Privacy Policy

    Your privacy is important to us

    Effective Date: January 1, 2025
    Last Updated: January 1, 2025

    1. Introduction

    Bocsit ("Company," "we," "us," or "our") is a Boston-based courier and logistics service provider operating primarily in the Commonwealth of Massachusetts and throughout the New England region. This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information when you visit our website, use our mobile applications, or engage our courier delivery services.

    This Privacy Policy applies to all users of our services, including customers, independent contractor drivers, job applicants, website visitors, and any other individuals whose personal information we process. By using our services, you acknowledge that you have read and understood this Privacy Policy.

    This policy is designed to comply with applicable federal laws including the Federal Trade Commission Act (FTC Act), the Health Insurance Portability and Accountability Act (HIPAA), the Children's Online Privacy Protection Act (COPPA), the CAN-SPAM Act, and the Telephone Consumer Protection Act (TCPA), as well as applicable state privacy laws including but not limited to the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and Massachusetts data breach notification and security regulations (MGL Chapter 93H and 201 CMR 17.00).

    2. Definitions

    For the purposes of this Privacy Policy:

    • "Personal Information" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.
    • "Sensitive Personal Information" means personal information that reveals Social Security numbers, driver's license or state identification numbers, financial account information, precise geolocation data, racial or ethnic origin, religious beliefs, health information, or biometric data.
    • "Processing" means any operation or set of operations performed on personal information, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, or erasure.
    • "Service Provider" means a third party that processes personal information on behalf of Bocsit pursuant to a written contract.
    • "Consumer" means a natural person who is a resident of any U.S. state and whose personal information is processed by Bocsit.
    • "De-identified Data" means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual.
    • "Protected Health Information (PHI)" means individually identifiable health information transmitted or maintained in any form or medium, as defined under HIPAA.

    3. Information We Collect

    3.1 Information You Provide Directly

    • Account Information: Name, email address, phone number, mailing address, and account credentials when you create an account or request services.
    • Order Information: Pickup and delivery addresses, package descriptions, special handling instructions, preferred delivery times, and recipient information.
    • Payment Information: Credit card numbers, billing addresses, and payment preferences. Payment data is processed securely through our PCI-DSS compliant payment processor (Stripe) and is never stored on our servers.
    • Communications: Messages, feedback, support requests, and chat communications sent through our platform.
    • Driver Application Information: Employment history, driver's license details, vehicle information, insurance documentation, professional certifications (HIPAA, OSHA, DOT Physical, CDL), background check consent, and references.
    • Business Account Information: Company name, tax identification number, business address, authorized contacts, and billing preferences.

    3.2 Information Collected Automatically

    • Device Information: IP address, browser type and version, operating system, device identifiers, screen resolution, and language preferences.
    • Usage Data: Pages visited, time spent on pages, links clicked, referring URLs, and interaction patterns with our website and applications.
    • Location Data: GPS coordinates from drivers during active deliveries for real-time tracking and delivery verification. Approximate location data from IP addresses for all users.
    • Log Data: Server logs including access times, error reports, and system activity records.
    • Cookies and Similar Technologies: Information collected through cookies, web beacons, pixels, and similar technologies as described in Section 8.

    3.3 Information from Third Parties

    • Payment Processors: Transaction confirmations and fraud screening results from Stripe.
    • Mapping Services: Address validation, geocoding, and routing data from Google Maps.
    • Background Check Providers: Employment verification and driving record information for driver applicants (with consent).
    • Healthcare Clients: Limited shipment information necessary to perform medical courier services under Business Associate Agreements.

    3.4 Categories of Sensitive Personal Information

    We may collect the following categories of sensitive personal information:

    • Driver's license numbers and state identification numbers (driver applicants)
    • Precise geolocation data (drivers during active deliveries only)
    • Financial account information (processed through secure third-party providers)
    • Protected Health Information (in connection with medical courier services, under HIPAA)

    4. How We Collect Information

    We collect personal information through the following methods:

    • Direct interactions: When you create an account, place an order, submit a quote request, contact customer service, apply for employment, or communicate with us.
    • Automated technologies: When you browse our website or use our applications, through cookies, server logs, and similar technologies.
    • GPS and location services: When drivers enable location sharing during active deliveries through our driver portal.
    • Third-party sources: From payment processors, mapping services, background check providers, and business partners.
    • Public sources: From publicly available databases and government records as permitted by law.

    5. How We Use Your Information

    We use your personal information for the following purposes:

    5.1 Service Delivery

    • Processing and fulfilling courier delivery orders
    • Providing real-time shipment tracking and delivery notifications
    • Coordinating driver assignments and route optimization
    • Generating waybills, invoices, and proof of delivery documentation
    • Facilitating communication between senders, recipients, and drivers

    5.2 Account Management

    • Creating and maintaining user accounts
    • Authenticating user identity and preventing unauthorized access
    • Processing payments and managing billing
    • Maintaining order history and address books

    5.3 Safety and Compliance

    • Detecting and preventing fraud, abuse, and security incidents
    • Verifying driver qualifications, certifications, and compliance
    • Monitoring driver safety including GPS tracking during active deliveries
    • Complying with legal obligations, including tax reporting and regulatory requirements
    • Responding to legal process and law enforcement requests

    5.4 Communications

    • Sending order confirmations, status updates, and delivery notifications
    • Responding to customer service inquiries and support requests
    • Sending administrative notices about account changes, policy updates, or security alerts
    • With your consent, sending promotional communications about our services

    5.5 Improvement and Analytics

    • Analyzing usage patterns to improve our website and services
    • Conducting internal research and development
    • Generating aggregated, de-identified statistics about service performance
    • Testing new features and functionality

    7. Information Sharing & Disclosure

    We do not sell your personal information. We may share your information with the following categories of recipients:

    7.1 Service Providers

    We share information with trusted third-party service providers who assist us in operating our business, subject to contractual obligations to protect your data:

    • Stripe: Payment processing and fraud prevention
    • Google Maps Platform: Address validation, geocoding, routing, and distance calculations
    • Cloud Hosting Providers: Secure data storage and application hosting
    • Email Service Providers: Transactional email delivery and notifications
    • Analytics Providers: Website analytics (Google Analytics) using anonymized or aggregated data

    7.2 Delivery-Related Sharing

    • Sharing sender and recipient information with assigned drivers to facilitate deliveries
    • Sharing driver location and status information with customers for real-time tracking
    • Sharing delivery confirmation and proof of delivery with senders

    7.3 Legal and Safety Disclosures

    We may disclose personal information when we believe in good faith that disclosure is necessary to:

    • Comply with applicable law, regulation, legal process, or governmental request
    • Enforce our Terms of Service and other agreements
    • Protect the rights, property, or safety of Bocsit, our users, or the public
    • Detect, prevent, or address fraud, security, or technical issues

    7.4 Business Transfers

    In the event of a merger, acquisition, reorganization, bankruptcy, or other sale of all or a portion of our assets, personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership, uses of your personal information, and choices you may have regarding your personal information.

    7.5 With Your Consent

    We may share your information with third parties when you have given us explicit consent to do so.

    8. Cookies & Tracking Technologies

    8.1 Types of Cookies We Use

    Cookie Type | Purpose | Duration
    Strictly Necessary | Session management, authentication, security (CSRF protection). Required for the website to function. | Session / 24 hours
    Functional | Remembering user preferences, language settings, and form data to enhance user experience. | Up to 1 year
    Performance / Analytics | Understanding how visitors interact with our website through aggregated, anonymous usage statistics (Google Analytics). | Up to 2 years

    We do not use advertising or behavioral tracking cookies. We do not participate in ad networks or cross-site tracking.

    8.2 Managing Cookies

    You can control and manage cookies through your browser settings. Most browsers allow you to refuse or delete cookies. Please note that disabling strictly necessary cookies may affect the functionality of our website, including the ability to log in or place orders.

    8.3 Google Analytics

    We use Google Analytics to collect anonymized data about website usage. Google Analytics uses cookies to track visitor interactions. The data collected is aggregated and anonymous — it does not identify individual visitors. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

    9. Data Retention

    We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Our retention periods are as follows:

    Data Category | Retention Period | Legal Basis
    Active account data | Duration of account + 3 years | Contractual / Legitimate interest
    Financial/transaction records | 7 years | IRS requirements / Tax compliance
    Medical courier records (PHI) | 6 years from last service date | HIPAA §164.530(j)
    Driver application records | Duration of engagement + 4 years | DOT / Employment law compliance
    GPS / Location data | 90 days after delivery completion | Legitimate interest / Dispute resolution
    Website usage / Analytics | 26 months (anonymized) | Legitimate interest
    Support communications | 3 years from resolution | Legitimate interest / Legal compliance
    Marketing consent records | Duration of consent + 3 years | CAN-SPAM / TCPA compliance

    After the applicable retention period expires, personal information is securely deleted or anonymized so that it can no longer be associated with you.

    10. Data Security

    We implement and maintain reasonable administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, use, alteration, disclosure, or destruction. Our security measures include:

    • Encryption: TLS/SSL encryption for all data transmitted between your browser and our servers. Encryption at rest for stored data.
    • Access Controls: Role-based access controls (RBAC) limiting employee and contractor access to personal information on a need-to-know basis. Two-factor authentication (2FA) for administrative accounts.
    • Payment Security: PCI-DSS compliant payment processing through Stripe. We never store, process, or transmit full credit card numbers on our servers.
    • Infrastructure Security: Secure cloud hosting with firewalls, intrusion detection, and continuous monitoring. Regular security updates and patch management.
    • Employee Training: Privacy and security awareness training for all employees and contractors who handle personal information.
    • Incident Response: Documented incident response procedures for detecting, reporting, and responding to data breaches in compliance with applicable breach notification laws.

    Massachusetts Security Compliance: In accordance with 201 CMR 17.00 (Standards for the Protection of Personal Information of Residents of the Commonwealth), we maintain a comprehensive written information security program (WISP) that includes administrative, technical, and physical safeguards appropriate to the size and scope of our organization and the sensitivity of the personal information we process.

    While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we are committed to promptly addressing any security vulnerabilities or breaches.

    11. Your Rights

    Depending on your state of residence and applicable law, you may have the following rights regarding your personal information:

    • Right to Know / Access: You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, our purposes for collecting or using it, and the categories of third parties with whom we share it.
    • Right to Delete: You have the right to request deletion of personal information we have collected from you, subject to certain exceptions permitted by law (such as legal compliance, fraud prevention, or completing a transaction).
    • Right to Correct: You have the right to request correction of inaccurate personal information we maintain about you.
    • Right to Opt Out of Sale: You have the right to opt out of the sale of your personal information. Note: Bocsit does not sell personal information.
    • Right to Opt Out of Profiling: You have the right to opt out of automated decision-making and profiling that produces legal or similarly significant effects.
    • Right to Data Portability: You have the right to receive your personal information in a structured, commonly used, and machine-readable format.
    • Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights. We will not deny you services, charge different prices, provide a different quality of service, or suggest that you will receive a different price or quality of service for exercising your rights.
    • Right to Appeal: If we deny your privacy request, you have the right to appeal that decision. We will respond to appeals within 60 days.

    How to Exercise Your Rights

    You may submit a verifiable consumer request by:

    We will verify your identity before processing your request. For account holders, we will verify through your existing account credentials. For non-account holders, we will require sufficient information to verify your identity. We will respond to verifiable requests within 45 days of receipt, with an option to extend by an additional 45 days if necessary (with notice to you).

    You may designate an authorized agent to submit requests on your behalf. Authorized agents must provide written authorization signed by you and may be required to verify their own identity.

    12. California Privacy Rights (CCPA/CPRA)

    This section provides additional disclosures required under the California Consumer Privacy Act of 2018 (CCPA) as amended by the California Privacy Rights Act of 2020 (CPRA) for California residents.

    12.1 Categories of Personal Information Collected

    In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:

    • Identifiers: Name, email, phone number, IP address, account name
    • Personal information under Cal. Civ. Code §1798.80(e): Name, address, telephone number, credit card number
    • Commercial information: Transaction records, order history, delivery preferences
    • Internet or electronic network activity: Browsing history, search history, interaction with our website
    • Geolocation data: Precise GPS coordinates (drivers during active deliveries)
    • Professional or employment-related information: Driver application data, certifications, employment history
    • Sensitive personal information: Driver's license numbers, precise geolocation, financial account information

    12.2 Sale and Sharing of Personal Information

    Bocsit does NOT sell personal information and has not sold personal information in the preceding 12 months. Bocsit does NOT share personal information for cross-context behavioral advertising purposes.

    12.3 Sensitive Personal Information

    We use sensitive personal information only for purposes permitted under the CPRA, specifically: performing services requested by the consumer, ensuring security and integrity, short-term transient use, and performing services on behalf of the business. We do not use or disclose sensitive personal information for purposes beyond what is necessary to provide the requested services.

    12.4 Financial Incentives

    We do not offer financial incentives or price or service differences in exchange for the retention or sale of personal information.

    12.5 Shine the Light (Cal. Civ. Code §1798.83)

    California residents who have an established business relationship with us may request information about the categories of personal information we shared with third parties for direct marketing purposes during the preceding calendar year. Bocsit does not share personal information with third parties for their direct marketing purposes.

    13. Other State Privacy Laws

    In addition to the CCPA/CPRA, we comply with the following state privacy laws as applicable to residents of those states:

    13.1 Massachusetts (MGL Ch. 93H & 201 CMR 17.00)

    As a Massachusetts-based company, we comply with the Massachusetts data breach notification law (MGL Chapter 93H) and the Standards for the Protection of Personal Information (201 CMR 17.00). We maintain a Written Information Security Program (WISP), encrypt all personal information transmitted wirelessly or across public networks, and will notify affected residents and the Massachusetts Attorney General's Office in the event of a data breach involving personal information.

    13.2 Virginia Consumer Data Protection Act (VCDPA)

    Virginia residents have the right to access, correct, delete, and obtain a copy of their personal data, and to opt out of processing for targeted advertising, sale of personal data, or profiling. To exercise these rights or appeal a decision, contact us at privacy@bocsit.com.

    13.3 Colorado Privacy Act (CPA)

    Colorado residents have similar rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.

    13.4 Connecticut Data Privacy Act (CTDPA)

    Connecticut residents have the right to access, correct, delete, obtain a copy of, and opt out of the processing of personal data for targeted advertising, sale, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects.

    13.5 Other State Laws

    We also comply with applicable provisions of the Utah Consumer Privacy Act (UCPA), Texas Data Privacy and Security Act (TDPSA), Oregon Consumer Privacy Act (OCPA), Montana Consumer Data Privacy Act (MCDPA), and any other state privacy laws that may apply to our operations. Residents of these states may exercise their applicable rights by contacting us using the methods described in Section 11.

    13.6 Nevada Privacy Law (SB 220)

    Nevada residents may opt out of the sale of their personally identifiable information (as defined under Nevada SB 220) by emailing privacy@bocsit.com. As stated above, Bocsit does not sell personal information.

    14. HIPAA & Medical Information

    In connection with our medical courier services, we may process Protected Health Information (PHI) as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

    • Business Associate Agreements: We enter into Business Associate Agreements (BAAs) with all covered entity clients before handling PHI.
    • Minimum Necessary Standard: We limit access to PHI to the minimum necessary to accomplish the delivery service. Driver access to medical shipment details (such as drop-off addresses and recipient names) is restricted and only revealed at the appropriate stage of the delivery workflow.
    • Safeguards: PHI is encrypted in transit and at rest, access-controlled through role-based permissions, and subject to audit logging. Only certified medical courier drivers with current HIPAA training have access to medical shipment information.
    • Breach Notification: In the event of a breach of unsecured PHI, we will notify affected covered entities without unreasonable delay and no later than 60 days after discovery, in accordance with the HIPAA Breach Notification Rule (45 CFR §§ 164.400-414).
    • Retention: PHI-related documentation is retained for 6 years from the date of its creation or the date when it last was in effect, whichever is later, in accordance with HIPAA requirements.

    15. Children's Privacy (COPPA)

    Our services are not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will take steps to delete such information as quickly as possible, in compliance with the Children's Online Privacy Protection Act (COPPA).

    If you believe that we may have collected personal information from a child under 13, please contact us immediately at privacy@bocsit.com.

    Additionally, our services are generally intended for users 18 years of age and older. Users between the ages of 13 and 17 may use our services only with the involvement and consent of a parent or legal guardian.

    16. Do Not Track Signals

    Some web browsers transmit "Do Not Track" (DNT) signals to websites. Because there is no universally accepted standard for how to respond to DNT signals, our website does not currently respond to DNT signals. However, as stated in this policy, we do not engage in cross-site tracking or behavioral advertising.

    California law requires us to disclose how we respond to DNT signals. We honor the Global Privacy Control (GPC) signal as a valid opt-out request under the CCPA/CPRA where applicable.

    17. Third-Party Links & Services

    Our website and applications may contain links to third-party websites, services, or applications that are not operated by us. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access through our platform.

    Key third-party services integrated with our platform include:

    We are not responsible for the privacy practices or content of these third-party services. Your use of these services is governed by their respective privacy policies and terms of service.

    18. International Data Transfers

    Bocsit is based in the United States, and your personal information is processed and stored in the United States. If you are accessing our services from outside the United States, please be aware that your personal information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.

    By using our services, you consent to the transfer of your information to the United States. We will take appropriate measures to ensure that your personal information receives an adequate level of protection in accordance with applicable law.

    19. Changes to This Policy

    We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

    • Update the "Last Updated" date at the top of this policy
    • Post the revised policy on our website
    • For material changes, notify registered users by email at least 30 days before the changes take effect
    • Where required by law, obtain your consent before applying material changes to previously collected data

    We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of our services after the effective date of any changes constitutes your acceptance of the revised policy.

    20. Contact Information

    If you have questions, concerns, or complaints about this Privacy Policy or our data practices, or wish to exercise your privacy rights, please contact us:

    Bocsit — Privacy Office

    Boston Courier Specialist

    Email: privacy@bocsit.com

    Phone: (617) 807-0411

    General Inquiries: info@bocsit.com

    Address: Boston, Massachusetts

    We will acknowledge your inquiry within 5 business days and provide a substantive response within 45 days (or such shorter period as may be required by applicable law).

    If you are not satisfied with our response, you may file a complaint with your state's Attorney General office or the applicable data protection authority:

    • Massachusetts: Office of the Attorney General, One Ashburton Place, Boston, MA 02108 — mass.gov/ago
    • California: California Privacy Protection Agency (CPPA) — cppa.ca.gov
    • Federal: Federal Trade Commission (FTC) — ftc.gov/complaint

    Your Privacy Matters

    At Bocsit, protecting your personal information is a core commitment, not an afterthought. If you ever have questions about how your data is handled, we encourage you to reach out to our Privacy Office. We're here to help.
