1. Introduction
This Privacy Policy explains how DutyFlow (“DutyFlow”, “we”, “us”, or “our”) processes personal data when you use our customs duty and import tax calculation platform, including our website at DutyFlow.com, our web application, and our REST API (collectively, the “Service”).
DutyFlow is a business-to-business (B2B) tool used by e-commerce companies, importers, exporters, and logistics providers. We are committed to processing personal data in accordance with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and other applicable data protection laws.
2. Data Controller
For the purposes of the GDPR, the data controller responsible for your personal data is the operator of DutyFlow. You can contact our Data Protection Officer (DPO) at any time:
3. Data We Collect
We collect the following categories of personal data:
3.1 Account data
When you register, we collect your name, email address, hashed password, company name (optional), and billing details. Payment card data is collected and processed directly by Stripe and is never stored on our servers.
3.2 Usage data
We collect technical data generated when you use the Service: IP address, browser type, device information, pages visited, API endpoints called, request volumes, timestamps, and diagnostic logs.
3.3 HTS query & transaction data
When you use the calculator or API, we process the data you submit for each lookup: HTS codes, product descriptions, declared values, countries of origin and destination, and the resulting duty, VAT/GST, and landed-cost calculations. This data is associated with your account so we can provide history, reporting, and billing. It is business data and generally does not identify individuals, but it may be linked to your account holder identity.
4. Purposes of Processing
- To create and administer your account and authenticate access.
- To provide the core Service: calculating duties, taxes, and landed costs.
- To meter API usage, enforce plan limits, and bill you for paid subscriptions.
- To provide customer support and respond to your requests.
- To maintain security, prevent fraud and abuse, and ensure service reliability.
- To improve and develop new features through aggregated, statistical analysis.
- To send service-related and, where permitted, marketing communications.
- To comply with legal, accounting, and tax obligations.
5. Legal Basis (GDPR Art. 6)
We rely on the following legal bases under Article 6(1) GDPR:
- Contract (Art. 6(1)(b)): to provide the Service, manage your account, and process payments.
- Legitimate interests (Art. 6(1)(f)): to secure the Service, prevent abuse, analyse usage, and improve our product — balanced against your rights and freedoms.
- Legal obligation (Art. 6(1)(c)): to retain invoicing and accounting records as required by law.
- Consent (Art. 6(1)(a)): for non-essential cookies and optional marketing emails, which you may withdraw at any time.
7. International Transfers
Some of our sub-processors are located outside the European Economic Area. Where personal data is transferred internationally, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework, to ensure your data receives an equivalent level of protection.
8. Data Retention
- Account data: for the lifetime of your account, then deleted within 90 days of account closure.
- HTS query & transaction history: retained for the duration of your subscription to provide reporting; deletable on request.
- Usage & diagnostic logs: typically retained for up to 12 months.
- Invoicing & accounting records: retained for the period required by applicable tax law (generally up to 10 years).
9. Your Rights
Under the GDPR, you have the right to:
- Access the personal data we hold about you.
- Rectification of inaccurate or incomplete data.
- Erasure (“right to be forgotten”), subject to legal retention obligations.
- Restriction of processing in certain circumstances.
- Data portability — receive your data in a structured, machine-readable format.
- Object to processing based on legitimate interests or direct marketing.
- Withdraw consent at any time, without affecting prior processing.
To exercise any of these rights, contact contact.dutyflow@gmail.com. You also have the right to lodge a complaint with your local supervisory authority (in France, the CNIL).
10. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the right to know what personal information we collect, to request deletion, to correct inaccurate information, and to opt out of the “sale” or “sharing” of personal information. DutyFlow does not sell personal information. We will not discriminate against you for exercising your privacy rights. To make a request, contact contact.dutyflow@gmail.com.
12. Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS), hashed passwords, access controls, and least-privilege practices for our sub-processors. No method of transmission or storage is completely secure, but we continuously work to protect your information and will notify you and the relevant authorities of any breach as required by law.
13. Children
The Service is a B2B product intended for businesses and is not directed at children. We do not knowingly collect personal data from anyone under the age of 16. If you believe a minor has provided us with personal data, please contact us so we can delete it.
14. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you by email or through the Service. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.
15. Contact & DPO
For any privacy questions or to exercise your rights, contact our Data Protection Officer:
contact.dutyflow@gmail.com