Privacy Policy

1. Introduction

Downstream Recovery ("we," "us," "our") is committed to protecting the privacy and security of personal data. This Privacy Policy explains how we collect, use, store, and protect personal data when providing our depot-hold monitoring and intervention service to 3PL fulfilment partners and e-commerce brands (collectively, "Clients").

Downstream Recovery complies with the requirements of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Data Controller vs. Data Processor

Our Role

Downstream Recovery acts as a data processor. We process personal data on behalf of our Clients (the data controllers) strictly in accordance with their instructions and our Data Processing Agreement (DPA).

Client Responsibilities

Our Clients remain the data controllers for all end-customer data. They are responsible for:

• Establishing and maintaining an appropriate lawful basis for processing customer contact data (commonly legitimate interests or contract necessity for delivery communications)
• Ensuring customers are informed about data processing activities via privacy notices
• Maintaining records of processing activities
• Handling data subject access requests (DSARs)

3. Website Enquiries and Recovery Audit Requests

Downstream Recovery also collects limited personal data directly from website visitors who submit enquiries or request a Recovery Audit through the website.

This information may include:

• Name
• Email address
• Company name
• Approximate shipment volume
• Any additional information voluntarily submitted through the enquiry form.

This information is used solely for the purpose of responding to enquiries, scheduling consultation calls, and evaluating whether the Depot-Hold Recovery System may be suitable for the visitor's fulfilment operation.

For this specific processing activity, Downstream Recovery acts as the data controller.

The lawful basis for processing this information is legitimate interest, specifically responding to business enquiries and evaluating potential service deployments.

Enquiry data is retained for up to 12 months, unless a commercial relationship is established.

4. Client Data Responsibility

Clients are responsible for ensuring that they have an appropriate lawful basis to process and share customer contact information with Downstream Recovery.

Downstream Recovery processes personal data strictly on the documented instructions of the data controller and does not independently determine the purposes or means of processing.

5. What Data We Process

We process the following categories of personal data on behalf of our Clients:

Customer Data

• Name: First name and last name (for operational parcel notification personalisation)
• Phone Number: Mobile phone number (for operational parcel notification delivery)
• Order Reference: Order number or tracking ID (for delivery exception context)
• Courier Details: Carrier name, tracking number, depot-hold status

Operational Data

• Depot-hold status and timestamps
• Collection/RTS transition events
• Operational delivery communication status and timestamps
• Aggregated reporting metrics (anonymized)

Data We Do NOT Collect

• Full addresses (beyond what's in courier tracking data)
• Payment information
• Email addresses (unless provided for reporting purposes)
• Sensitive personal data (health, religion, ethnicity, etc.)

6. Legal Basis for Processing

We process personal data on behalf of our Clients under the lawful basis determined by the data controller, which typically includes:

Legitimate Interests (Article 6(1)(f) UK GDPR)

Many clients rely on legitimate interests for depot-hold recovery communications because they:

• Prevent parcel returns and associated costs
• Improve customer service by proactively resolving delivery issues
• Reduce operational waste and environmental impact
• Support delivery of purchased goods

Contract Necessity (Article 6(1)(b) UK GDPR)

Some clients may process under contract necessity, where communications are required to fulfill the delivery of goods purchased by the customer.

These messages are sent as operational delivery communications rather than marketing. In most cases they fall under service or transactional communications under PECR, subject to the retailer's compliance obligations.

7. How We Use Personal Data

Personal data is used exclusively for the following purposes:

1. Operational Parcel Notifications: Sending timed, brand-sent operational parcel notifications to customers about depot-hold delivery exceptions
2. Live Tracking Validation: Checking real-time courier status to ensure parcels are still awaiting collection
3. Operational Reporting: Generating weekly and monthly reports on depot-hold monitoring metrics, intervention activity, and parcel outcome tracking
4. Service Improvement: Analyzing anonymized data to refine intervention timing and depot-hold detection logic

Messages sent through the Depot-Hold Recovery System are operational service communications relating to an existing parcel delivery. These messages are not marketing communications and are sent solely to assist customers in recovering parcels held at courier depots.

We do NOT:

• Use customer data for marketing purposes
• Sell, rent, or share personal data with third parties (except sub-processors as disclosed below)
• Retain data longer than necessary
• Process data outside the scope of our DPA with Clients

8. Data Sharing & Sub-Processors

We may engage trusted infrastructure providers as sub-processors to support the delivery of our service. These providers may include operational notification infrastructure providers, cloud hosting infrastructure providers, and courier tracking data services.

SMS Infrastructure Provider: Twilio

• Purpose: SMS delivery infrastructure used to transmit operational parcel notifications
• Data Shared: Customer phone number, message content, and delivery status
• Safeguards: Processed under contractual data protection obligations
• Location: UK/EU regions where available

Cloud Infrastructure Provider

• Purpose: Data storage, processing, and hosting
• Data Shared: All customer and operational data
• Location: Configured to process data in UK/EU regions wherever available
• Security: Appropriate encryption measures are in place.

Courier Tracking Services

• Purpose: Live validation of parcel status
• Data Shared: Tracking numbers only (read-only access)
• Location: UK-based courier portals

Sub-processors operate using appropriate data protection measures and contractual safeguards.

9. Data Security

We implement industry-standard security measures to protect personal data:

Technical Measures

We implement appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit, and secure infrastructure.

Organizational Measures

• Staff training on UK GDPR compliance and data protection
• Confidentiality agreements with all employees and contractors
• Incident response plan for data breaches
• Periodic review of data protection policies and procedures

Data Breach Notification

In the event of a personal data breach, we will notify affected Clients within 72 hours of becoming aware of the breach, in accordance with Article 33 UK GDPR. Clients are responsible for onward notification to supervisory authorities and data subjects as required.

10. Data Retention

We retain personal data only as long as necessary to fulfill our contractual obligations:

Active Processing

• Depot-Hold Data: Depot-hold monitoring records are retained for the duration necessary to track parcel outcomes and support operational reporting.
  
  Courier tracking records may remain unresolved for extended periods. Monitoring data may therefore be retained for up to 12 months to support recovery analysis, performance measurement, and operational reporting.
  
  Where possible, data used for long-term analytics is aggregated or pseudonymised.
• Operational Notification Records: Retained for 90 days for operational reporting and dispute resolution

Reporting & Analytics

• Aggregated Data: Anonymized metrics retained for 12 months for service improvement
• Operational Reports: Depot-hold monitoring reports and parcel outcome records retained for duration of contract + 6 months

Deletion Upon Request

Clients may request deletion of specific customer data at any time. We will permanently delete the data within 30 days, except where retention is required by law (e.g., accounting, tax, dispute resolution).

11. Data Subject Rights

End customers have the following rights under UK GDPR. As a data processor, we facilitate these rights on behalf of our Clients:

• Right of Access (Article 15): Request a copy of their personal data
• Right to Rectification (Article 16): Request correction of inaccurate data
• Right to Erasure (Article 17): Request deletion of data ("right to be forgotten")
• Right to Restriction (Article 18): Request temporary suspension of processing
• Right to Data Portability (Article 20): Request data in a structured, machine-readable format
• Right to Object (Article 21): Object to processing based on legitimate interests

Customers should direct data subject access requests (DSARs) to the Client (data controller), who will coordinate with us to fulfill the request within the statutory 30-day timeframe.

12. ICO Registration

Downstream Recovery is in the process of completing registration with the UK Information Commissioner's Office (ICO). We comply with UK GDPR and the Data Protection Act 2018.

You can search the ICO register at: https://ico.org.uk/ESDWebPages/Search

13. International Data Transfers

We configure sub-processors to process data within UK/EU regions wherever available. Where international transfers occur, appropriate safeguards such as Standard Contractual Clauses or adequacy decisions are implemented in accordance with UK GDPR.

If future business requirements necessitate international transfers, we will implement appropriate safeguards (e.g., Standard Contractual Clauses, adequacy decisions) and notify Clients in advance.

14. Children's Privacy

Our service is not directed at children under the age of 16. We do not knowingly collect or process personal data from individuals under 16 without parental consent. If we become aware that we have inadvertently collected such data, we will delete it immediately.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal obligations, or service offerings. Material changes will be communicated to Clients via email.

The "Last Updated" date at the top of this policy indicates when it was last revised. Continued use of our service after changes constitutes acceptance of the updated policy.

16. Contact & Complaints

Privacy Contact

For privacy-related enquiries, please contact:

Email: abenezer@downstreamrecovery.co.uk

Supervisory Authority

You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

• Website: https://ico.org.uk/make-a-complaint/
• Phone: 0303 123 1113
• Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF