Brunel Momentum Inc. ("Brunel Momentum", "we", "us") operates a last-mile delivery platform. This policy explains what personal data we collect from merchants and their customers, why, how long we keep it, and who we share it with.
1. Data we collect from merchants
When you sign up for the Brunel Momentum merchant portal we collect: business name, contact name, email address, phone number, pickup address, authentication credentials (bcrypt-hashed passwords + email-OTP enrollment records), and billing information required by our payment processor.
2. Data we receive from your storefront (Shopify + WooCommerce)
When you connect a Shopify or WooCommerce store, we ingest the following fields from each order:
- Customer name, email, and phone number
- Customer shipping address (line 1, line 2, city, province/state, postal code, country, latitude/longitude)
- Order metadata: order number, line items, package weights, service level, and (optionally) delivery instructions
We do not receive or retain payment card numbers, browsing behavior, IP addresses of your customers, or marketing data.
3. How we use this data
- Delivery routing: address + coordinates feed the routing engine to build the driver’s schedule.
- Carrier label generation: name + address are printed on the shipping label so the driver knows who to deliver to.
- Delivery notifications: email + phone are used to send transactional updates (dispatched, out-for-delivery, delivered) and to unlock proof-of-delivery when a signature is required.
- Merchant portal + reporting: order + shipment data is surfaced back to the merchant in their portal for fulfillment and returns.
We do not sell, rent, license, or share personal data with third parties for marketing or advertising purposes. We do not use personal data to train machine learning models unrelated to delivery routing.
4. How long we retain it
Customer personal data (name, email, phone, address) is retained for 90 days after the delivery is completed or the order is cancelled, then automatically deleted. Aggregate delivery metrics (with all personal identifiers removed) are retained longer for operational analytics.
Merchant account records (business name, pickup address, billing history) are retained while your Brunel Momentum account is active. When you close your account we retain financial records for the period required by Canadian tax law (currently seven years) and delete everything else.
5. GDPR / CCPA + Shopify Protected Customer Data
If you sell into the EU, UK, or California, Brunel Momentum honors the following on your behalf, per Shopify’s Protected Customer Data agreements:
- Data-access requests from your customers — on receipt of Shopify’s
customers/data_requestwebhook, we compile and return the data we hold about the customer within 30 days. - Deletion requests from your customers — on receipt of Shopify’s
customers/redactwebhook, we delete the data within 30 days. - Uninstall deletion — on receipt of Shopify’s
shop/redactwebhook (fired 48 hours after you uninstall the Brunel Momentum app), we delete every shop-scoped record we hold.
6. Data storage + security
All data is stored in AWS (Aurora Postgres, ca-central-1). Data is encrypted at rest using AWS KMS and in transit using TLS 1.2+. Sensitive fields (banking, government IDs) are additionally encrypted at the application layer using AES-256-GCM. Access is role-based, scoped per merchant, and logged.
Backups are automated daily, retained for 7 days, and encrypted. Staging and production data are stored in separate database clusters.
7. Sub-processors
We rely on the following sub-processors to operate our service. Each is bound by their own data protection commitments:
- Amazon Web Services — hosting, database, backups
- Mapbox — geocoding + navigation
- SendGrid — transactional email
- Twilio — transactional SMS
- Helcim — payment processing
8. Access controls + incident response
Access to production data by Brunel Momentum employees is limited by role and audit-logged. We maintain an incident response plan and disclose data-security incidents to affected merchants within 72 hours of confirmation. Reach our security team at security@brunelmomentum.ai.
9. Your rights
You can request a copy of your data, correct it, or delete it at any time by emailing privacy@brunelmomentum.ai. We respond within 30 days.
10. Changes to this policy
Material changes will be announced by email to merchant account owners at least 30 days before they take effect.
11. Contact
Brunel Momentum Inc.
Privacy: privacy@brunelmomentum.ai
Security: security@brunelmomentum.ai
General: hello@brunelmomentum.ai
