
Privacy Policy

Last Updated: March 2026

1. Who We Are

DutyDeclared Limited ("DutyDeclared", "we", "us", "our") is a UK-registered company that provides a customs declaration management platform for UK imports.

Company name: DutyDeclared Limited
Companies House number: 16188124
Registered address: 45 Pall Mall, London, SW1Y 5JG, United Kingdom
Website: https://dutydeclared.com
Platform URL: https://app.dutydeclared.com
Data protection contact: privacy@dutydeclared.com

We are the data controller for the personal data described in this policy, meaning we determine the purposes and means of processing your personal data.

Where we process personal data contained within customs declarations on behalf of our business customers (importers, exporters, and customs agents), we may act as a data processor on their behalf. In those cases, our customers are the data controllers and are responsible for ensuring they have a lawful basis to provide that data to us.

2. What Personal Data We Collect

We collect and process the following categories of personal data.

2.1 Account Data

When you register for a DutyDeclared account, we collect:

  • Identity data: Full name, profile image
  • Contact data: Email address (used as your unique account identifier), phone number
  • Account data: Email verification status, onboarding completion status
  • Authentication data: Password (hashed and stored by our authentication provider, Supabase — we never have access to your plaintext password), session tokens

2.2 Lead and Enquiry Data

When you submit an enquiry or register interest through our website, we collect:

  • Identity data: First name, last name
  • Contact data: Email address, phone number
  • Business data: Company name
  • Technical data: Session ID (for form tracking)

You are asked to provide explicit consent when submitting the lead form by ticking a checkbox confirming: "I agree that DutyDeclared may collect and process my personal data in accordance with the Privacy Policy."

2.3 Organisation and Workspace Data

When you set up or join an organisation (workspace) on our platform, the following data is collected:

  • Business identity: Company name, email domain
  • Business contact: Address, city, country, postcode, phone number
  • Regulatory identifiers: EORI number
  • Account details: Subscription status, plan type, feature flags

Some of this data may include personal data where the organisation is a sole trader or the details relate to an identifiable individual.

2.4 Customs Declaration Data

When you create customs declarations on our platform, the following data is collected:

  • Exporter details: Name, EORI number, tax ID, full address
  • Importer details: Name, EORI number, tax ID, full address
  • Goods information: Product descriptions, HS codes, values, quantities, origins, weights
  • Transport details: Mode of transport, transport identifiers
  • Payment configuration: Duty payment method preferences
  • Supporting documents: Commercial invoices, packing lists (stored in Google Cloud Storage)
  • Collaboration messages: Team messages within the declaration workspace

2.5 Payment Data

We use Stripe to process subscription payments. We store:

  • Stripe identifiers: Stripe customer ID, subscription ID, price ID, subscription status

We do not store your credit card numbers, bank account details, or other sensitive payment information. All payment data is processed by Stripe in accordance with PCI DSS.

2.6 AI Chat Data (HSGenie)

  • Chat messages: Questions about commodity codes and AI responses
  • Session data: Anonymous session ID or workspace user ID
  • Classification data: Commodity codes discussed
  • Feedback data: Optional feedback ratings on AI responses

2.7 Technical and Usage Data

Server-side product event data (no consent required): When you take actions on our platform, our servers log structured product events (user ID, workspace ID, action type). This data is sent directly to Amplitude and does not involve placing anything on your device. It is collected on the basis of legitimate interests.

Client-side interaction data (analytics cookies, consent required): If you accept analytics cookies, we collect richer behavioural data through Amplitude (page views, UI patterns). If declined, none of this is collected.

Log data: Server logs and error reports generated for security monitoring. These may incidentally contain IP addresses.

3. How We Use Your Personal Data

We only process your personal data where we have a lawful basis to do so under UK GDPR.

3.1 Processing Activities and Lawful Bases

Processing Activity | Categories of Data | Lawful Basis | Details
Creating and managing your account | Account, identity, contact | Contract | Necessary to provide you with access to our service.
Submitting declarations to HMRC | Declaration, goods, documents | Legal Obligation; Contract | Required by UK customs law; necessary to deliver core service.
Subscription payments | Payment, contact | Contract | Necessary to process subscription and collect payment.
Server-side product event logging | User ID, workspace ID, actions | Legitimate Interest | Understanding platform usage to operate and improve it. Server-to-server.
Client-side product analytics | Page views, UI interactions | Consent | Activated only after accepting cookies.

3.2 Automated Decision-Making

Our AI-powered features use automated processing to suggest data values. These suggestions are not binding decisions — they are presented as recommendations that you review and confirm. No solely automated decisions with legal or significant effects are made about you.

4. Who We Share Your Data With

4.1 HMRC

When you submit a customs declaration, the data is transmitted to HMRC via the Customs Declaration Service (CDS) API. This sharing is a legal requirement.

Recipient: HMRC Customs Declaration Service (CDS)
Data shared: Full declaration XML (EORI, addresses, goods, values)
Basis: Legal obligation and contract performance

4.2 Data Processors

Service Provider | Purpose | Location
Supabase | Authentication and database hosting | EU
Google Cloud Platform | Application hosting, file storage, KMS | UK (London)
Stripe | Subscription payment processing | EU/US
OpenAI | AI document extraction & classification | US
Loops | Email marketing & transactional | US

6. How We Keep Your Data Secure

Technical Measures

  • Encryption in transit: HTTPS/TLS for all data.
  • Encryption at rest: Database and Cloud Storage encryption.
  • Token encryption: OAuth tokens encrypted via Google Cloud KMS with HSM.
  • Input validation: Strict schemas (Zod) at API boundaries.

Organisational Measures

  • RBAC: 8 distinct workspace roles to ensure appropriate access.
  • Data isolation: Strict multi-tenant isolation.
  • Audit trail: Immutable records of declaration submissions.
  • Secure development: TypeScript strict mode, linting, reviews.

7. How Long We Keep Your Data

Data Category | Retention Period
Account data | Duration of account + 12 months after closure
Customs declaration data | At least 4 years from declaration date (HMRC requirement)
Payment records | 7 years for tax and accounting
Server logs | 90 days

8. Your Rights Under UK GDPR

Right of access (Art. 15)

You can view much of your data directly in the portal. For a full SAR, email privacy@dutydeclared.com

Right to erasure (Art. 17)

Email privacy@dutydeclared.com. Note: we may need to retain certain data for legal reasons (e.g., submitted declarations).

Right to object & withdraw consent

You can object to processing based on legitimate interests or withdraw consent via platform controls or email.

Right to Lodge a Complaint

If unhappy, you can contact the Information Commissioner's Office (ICO):

Web: https://ico.org.uk

Helpline: 0303 123 1113

9. Cookies

Category | Purpose | Consent
Strictly necessary | Required for platform function (authentication, security via Supabase). | No
Analytics | Help us understand interactions to improve the platform (Amplitude). | Yes

12. How to Contact Us

Data Protection, DutyDeclared Limited
45 Pall Mall, London, SW1Y 5JG, United Kingdom