Privacy Policy

1. Information We Collect

1.1 Personal Information

When you create an account, we collect:

• Account Information: Name, email address, company name
• Authentication Data: Password (encrypted), MFA secrets
• Contact Information: Email for notifications and support

1.2 Business Information

To provide our services, we collect:

• Certificate Data: Export/import information, product details, HS codes
• Evidence Files: Documents you upload for compliance
• Digital Signatures: Signature information and timestamps
• Compliance Records: Audit logs and activity history

1.3 Technical Information

We automatically collect:

• Usage Data: Pages visited, features used, time spent
• Device Information: IP address, browser type, operating system
• Log Data: Server logs, error reports, performance metrics
• Cookies: Session cookies for authentication and preferences

2. How We Use Your Information

2.1 Service Provision

• Generate and manage Certificates of Origin
• Process digital signatures and compliance documents
• Store and organize your evidence files
• Provide analytics and reporting features
• Maintain your account and preferences

2.2 Communication

• Send service-related notifications
• Provide customer support
• Send security alerts and updates
• Notify you of changes to our service

2.3 Service Improvement

• Analyze usage patterns to improve our service
• Develop new features and functionality
• Ensure system security and performance
• Conduct research and analytics (anonymized)

2.4 Legal Compliance

• Comply with applicable laws and regulations
• Respond to legal requests and court orders
• Protect our rights and prevent fraud
• Maintain audit trails for compliance purposes

3. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA), we process your personal data based on:

3.1 Contract Performance

We process your data to provide our services under our Terms of Service agreement.

3.2 Legitimate Interests

We process data for our legitimate business interests, including:

• Improving our service quality
• Preventing fraud and abuse
• Ensuring system security
• Analyzing usage patterns

3.3 Consent

We may process certain data based on your explicit consent, which you can withdraw at any time.

3.4 Legal Obligation

We may process data to comply with legal obligations, such as tax reporting or audit requirements.

4. Information Sharing and Disclosure

4.1 We Do Not Sell Your Data

We never sell, rent, or trade your personal information to third parties.

4.2 Limited Sharing

We may share your information only in these limited circumstances:

• Service Providers: Trusted third parties who help us operate our service (hosting, analytics, email)
• Legal Requirements: When required by law or to protect our rights
• Business Transfers: In connection with a merger, acquisition, or sale of assets
• Your Consent: When you explicitly authorize sharing

4.3 Data Processing Agreements

All third-party service providers are bound by strict data processing agreements that require them to:

• Use your data only for specified purposes
• Implement appropriate security measures
• Not disclose your data to other parties
• Delete data when services are terminated

5. Data Security

5.1 Security Measures

We implement industry-standard security measures:

• Encryption: Data encrypted in transit (TLS) and at rest (AES-256)
• Access Controls: Role-based access and multi-factor authentication
• Network Security: Firewalls, intrusion detection, and monitoring
• Regular Audits: Security assessments and penetration testing
• Staff Training: Regular security awareness training

5.2 Data Breach Response

In the unlikely event of a data breach, we will:

• Notify affected users within 72 hours (GDPR requirement)
• Notify relevant authorities as required by law
• Provide detailed information about the breach
• Take immediate steps to contain and remediate
• Offer support and guidance to affected users

6. Your Rights and Choices

6.1 Access and Portability

• Access your personal data we hold
• Download your data in a portable format
• Request a copy of your certificates and documents

6.2 Correction and Updates

• Correct inaccurate personal information
• Update your account information
• Modify your preferences and settings

6.3 Deletion and Restriction

• Request deletion of your personal data
• Restrict processing of your data
• Object to certain types of processing

6.4 Consent Withdrawal

• Withdraw consent for data processing
• Opt out of marketing communications
• Manage cookie preferences

7. Data Retention

7.1 Retention Periods

We retain your data for different periods depending on the type:

• Account Data: Until account deletion or 3 years of inactivity
• Certificate Data: 7 years (typical business record retention)
• Audit Logs: 3 years for security and compliance
• Support Communications: 2 years after resolution

7.2 Legal Requirements

Some data may be retained longer if required by:

• Applicable laws and regulations
• Legal proceedings or investigations
• Business compliance requirements
• Tax and financial reporting obligations

7.3 Secure Deletion

When data is deleted, we use secure deletion methods to ensure it cannot be recovered.

8. International Data Transfers

8.1 Data Location

Your data is primarily stored in secure data centers. We may transfer data internationally to provide our services.

8.2 Adequacy Decisions

We ensure appropriate safeguards for international transfers, including:

• Standard Contractual Clauses (SCCs)
• Adequacy decisions by the European Commission
• Certification schemes and codes of conduct

8.3 Cross-Border Compliance

We comply with applicable data protection laws in all jurisdictions where we operate.

9. Cookies and Tracking

9.1 Types of Cookies

• Essential Cookies: Required for basic site functionality
• Authentication Cookies: Remember your login session
• Preference Cookies: Remember your settings and choices
• Analytics Cookies: Help us understand site usage (anonymized)

9.2 Cookie Management

You can control cookies through:

• Your browser settings
• Our cookie preference center
• Opt-out mechanisms for analytics

9.3 Third-Party Services

We may use third-party services that set their own cookies. These services have their own privacy policies.

10. Children's Privacy

Our service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If we become aware that we have collected such information, we will take steps to delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by:

• Email notification to your registered email address
• Prominent notice on our website
• In-app notification when you log in

Your continued use of our service after changes become effective constitutes acceptance of the updated policy.

12. Contact Information

If you have questions about this Privacy Policy or our data practices, please contact us: