Trust

Security & Trust

How we protect your data and your customers'. Last updated 07 July 2026.

Overview

Skyfleet is a shipping/courier aggregation platform. Merchants connect their sales channels and stores so we can import orders, book couriers, and track deliveries on their behalf. We treat the data we process — especially buyers' personal information — as a responsibility, and protect it with layered technical and organisational controls. These practices are aligned with the Amazon Selling Partner API Data Protection Policy and India's Digital Personal Data Protection Act, 2023.

Purpose limitation & data minimisation

  • Channel and marketplace data is used only to create, label, dispatch, track and support that specific shipment.
  • We never use it for advertising, marketing, profiling, resale, or any secondary purpose.
  • We request only the data required to ship an order — for Amazon, buyer PII is fetched via a scoped Restricted Data Token limited to the orders we are actively shipping.

Encryption

  • In transit: all traffic to our APIs, to marketplaces, and to courier partners is protected with TLS/HTTPS.
  • At rest: data is stored in an access-controlled database encrypted with AES-256 using a managed key-management system with automatic key rotation.
  • Secrets: OAuth/API tokens and credentials are additionally encrypted at the application layer and stored only in platform secret stores — never in source code or logs.

Access control

  • Every operator has a unique, named account — no shared logins.
  • Multi-factor authentication (MFA) is enforced across our code, hosting, and database platforms.
  • Access to personal data is role-based and granted on a least-privilege, need-to-know basis, reviewed periodically and revoked on role change or exit.
  • Privileged actions are recorded in an audit log.

Data retention & deletion

  • Buyer personal information (name, phone, email, delivery address) is automatically anonymised or deleted a fixed window after the shipment (within 90 days), retaining only non-identifying data required for reporting and legal/tax obligations.
  • Merchants can disconnect a channel at any time, which deactivates the integration.
  • Deletion requests are honoured within statutory timelines.

Sub-processors & sharing

  • A buyer's ship-to name, address and phone are shared only with the courier the merchant selects, solely to deliver that order.
  • Infrastructure sub-processors (cloud hosting and database providers) process data under contract with equivalent safeguards.
  • We do not sell data, and we do not share it for marketing.

Vulnerability & change management

  • Dependencies and code are scanned for vulnerabilities on every change and on a recurring schedule; high/critical findings block release.
  • All changes are peer-reviewed and pass automated checks in a staging environment before reaching production; direct changes to production are restricted.
  • Credentials are never committed to source control; repositories are private with secret scanning enabled.

Incident response

We maintain a documented incident response plan with defined roles and a 6-month review cycle. On a suspected incident we triage, contain (rotating affected credentials and tokens), assess scope, remediate, and recover from encrypted backups. Security incidents involving marketplace data are reported to the relevant marketplace and authorities within required timelines (including Amazon within 24 hours where applicable).

Contact

To report a security concern or request data deletion, contact support@skyfleetnow.com.

See also our Privacy Policy and Terms of Service.