AGREEMENT BETWEEN USERS AND SHIPSAVING.COM
ShipSaving.com reserves the right, in its sole discretion, to change the Terms and Privacy Policy under which ShipSaving.com is offered. The most current version of the will supersede all previous versions. ShipSaving.com encourages you to periodically review all information to stay up to date.
‍
PRIVACY POLICY
Users of ShipSaving.com are subjected to ShipSaving.com’s Privacy Policy which includes our data collection practices. ShipSaving.com reserves the right to change their Privacy Policy at all times. All modifications, edits, deletes and additions are effective immediately. Please read the Privacy Policy carefully and periodically review to stay up to date. Your continuous use of ShipSaving.com after updates to Privacy Policy means that you agreed to be bound by the modified and updated . As permitted by applicable law and regulations, we will retain your information as long as necessary to serve and maintain your account for as long as your account is active, or as otherwise needed to operate our business.
‍
PERSONAL INFORMATION COLLECTED
In order to access the features provided by ShipSaving.com, it is necessary for Users to provide us with Personal Information. It is the User’s voluntary decision whether or not to provide the request information to use ShipSaving.com. If no information or data is provided then use of ShipSaving.com would be severely limited as a result. ShipSaving.com collects personal information such as name, address, telephone numbers, email addresses, shipping information and payment details as part of your registration and use of ShipSaving.com’s products and services.
‍
NON-PERSONAL INFORMATION COLLECTED
ShipSaving.com may collect information on User based on use of ShipSaving.com. ShipSaving.com may store “cookies” in your computer to better serve you. Cookies can gather non-personal information such as the internet site that you have previously visited before ShipSaving.com, the website you visited after ShipSaving.com, the browser you are viewing ShipSaving.com from your IP address, location tracking and more. The purpose is to improve the quality of ShipSaving.com and increase ShipSaving.com’s marketing initiatives. You may limit the usage of cookies from your browser settings.
‍
HOW INFORMATION IS SHARED
We will not use your Personal and Non-Personal Information for any reason beyond the legitimate business purposes defined by the law. ShipSaving.com reserves the right to share your information to guarantee the fulfillment of ShipSaving.com’s services which can include third-party companies that work with us to provide our Services such as couriers, insurance companies, and payment providers. ShipSaving.com uses the collected personal and non-personal information for reasons such as but not limited to: 1. Allow Users to register as members of ShipSaving.com 2. Contact User about products and services offered by ShipSaving.com and ShipSaving.com’s partners. 3. Contact User pertaining to administrative notices and updates relevant to accounts/services maintained with ShipSaving.com. 4. Follow up on service calls, questions, requests and complaints submitted by User. 5. Provide Tracking and Shipping Services to Users. Allows User to operate and use ShipSaving.com. 6. To gather and analyze data in respect to the use of ShipSaving.com and for ShipSaving.com’s internal use. 7. Solve disputes, troubleshoot problems, and enforce any agreements with ShipSaving.com including and not limited to ShipSaving.com’s Terms of Use and Privacy Policy. 8. Share information with ShipSaving.com’s partner in the event that a partner of ShipSaving.com is investigating or enforcing a violation of its policies, procedures, terms of agreement. ShipSaving.com will share information with ShipSaving.com’s partner to conduct in its investigation of a possible problem, issue or concern. 9. In the event that all or part of ShipSaving.com becomes part of a sale, merger or transfer, ShipSaving.com reserves the right to transfer any and all information that it collects to third parties. 10. In the event of a court order or cooperate with a law enforcement investigation, ShipSaving.com will disclose all requested information and reserve the right to report to law enforcement any activities that ShipSaving.com suspects to be unlawful.
‍
THIRD PARTY PRIVACY POLICIES AND DATA COLLECTION
ShipSaving.com’s Terms and Privacy Policy only addresses the collection, use and disclosure of information by ShipSaving.com and does not cover third party practices. ShipSaving.com is not responsible for the policies or practices of any third party.
‍
OTHERS TERMS AND USAGE AGREEMENTS
Account Information: Information provided during registration becomes part of ShipSaving.com’s business records. ShipSaving.com may retain past information as part of our business records. Minors: This website is directed to adults and not for children under 13. ShipSaving.com does not knowingly collect or use personally identifiable information from anyone under the age of 13. Children under 18 may use ShipSaving.com with guardian or parent permission. If you have any questions about this Privacy Policy, please contact ShipSaving.com.
‍
ELECTRONIC COMMUNICATIONS
User consent to receive electronic communications and user agree that all agreements, notices, disclosures and other communications that we provide to you electronically, via email and on the Site, satisfy any legal requirement that such communications be in writing upon visiting ShipSaving.com
‍
ACCOUNT SECURITY
ShipSaving.com follows industry standards to protect the personal information and data submitted by Users to the Website. However, no method of security is 100% secure. User is responsible for maintaining the confidentiality of User’s account or password and accepting responsibility for all activities that occur under User’s account or password. User acknowledges that ShipSaving.com is not responsible for third party access to accounts that results from theft or misappropriation of User’s account. ShipSaving.com and its associates reserve the right to refuse or cancel service, terminate accounts, or remove or edit content at our sole discretion.
‍
CANCELLATION/REFUND POLICY
You may close your account at any time, upon the fact that your account has no pending or negative balance. When you terminate or stop using your account, we may continue to communicate with you about our services, updates, and products. We may also continue to use some of your information for business purposes and to improve our business. We will retain and use your information as required by applicable law. ShipSaving.com’s information management policies will comply with legal and reporting obligations, resolve disputes, and enforce our agreements.
‍
LINKS TO THIRD PARTY SITES/THIRD PARTY SERVICES
ShipSaving.com may contain links to other websites ("Linked Sites"). The Linked Sites are not under the control of ShipSaving.com and ShipSaving.com is not responsible for the contents, links, terms of usage or services of any Linked Site. Certain services made available via ShipSaving.com are delivered by third party sites and organizations. By using any product, service or functionality originating from the ShipSaving.com domain, you hereby acknowledge and consent that ShipSaving.com may share such information and data with any third party with whom ShipSaving.com has a business relationship to provide the requested service on behalf of ShipSaving.com users and customers. By using any services or functionality of ShipSaving.com, you hereby acknowledge and comply with terms and conditions from any other third Party Businesses/Services/Websites/Companies/Organizations, including but not limited to: FedEx,UPS,USPS,eBay and Amazon.
‍
INTERNATIONAL USERS
The Service is controlled, operated and administered by ShipSaving.com from our offices within the USA. If you access ShipSaving.com outside the USA, you are responsible for compliance with all local laws. You agree that you will not use the ShipSaving.com in any country or in any manner prohibited by any applicable laws, restrictions or regulations.
‍
INDEMNIFICATION
You agree to indemnify, defend and hold harmless ShipSaving.com, its officers, directors, employees, agents and third parties, for any losses, costs, liabilities and expenses (including reasonable attorneys' fees) relating to or arising out of your use of or inability to use the Site or services. Any actions committed by User in violation of any terms of this ShipSaving.com’s, terms of a third party, any applicable laws, rules or regulations will result in ShipSaving.com the right, at its own cost, to assume the exclusive defense and control of any matter otherwise subject to indemnification by you, in which event you will fully cooperate with ShipSaving.com in asserting any available defenses.
‍
THIRD PARTY ACCOUNTS
In the event that You will be able to connect your ShipSaving.com account using a third party accounts, you acknowledge and agree that you are consenting to the continuous release of information about you to others (in accordance with your privacy settings on those third party sites). If you do not want information about you to be shared in this manner, do not connect your ShipSaving.com account using a third-party account.
LIABILITY DISCLAIMERThe information, software, products, and services included in or available through the site may include inaccuracies or typographical errors. Changes are periodically added to the information herein. ShipSaving.com and associates may make improvements and/or changes in the site at any time. ShipSaving.com and it’s partners make no representations about the reliability, usefulness, accuracy of the information, services, software and graphics contained on this site for any purpose. To the maximum extent permitted by applicable law, ShipSaving.com operates “as is” without warranty or condition of any kind for ShipSaving.com’s contents. This “as is” without warranty extends to all implied warranties or conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by applicable law, in no event shall ShipSaving.com and it’s partners be liable for any direct, indirect, punitive, incidental, special, consequential damages or any damages whatsoever including, without limitation, for loss of use, data or profits, arising out of or in any way connected with the use or performance of the site, with the delay or inability to use the site or related services, the provision of or failure to provide services, or for any information, software, services and contents obtained through the site, or otherwise arising out of the use of the site, whether based on contract, tort, negligence, strict liability or otherwise, even if ShipSaving.com and it’s partners has been advised of the possibility of damages. If you are dissatisfied with ShipSaving.com in any way, please discontinue using the site.
‍
TERMINATION/ACCESS RESTRICTION
ShipSaving.com reserves the right, in its sole discretion, to terminate your access to the Site and the related services without notice. You are not allowed to ship items that are prohibited by Carriers or by law or regulation of any federal, state or local government in the origin or destination countries. To the maximum extent permitted by law, this agreement is governed by the laws of the State of California and you hereby consent to the exclusive jurisdiction and venue of courts in California in all disputes arising out of or relating to the use of the Site. Use of the Site is unauthorized in any jurisdiction that does not give effect to all provisions of these Terms, including, without limitation, this section. Usage of ShipSaving.com does not have a partnership or employment relationship between ShipSaving.com and User. ShipSaving.com is subject to existing laws and is in compliance with governmental, court and law enforcement requests relating to the Site and information by ShipSaving.com in respect to legal use. If any part of these Terms and Privacy Policy is determined to be invalid then the invalid provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision and the rest of the Terms and Privacy Policy shall continue in effect. Unless otherwise specified herein, this Terms and Privacy Policy constitutes the entire agreement between the user and ShipSaving.com and it voids all prior communications and agreements between the user and ShipSaving.com. These Terms and Privacy Policy and any additional Terms and Privacy Policies in English shall be admissible in judicial or administrative proceedings based upon or relating to this agreement to the same extent and subject to the same conditions as other business documents and records originally generated and maintained in printed form.







‍

‍DATA SECURITY
ShipSaving works diligently to ensure the confidentiality, integrity, and availability of your data.
‍
· Encryption in transit protects the confidentiality, integrity, and authenticity of your data. As an industry best-practice, we use HTTPS to encrypt customer data sent and received by our servers. This includes, but is not limited to, all data transmitted over the RESTful JSON API that communicates with our backend microservice architecture. This protects your information from tampering and unauthorized disclosure. We also implement AES-GCM (an authenticated encryption algorithm based on a pre-shared key) to protect both the confidentiality and integrity of data transmissions.

· Database access controls restrict access to authorized users and IP addresses. Developers undergo strict account management. Auditing and robust log records provide relevant insights to personnel who regularly review database access for signs of malicious operation. Database passwords must adhere to internal standards for complexity. Database contents are encrypted both at rest and in transit.

· Field-level encryption with the AES-GCM algorithm protects sensitive database entries from unauthorized tampering or disclosure. When the application writes data to the database, sensitive fields are encrypted with an additional key. When the contents of an encrypted database field are retrieved, the results cannot be deciphered without the respective key. This second line of defense significantly reduces the potential impact of leaked data. Our software developers and database administrators (DBAs) operate by default on encrypted fields. Access to the original contents of encrypted fields is granted to staff only on a "need-to-know" basis.

· Data desensitization protects sensitive customer data such as phone numbers, email addresses, and payment card information. Predefined rules tokenize, hide, or mask this data. For extremely sensitive data such as payment card information, we only persist a subset of the original, significantly increasing customer safety.
‍
‍ACCESS CONTROL
Role-based access control (RBAC) assigns functional and data permissions to designated roles, and one or more roles to individual user accounts. A "super administrator," for instance, not only possesses global access to all actions and data, but will also typically customize other roles as needed and assign them to users. Our system administrators apply specific role assignments to customers. This ensures that customers possess functional authority and data authority over only their own data. Malicious actions may attempt to tamper with input parameters to conceal executable commands or cross trust boundaries. This can lead to the unauthorized acquisition of server permissions and the unauthorized disclosure of customer data. The system addresses these concerns as follows:

· Cross-site scripting (XSS) occurs when untrusted JavaScript or other scripting code is supplied from one source and rendered in an unexpected location, such as another user's browsing session. An XSS attack can tamper with or expose data, opening up customer accounts to compromise and endangering their normal operation. To prevent this class of attack, the system is designed to refuse unsafe inbound content. The system will check, filter, and escape any customer input with whitelists of trusted character sets and HTML tags. As an additional layer of defense, the system will filter and/or sanitize output before rendering HTML content to users.

· Buffer overflows occur when a system receives input of a length that overflows the memory area designated for its storage. A malicious user who succeeds at this attack may tamper with or expose data, or possibly gain system root access. To avoid receiving data that exceeds system capacity, we treat external data as untrusted input and perform boundary checks before committing to our systems.

· Cross-site request forgery (CSRF) can occur when an attacker causes a victim's browser to automatically submit a request. This attack is similar to, but different from, a cross-site scripting (XSS) attack. In the case of CSRF, the attacker crafts a malicious request directed at a particular website. If the customer has an active browsing session on that website, the request can be executed to create, read, update, or delete data as the customer themselves. This is equivalent to the attacker logging in with the customer's own credentials to carry out harmful actions within the scope of the customer's authority. To prevent CSRF attacks and protect customer accounts, the system validates CSRF tokens, HTTP referer headers, and CAPTCHA responses.

· Path traversal can occur when query parameters and server paths are not properly sanitized or validated before use in accessing a server-side file system location. An attacker may supply a string with directory navigation operators, possibly escaped (e.g., "../" or "%2E%2E%2F"), to gain unauthorized access to information systems. To prevent this, all customer input is validated and/or escaped after transmission.

· A web shell is a type of remote access trojan (RAT) that exploits a script upload vulnerability to create a command execution environment. An attacker will often use this shell environment through a web browser. This can lead to a series of hazards such as unauthorized information disclosure and tampering. To avoid receiving a web shell, we strictly limit and verify uploaded files. Customers may upload only static files and the system does not trust original filenames. In addition to restricting the upload of malicious code files, the system restricts the execution permissions of related directories.

· Unexpected data disclosure may occur when access logs record sensitive query parameters. To prevent this, the HTTP GET method is not used to transmit sensitive data into the system. When sensitive data must be transmitted into the system, the HTTP POST method is used, and sensitive data placed in the body of the request. The HTTP GET method may be used to transmit non-sensitive data to the system, and to retrieve both sensitive and non-sensitive data from the system.

LOGIN SECURITY
Customer password security promotes not only the security of customer information on our platform but also the stability of the system as a whole. Some customers may use the same password on multiple platforms; once this password is cracked, the risk of data leakage exists on any other platforms with which it is shared. We mitigate the potential for damage as follows:

· The system assigns an authentication token to customers at login. This token accompanies the customer throughout their session and grants the ability to access assigned functions and data. The system reduces the potential for unauthorized disclosure or tampering by requiring a valid token with requests for privileged functions and data.

· User authentication checks occur with every request. We encourage customers to log out manually when they are finished with the system. As a protection against abandoned sessions, if authentication credentials expire or the authentication process fails, the customer will be required to log in again to minimize the potential for data leakage.

· Cookies are protected from unauthorized disclosure and tampering with the HttpOnly and Secure attributes. The HttpOnly flag prevents customer information in cookies from being read by malicious JavaScript files. The Secure flag ensures that a client browser will submit the cookie only with HTTPS requests.

· The AES-GCM encryption algorithm promotes authenticity in the system with authentication codes and authenticated encryption with associated data (AEAD). If system decryption functions note authenticity issues during the decryption process, an exception will be thrown to prevent further processing of corrupted or tampered customer data.

· Customer password length and complexity requirements mitigate the likelihood of brute-force password cracking. We guarantee that customer passwords are not stored in plaintext. Customer passwords are salted and hashed on the frontend with a slow hash operation. Sensitive data, including authentication credentials, will be transmitted to the backend only over a connection encrypted with HTTPS.

· Two-factor verification validates customer ownership of email addresses used for website authentication. When we detect a customer account at risk of misappropriation, the affected customer must correctly supply both their password and a one-time code that the system will send to their email address. CAPTCHA affords an additional layer of protection for this process.

AUDIT LOGS
We are continuously strengthening our product security controls to ensure the maximum confidentiality, integrity, and availability of customer accounts and data.

The vast majority of customer operations trigger the creation of audit logs. This provides customers the ability to trace events when necessary. We provide operation logs for each event that include a timestamp, customer ID, the object being operated on, and the contents of the operation. To facilitate unified management, system administrators have the ability to view the operation logs of all customers.
‍
· We record operations performed by customers on their own data. If an operation involves sensitive data, such as password or payment card information, metadata attached to log entries will be encrypted to minimize the potential for data leakage.
· Customer requests for data will be approved or denied based upon credentials and additional security considerations. The results of these decisions will be recorded.
· Multiple customer user accounts may collaborate as a team. In these cases, a team administrator may be designated as an approver for purchase orders placed by other team members. For example, a warehouse manager who wishes to create a purchase order will submit an application to their administrator for approval. The administrator can then choose to deny or approve the application. If the application is approved, the purchase order will be created. The system records these decisions with per-application granularity.
· Potentially risky operations trigger alarms to be handled by dedicated personnel.
· Logs are retained for 180 days.

Developers are subject to sound auditing and log management. We mitigate the potential for developer credential misuse by logging the following events:
· Login and logout timestamps;
· Database and server access attempts;
· Data, file, and network access attempts;
· Changes to customer data, such as deletion or modification of sensitive info;
· Exceptions or other signs of abnormal activity, which may trigger alarms.
‍
SERVER SECURITY
Firewalls and network security policies deny or redirect data flow to reduce the efficacy of malicious network-based attacks. Security rules are optimized to establish a proper security perimeter for system components.

Network Access Control (NAC) restricts server access to authorized developers, originating from whitelisted IP addresses, who comply with pertinent security policies.

When network bandwidth becomes saturated it can exhaust server processing capacity, preventing legitimate users from being able to access resources. A distributed denial-of-service (DDoS) is one sort of malicious attack that can produce this result. To address this risk, we:
· Limit the frequency of requests from individual IP addresses;
· Apply load-balancing to shunt traffic toward available servers;
· Disable ICMP on security devices such as firewalls;
· Deny or redirect abnormal traffic with a hardware firewall that mitigates the potential for DDoS with rule-based packet-filtering, deep packet introspection (DPI), and Web Application Firewall (WAF) filtering based on request contents and disposition;
· Apply ISP near-source cleaning and operator traffic suppression to minimize the potential for incidents that could adversely affect service availability to customers;
· Strictly limit, at the application layer, the number of connections and CPU usage time from individual IP addresses;
· Reduce unnecessary dynamic database queries.

A competent patch management process regularly reviews and addresses operating system vulnerabilities. Timely application of patches minimizes the potential for malicious attacks.

Unnecessary service ports are closed as part of the system hardening process.

Audit logs record every server operation. Designated security personnel regularly review these logs and respond immediately when an incident is noted.

PAYMENT SECURITY
To protect customer financial information, we do not store data from payment cards.A third-party vendor, Stripe, acts as our payment processor. Please refer to Stripe for more information on their security policies and procedures.

DEVELOPER SECURITY
Developers regularly undergo training to improve security and privacy awareness.The use of external storage media (USB disks, portable hard drives, thumb drives, etc.) is prohibited on company computers.The use of unsecured public cloud applications, including file synchronization tools such as Dropbox and Google Drive, is also prohibited on company computers.

DATA BACKUPS
Our customers fulfill orders with the aid of transactional and other data ("Platform Data") synchronized into our system from third-party e-commerce platforms ("Marketplaces"). To ensure the availability of Platform Data when it is needed, we perform regular backups. Each Marketplace imposes its own policies on the use, protection, and retention of Platform Data.

ShipSaving treats Platform Data, and backups thereof, in strict accordance with the requirements of each Marketplace. We do not maintain Platform Data beyond the retention periods mandated by Marketplaces. We do not sell, share, or otherwise disclose customer data in any manner that would violate our agreements with Marketplaces.

Backup frequency
· Full database backups occur weekly at 23:59 on Sunday.
· Incremental database backups occur daily at 03:00, 09:00, 15:00, and 21:00.

Backup plan
· The database currently utilizes master-slave synchronization to promote data redundancy. Binary logging on the slave database is enabled for off-site backup.
· Future plans include database read-write separation ("master write, slave read") to promote scalability and high-availability. This master-slave synchronization architecture, with backups in accordance with the original backup scheme, may entail a split into separate databases and additional tables to further improve the ShipSaving recovery time objective (RTO) and recovery point objective (RPO) metrics.

SECURITY INCIDENT RESPONSE PLAN(SIRP)
We maintain a security incident response plan (SIRP) and we review and verify this plan every six months and after any major infrastructure or system change. When our backend engineering managers investigate security incidents, or when automation mechanisms trigger an alarm.
‍
· We identify the type and extent of any associated events.
· We disconnect any relevant systems from the network.
· We gather evidence. System logs may be viewed without shutting down associated servers, which promotes forensic analysis of potential evidence in memory, if required.
· In the event that a breach may affect passwords, we will lock down sensitive information and rotate any relevant passwords.
· The impact of a data breach will be assessed based upon logs and other available evidence. Once a root cause analysis is performed, remedial measures will be taken. These may include, but are not limited to, cryptographic erasure of affected systems, patching of relevant software or operating systems, reconfiguration of firewalls, isolation of subnets, malware scanning, and recalibration of automated alarm thresholds.






‍