Version 2.0 — Effective April 13, 2026
We collect the following categories of information: (a) Account information: name, email address, company name, industry, and role when you register; (b) Lookup and classification data: product descriptions, HTS codes, origin/destination countries, duty rates, GRI analyses, and classification confidence scores; (c) Shipment data: shipment dates, invoice values, transport modes, and landed cost calculations; (d) Payment information: processed securely by Stripe — we do not store credit card numbers; (e) Usage analytics: features used, lookup frequency, module access patterns, and session data; (f) Technical data: IP address, browser type, device information, and access timestamps for security and performance; (g) Team data: team member names, emails, roles, and invitation status; (h) API and webhook data: API key metadata (keys are stored hashed), webhook endpoints, and event delivery logs; (i) Terms acceptance records: version accepted, timestamp, IP address, and user agent.
We use your information to: provide, maintain, and improve the Service; process tariff classifications using AI; cache lookup results for performance and accuracy improvement; send transactional emails (account notifications, tariff alerts, invitation emails, flag notifications); analyze usage patterns to improve AI classification accuracy; enforce rate limits and prevent abuse; process payments and manage subscriptions; facilitate team collaboration and Client Portal features; run automated tariff monitoring (alerts, Shopify sync, cron jobs); generate compliance logs and audit trails; and comply with legal obligations.
We do not sell your personal data or lookup data to third parties. We share data only with the sub-processors necessary to provide the Service, listed here, and as required by law, legal process, or government request. The sub-processors are: Anthropic (AI classification processing — product descriptions are sent to the Claude API for classification; Anthropic does not use API inputs to train models); Supabase (PostgreSQL database hosting, user authentication, and row-level security enforcement); Vercel (application hosting, serverless function execution, and cron job scheduling); Stripe (payment processing, subscription management, and billing portal); and Resend (transactional email delivery for alerts, invitations, and notifications). Each sub-processor processes data only as necessary to provide its service to us and is contractually bound to protect your data.
When you connect your Shopify store to TariffIQ, we request the following permissions: read_products (to sync your product catalog for classification), write_products (to write HS code and duty rate metafields back to your products), and read_inventory (to prioritize classification of in-stock products). We do NOT request access to your orders, customers, or payment data. Data we collect from Shopify: product titles, descriptions, product types, vendors, tags, variant prices, cost per item, weights, dimensions, images, and inventory quantities. How we use Shopify data: to classify products with HS tariff codes, calculate import duty rates and real profit margins, monitor tariff rate changes affecting your products, recommend price adjustments to maintain target margins, and send alerts when tariff changes impact your products. Shopify data is stored encrypted in our Supabase database. Your Shopify access token is encrypted with AES-256-GCM at rest and is never logged or exposed. We write HS codes back to your Shopify products as metafields under the namespace "tariffiq" — this does not modify your product titles, descriptions, prices, or any other existing data unless you explicitly use the price adjustment feature. You can disconnect your Shopify store at any time from the TariffIQ dashboard. Disconnecting revokes our access token and deletes all synced product data from our systems. You can also uninstall the app from your Shopify admin, which triggers automatic cleanup of all stored data via our GDPR-compliant data deletion webhook.
When you use the Amazon FBA Calculator, we collect: product descriptions, sale prices, cost of goods, origin countries, weight, dimensions, and product categories that you manually enter. We do not connect to Amazon Seller Central or access any Amazon account data. Amazon product calculations are saved to your TariffIQ account if you are authenticated, or to browser localStorage if using the public calculator. No Amazon customer data, order data, or account credentials are collected or stored. The public Amazon FBA Calculator at /tools/amazon-fba-calculator is accessible without authentication and is rate-limited to 3 calculations per hour by IP address.
If you are a customs broker using the Client Portal feature, you act as a data controller for the client data you share through the portal. We act as a data processor on your behalf. Portal data includes: client names, email addresses, company names, tariff classifications and duty rates shared with clients, and portal usage analytics (views, exports, searches). Portal clients who create accounts provide: email address and a password (hashed with SHA-256 and a server-side salt). We store session tokens for portal authentication with a 30-day expiry. Portal analytics track: page views, lookup views, exports, and search activity — attributed to the client and visible to the broker. Brokers are responsible for ensuring they have appropriate authorization to share classification data with their clients through the portal.
Your lookup queries (product descriptions, HTS codes, origins, destinations) are sent to Anthropic's Claude API for AI-powered classification. Anthropic's API terms state that API inputs and outputs are not used to train their models. Your lookup data is stored in our database to: provide classification history and compliance logs; improve our prompt engineering and result caching systems; and generate aggregate, anonymized accuracy metrics. We do not share individual lookup records with other customers or third parties. Classification results may be cached to improve performance for similar queries across all users, but cached results do not contain personally identifiable information.
We retain your data as follows: Account data is retained for the duration of your active account. Lookup history and classification records are retained for the life of your account plus 90 days after deletion. Compliance log records are retained for 7 years to support customs audit requirements. Terms acceptance records are retained for 7 years for legal compliance. Portal analytics data is retained for 12 months on a rolling basis. Shopify product data is deleted immediately upon disconnecting your store or uninstalling the app. API keys and webhook configurations are deleted immediately upon account closure. Login event logs are retained for 12 months for security purposes. You may request deletion of your data at any time by contacting privacy@tariffmind.ai. Upon receiving a valid deletion request, we will delete your personal data within 30 days, except where retention is required by law.
We implement industry-standard security measures including: TLS encryption for all data in transit; row-level security (RLS) on our Supabase database ensuring you can only access your own data; hashed API keys (never stored in plaintext); encrypted Shopify access tokens (AES-256-GCM); rate limiting on all API endpoints to prevent abuse; HMAC-SHA256 signed webhooks; secure session management with expiry for portal authentication; Content Security Policy, HSTS, and X-Frame-Options headers on all pages; and regular security reviews. Admin access requires a verified admin role and is logged in an audit trail. We promptly notify affected users of any data breach affecting personal information, in accordance with applicable data breach notification laws.
We use: session cookies for authentication (managed by Supabase Auth); functional cookies to maintain your session state across pages; and localStorage for client-side preferences and portal session tokens. We do not use third-party advertising cookies, tracking pixels, or behavioral analytics cookies. We do not use Google Analytics or similar third-party analytics services. You can disable cookies in your browser, but this will prevent authentication and core Service functionality.
Your data is processed and stored in the United States. Our sub-processors (Supabase, Vercel, Anthropic, Stripe, Resend) primarily operate infrastructure in the United States. If you are located outside the United States (including in the European Economic Area, United Kingdom, or other jurisdictions with data transfer restrictions), your data will be transferred to and processed in the United States. We rely on the following safeguards for international transfers: Standard Contractual Clauses (SCCs) with our sub-processors where required; our sub-processors' own compliance frameworks (e.g., Stripe's and Vercel's data processing agreements); and contractual commitments in our agreements with sub-processors to maintain appropriate security measures.
Depending on your jurisdiction, you may have the following rights regarding your personal data: Right to access — request a copy of the personal data we hold about you; Right to rectification — correct inaccurate or incomplete data; Right to deletion — request deletion of your account and personal data; Right to data portability — receive your data in a structured, machine-readable format (CSV or JSON export); Right to restrict processing — request that we limit how we use your data; Right to object — object to processing based on legitimate interests; Right to withdraw consent — where processing is based on consent; Right to non-discrimination — we will not discriminate against you for exercising your privacy rights. For California residents (CCPA/CPRA): We do not sell personal information. We do not share personal information for cross-context behavioral advertising. You may designate an authorized agent to make requests on your behalf. To exercise any of these rights, contact privacy@tariffmind.ai. We will respond within 30 days (or sooner if required by applicable law). We may request identity verification before processing your request.
If you are a business customer requiring a Data Processing Agreement (DPA) for GDPR compliance or other regulatory requirements, we offer a standard DPA that covers: the categories of personal data processed; the purposes and duration of processing; our obligations as a data processor; sub-processor management and notification; data breach notification procedures; and audit rights. Contact legal@tariffmind.ai to request a DPA.
The Service uses AI-powered automated processing to generate tariff classifications, duty rate calculations, and trade compliance assessments. These automated outputs are decision-support tools and are not intended to be the sole basis for customs filing decisions. You have the right to: request human review of any AI-generated classification; understand the general logic behind AI classifications (GRI analysis and reasoning are provided with each classification); and override or disregard AI-generated outputs at your discretion. We do not make fully automated decisions that produce legal effects or similarly significant effects on you without human involvement.
TariffMind AI is a professional B2B service not directed at children under 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child under 18, we will promptly delete it.
We may update this Privacy Policy to reflect changes in our practices, the Service, or applicable law. We will notify you of material changes via email and require re-acceptance through the platform before you can continue using the Service. Non-material changes will be posted on this page with an updated effective date. We encourage you to review this policy periodically.
Privacy questions or data requests: privacy@tariffmind.ai — Data Protection Officer: legal@tariffmind.ai — TariffMind AI Inc., Fort Lauderdale, FL, United States