DutyFlow
Get started free
Back to home
Legal

Privacy Policy

How DutyFlow collects, uses, and protects your personal data.

Last updated: June 21, 2026

1. Introduction

This Privacy Policy explains how DutyFlow (“DutyFlow”, “we”, “us”, or “our”) processes personal data when you use our customs duty and import tax calculation platform, including our website at DutyFlow.com, our web application, and our REST API (collectively, the “Service”).

DutyFlow is a business-to-business (B2B) tool used by e-commerce companies, importers, exporters, and logistics providers. We are committed to processing personal data in accordance with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and other applicable data protection laws.

2. Data Controller

For the purposes of the GDPR, the data controller responsible for your personal data is the operator of DutyFlow. You can contact our Data Protection Officer (DPO) at any time:

Service: DutyFlow

Website: DutyFlow.com

Data Protection Officer: contact.dutyflow@gmail.com

3. Data We Collect

We collect the following categories of personal data:

3.1 Account data

When you register, we collect your name, email address, hashed password, company name (optional), and billing details. Payment card data is collected and processed directly by Stripe and is never stored on our servers.

3.2 Usage data

We collect technical data generated when you use the Service: IP address, browser type, device information, pages visited, API endpoints called, request volumes, timestamps, and diagnostic logs.

3.3 HTS query & transaction data

When you use the calculator or API, we process the data you submit for each lookup: HTS codes, product descriptions, declared values, countries of origin and destination, and the resulting duty, VAT/GST, and landed-cost calculations. This data is associated with your account so we can provide history, reporting, and billing. It is business data and generally does not identify individuals, but it may be linked to your account holder identity.

4. Purposes of Processing

  • To create and administer your account and authenticate access.
  • To provide the core Service: calculating duties, taxes, and landed costs.
  • To meter API usage, enforce plan limits, and bill you for paid subscriptions.
  • To provide customer support and respond to your requests.
  • To maintain security, prevent fraud and abuse, and ensure service reliability.
  • To improve and develop new features through aggregated, statistical analysis.
  • To send service-related and, where permitted, marketing communications.
  • To comply with legal, accounting, and tax obligations.

6. Sharing With Third Parties

We do not sell your personal data. We share data only with vetted sub-processors who act on our instructions under data processing agreements:

ProviderPurposeData shared
StripePayment processing & subscription billingName, email, billing details, payment card data
ResendTransactional & account emailsName, email address

We may also disclose data to hosting and infrastructure providers, and where required to comply with a legal obligation, court order, or to protect our rights and the safety of our users.

7. International Transfers

Some of our sub-processors are located outside the European Economic Area. Where personal data is transferred internationally, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework, to ensure your data receives an equivalent level of protection.

8. Data Retention

  • Account data: for the lifetime of your account, then deleted within 90 days of account closure.
  • HTS query & transaction history: retained for the duration of your subscription to provide reporting; deletable on request.
  • Usage & diagnostic logs: typically retained for up to 12 months.
  • Invoicing & accounting records: retained for the period required by applicable tax law (generally up to 10 years).

9. Your Rights

Under the GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Rectification of inaccurate or incomplete data.
  • Erasure (“right to be forgotten”), subject to legal retention obligations.
  • Restriction of processing in certain circumstances.
  • Data portability — receive your data in a structured, machine-readable format.
  • Object to processing based on legitimate interests or direct marketing.
  • Withdraw consent at any time, without affecting prior processing.

To exercise any of these rights, contact contact.dutyflow@gmail.com. You also have the right to lodge a complaint with your local supervisory authority (in France, the CNIL).

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect, to request deletion, to correct inaccurate information, and to opt out of the “sale” or “sharing” of personal information. DutyFlow does not sell personal information. We will not discriminate against you for exercising your privacy rights. To make a request, contact contact.dutyflow@gmail.com.

11. Cookies & Tracking

We use strictly necessary cookies to keep you signed in and to secure the Service. With your consent, we may use analytics cookies to understand how the Service is used so we can improve it. You can manage non-essential cookies through your browser settings or our cookie banner. Disabling strictly necessary cookies may prevent parts of the Service from functioning.

12. Security

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS), hashed passwords, access controls, and least-privilege practices for our sub-processors. No method of transmission or storage is completely secure, but we continuously work to protect your information and will notify you and the relevant authorities of any breach as required by law.

13. Children

The Service is a B2B product intended for businesses and is not directed at children. We do not knowingly collect personal data from anyone under the age of 16. If you believe a minor has provided us with personal data, please contact us so we can delete it.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you by email or through the Service. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

15. Contact & DPO

For any privacy questions or to exercise your rights, contact our Data Protection Officer:

contact.dutyflow@gmail.com