Privacy Policy

StartFill — 3PL Fulfillment Platform

Operated by Blumental Bayern GmbH

Version 2.0 — June 2026  |  GDPR / DSGVO compliant

1. Data Controller

The entity responsible for data processing on this platform within the meaning of Art. 4 No. 7 GDPR is:

Company: Blumental Bayern GmbH

Trading as: StartFill

Address: Melanchthonplatz 4–6, 90443 Nuremberg, Germany

Managing Director: Dr. Jalal Solati

E-Mail: info@startfill.com

Telephone: +49 911 47711390

Commercial Register: HRB 36602, Registration Court Nuremberg

VAT-ID: DE325297396

For all data protection inquiries please write to: info@startfill.com

2. Scope of This Privacy Policy

This policy covers all personal data processed in connection with the StartFill platform and website, including:

–  Merchant clients who use StartFill to manage their fulfilment operations

–  End customers of those merchants whose shipping data is processed by StartFill as a data processor

–  Prospective clients who submit enquiry forms on the StartFill website (WordPress)

–  Visitors to the StartFill website

–  Employees and operational staff whose platform-activity data is logged in the warehouse management system

Where StartFill processes end-customer personal data on behalf of a merchant, the merchant is the data controller and StartFill is the data processor. A mandatory Data Processing Agreement (Auftragsverarbeitungsvertrag, AVV) under Art. 28 GDPR is signed with every merchant before any order is processed.

3. Categories of Personal Data Processed

3.1 Merchant Client Data (B2B Account Data)

Collected when a business registers as a StartFill client:

–  Company name, legal form, registered address, VAT-ID, commercial register details

–  Contact person: name, job title, business e-mail, telephone number

–  Bank details and IBAN for invoicing and SEPA mandates

–  API credentials and access tokens for connected selling platforms (see §3.4)

–  Contract documents, signed AVV, correspondence

Legal basis: Art. 6(1)(b) GDPR – performance of contract; Art. 6(1)(c) – legal obligations (§257 HGB, §147 AO)

3.2 End-Customer Order & Shipping Data

Processed on behalf of merchant clients to fulfil orders:

–  Recipient name and delivery address (street, city, postcode, country)

–  E-mail address and/or phone number (if provided by the merchant for carrier notifications or returns)

–  Order reference number and item contents

–  Shipment tracking number and delivery status

–  Return reason and inspection result

Legal basis: Art. 6(1)(b) GDPR – processed on behalf of the merchant (data controller) under Art. 28 GDPR. StartFill does not use this data for its own purposes.

3.3 Prospect Data (Website Enquiry Forms)

When a prospective client submits an enquiry via the WordPress contact form on the StartFill website:

–  Company name, contact person name, e-mail address, telephone number

–  Business details submitted voluntarily in the enquiry message

–  IP address and timestamp of form submission

Legal basis: Art. 6(1)(b) GDPR – pre-contractual measures; Art. 6(1)(f) – legitimate interest in responding to business enquiries. Prospect data is deleted after 12 months if no contract is concluded.

3.4 Selling Platform API Credentials

To retrieve orders and update stock levels automatically, StartFill requires read/write API access to each merchant’s selling platforms:

–  Amazon Seller Central – SP-API access token (grants read access to orders, inventory, returns, and seller account metadata)

–  Shopify – private app API key and secret (grants access to orders, products, customers, and webhooks)

–  WooCommerce – consumer key and secret (grants access to orders and product inventory)

–  eBay – OAuth token (grants access to orders and listing data)

–  Kaufland, Otto – platform-specific API tokens

These credentials are stored exclusively in an encrypted password vault (Bitwarden Teams) with hardware-key two-factor authentication. Access is strictly limited to authorised StartFill operators. The credentials are used solely for order processing and stock synchronisation and are deleted immediately upon contract termination.

Legal basis: Art. 6(1)(b) GDPR – essential for contract performance. Merchants may revoke tokens at any time via their platform’s developer settings.

3.5 Warehouse and Inventory Records

Operational data generated during fulfilment:

–  SKU codes, EAN barcodes, product descriptions, bin locations, stock levels

–  Inbound goods receipt, pick, pack, dispatch, and returns records tagged with operator ID

–  Temperature and humidity logs from the climate-controlled storage area (TempStick sensor → EasyLog cloud)

–  Incident records (temperature deviations, carrier issues, damaged goods)

This data is primarily non-personal; where records contain staff operator IDs, the legal basis is Art. 6(1)(b) GDPR – contract of employment.

3.6 Staff and Operator Activity Data

Employees and contracted operators using the JTL-Wawi warehouse management system and the JTL-WMS Mobile app generate activity logs:

–  Operator login ID and session timestamps

–  Pick, pack, and putaway actions attributed to the operator

–  Mobile device identifier (for JTL-WMS Mobile sessions)

Legal basis: Art. 6(1)(b) GDPR – employment contract; Art. 6(1)(f) – legitimate interest in warehouse accuracy and incident investigation. Staff are informed of this logging separately.

3.7 Website and Platform Technical Data

–  IP address (anonymised after session close)

–  Browser type, operating system, device type

–  Pages visited, session duration, referrer URL

–  Server log files retained for 30 days

Legal basis: Art. 6(1)(f) GDPR – legitimate interest in platform security and error diagnosis.

4. Purposes of Processing

–  Operating the StartFill platform and providing 3PL fulfilment services

–  Retrieving orders from merchant selling platforms and processing them through the warehouse

–  Generating shipping labels and transmitting delivery addresses to carriers

–  Updating stock levels and tracking information back to merchant platforms via API

–  Providing merchant clients with real-time dashboards (monday.com guest access)

–  Sending operational alerts via WhatsApp Business (e.g. temperature deviations, order events)

–  Invoicing clients and maintaining accounting records

–  Responding to website enquiries from prospective clients

–  Ensuring warehouse quality, accuracy, and temperature SLA compliance

–  Complying with German commercial law, tax law, and packaging law (Verpackungsgesetz)

5. Data Sharing and Third-Party Recipients

5.1 Shipping Carriers (independent controllers)

End-customer name and delivery address are transmitted to carriers for parcel dispatch. Carriers process this data as independent controllers under their own privacy policies:

–  DHL Paket GmbH – dhl.de/datenschutz

–  DPD Deutschland GmbH – dpd.com/de/datenschutz

–  GLS Germany GmbH & Co. OHG – gls-group.eu/datenschutz

All carriers are accessed via Sendcloud, which acts as a data processor under a DPA with StartFill.

5.2 Software Sub-Processors (Art. 28 GDPR)

The following service providers process personal data on StartFill’s behalf under signed data processing agreements:

–  JTL-Software GmbH (Hagen, DE) – warehouse management system (JTL-Wawi, JTL-WMS Mobile); personal data: client and operator records, end-customer order data

–  Sendcloud B.V. (Eindhoven, NL) – carrier integration, label printing, returns portal; personal data: end-customer delivery addresses

–  Haufe-Lexware GmbH & Co. KG (Freiburg, DE) – invoicing and accounting (lexoffice); personal data: merchant billing data

–  monday.com Ltd. (Tel Aviv, IL) – CRM, operational boards, client dashboards (guest access); personal data: client contact data, order summaries

–  n8n GmbH (Berlin, DE) – workflow automation connecting all platform systems; personal data: all categories in transit between systems

–  Bitwarden Inc. (Santa Barbara, US) – encrypted credential vault; personal data: API token metadata

–  Google LLC (Mountain View, US) – Google Workspace (email, Drive document storage); personal data: client correspondence, onboarding documents

–  Meta Platforms Ireland Ltd. – WhatsApp Business API; personal data: client phone numbers, message metadata

–  Automattic Inc. – WordPress (website and lead-capture forms); personal data: prospect enquiry data, technical log data

–  Thermco Systems Ltd. / Lascar Electronics – TempStick / EasyLog cloud (IoT temperature logging); no personal data, sensor readings only

All sub-processors in third countries (US, IL) are covered by EU Standard Contractual Clauses (SCCs) or operate in jurisdictions with an EU adequacy decision.

5.3 Merchant Client Dashboard Access

Each merchant client is invited as a read-only guest to their dedicated monday.com dashboard, which displays their own order summaries, stock levels, and KPIs. Clients have no access to data belonging to other clients.

5.4 Legal and Tax Authorities

Data may be disclosed to tax authorities, courts, or other public bodies where required by applicable law (Art. 6(1)(c) GDPR).

5.5 No Sale of Data

StartFill does not sell, license, or otherwise commercially exploit personal data to any third party.

6. International Data Transfers

Primary data processing takes place within the European Union. Transfers to sub-processors outside the EU/EEA (monday.com – Israel; Bitwarden, Google, Meta, Automattic – USA) are carried out on the basis of:

–  EU–US Data Privacy Framework (adequacy decision) where applicable

–  EU Standard Contractual Clauses (Module 2: controller to processor) for remaining transfers

Details of the applicable transfer mechanism for each sub-processor are available upon request at info@startfill.com.

7. Data Retention Periods

–  Merchant client account and contract data: duration of the contract plus 10 years (§257 HGB, §147 AO)

–  End-customer order, shipping, and returns data: 10 years for tax/commercial compliance; functional access removed after contract termination

–  API credentials (merchant platform tokens): deleted immediately upon contract termination; all tokens must also be revoked by the merchant in their platform settings

–  Prospect enquiry data: 12 months from the date of enquiry if no contract is concluded

–  Warehouse and inventory records (GoBD): 10 years

–  Staff activity logs in JTL: 3 years, in line with the statute of limitations for employment disputes

–  Temperature sensor logs: 5 years (relevant for regulated goods: cosmetics, supplements, specialty food)

–  Server and access log files: 30 days, then deleted

–  Website analytics: 14 months, then anonymised

8. Your Rights Under the GDPR

You have the following rights regarding your personal data. Requests should be sent to info@startfill.com:

–  Right of access (Art. 15) – confirm whether we hold data about you and receive a copy

–  Right to rectification (Art. 16) – correct inaccurate or incomplete data

–  Right to erasure (Art. 17) – deletion where no legal retention obligation applies

–  Right to restriction of processing (Art. 18)

–  Right to data portability (Art. 20) – receive your data in a structured, machine-readable format

–  Right to object (Art. 21) – particularly against processing based on legitimate interests

–  Right to withdraw consent (Art. 7(3)) – where processing relies on consent; withdrawal does not affect prior lawful processing

We will respond to requests within one month (Art. 12(3) GDPR). Identity verification may be required.

You also have the right to lodge a complaint with the competent supervisory authority:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)

Address: Promenade 18, 91522 Ansbach, Germany

Website: https://www.lda.bayern.de

9. Cookies and Website Tracking

The StartFill website uses cookies in the following categories:

–  Strictly necessary cookies – session management, security, login state. No consent required (Art. 6(1)(f) GDPR).

–  Functional cookies – language and display preferences. Set only on first visit or change of preference.

–  Analytics cookies – aggregate, anonymised usage statistics. Only set with your explicit consent (Art. 6(1)(a) GDPR).

Non-essential cookies are set only after you provide consent via the cookie banner. You may withdraw or adjust consent at any time via the cookie settings link in the website footer.

10. Technical and Organisational Security Measures

–  TLS 1.2+ encryption for all data in transit to and from the platform and APIs

–  AES-256 encrypted password vault (Bitwarden Teams) with hardware YubiKey two-factor authentication for all API credentials

–  Role-based access controls in JTL-Wawi: operators have only the permissions required for their role

–  Nightly automated SQL database backups stored in two geographically separate locations (local encrypted SSD + encrypted cloud)

–  Warehouse PC on a static internal IP behind a firewall; no direct public internet exposure

–  Data breach detection and response procedure; supervisory authority notification within 72 hours per Art. 33 GDPR where applicable

–  Regular review of sub-processor security posture and DPA compliance

11. Merchant Data Processing Agreement (AVV)

Because StartFill processes end-customer personal data on behalf of each merchant, a Data Processing Agreement under Art. 28 GDPR is a mandatory pre-condition for onboarding. No orders will be processed, and no API connections will be activated, until the AVV has been fully executed. The AVV defines:

–  Subject matter, duration, nature and purpose of processing

–  Categories of personal data and data subjects

–  Technical and organisational measures

–  Sub-processor authorisation and notification obligations

–  Audit rights and assistance obligations

–  Data deletion or return upon contract termination

A copy of StartFill’s standard AVV template is available upon request at info@startfill.com.

12. Children’s Data

StartFill’s platform and services are directed exclusively at businesses (B2B). We do not knowingly collect personal data relating to children under the age of 16. If we become aware that such data has been transmitted as part of an end-customer order, it will be processed solely for the purpose of order fulfilment and deleted in accordance with the retention periods in §7.

13. Changes to This Privacy Policy

We may update this policy to reflect changes in our platform, services, or applicable law. The current version with its date is always published on this page. Where changes materially affect your rights or how we process your data, we will notify merchant clients by e-mail.

Last updated: June 2026  |  Blumental Bayern GmbH – StartFill  |  info@startfill.com