GDPR-compliant shipment tracking for EU businesses
If your e-commerce business operates in the EU, GDPR is not an optional feature — it's the law. Every third-party service that processes personal data must be compliant. Shipment tracking providers process tracking numbers, customer references, and potentially delivery addresses — all personal data under the GDPR definition.
This article covers what to look for when evaluating a tracking provider from a GDPR perspective.
Data residency: where your data is stored
The GDPR does not outright prohibit data transfers outside the EU, but it makes them significantly more complicated. The simplest path to compliance: choose a provider that stores and processes all data within the EU/EEA. This eliminates the need for Standard Contractual Clauses (SCCs), Transfer Impact Assessments (TIAs), and the ongoing legal uncertainty around international data transfers.
When evaluating a provider, ask specifically:
- Where are your application servers located?
- Where is the database hosted, and in which region?
- Do you use any sub-processors outside the EU/EEA?
- Does any employee outside the EU have access to production data?
Sub-processor transparency
Your tracking provider likely uses its own service providers: cloud hosting, databases, email delivery, error monitoring. Under the GDPR, you have the right to know who these sub-processors are and where they are located. A compliant provider publishes a sub-processor list and notifies you before adding new ones.
Data minimization
Article 5(1)(c) of the GDPR requires that personal data be adequate, relevant, and limited to what is necessary for the processing purpose. A shipment monitoring service needs tracking numbers and carrier identifiers. It may need customer references for your internal correlation. It does not need customer email addresses, phone numbers, full delivery addresses, or order contents.
Data retention and deletion
How long does the provider keep shipment data after monitoring is complete? Under the GDPR, data should not be retained longer than necessary for its purpose. A delivered shipment does not need to be stored indefinitely. Look for providers that offer configurable retention periods or automatic deletion of completed shipment data.
Tenant isolation
In a multi-tenant SaaS application, your data is stored alongside other customers' data. Proper tenant isolation ensures that no API call, database query, or application bug can expose one tenant's data to another. This is both a security best practice and a GDPR requirement under Article 32 (security of processing).
Third-party scripts and tracking pages
Some tracking providers offer customer-facing tracking pages or embeddable widgets. These often load third-party scripts: analytics, advertising pixels, CDN resources from US servers. Every third-party script that processes visitor data is a potential GDPR issue. The cleanest approach: use a provider that does not inject third-party tracking scripts.
A compliance checklist for choosing a provider
How ShipTriage handles GDPR compliance
ShipTriage is built and hosted entirely within the EU. The application runs on Vercel (EU region), and the PostgreSQL database is hosted on Neon (EU region). There are no US-based sub-processors in the data path. The application does not load any third-party analytics, advertising, or tracking scripts — no Google Analytics, no Facebook Pixel, nothing.
Tenant isolation is enforced at the database level. Every query is scoped to the authenticated tenant. API keys are hashed with SHA-256 before storage. Session cookies are used only for authentication, with no tracking cookies. The service collects tracking numbers, customer references, and carrier status data — nothing more.
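As an added illustration (not ShipTriage's code), the Python below uses an in-memory SQLite table as a stand-in for the tenant-scoped PostgreSQL model described above and in the data minimization and retention sections: API keys stored only as SHA-256 digests, every query scoped to the tenant resolved from the credential, and automatic deletion of delivered shipments past a retention window. The schema, tenant ids, keys and shipment rows are constructed for the example.

```python
import hashlib
import secrets
import sqlite3
from datetime import datetime, timedelta, timezone

# Added illustration, not ShipTriage code: an in-memory SQLite stand-in for a
# multi-tenant shipments table. Schema, tenant ids and rows are constructed.
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE tenants (id TEXT PRIMARY KEY, api_key_hash TEXT UNIQUE NOT NULL);
CREATE TABLE shipments (tenant_id TEXT NOT NULL REFERENCES tenants(id),
  tracking_number TEXT NOT NULL, customer_ref TEXT, status TEXT NOT NULL,
  delivered_at TEXT, PRIMARY KEY (tenant_id, tracking_number));
""")

def hash_key(api_key: str) -> str:
    # A high-entropy random key can be stored as a plain SHA-256 digest; the
    # plaintext is shown to the customer once and never persisted.
    return hashlib.sha256(api_key.encode()).hexdigest()

def tenant_for_key(api_key: str):
    row = db.execute("SELECT id FROM tenants WHERE api_key_hash = ?",
                     (hash_key(api_key),)).fetchone()
    return row[0] if row else None

def get_shipment(api_key: str, tracking_number: str):
    # Every data query carries the tenant resolved from the credential, so a
    # tracking number that belongs to another tenant is simply not found.
    tenant = tenant_for_key(api_key)
    if tenant is None:
        return None
    return db.execute(
        "SELECT tracking_number, customer_ref, status FROM shipments "
        "WHERE tenant_id = ? AND tracking_number = ?",
        (tenant, tracking_number)).fetchone()

def purge_delivered(retention_days: int) -> int:
    # Retention: delivered shipments older than the window are deleted outright.
    cutoff = (datetime.now(timezone.utc) - timedelta(days=retention_days)).isoformat()
    cur = db.execute("DELETE FROM shipments WHERE status = 'delivered' "
                     "AND delivered_at < ?", (cutoff,))
    db.commit()
    return cur.rowcount

# Constructed sample data: two tenants, one shipment each, minimal fields only.
KEY_A, KEY_B = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
db.executemany("INSERT INTO tenants VALUES (?, ?)",
               [("tenant-a", hash_key(KEY_A)), ("tenant-b", hash_key(KEY_B))])
db.executemany("INSERT INTO shipments VALUES (?, ?, ?, ?, ?)", [
    ("tenant-a", "TRK-A-0001", "order-1001", "in_transit", None),
    ("tenant-b", "TRK-B-0001", "order-2002", "delivered", "2024-01-01T00:00:00+00:00")])
```

Note that no query path exists that takes a tracking number without a tenant, which is the property a reviewer should look for when assessing isolation claims.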
For EU e-commerce businesses, choosing a GDPR-compliant tracking provider is not just a legal obligation. It is a competitive advantage. Your customers and their data protection officers want to see that you take data protection seriously.
EU-hosted shipment monitoring with no third-party trackers
ShipTriage keeps your shipment data in the EU. No analytics scripts, no data exports.