Privacy Policy
Last updated: 2026-06-28
This Privacy Policy explains how MentisLeap LLC (“Pick Up My Files,” “we,” “us,” or “our”), a Wyoming limited liability company, collects, uses, shares, and protects personal data across:
- The marketing website at pickupmyfiles.com
- The seller platform at app.pickupmyfiles.com
- Buyer download pages generated on behalf of sellers (e.g., secure.pickupmyfiles.com/d/…)
These are three distinct surfaces with three distinct audiences. This policy covers all of them.
1. Who We Are (Data Controller)
MentisLeap LLC is the data controller for personal data collected from:
- Marketing site visitors
- Sellers (account holders and team members)
For buyer data (download page visitors), MentisLeap LLC acts as a data processor on behalf of the seller, who is the data controller. Sellers determine how download pages are configured, what events are forwarded, and whether email capture is enabled. If you are a buyer with questions about how the seller uses your data, contact them directly via Etsy.
Contact: privacy@pickupmyfiles.com Postal: 1021 E Lincolnway Suite #6605, Cheyenne, Wyoming 82001, United States
2. Marketing Site Visitors
2.1 What We Collect
When you visit pickupmyfiles.com, we and our analytics partners automatically collect:
| Data | Source |
|---|---|
| IP address (truncated by GA4 by default) | Server logs / analytics |
| Browser type and version | Analytics SDK |
| Operating system and device type | Analytics SDK |
| Pages visited, time on page, referrer URL | Analytics SDK |
| Mouse movements, scrolls, clicks, rage clicks, session recordings | Microsoft Clarity |
| Geographic region (country / city, derived from IP) | Analytics SDK |
| Interaction with forms (fields filled — no passwords) | Microsoft Clarity |
2.2 Cookies and Tracking on the Marketing Site
| Cookie / Tag | Provider | Purpose | Duration |
|---|---|---|---|
_ga, _ga_* | Google Analytics 4 | Site analytics — traffic, pages, engagement metrics | 2 years |
_clck, _clsk, CLID | Microsoft Clarity | Session recording, heatmaps, UX analysis | 1 year / session |
_fbp, _fbc | Meta (Facebook) | Conversion tracking and audience building for PUMF’s own ads | 3 months |
| Pinterest tag cookies | Conversion tracking for PUMF’s own Pinterest ad campaigns | 6 months |
What these do not do: We do not use cookies to track you across unrelated websites. Meta and Pinterest cookies are used to measure the effectiveness of Pick Up My Files’ own advertising campaigns, not to build third-party ad profiles.
Managing cookies: You can control cookies via your browser settings. Disabling analytics cookies does not affect your ability to browse the site. See Section 9 for your rights.
2.3 How We Use Marketing Site Data
- Measure which content and traffic sources bring the most engaged visitors
- Identify UX friction points to improve the site
- Measure the effectiveness of our own advertising campaigns
- Comply with legal obligations
We do not sell marketing site visitor data to any third party.
3. Sellers (Account Holders and Team Members)
3.1 What We Collect
When you create and use a Pick Up My Files account, we collect:
| Category | Examples |
|---|---|
| Identity | Name, email address, profile picture (from Google/Etsy OAuth if used) |
| Credentials | Hashed password (never stored in plain text); OAuth tokens for connected providers |
| Etsy data | Shop name and ID, listing titles and descriptions, product categories, sale/order data (used for analytics and ad event forwarding) |
| Google data | Google account email (if OAuth login used); Google Drive file metadata and access tokens for files you designate for delivery |
| Billing data | Stripe Customer ID, subscription plan and status, billing history. Full payment card details are held exclusively by Stripe — we never see or store card numbers |
| Usage data | Features used, pages built, API calls made, error events, login timestamps |
| Communications | Emails you send to support; chat logs if you contact us via live chat |
| Analytics | GA4 events in the seller app (same data categories as Section 2.1 above); Microsoft Clarity session recordings in the seller app |
3.2 How We Use Seller Data
| Purpose | Lawful Basis (GDPR) |
|---|---|
| Providing the service (account management, page builder, PDF generation, Etsy sync, file delivery) | Contract performance |
| Processing payments via Stripe | Contract performance |
| Sending transactional emails (payment receipts, sync failures, password reset, grace-period notices) | Contract performance / Legitimate interest |
| Providing customer support | Contract performance / Legitimate interest |
| Analytics to improve the platform (GA4, Clarity) | Legitimate interest |
| Sending product updates and marketing emails (only with consent; unsubscribe at any time) | Consent |
| Complying with legal obligations (tax records, fraud prevention) | Legal obligation |
| Protecting the security and integrity of the platform | Legitimate interest |
3.3 Team Members
Team members are invited to access an account by the account Owner. We collect the team member’s name and email address to manage their invitation and access. Team members’ data is processed under the same terms as account holders. Access is limited to features defined by their assigned role; team members never access the Owner’s payment information or OAuth credentials for connected services.
3.4 Connected Account Data
When you connect Etsy, Google Drive, MailChimp, MailerLite, Meta Ads, or Google Ads, we access those services using OAuth tokens you grant. Specifically:
- Etsy: We read shop, listing, and order data. We write (upload, replace, delete) PDF files on your listings on your instruction or as part of the automated PDF management service
- Google Drive: We read metadata and content of files you designate. Files are served to buyers via our proxy — buyers never receive a direct Drive link
- MailChimp / MailerLite: We forward buyer email addresses captured on your download pages to the list you designate. We do not store buyer emails for marketing use beyond your own configured list
- Meta Ads / Google Ads: We forward conversion events on your behalf as described in Section 4.3. You control which accounts receive events in your dashboard settings
- Google Ads / Pinterest Ads: Same as above
We do not access connected accounts for any purpose beyond providing the services you have configured.
4. Buyers (Download Page Visitors)
Buyers are people who arrive at a Pick Up My Files download page after purchasing a digital product on Etsy from a seller who uses our platform. Buyers do not have an account with us and do not agree to our Terms of Use.
We process buyer data as a data processor acting on the seller’s behalf. The seller is the data controller for buyer data.
4.1 What We Collect from Buyers
| Data | How It’s Used |
|---|---|
| IP address | Download page serving; fraud prevention; geographic analytics for the seller |
| Browser type, device type, operating system | Page rendering and seller analytics |
| Timestamp of visit and download events | Seller analytics (visits, downloads) |
| Pages visited within the download page (blocks interacted with) | Seller analytics |
| Email address (if buyer submits the email-capture form) | Forwarded to seller’s connected email platform (MailChimp or MailerLite); also logged in seller analytics |
| HTTP referrer | Seller analytics (how buyers reached the page) |
We do not require buyers to create an account, and we do not use buyer data for our own marketing.
4.2 How Buyer Data Is Used
- Delivering the purchased files to the buyer (the primary purpose of the page)
- Seller analytics: providing the seller with download counts, visit statistics, and email capture rates
- Ad conversion event forwarding (see Section 4.3 below)
4.3 Ad Conversion Event Forwarding
If the seller has connected a Meta Ads or Google Ads account, we forward buyer engagement events (page visit, file download, email signup) and purchase-proxy events (anchored to Etsy order receipts) to that seller’s ad account.
What data is included in forwarded events:
The event payload sent to Meta (via Conversions API) and Google (via Google Ads Conversion API) may include:
- IP address
- Browser user agent
- Browser cookies set by Meta or Google scripts on the page (click IDs,
fbp/fbcvalues) - Hashed email address (if the buyer has submitted an email via the capture form, or if Etsy order data includes an email and Etsy has permitted us to use it)
- Page URL of the download page
These fields are sent because Meta and Google require some or all of them for their respective Conversions API integrations. We do not send more data than each platform’s API requires. We do not transmit buyer financial data, Etsy order value, or file content.
Important: data sent to the seller’s Meta or Google ad account is governed by Meta’s and Google’s own privacy policies, and by the seller’s obligations to their buyers. Pick Up My Files acts as a technical conduit; the seller is responsible for having appropriate legal basis to collect and forward this data under applicable law.
Google Consent Mode v2: For download pages served to visitors in the European Economic Area (EEA), we implement Google Consent Mode v2, which limits how Google processes data until/unless the visitor provides consent. Where the seller’s ad forwarding requires consent under GDPR (e.g., Meta pixel events), we apply geographic gating so the consent mechanism is shown only to visitors who require it.
4.4 Buyer Data Retention
- Download and visit event logs are retained for 24 months, then deleted
- Buyer email addresses captured via the email-capture form are retained as long as the seller’s account is active, and deleted within 90 days of the seller’s account closure
- Etsy order receipt data used for purchase event deduplication is retained for 24 months
5. How We Share Data
We do not sell personal data. We share data only as follows:
5.1 Service Providers (Sub-processors)
We use the following third-party service providers who process data on our behalf:
| Provider | Purpose | Location |
|---|---|---|
| Stripe, Inc. | Payment processing, subscription management | US (PCI-DSS compliant) |
| Resend, Inc. | Transactional email delivery (to sellers) | US |
| Google LLC | GA4 analytics; Google Drive integration; Google OAuth; Google Ads event forwarding (to seller’s account) | US / EEA data residency options |
| Microsoft Corporation | Clarity session recording and heatmaps | US |
| Meta Platforms, Inc. | Ad conversion event forwarding to seller’s Meta account; Meta pixel on marketing site | US |
| Pinterest, Inc. | Ad tracking on marketing site | US |
| Etsy, Inc. | Shop and listing data sync; PDF file upload/management; order data for analytics | US |
| MailChimp (Intuit Inc.) | Forwarding buyer emails to seller’s MailChimp list | US |
| MailerLite UAB | Forwarding buyer emails to seller’s MailerLite list | Lithuania / US |
| Amazon Web Services / Cloudflare | Infrastructure, CDN, storage | US / Global |
We enter into data processing agreements with each sub-processor as required by GDPR.
5.2 Sellers (For Buyer Data)
Seller-configured events and captured buyer emails are shared with the seller through our analytics dashboard and forwarded to their connected third-party accounts (email platforms, ad platforms) as described above.
5.3 Legal Requirements
We may disclose personal data if required by law, regulation, valid legal process (court order, subpoena), or government request, or if we believe in good faith that disclosure is necessary to protect rights, property, or safety.
5.4 Business Transfers
If MentisLeap LLC is acquired, merged, or sells substantially all of its assets, personal data may be transferred as part of that transaction. We will notify affected users by email before data is transferred under a materially different privacy policy.
6. Cookies in Detail
6.1 Essential Cookies
These cookies are necessary for the platform to function. They cannot be disabled without breaking core functionality.
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie (Laravel Sanctum) | Seller authentication session | Browser session / up to 2 weeks (remember-me) |
| CSRF token | Security — prevents cross-site request forgery | Browser session |
| Cookie consent preference | Remembers your consent decision | 12 months |
6.2 Analytics Cookies (Marketing Site + Seller App)
| Cookie | Provider | Purpose |
|---|---|---|
_ga, _ga_[ID] | Google Analytics 4 | Unique visitor identification; session tracking; behavioral analytics |
_clck, _clsk, CLID | Microsoft Clarity | Session recording; heatmap aggregation; user behavior analysis |
These cookies are set when you first visit the site. You can opt out of GA4 using the Google Analytics Opt-out Browser Add-on. You can opt out of Clarity by visiting Microsoft’s privacy dashboard.
6.3 Marketing Cookies (Marketing Site Only)
These cookies are only set on [pickupmyfiles.com], not in the seller app or on buyer download pages.
| Cookie | Provider | Purpose |
|---|---|---|
_fbp, _fbc | Meta (Facebook) | Measuring effectiveness of Pick Up My Files’ own Facebook/Instagram ad campaigns |
| Pinterest tag cookies | Measuring effectiveness of Pick Up My Files’ own Pinterest ad campaigns |
6.4 Managing Cookies
- Browser settings: You can block or delete cookies in your browser settings. Note that blocking essential cookies will prevent login and core platform functions
- Do Not Track: We respect browser Do Not Track (DNT) signals for analytics cookies where technically feasible
- Cookie consent banner: A cookie consent banner is presented to visitors from regions where consent is required by law (EEA, UK). You may withdraw consent at any time by clicking “Cookie Settings” in the site footer
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Seller account data | Active while account is open + 90 days after final cutoff or account closure, then permanently deleted |
| Billing and transaction records | 7 years from the transaction date (legal / tax obligation) |
| Email and support communications | 3 years from last communication |
| Buyer download / visit event logs | 24 months from the event |
| Buyer email captures | Active while seller’s account is active + 90 days after account closure |
| Etsy order data (dedup records) | 24 months |
| GA4 analytics data | As configured in our GA4 property (standard: 14 months; Google’s data retention settings) |
| Clarity session recordings | 30 days (Clarity’s default); aggregated heatmap data is retained longer |
8. Data Security
We implement industry-standard security measures including:
- Encryption in transit: TLS 1.2+ on all surfaces
- Encryption at rest: databases and file storage are encrypted at rest
- Authentication security: hashed passwords (bcrypt), short-lived OAuth tokens, CSRF protection, secure session cookies (HttpOnly, SameSite)
- Access controls: least-privilege database access; seller accounts are isolated by multi-tenancy controls
- File proxying: your Google Drive files are never exposed directly to buyers — all downloads route through our server, so Drive links and credentials remain private
- Monitoring: application errors and anomalies are logged and reviewed; Stripe handles PCI-DSS compliance for payment data
No system is perfectly secure. In the event of a data breach affecting your personal data, we will notify affected users and relevant supervisory authorities as required by applicable law.
9. Your Rights
9.1 All Users
You may:
- Access the personal data we hold about you
- Correct inaccurate data
- Delete your account (subject to legal retention obligations in Section 7)
- Export your data in a portable format (account data and analytics)
- Unsubscribe from marketing emails at any time via the unsubscribe link in any email or by emailing privacy@pickupmyfiles.com
9.2 EEA / UK / Swiss Users (GDPR and equivalent)
If you are located in the EEA, UK, or Switzerland, you have additional rights under GDPR (or the UK GDPR / Swiss DPA):
- Right of access (Art. 15): Receive a copy of the personal data we process about you
- Right to rectification (Art. 16): Have inaccurate data corrected
- Right to erasure / “right to be forgotten” (Art. 17): Request deletion of your data where we have no overriding legal basis to retain it
- Right to restriction of processing (Art. 18): Request that we limit how we use your data while a dispute is resolved
- Right to data portability (Art. 20): Receive your data in a machine-readable format
- Right to object (Art. 21): Object to processing based on legitimate interests, including profiling
- Rights related to automated decision-making (Art. 22): We do not make solely automated decisions with significant legal effects on individuals
To exercise any right: email privacy@pickupmyfiles.com with your name, account email, and a description of the request. We will respond within 30 days.
Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority. In the EEA, find your authority at edpb.europa.eu/about-edpb/about-edpb/members_en. In the UK, contact the ICO.
9.3 Lawful Bases for Processing (GDPR)
| Processing Activity | Lawful Basis |
|---|---|
| Providing the subscription service | Art. 6(1)(b) — Contract performance |
| Processing payments | Art. 6(1)(b) — Contract performance |
| Transactional emails | Art. 6(1)(b) — Contract performance |
| Platform security and fraud prevention | Art. 6(1)(f) — Legitimate interest |
| Analytics (GA4, Clarity) in seller app | Art. 6(1)(f) — Legitimate interest |
| Analytics cookies on marketing site | Art. 6(1)(a) — Consent (where required by law) |
| Marketing emails to sellers | Art. 6(1)(a) — Consent |
| Buyer file delivery (contractual necessity basis) | Art. 6(1)(b) — Contract performance (the seller’s contract with the buyer) |
| Ad event forwarding (buyer data) | Art. 6(1)(a) — Consent (where required; geo-gated) / Art. 6(1)(f) — Legitimate interest (where consent not required) |
| Retaining billing records | Art. 6(1)(c) — Legal obligation |
9.4 California Residents (CCPA)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) / CPRA:
- Right to know: What categories and specific pieces of personal data we collect about you, and how we use and share it
- Right to delete: Request deletion of personal data we hold about you, subject to exceptions
- Right to correct: Request correction of inaccurate personal data
- Right to opt out of sale or sharing: We do not sell personal data, and we do not share it for cross-context behavioral advertising beyond what is described in this policy
- Right to non-discrimination: We will not discriminate against you for exercising CCPA rights
To exercise CCPA rights, contact us at [privacy@pickupmyfiles.com] with the subject “CCPA Request.”
10. International Data Transfers
MentisLeap LLC is based in the United States. If you are located outside the US, your data is transferred to and processed in the US.
For EEA/UK users, transfers to the US rely on:
- Standard Contractual Clauses (SCCs) adopted by the European Commission (for transfers to our US sub-processors)
- The sub-processor’s participation in the EU-US Data Privacy Framework (where applicable)
We enter into data processing agreements with all sub-processors that include appropriate transfer mechanisms.
11. Children’s Privacy
The platform is intended for business use by persons aged 18 and older. We do not knowingly collect personal data from anyone under 18. If we become aware that a person under 18 has created an account, we will delete that account and its associated data promptly.
If you believe a minor has used the platform, please notify us at privacy@pickupmyfiles.com.
12. Third-Party Links
The marketing site and seller platform may contain links to third-party websites (including Etsy, Google, Meta, and others). We are not responsible for the privacy practices of those sites. We encourage you to review the privacy policy of any site you visit.
13. Changes to This Policy
We may update this Privacy Policy at any time. We will notify you of material changes by email (for registered users) and by posting a notice on the site at least 14 days before the change takes effect.
The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the platform after the effective date of a revised policy constitutes acceptance of the changes.
14. Contact
For privacy questions, data subject requests, or to exercise your rights:
MentisLeap LLC Wyoming, USA Email: privacy@pickupmyfiles.com Support: support@pickupmyfiles.com
For legal matters related to these policies: Email: legal@pickupmyfiles.com