Legal & Security
Trust, Legal & Security
All PODFY legal and security documents in one place. Last updated: 2026-04-14. For questions: [email protected]
Infrastructure & hosting
Data lifecycle — every byte stays in EU jurisdiction
Hosting & storage
Cloudflare — Pages, Workers, D1 (SQLite), R2 (object storage). All data at rest and in transit in the WEUR (Western Europe) region. EU jurisdiction, EU data centre.
Email delivery
Resend — transactional email provider. Used for delivery notifications, portal magic links, and contact form replies. Sender domain: podfy.net. No marketing profiling.
Data Processing Addendum (DPA)
EU/EEA customers requiring a written DPA with Standard Contractual Clauses (SCCs) under GDPR Art. 28 can request one at [email protected] with subject: "DPA request".
No passwords — how that works
PODFY portals use magic links: you enter your email, receive a short-lived login URL (15 minutes), and click it. There is no password stored anywhere — no password database means no password breach. The login token is single-use and stored only as a hash in D1. After login, a session cookie handles the session on your device.
Legal notice
Imprint
Company & registry
PODFY
Van Weede van Dijkveldstraat 25
2582KP 's-Gravenhage (The Hague), The Netherlands
Chamber of Commerce (KVK): 83714200
VAT ID: NL862966851B01
Email: [email protected]
The underlying company registration is maintained in Dutch. This English Imprint is provided for convenience. In case of conflict, the Dutch KVK registration prevails.
Domains & services covered
This Imprint applies to all services operated by PODFY:
- podfy.net — marketing website, information pages, legal documentation.
- podfy.app — operational Proof-of-Delivery platform and customer portals.
- Delivery portals reached via PODFY-generated links and email-based driver links.
Contacts
General & support: [email protected]
Security reports: [email protected]
Data protection / GDPR: [email protected] — subject: "Privacy request"
Last updated: 2026-04-14
Legal
Terms of Service
Last updated: 2026-04-14 · Provider: PODFY, Van Weede van Dijkveldstraat 25, 2582KP 's-Gravenhage, Netherlands · [email protected]
1. Parties, agreement & hierarchy
These Terms of Service ("Terms") are a legal agreement between you ("you", "Customer", "User") and PODFY ("we", "us"). If you use PODFY on behalf of an organisation, you represent that you are authorised to bind that organisation to these Terms.
By accessing or using podfy.net or podfy.app, you agree to these Terms. If you do not agree, you must not use the Services.
If you have signed a separate order form, subscription agreement or Data Processing Addendum (DPA) with PODFY, that document prevails over these Terms where they conflict. These Terms apply on a supplementary basis.
The Services are intended for business and professional use. Consumer laws may grant additional mandatory rights; these Terms are not intended to limit any rights that cannot lawfully be excluded.
2. Services & scope
Definitions: "Site" means podfy.net. "Application" or "Product" means podfy.app and related portals and APIs. "Services" means both together. "Customer Data" means any data you or your users provide, including POD documents, shipment references, and contact details.
The Site provides marketing information, documentation, legal pages and contact/demo forms. The Application is a SaaS platform for collecting, storing and sharing Proof-of-Delivery documents and related logistics information.
3. Acceptable use
You may use the Services only in accordance with these Terms and applicable law. You agree not to:
- Use the Services in violation of any applicable laws or regulations.
- Attempt to gain unauthorised access to the Services, Customer Data belonging to others, or underlying infrastructure.
- Interfere with or disrupt the integrity or performance of the Services.
- Upload or transmit malicious code, malware, or content that infringes third-party rights.
- Misrepresent your identity or use the Services for fraudulent or deceptive activity.
- Use the Services for high-risk activities where failure could lead directly to loss of life, personal injury, or environmental damage.
4. Intellectual property
All intellectual property rights in the Services (including software, designs, logos, text, and documentation) are owned by PODFY or its licensors. These Terms do not transfer ownership to you.
You retain ownership of Customer Data. You grant PODFY a non-exclusive, worldwide licence to process Customer Data solely to provide, secure and support the Services.
If you provide ideas, suggestions or feedback, you grant PODFY a worldwide, perpetual, irrevocable, royalty-free licence to use and incorporate that feedback without restriction.
5. Privacy & data protection
PODFY's processing of personal data is described in the Privacy Policy below and, where applicable, a Data Processing Addendum. For Customer Data in podfy.app, your organisation is generally the data controller and PODFY acts as data processor. For website and account-level data, PODFY is the data controller.
For EU/EEA customers, PODFY offers a DPA with processor obligations and, where relevant, Standard Contractual Clauses. Use of browser-side storage is described in the Cookie Policy.
6. podfy.app — accounts, configuration & fees
You are responsible for keeping login credentials confidential and for actions taken under your accounts. You will promptly notify PODFY of any unauthorised access.
You are responsible for configuring retention periods, access rights and workflows to match your legal and operational requirements. PODFY provides configuration options but does not give legal advice on how long you must retain PODs.
If your use of podfy.app is subject to fees, pricing and payment terms are defined in your order form or commercial agreement.
7. Warranties & liability
Access to the Site and any free or trial use of the Services is provided on an "as is" and "as available" basis. To the maximum extent permitted by applicable law, PODFY provides no warranties of any kind, whether express, implied or statutory.
Any service-level or uptime commitments for paid subscriptions are defined in your order form. To the maximum extent permitted by applicable law, neither party will be liable for any indirect, incidental, consequential, special, exemplary or punitive damages, or for any loss of profits, revenue, goodwill or data.
PODFY's aggregate liability is limited to: for purely free use of the Site: zero euros; for paid subscriptions: the total amount paid by you in the 12 months preceding the first event giving rise to the claim. These exclusions do not apply to liability that cannot be excluded or limited under applicable law (intent, gross negligence, death or personal injury).
8. Indemnity
You agree to indemnify and hold harmless PODFY from any third-party claim arising from: your breach of these Terms; your misuse of the Services; or Customer Data you upload that infringes third-party rights or violates law.
9. Beta & trials
Beta or experimental features are provided "as is", without service-level commitments, may be changed or discontinued at any time, and may be subject to additional limitations. To the extent permitted by law, PODFY has no liability arising from your use of beta features.
10. Changes & termination
We may modify the Services from time to time, provided such changes do not materially reduce core functionality for paying customers during a subscription term, unless required by law or security. We may update these Terms periodically; your continued use after changes become effective constitutes acceptance.
You may stop using the Services at any time. PODFY may suspend or terminate access if you materially breach these Terms, use the Services in a way that creates unacceptable risk, or where required by law.
11. Governing law, company details & contact
These Terms are governed by the laws of the Netherlands. Any disputes will be submitted to the competent courts in The Hague, unless mandatory law provides otherwise.
- Entity: PODFY
- Address: Van Weede van Dijkveldstraat 25, 2582KP 's-Gravenhage, Netherlands
- KVK: 83714200 · VAT: NL862966851B01
- Support: [email protected]
- Security: [email protected]
Last updated: 2026-04-14
Data protection
Privacy Policy
This Privacy Policy explains how PODFY processes personal data on podfy.net and podfy.app. Controller: PODFY, Van Weede van Dijkveldstraat 25, 2582KP 's-Gravenhage, Netherlands. Contact: [email protected].
1. Controller, roles & scope
For GDPR purposes, PODFY is the data controller for personal data collected via podfy.net and for account-level data in podfy.app (for example, admin contact details and billing info).
For operational POD data inside podfy.app (driver names, recipient signatures, delivery references, uploaded POD images), PODFY acts as a data processor on behalf of the customer. Your organisation is the controller and determines purposes and means of processing.
2. Categories of personal data
Website visitors (podfy.net): contact form data (name, email, company, message); technical logs (IP address, date/time, URLs, device/user-agent); no marketing trackers or analytics cookies.
Customer admins and users (podfy.app): account information (name, email, organisation, role, authentication data); configuration data; usage data (login timestamps, upload/download events).
Drivers, recipients and delivery contacts (Customer Data): driver names or identifiers; recipient names or signatures; contact details; shipment references, license plates, POD images. This is treated as Customer Data, processed only on documented instructions from the customer.
Support and communications: support tickets and emails to [email protected]; feedback about the product.
3. Purposes & legal bases
Operating the product: creating and managing accounts, storing and retrieving POD documents, sending operational communications, providing audit trails. Legal bases: performance of contract (Art. 6(1)(b) GDPR) and legitimate interests (Art. 6(1)(f) GDPR).
Website, demos and sales: responding to contact and demo requests, monitoring for abuse. Legal bases: legitimate interests in promoting and protecting our services, and pre-contractual steps.
Service improvement: de-identified or aggregated usage data (upload counts, error rates) to diagnose issues and improve PODFY. We do not build advertising profiles and do not sell personal data.
Legal obligations: keeping invoices for tax and accounting, responding to lawful requests from authorities.
4. Retention
Website data: contact requests up to 12 months after closure; security logs up to 30 days unless needed for incident investigation.
Customer Data in podfy.app: POD documents retained according to your configuration (60 days, 1 year or longer); account information and audit logs retained for the duration of your subscription and a reasonable period afterwards.
5. Processors & international transfers
We use selected sub-processors including: cloud infrastructure and edge services (Cloudflare) for hosting, storage, DNS and security; email delivery providers for operational emails; support tooling. All processors operate under written contracts with data-protection obligations.
We aim to host production data in EU regions. Where personal data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) or equivalent mechanisms.
6. Security & data minimisation
All PODFY properties enforce HTTPS with modern TLS. Access to operational systems is restricted and audited. Customer Data is logically separated between tenants. We collect only data needed to operate PODFY and support customers. We follow a low-cookie approach — see the Cookie Policy.
7. Your rights
Where GDPR or similar laws apply, you may have rights of: access; rectification; erasure; restriction; data portability; objection; and withdrawal of consent. To exercise these rights, contact [email protected].
If you are a driver or recipient whose data is processed by a PODFY customer, please contact that customer first as they are the controller for that data.
You have the right to lodge a complaint with your local supervisory authority — in the Netherlands: Autoriteit Persoonsgegevens — or with the supervisory authority in your country of residence.
8. Children
PODFY is designed for professional use in logistics and related industries. It is not intended for use by children under 16.
9. Changes & contact
We may update this Privacy Policy to reflect changes in law, services or processing activities. For material changes, we will notify customers by email or in-app notice. The "Last updated" date always shows the current version.
Last updated: 2026-04-14
Security posture
Security
This section describes PODFY's security posture in a way useful for customers, auditors, and security reviewers. Security contact: [email protected].
1. Governance & approach
Security at PODFY is treated as a product feature. We focus on: minimal stack (static front-end, edge functions, managed storage); tenant isolation (every customer's data logically separate); operational clarity (straightforward flows for uploads, portals and retention).
For formal researcher rules and safe harbor, see SECURITY.md and /.well-known/security.txt.
2. Infrastructure & transport
PODFY runs on Cloudflare Pages and Workers. POD documents are stored in Cloudflare R2 with encryption at rest. All PODFY domains enforce HTTPS; .app is an HSTS-preloaded TLD. We support TLS 1.2+ and HTTP/3/QUIC at the edge. Cloudflare DDoS protection, WAF and rate limiting provide first-line defence. Secrets are stored in the platform's encrypted secrets store, never in source control.
Security headers in use: HSTS, Content-Security-Policy, Referrer-Policy, X-Content-Type-Options.
3. Application security (podfy.app)
All customer data is logically isolated at the data layer using tenant IDs, scoped queries and access checks. Role-based access control governs who can configure settings, view documents, or export data. Authentication uses secure cookies or tokens with Secure and HttpOnly attributes. Sessions have reasonable expiry and may be invalidated on security events.
Uploads accept a controlled set of file types. Objects are stored in encrypted object storage; metadata in a database tied to the tenant. Retention windows are configurable per customer; after expiry, files are scheduled for deletion.
Drivers and partners access PODs via emailed links containing long, unguessable tokens. These tokens are validated server-side and may be time-limited and scoped to specific PODs. Portal views are logged with timestamp, token reference and basic user-agent for auditability.
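An added example, not PODFY's own code, of the token handling this page describes for portal magic links (15-minute, single-use, stored only as a hash) and for the POD-scoped driver links above. A `Map` stands in for the D1 table; the function names, scope strings and the 24-hour driver-link lifetime are assumptions.

```javascript
// Added example: a Map stands in for the D1 table; all names are hypothetical.
// Web Crypto is a global in Workers and Node 19+; older Node falls back to node:crypto.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto;
const LOGIN_TTL_MS = 15 * 60 * 1000; // login link lifetime stated on the page
const DRIVER_TTL_MS = 24 * 60 * 60 * 1000; // assumed; the page gives no figure
const toHex = (buf) =>
  [...new Uint8Array(buf)].map((b) => b.toString(16).padStart(2, "0")).join("");

async function sha256Hex(text) {
  return toHex(await wc.subtle.digest("SHA-256", new TextEncoder().encode(text)));
}

// The raw token goes only into the emailed URL; the store keeps its SHA-256 hash,
// so a leaked table holds nothing that can be replayed as a link.
async function issueToken(store, { subject, scope, ttlMs, singleUse }, now = Date.now()) {
  const raw = toHex(wc.getRandomValues(new Uint8Array(32))); // 256 random bits
  const row = { subject, scope, expiresAt: now + ttlMs, singleUse, used: false };
  store.set(await sha256Hex(raw), row);
  return raw;
}

// Server-side validation: shape, existence, scope, expiry, then reuse.
async function redeemToken(store, raw, scope, now = Date.now()) {
  if (!/^[0-9a-f]{64}$/.test(String(raw))) return { ok: false, reason: "malformed" };
  const row = store.get(await sha256Hex(raw));
  if (!row) return { ok: false, reason: "unknown" };
  if (row.scope !== scope) return { ok: false, reason: "wrong-scope" };
  if (now >= row.expiresAt) return { ok: false, reason: "expired" };
  if (row.singleUse && row.used) return { ok: false, reason: "already-used" };
  // No await between that check and this write, so the Map version cannot race;
  // a SQL store needs a single conditional UPDATE (WHERE used = 0) instead.
  row.used = true;
  return { ok: true, subject: row.subject };
}

// Constructed walk-through with a fixed clock so the outcomes are reproducible.
async function demo() {
  const store = new Map();
  const t0 = 1_700_000_000_000;
  const login = { subject: "admin@example.test", scope: "login", ttlMs: LOGIN_TTL_MS, singleUse: true };
  const pod = { subject: "driver-7", scope: "pod:1001", ttlMs: DRIVER_TTL_MS, singleUse: false };
  const a = await issueToken(store, login, t0);
  const b = await issueToken(store, login, t0);
  const d = await issueToken(store, pod, t0);
  return {
    rawStored: store.has(a),
    first: await redeemToken(store, a, "login", t0 + 60_000),
    replay: await redeemToken(store, a, "login", t0 + 120_000),
    late: await redeemToken(store, b, "login", t0 + LOGIN_TTL_MS),
    otherPod: await redeemToken(store, d, "pod:1002", t0 + 60_000),
    samePod: await redeemToken(store, d, "pod:1001", t0 + 120_000),
  };
}
demo().then((r) => console.log(r));
```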
PODFY aims to store production POD data in EU regions. Data does not move outside the selected region for product functionality without appropriate safeguards.
4. Website security (podfy.net)
Deployed as a static site via Cloudflare Pages; dynamic behaviour handled by Workers functions. No direct database access from the browser; form submissions go through backend handlers. Contact and configuration forms use Cloudflare Turnstile to reduce automated abuse. Input is validated server-side before being written to storage or forwarded by email.
The marketing site and operational app are treated as separate surfaces. Sessions are not shared, databases are distinct, and issues in one do not automatically compromise the other.
5. Data protection & sub-processors
PODFY acts as data processor for POD documents in podfy.app, and data controller for website visitor data. Principles: minimisation (collect only what is needed); purpose limitation (no reuse for advertising); access limitation (need-to-know basis). DPA available with Standard Contractual Clauses for GDPR-regulated customers.
Sub-processors: cloud infrastructure and edge provider(s) (Cloudflare); email delivery provider(s); support tooling.
6. Incident response
Incident response lifecycle: detection (monitoring, customer reports, researcher reports); triage (severity: Critical / High / Medium / Low); containment (revoke tokens, rotate keys, roll back or hot-patch); eradication & recovery; post-incident review.
Remediation targets: Critical: 7 days. High: 30 days. Medium: 90 days. Low: 180 days. Where required by law, affected customers and authorities will be notified without undue delay in case of a personal data breach.
Last updated: 2026-04-14 · Scope: podfy.app and podfy.net
Security research
Responsible Disclosure
If you believe you have found a security issue in podfy.app or podfy.net, we want to hear from you. Responsible disclosure helps keep logistics data safe for everyone using PODFY.
How to report
- Email: [email protected]
- Include: a clear description, affected URLs/endpoints, reproduction steps, and impact assessment.
- If your report contains sensitive data, mark it clearly; we can arrange an encrypted channel if needed.
What to expect
- Acknowledgement within 3 business days.
- Initial triage within 7 business days.
- Remediation based on the severity targets in the Security section above.
- Coordinated disclosure: we prefer that details are shared publicly only after a fix or effective mitigation is in place.
Rules of engagement
- Do not access, modify or exfiltrate data that does not belong to you.
- Avoid impacting availability — no load tests, DoS or large-scale automated scanning against production.
- Do not use social engineering, phishing, or physical intrusion.
- Use test accounts and sample data wherever possible; stop immediately if you encounter real third-party personal data and report the issue.
Additional policy details, safe-harbor language and recognition guidelines:
We do not pursue legal action against researchers who follow these guidelines and act in good faith.
Last updated: 2026-04-14