Privacy Policy
Last updated: April 2, 2026
1. Scope and Applicability
This Privacy Policy applies to the Mailroom application ("the Service"), operated by Oliver Lucky Industries Corporation ("OliCorp," "we," "us," or "our"), and the website at mailroom.software. It describes how we collect, use, share, and protect information when you use the Service or visit our website.
This policy does not apply to third-party services that integrate with Mailroom, including Slack, UPS, and FedEx, each of which maintains its own privacy policy. We encourage you to review those policies separately.
2. Data Controller and Processor
When your organization installs Mailroom into a Slack workspace, the organization (the "Customer") acts as the data controller for shipping data created by its team members — including recipient addresses, shipment records, and carrier account information. Mailroom acts as a data processor, handling this data on the Customer's behalf and in accordance with the Customer's instructions.
To exercise data rights regarding shipment records created within your organization, contact your workspace administrator. For questions about how Mailroom processes data, contact us directly at hello@mailroom.software.
3. Information We Collect
Information You Provide
- Account information: When you install Mailroom via Slack, we receive your Slack workspace ID, user ID, display name, and email address through Slack's OAuth flow.
- Shipping information: Recipient names, addresses, phone numbers, package details (weight, dimensions, declared value), and shipping preferences you enter when creating shipments.
- Carrier account credentials: If you connect your own UPS or FedEx account, we store your account numbers in encrypted form (AES-256-GCM).
- Contact information: Recipient address book entries, including names, addresses, phone numbers, and delivery preferences.
- Early access signups: If you sign up for early access on our website, we collect your email address.
Information Collected Automatically
- Usage data: We collect analytics on how you interact with the Service, including commands used, shipment volume, and feature usage. We use PostHog for this purpose.
- Website analytics: When you visit mailroom.software, we collect page views, referral sources, and general interaction data via PostHog.
- Log data: Server logs may include IP addresses, timestamps, and request details for debugging and security purposes.
Slack Permission Scopes
Mailroom requests the following Slack permission scopes during installation. Each scope is used only for the purposes described:
- commands: To register and respond to slash commands (/ship, /track, /contacts, /mailroom, /report).
- chat:write: To send shipping confirmations, tracking updates, and notifications via Slack messages.
- im:write: To send label PDFs and tracking updates to users via direct message.
- files:write: To upload shipping label PDF files to Slack.
- users:read / users:read.email: To identify team members by name and email for shipping workflows.
- team:read: To read workspace information for organization setup.
4. Legal Basis for Processing
We process personal information under the following legal bases, as applicable under the General Data Protection Regulation (GDPR) and similar laws:
- Contractual necessity: Processing shipping data is necessary to provide the Service — creating shipments, generating labels, and delivering tracking updates.
- Legitimate interests: We process usage analytics to improve the Service, maintain security, and prevent abuse. These interests do not override your fundamental rights and freedoms.
- Consent: We process your email address for early access communications based on your consent, which you may withdraw at any time by contacting us.
- Legal obligation: We may process data where required to comply with applicable laws or regulations.
5. How We Use Your Information
- To provide and operate the Service — creating shipments, generating labels, tracking packages, and delivering notifications via Slack.
- To validate addresses and obtain shipping rates from carriers (UPS, FedEx) on your behalf.
- To save your contacts and addresses for faster future shipments.
- To send you tracking updates and delivery notifications.
- To improve the Service through aggregated, anonymized usage analytics.
- To communicate with you about the Service, including early access updates if you signed up.
- To enforce our terms and protect against fraud, abuse, or security incidents.
6. How We Share Your Information
We do not sell your personal information. We share information only in the following circumstances:
- Shipping carriers: We transmit recipient addresses, package details, and your carrier account information to UPS and FedEx to process shipments. These carriers act as independent controllers of the data they receive.
- Slack: The Service operates within Slack and exchanges data through Slack's APIs. Slack's use of your data is governed by Slack's Privacy Policy.
- Infrastructure providers: We use Amazon Web Services (AWS) to host the Service and store data. AWS acts as a sub-processor under our instructions.
- Analytics: We use PostHog for product analytics. PostHog processes usage data on our behalf as a sub-processor.
- Legal requirements: We may disclose information if required by law, regulation, legal process, or governmental request.
- Business transfers: In connection with any merger, acquisition, sale of assets, or bankruptcy, your information may be transferred to the acquiring entity. We will notify affected users of any such transfer and any choices you may have.
Sub-Processors
The following third-party sub-processors handle data on our behalf:
- Amazon Web Services (AWS) — Infrastructure, database, file storage (US regions)
- PostHog — Product analytics
- Supabase — Website email signup storage
- Vercel — Website hosting
7. Data Retention
We retain different categories of data for different periods:
- Shipment records: Retained for the lifetime of your organization's account, or until deletion is requested.
- Shipping label PDFs: Retained for 90 days, after which they are automatically deleted from storage.
- Address book contacts: Retained until manually deleted by the user or until the organization's account is removed.
- Carrier account credentials: Retained in encrypted form until the organization removes them or uninstalls Mailroom.
- Usage analytics: Retained in aggregated form for up to 24 months.
- Server logs: Retained for up to 90 days.
- Early access signups: Retained until the Service launches or you request removal.
8. Workspace Uninstall
When Mailroom is uninstalled from a Slack workspace, we will:
- Revoke all Slack API tokens associated with the workspace.
- Retain shipment records and address data for 30 days to allow for reinstallation, after which they are permanently deleted.
- Immediately delete any stored carrier account credentials.
- Remove the organization and user records from our active database after the 30-day retention period.
Workspace administrators may request immediate deletion of all data by contacting us at hello@mailroom.software.
9. Data Storage and Security
- All data is stored on AWS infrastructure in the United States.
- Carrier account credentials are encrypted at rest using AES-256-GCM.
- All data in transit is encrypted via TLS 1.2 or higher.
- Database access is restricted to private subnets with no direct public internet exposure.
- Application infrastructure runs in a Virtual Private Cloud (VPC) with multi-availability-zone deployment.
While we implement commercially reasonable security measures, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of your information.
10. International Data Transfers
The Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States.
For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the legal mechanism for data transfers. By using the Service, you acknowledge that your data will be processed in the United States.
11. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request that we correct inaccurate or incomplete information.
- Deletion: Request that we delete your personal information. We will comply within 30 days, except where retention is required by law.
- Data portability: Request an export of your shipment history in a machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Restriction: Request that we limit processing of your data in certain circumstances.
- Withdraw consent: Where processing is based on consent, you may withdraw it at any time.
- Complaint: You have the right to lodge a complaint with a data protection authority in your jurisdiction.
To exercise any of these rights, contact us at hello@mailroom.software. We will respond within 30 days.
12. California Privacy Rights
If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information.
Categories of personal information we collect:
- Identifiers (name, email, Slack user ID, IP address)
- Commercial information (shipping records, carrier account numbers)
- Internet or electronic network activity (usage analytics, log data)
- Geolocation data (shipping addresses)
We do not sell (as defined by the CCPA) personal information we collect, nor do we share personal information for cross-context behavioral advertising purposes.
As a California resident, you have the right to:
- Know what personal information we collect about you and how it is used.
- Request deletion of your personal information.
- Opt out of the sale or sharing of personal information (not applicable, as we do not sell or share).
- Not be discriminated against for exercising your privacy rights.
To exercise these rights, contact us at hello@mailroom.software.
13. Cookies and Tracking
The mailroom.software website uses PostHog for analytics, which may set cookies to track sessions and identify returning visitors. The Slack application itself does not use cookies.
You can disable cookies in your browser settings or use browser extensions to block tracking. Disabling cookies will not affect the functionality of the Slack-based Service.
14. Third-Party Links
The Service may contain links to third-party websites, including carrier tracking pages and Slack's website. We are not responsible for the privacy practices of these external sites and encourage you to review their privacy policies.
15. Children's Privacy
The Service is not directed at individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have collected information from a child under 16, we will delete it promptly.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. For significant changes, we may also notify workspace administrators via Slack or email.
17. Contact Us
If you have questions about this Privacy Policy or your data, or wish to exercise your rights, contact us at:
Oliver Lucky Industries Corporation
Ardsley, NY
hello@mailroom.software
For privacy-specific inquiries, you may also reach our privacy team at privacy@mailroom.software.