Privacy Policy

Last updated: 2026-06-28

This Privacy Policy explains how MentisLeap LLC (“Pick Up My Files,” “we,” “us,” or “our”), a Wyoming limited liability company, collects, uses, shares, and protects personal data across:

  1. The marketing website at pickupmyfiles.com
  2. The seller platform at app.pickupmyfiles.com
  3. Buyer download pages generated on behalf of sellers (e.g., secure.pickupmyfiles.com/d/…)

These are three distinct surfaces with three distinct audiences. This policy covers all of them.

1. Who We Are (Data Controller)

MentisLeap LLC is the data controller for personal data collected from:

  • Marketing site visitors
  • Sellers (account holders and team members)

For buyer data (download page visitors), MentisLeap LLC acts as a data processor on behalf of the seller, who is the data controller. Sellers determine how download pages are configured, what events are forwarded, and whether email capture is enabled. If you are a buyer with questions about how the seller uses your data, contact them directly via Etsy.

Contact: privacy@pickupmyfiles.com Postal: 1021 E Lincolnway Suite #6605, Cheyenne, Wyoming 82001, United States

2. Marketing Site Visitors

2.1 What We Collect

When you visit pickupmyfiles.com, we and our analytics partners automatically collect:

DataSource
IP address (truncated by GA4 by default)Server logs / analytics
Browser type and versionAnalytics SDK
Operating system and device typeAnalytics SDK
Pages visited, time on page, referrer URLAnalytics SDK
Mouse movements, scrolls, clicks, rage clicks, session recordingsMicrosoft Clarity
Geographic region (country / city, derived from IP)Analytics SDK
Interaction with forms (fields filled — no passwords)Microsoft Clarity

2.2 Cookies and Tracking on the Marketing Site

Cookie / TagProviderPurposeDuration
_ga_ga_*Google Analytics 4Site analytics — traffic, pages, engagement metrics2 years
_clck_clskCLIDMicrosoft ClaritySession recording, heatmaps, UX analysis1 year / session
_fbp_fbcMeta (Facebook)Conversion tracking and audience building for PUMF’s own ads3 months
Pinterest tag cookiesPinterestConversion tracking for PUMF’s own Pinterest ad campaigns6 months

What these do not do: We do not use cookies to track you across unrelated websites. Meta and Pinterest cookies are used to measure the effectiveness of Pick Up My Files’ own advertising campaigns, not to build third-party ad profiles.

Managing cookies: You can control cookies via your browser settings. Disabling analytics cookies does not affect your ability to browse the site. See Section 9 for your rights.

2.3 How We Use Marketing Site Data

  • Measure which content and traffic sources bring the most engaged visitors
  • Identify UX friction points to improve the site
  • Measure the effectiveness of our own advertising campaigns
  • Comply with legal obligations

We do not sell marketing site visitor data to any third party.

3. Sellers (Account Holders and Team Members)

3.1 What We Collect

When you create and use a Pick Up My Files account, we collect:

CategoryExamples
IdentityName, email address, profile picture (from Google/Etsy OAuth if used)
CredentialsHashed password (never stored in plain text); OAuth tokens for connected providers
Etsy dataShop name and ID, listing titles and descriptions, product categories, sale/order data (used for analytics and ad event forwarding)
Google dataGoogle account email (if OAuth login used); Google Drive file metadata and access tokens for files you designate for delivery
Billing dataStripe Customer ID, subscription plan and status, billing history. Full payment card details are held exclusively by Stripe — we never see or store card numbers
Usage dataFeatures used, pages built, API calls made, error events, login timestamps
CommunicationsEmails you send to support; chat logs if you contact us via live chat
AnalyticsGA4 events in the seller app (same data categories as Section 2.1 above); Microsoft Clarity session recordings in the seller app

3.2 How We Use Seller Data

PurposeLawful Basis (GDPR)
Providing the service (account management, page builder, PDF generation, Etsy sync, file delivery)Contract performance
Processing payments via StripeContract performance
Sending transactional emails (payment receipts, sync failures, password reset, grace-period notices)Contract performance / Legitimate interest
Providing customer supportContract performance / Legitimate interest
Analytics to improve the platform (GA4, Clarity)Legitimate interest
Sending product updates and marketing emails (only with consent; unsubscribe at any time)Consent
Complying with legal obligations (tax records, fraud prevention)Legal obligation
Protecting the security and integrity of the platformLegitimate interest

3.3 Team Members

Team members are invited to access an account by the account Owner. We collect the team member’s name and email address to manage their invitation and access. Team members’ data is processed under the same terms as account holders. Access is limited to features defined by their assigned role; team members never access the Owner’s payment information or OAuth credentials for connected services.

3.4 Connected Account Data

When you connect Etsy, Google Drive, MailChimp, MailerLite, Meta Ads, or Google Ads, we access those services using OAuth tokens you grant. Specifically:

  • Etsy: We read shop, listing, and order data. We write (upload, replace, delete) PDF files on your listings on your instruction or as part of the automated PDF management service
  • Google Drive: We read metadata and content of files you designate. Files are served to buyers via our proxy — buyers never receive a direct Drive link
  • MailChimp / MailerLite: We forward buyer email addresses captured on your download pages to the list you designate. We do not store buyer emails for marketing use beyond your own configured list
  • Meta Ads / Google Ads: We forward conversion events on your behalf as described in Section 4.3. You control which accounts receive events in your dashboard settings
  • Google Ads / Pinterest Ads: Same as above

We do not access connected accounts for any purpose beyond providing the services you have configured.

4. Buyers (Download Page Visitors)

Buyers are people who arrive at a Pick Up My Files download page after purchasing a digital product on Etsy from a seller who uses our platform. Buyers do not have an account with us and do not agree to our Terms of Use.

We process buyer data as a data processor acting on the seller’s behalf. The seller is the data controller for buyer data.

4.1 What We Collect from Buyers

DataHow It’s Used
IP addressDownload page serving; fraud prevention; geographic analytics for the seller
Browser type, device type, operating systemPage rendering and seller analytics
Timestamp of visit and download eventsSeller analytics (visits, downloads)
Pages visited within the download page (blocks interacted with)Seller analytics
Email address (if buyer submits the email-capture form)Forwarded to seller’s connected email platform (MailChimp or MailerLite); also logged in seller analytics
HTTP referrerSeller analytics (how buyers reached the page)

We do not require buyers to create an account, and we do not use buyer data for our own marketing.

4.2 How Buyer Data Is Used

  • Delivering the purchased files to the buyer (the primary purpose of the page)
  • Seller analytics: providing the seller with download counts, visit statistics, and email capture rates
  • Ad conversion event forwarding (see Section 4.3 below)

4.3 Ad Conversion Event Forwarding

If the seller has connected a Meta Ads or Google Ads account, we forward buyer engagement events (page visit, file download, email signup) and purchase-proxy events (anchored to Etsy order receipts) to that seller’s ad account.

What data is included in forwarded events:

The event payload sent to Meta (via Conversions API) and Google (via Google Ads Conversion API) may include:

  • IP address
  • Browser user agent
  • Browser cookies set by Meta or Google scripts on the page (click IDs, fbp/fbc values)
  • Hashed email address (if the buyer has submitted an email via the capture form, or if Etsy order data includes an email and Etsy has permitted us to use it)
  • Page URL of the download page

These fields are sent because Meta and Google require some or all of them for their respective Conversions API integrations. We do not send more data than each platform’s API requires. We do not transmit buyer financial data, Etsy order value, or file content.

Important: data sent to the seller’s Meta or Google ad account is governed by Meta’s and Google’s own privacy policies, and by the seller’s obligations to their buyers. Pick Up My Files acts as a technical conduit; the seller is responsible for having appropriate legal basis to collect and forward this data under applicable law.

Google Consent Mode v2: For download pages served to visitors in the European Economic Area (EEA), we implement Google Consent Mode v2, which limits how Google processes data until/unless the visitor provides consent. Where the seller’s ad forwarding requires consent under GDPR (e.g., Meta pixel events), we apply geographic gating so the consent mechanism is shown only to visitors who require it.

4.4 Buyer Data Retention

  • Download and visit event logs are retained for 24 months, then deleted
  • Buyer email addresses captured via the email-capture form are retained as long as the seller’s account is active, and deleted within 90 days of the seller’s account closure
  • Etsy order receipt data used for purchase event deduplication is retained for 24 months

5. How We Share Data

We do not sell personal data. We share data only as follows:

5.1 Service Providers (Sub-processors)

We use the following third-party service providers who process data on our behalf:

ProviderPurposeLocation
Stripe, Inc.Payment processing, subscription managementUS (PCI-DSS compliant)
Resend, Inc.Transactional email delivery (to sellers)US
Google LLCGA4 analytics; Google Drive integration; Google OAuth; Google Ads event forwarding (to seller’s account)US / EEA data residency options
Microsoft CorporationClarity session recording and heatmapsUS
Meta Platforms, Inc.Ad conversion event forwarding to seller’s Meta account; Meta pixel on marketing siteUS
Pinterest, Inc.Ad tracking on marketing siteUS
Etsy, Inc.Shop and listing data sync; PDF file upload/management; order data for analyticsUS
MailChimp (Intuit Inc.)Forwarding buyer emails to seller’s MailChimp listUS
MailerLite UABForwarding buyer emails to seller’s MailerLite listLithuania / US
Amazon Web Services / CloudflareInfrastructure, CDN, storageUS / Global

We enter into data processing agreements with each sub-processor as required by GDPR.

5.2 Sellers (For Buyer Data)

Seller-configured events and captured buyer emails are shared with the seller through our analytics dashboard and forwarded to their connected third-party accounts (email platforms, ad platforms) as described above.

5.3 Legal Requirements

We may disclose personal data if required by law, regulation, valid legal process (court order, subpoena), or government request, or if we believe in good faith that disclosure is necessary to protect rights, property, or safety.

5.4 Business Transfers

If MentisLeap LLC is acquired, merged, or sells substantially all of its assets, personal data may be transferred as part of that transaction. We will notify affected users by email before data is transferred under a materially different privacy policy.

6. Cookies in Detail

6.1 Essential Cookies

These cookies are necessary for the platform to function. They cannot be disabled without breaking core functionality.

CookiePurposeDuration
Session cookie (Laravel Sanctum)Seller authentication sessionBrowser session / up to 2 weeks (remember-me)
CSRF tokenSecurity — prevents cross-site request forgeryBrowser session
Cookie consent preferenceRemembers your consent decision12 months

6.2 Analytics Cookies (Marketing Site + Seller App)

CookieProviderPurpose
_ga_ga_[ID]Google Analytics 4Unique visitor identification; session tracking; behavioral analytics
_clck_clskCLIDMicrosoft ClaritySession recording; heatmap aggregation; user behavior analysis

These cookies are set when you first visit the site. You can opt out of GA4 using the Google Analytics Opt-out Browser Add-on. You can opt out of Clarity by visiting Microsoft’s privacy dashboard.

6.3 Marketing Cookies (Marketing Site Only)

These cookies are only set on [pickupmyfiles.com], not in the seller app or on buyer download pages.

CookieProviderPurpose
_fbp_fbcMeta (Facebook)Measuring effectiveness of Pick Up My Files’ own Facebook/Instagram ad campaigns
Pinterest tag cookiesPinterestMeasuring effectiveness of Pick Up My Files’ own Pinterest ad campaigns

6.4 Managing Cookies

  • Browser settings: You can block or delete cookies in your browser settings. Note that blocking essential cookies will prevent login and core platform functions
  • Do Not Track: We respect browser Do Not Track (DNT) signals for analytics cookies where technically feasible
  • Cookie consent banner: A cookie consent banner is presented to visitors from regions where consent is required by law (EEA, UK). You may withdraw consent at any time by clicking “Cookie Settings” in the site footer

7. Data Retention

Data TypeRetention Period
Seller account dataActive while account is open + 90 days after final cutoff or account closure, then permanently deleted
Billing and transaction records7 years from the transaction date (legal / tax obligation)
Email and support communications3 years from last communication
Buyer download / visit event logs24 months from the event
Buyer email capturesActive while seller’s account is active + 90 days after account closure
Etsy order data (dedup records)24 months
GA4 analytics dataAs configured in our GA4 property (standard: 14 months; Google’s data retention settings)
Clarity session recordings30 days (Clarity’s default); aggregated heatmap data is retained longer

8. Data Security

We implement industry-standard security measures including:

  • Encryption in transit: TLS 1.2+ on all surfaces
  • Encryption at rest: databases and file storage are encrypted at rest
  • Authentication security: hashed passwords (bcrypt), short-lived OAuth tokens, CSRF protection, secure session cookies (HttpOnly, SameSite)
  • Access controls: least-privilege database access; seller accounts are isolated by multi-tenancy controls
  • File proxying: your Google Drive files are never exposed directly to buyers — all downloads route through our server, so Drive links and credentials remain private
  • Monitoring: application errors and anomalies are logged and reviewed; Stripe handles PCI-DSS compliance for payment data

No system is perfectly secure. In the event of a data breach affecting your personal data, we will notify affected users and relevant supervisory authorities as required by applicable law.

9. Your Rights

9.1 All Users

You may:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your account (subject to legal retention obligations in Section 7)
  • Export your data in a portable format (account data and analytics)
  • Unsubscribe from marketing emails at any time via the unsubscribe link in any email or by emailing privacy@pickupmyfiles.com

9.2 EEA / UK / Swiss Users (GDPR and equivalent)

If you are located in the EEA, UK, or Switzerland, you have additional rights under GDPR (or the UK GDPR / Swiss DPA):

  • Right of access (Art. 15): Receive a copy of the personal data we process about you
  • Right to rectification (Art. 16): Have inaccurate data corrected
  • Right to erasure / “right to be forgotten” (Art. 17): Request deletion of your data where we have no overriding legal basis to retain it
  • Right to restriction of processing (Art. 18): Request that we limit how we use your data while a dispute is resolved
  • Right to data portability (Art. 20): Receive your data in a machine-readable format
  • Right to object (Art. 21): Object to processing based on legitimate interests, including profiling
  • Rights related to automated decision-making (Art. 22): We do not make solely automated decisions with significant legal effects on individuals

To exercise any right: email privacy@pickupmyfiles.com with your name, account email, and a description of the request. We will respond within 30 days.

Right to lodge a complaint: You have the right to lodge a complaint with your local data protection supervisory authority. In the EEA, find your authority at edpb.europa.eu/about-edpb/about-edpb/members_en. In the UK, contact the ICO.

9.3 Lawful Bases for Processing (GDPR)

Processing ActivityLawful Basis
Providing the subscription serviceArt. 6(1)(b) — Contract performance
Processing paymentsArt. 6(1)(b) — Contract performance
Transactional emailsArt. 6(1)(b) — Contract performance
Platform security and fraud preventionArt. 6(1)(f) — Legitimate interest
Analytics (GA4, Clarity) in seller appArt. 6(1)(f) — Legitimate interest
Analytics cookies on marketing siteArt. 6(1)(a) — Consent (where required by law)
Marketing emails to sellersArt. 6(1)(a) — Consent
Buyer file delivery (contractual necessity basis)Art. 6(1)(b) — Contract performance (the seller’s contract with the buyer)
Ad event forwarding (buyer data)Art. 6(1)(a) — Consent (where required; geo-gated) / Art. 6(1)(f) — Legitimate interest (where consent not required)
Retaining billing recordsArt. 6(1)(c) — Legal obligation

9.4 California Residents (CCPA)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) / CPRA:

  • Right to know: What categories and specific pieces of personal data we collect about you, and how we use and share it
  • Right to delete: Request deletion of personal data we hold about you, subject to exceptions
  • Right to correct: Request correction of inaccurate personal data
  • Right to opt out of sale or sharing: We do not sell personal data, and we do not share it for cross-context behavioral advertising beyond what is described in this policy
  • Right to non-discrimination: We will not discriminate against you for exercising CCPA rights

To exercise CCPA rights, contact us at [privacy@pickupmyfiles.com] with the subject “CCPA Request.”

10. International Data Transfers

MentisLeap LLC is based in the United States. If you are located outside the US, your data is transferred to and processed in the US.

For EEA/UK users, transfers to the US rely on:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission (for transfers to our US sub-processors)
  • The sub-processor’s participation in the EU-US Data Privacy Framework (where applicable)

We enter into data processing agreements with all sub-processors that include appropriate transfer mechanisms.

11. Children’s Privacy

The platform is intended for business use by persons aged 18 and older. We do not knowingly collect personal data from anyone under 18. If we become aware that a person under 18 has created an account, we will delete that account and its associated data promptly.

If you believe a minor has used the platform, please notify us at privacy@pickupmyfiles.com.

12. Third-Party Links

The marketing site and seller platform may contain links to third-party websites (including Etsy, Google, Meta, and others). We are not responsible for the privacy practices of those sites. We encourage you to review the privacy policy of any site you visit.

13. Changes to This Policy

We may update this Privacy Policy at any time. We will notify you of material changes by email (for registered users) and by posting a notice on the site at least 14 days before the change takes effect.

The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the platform after the effective date of a revised policy constitutes acceptance of the changes.

14. Contact

For privacy questions, data subject requests, or to exercise your rights:

MentisLeap LLC Wyoming, USA Email: privacy@pickupmyfiles.com Support: support@pickupmyfiles.com

For legal matters related to these policies: Email: legal@pickupmyfiles.com