We use RSA with a key size of 2048 bits or greater for secure key exchange.
• Access Controls: Access to personal information is restricted on a role-based, need-to-know basis. Only authorized personnel with a legitimate business need may access PII.
• API Security: Integrations with third-party APIs (including Amazon SP-API, Walmart Marketplace API, USPS Web Tools, and UPS APIs) use OAuth 2.0 authentication and secure credential storage. API credentials are never stored in source code or exposed in client-side applications.
• Credential Management: All API keys, tokens, and credentials are stored securely using environment variables or encrypted secrets management solutions.
• Security Reviews: We conduct regular reviews of our security practices and access controls to identify and address potential vulnerabilities.

While we take reasonable measures to protect your information, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security but are committed to industry-standard protections.

5. Data Sharing and Third-Party Service Providers

We do not sell, rent, or trade your personal information to third parties. We may share personal information only in the following circumstances:

• Vercel: Our website hosting provider, which processes standard server logs for operational and security purposes.
• Formspree: Our contact form service provider, which processes form submissions on our behalf.
• Amazon (Seller Central / SP-API): We receive and process order data from Amazon to fulfill purchases. We handle this data in accordance with Amazon's Data Protection Policy (DPP).
• Walmart (Marketplace API): We receive and process order data from Walmart Marketplace to fulfill purchases. We handle this data in accordance with Walmart's developer agreement and data use policies.
• USPS (Web Tools API): We share shipping information (recipient name and address) with USPS solely for the purpose of generating shipping labels and tracking shipments. We do not use USPS data for datamining, address list creation, or any purpose beyond mail processing and delivery.
• UPS (APIs): We share shipping information with UPS solely for the purpose of generating shipping labels, calculating rates, and tracking shipments. We do not disclose personal information received from UPS to any third party without prior authorization from UPS, except as required to perform shipping services.

All third-party service providers are contractually obligated to protect personal information and use it only for the specific purposes for which it was shared. We do not share personal information with third parties for their own marketing or advertising purposes.

6. Data Subject Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Right to Access: You may request a copy of the personal information we hold about you.
• Right to Correction: You may request that we correct inaccurate or incomplete personal information.
• Right to Deletion: You may request that we delete your personal information, subject to legal retention requirements.
• Right to Know: You may request information about the categories of personal information we collect, the purposes for which we use it, and the categories of third parties with whom we share it.
• Right to Opt-Out: You may opt out of the sale or sharing of your personal information (note: we do not sell personal information).

To exercise any of these rights, please contact us at universususa@gmail.com with the subject line "Privacy Request." We will verify your identity before processing any request and will respond within 30 days. We will not discriminate against you for exercising your privacy rights.

7. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with additional rights regarding your personal information:

• Right to Know: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, the business purpose for collecting it, and the categories of third parties with whom we share it.
• Right to Delete: You have the right to request the deletion of your personal information, subject to certain exceptions.
• Right to Correct: You have the right to request the correction of inaccurate personal information.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
• Sale of Personal Information: We do not sell personal information as defined under the CCPA/CPRA.

To submit a CCPA/CPRA request, please email universususa@gmail.com with the subject line "CCPA Request." We will verify your identity and respond within 45 days of receiving your request.

8. Children's Privacy (COPPA)

Our website and services are not directed at children under the age of 13. We do not knowingly collect, use, or disclose personal information from children under 13 in accordance with the Children's Online Privacy Protection Act (COPPA). If we become aware that we have inadvertently collected personal information from a child under 13, we will take prompt steps to delete such information. If you believe a child has provided us with personal information, please contact us immediately at universususa@gmail.com.

9. CAN-SPAM Compliance

We comply with the CAN-SPAM Act. We do not send unsolicited commercial email. If we implement email marketing or transactional email communications in the future, all such communications will:

• Clearly identify Universus LLC as the sender.
• Include our physical business address.
• Provide a clear and conspicuous mechanism to unsubscribe.
• Honor unsubscribe requests within 10 business days.
• Not use deceptive subject lines or misleading header information.

10. Breach Notification

We maintain a documented data breach response plan. In the event of a security breach involving personal information, we will take the following actions:

• USPS: We will notify USPS at cybersafe@usps.gov within 72 hours of discovering a breach that involves USPS-provided data or credentials.
• UPS: We will immediately notify UPS of any security breach involving UPS data or API credentials, in accordance with UPS technology agreement requirements.
• Marketplace Platforms: We will notify Amazon and/or Walmart in accordance with their respective data protection policies and developer agreements.
• Affected Individuals: We will notify affected individuals in accordance with Arizona law (A.R.S. § 18-552), which requires notification without unreasonable delay.

Breach notifications will include, to the extent known: a description of the incident, the types of information involved, steps we are taking to address the breach, and recommendations for affected individuals to protect themselves.

11. API and Technical Data Practices

In connection with our e-commerce operations, we integrate with various third-party APIs. Our technical data practices include:

• Read-Only Endpoints: Certain API integrations (such as product, UPC, or brand lookup) are read-only and do not collect or transmit personally identifiable information.
• Credential Security: All API credentials, access tokens, and secret keys are stored securely and are never embedded in client-side code, public repositories, or unencrypted files.
• USPS Data Use Restrictions: We do not use USPS data or APIs for datamining, creation of address lists for sale, or any purpose beyond processing and delivering mail and packages.
• Minimal Data Collection: We collect and transmit only the minimum data necessary to fulfill orders, generate shipping labels, and provide customer service.

12. Cross-Border Data Transfers

Universus LLC is based in the United States, and our data processing operations are conducted within the United States. We do not routinely transfer personal information outside of the United States. In the event that cross-border data transfers become necessary, we will implement appropriate safeguards, including contractual protections, to ensure that personal information receives an adequate level of protection consistent with applicable law.

13. Audit and Accountability

We maintain records of our data processing activities and security practices. We are committed to accountability and transparency in our data handling. Upon reasonable request from our marketplace or logistics partners, we will cooperate with audits and provide documentation of our data protection practices within 30 days of receiving such a request.

14. Do Not Track Signals

Our website does not currently use cookies or tracking technologies that would respond to "Do Not Track" (DNT) browser signals. As we do not track users across third-party websites, we do not currently respond to DNT signals. If our tracking practices change in the future, we will update this policy accordingly.

15. Third-Party Links

Our website may contain links to third-party websites, including marketplace platforms where our products are sold. We are not responsible for the privacy practices or content of these third-party sites. We encourage you to review the privacy policies of any third-party websites you visit.

16. Marketplace Data Processing

When we process data received from marketplace platforms (including Amazon and Walmart), we adhere to the following principles:

• Permitted Uses: We use marketplace data solely for order fulfillment, customer service (e.g., handling returns or delivery issues), tax compliance, and legal obligations.
• No Marketing Use: We do not use marketplace order data for marketing, advertising, or promotional purposes.
• Platform Compliance: We adhere to Amazon's Data Protection Policy (DPP) and Walmart's developer agreement regarding the handling, storage, and deletion of marketplace data.
• Data Minimization: We only request and retain the minimum marketplace data necessary to fulfill our operational obligations.

17. Governing Law

This Privacy Policy and any disputes related to it shall be governed by and construed in accordance with the laws of the State of Arizona, without regard to its conflict-of-law principles. Any legal proceedings arising from this policy shall be brought in the state or federal courts located in Maricopa County, Arizona.

18. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or marketplace partner policies. Any changes will be posted on this page with an updated "Last updated" date. Your continued use of our website or services after any changes to this policy constitutes your acceptance of the updated terms.

19. Contact Information

If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or need to report a data concern, please contact us:

For privacy-related inquiries, please use the subject line "Privacy Request" in your email. We will acknowledge receipt of your request within 5 business days and provide a substantive response within 30 days.