Privacy Policy
DutyDeclared Limited — Customs Declaration Management Platform
Last Updated: February 2026
1. Who We Are
DutyDeclared Limited is a UK-registered company providing a customs declaration management platform. Our platform enables businesses to prepare, validate, and submit customs declarations to HMRC's Customs Declaration Service (CDS).
| Detail | Value |
|---|---|
| Company name | DutyDeclared Limited |
| Companies House number | 16188124 |
| Registered address | 45 Pall Mall, London, SW1Y 5JG, United Kingdom |
| Website | https://dutydeclared.com |
| Platform URL | https://app.dutydeclared.com |
| Data protection contact | privacy@dutydeclared.com |
| Data Protection Officer | [TO BE CONFIRMED] |
| ICO registration number | [TO BE CONFIRMED] |
For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, DutyDeclared Limited is the data controller for the personal data we collect about you when you use our platform, visit our website, or communicate with us.
When we process customs declaration data on your behalf for submission to HMRC, we act as a data processor under your instructions. In this capacity, we process the data solely for the purpose of facilitating your customs declarations and in accordance with applicable data protection legislation.
2. What Personal Data We Collect
We collect different categories of personal data depending on how you interact with our platform. Below is a detailed breakdown of each category.
2.1 Account Data
When you create an account on DutyDeclared, we collect the following data:
- Identity data: Full name, profile image (if provided)
- Contact data: Email address, phone number (if provided)
- Account data: Email verification status, onboarding progress, account preferences
- Authentication data: Password (hashed and managed by Supabase; we never store or have access to plaintext passwords), session tokens, authentication provider details
2.2 Lead and Enquiry Data
When you submit an enquiry or request access via our website, we collect:
- Identity data: Full name
- Contact data: Email address, phone number
- Business data: Company name, customs activity type, estimated declaration volume
- Technical data: Consent checkbox status, submission timestamp, source URL
We collect this data based on your explicit consent, indicated by the consent checkbox on our enquiry form.
2.3 Organisation and Workspace Data
When you set up an organisation or workspace, we collect:
- Business identity: Organisation name, trading name
- Contact details: Business email, phone number, registered address
- Regulatory identifiers: EORI number, deferment account numbers
- Account details: Workspace name, team member roles, invitation records
2.4 Customs Declaration Data
When you create and submit customs declarations through our platform, we process the following data, which may include personal data:
- Exporter/Importer details: Names, addresses, EORI numbers, contact information
- Goods information: Commodity codes, descriptions, values, quantities, country of origin
- Transport details: Mode of transport, carrier information, route details
- Payment configuration: Method of payment, deferment account references
- Supporting documents: Uploaded files (invoices, licences, certificates), document metadata
- Collaboration messages: Internal notes and messages between team members working on declarations
2.5 Payment Data
Payment processing is handled entirely by Stripe. We store only:
- Stripe customer identifier
- Stripe subscription identifier
- Subscription status and plan details
We do not store credit card numbers, CVVs, or full payment card details. Stripe maintains PCI DSS Level 1 compliance for all payment data processing.
2.6 AI Chat Data (HSGenie)
When you use our AI-powered commodity classification feature (HSGenie), we collect:
- Chat messages: Your questions and descriptions of goods
- Session data: Conversation history within a session
- Classification data: Suggested HS codes and classification reasoning
- Feedback data: Any feedback you provide on classification suggestions
2.7 Technical and Usage Data
We collect technical data in two ways:
- Server-side product events (no consent required): We log key product events server-side (e.g., declaration submitted, workspace created) for essential platform operations, security, and service improvement. These events are processed under our legitimate interest and do not require cookie consent.
- Client-side interaction data (consent required): With your consent, we collect browser-based analytics data such as page views, feature usage patterns, and UI interactions. This data is collected via Amplitude and requires your explicit cookie consent.
- Log data: IP addresses (anonymised where possible), browser type, operating system, referring URLs, access times, and error logs for system reliability and security purposes.
3. How We Use Your Personal Data
3.1 Processing Activities and Lawful Bases
The following table sets out the main ways we process your personal data and the lawful basis for each:
| Processing Activity | Categories of Data | Lawful Basis | Details |
|---|---|---|---|
| Account management | Identity, Contact, Account, Authentication | Contract performance (Art. 6(1)(b)) | Necessary to provide you with access to the platform |
| Customs declaration processing | Declaration data, Organisation data | Contract performance (Art. 6(1)(b)) | Core service delivery: preparing and submitting declarations to HMRC |
| Payment processing | Payment data (Stripe identifiers) | Contract performance (Art. 6(1)(b)) | Processing subscription payments for the service |
| AI classification features (HSGenie) | AI Chat data, goods descriptions | Contract performance (Art. 6(1)(b)) | Providing AI-assisted commodity classification as part of the service |
| Lead and enquiry management | Lead data (identity, contact, business) | Consent (Art. 6(1)(a)) | Responding to your enquiry and providing information about our services |
| Server-side analytics | Product events, usage data | Legitimate interest (Art. 6(1)(f)) | Understanding platform usage to maintain and improve our service |
| Client-side analytics | Browser interaction data | Consent (Art. 6(1)(a)) | Analysing user interactions to improve the user experience |
| Product improvement | Aggregated/anonymised usage data | Legitimate interest (Art. 6(1)(f)) | Improving features, performance, and reliability of our platform |
| Email marketing | Contact data | Consent (Art. 6(1)(a)) or Legitimate interest for existing customers (soft opt-in under PECR) | Sending product updates, tips, and marketing communications |
| Security and fraud prevention | Technical data, log data, authentication data | Legitimate interest (Art. 6(1)(f)) | Protecting our platform and users from unauthorised access and misuse |
| Legal obligations | All categories as required | Legal obligation (Art. 6(1)(c)) | Complying with applicable laws, regulations, and regulatory requirements |
3.2 Automated Decision-Making
Our AI features (including HSGenie) provide suggestions and recommendations to assist you with commodity classification. They are suggestions only: no automated decisions with legal or similarly significant effects are made without human review. You always retain full control over the data submitted in your customs declarations.
4. Who We Share Your Data With
4.1 HMRC
When you submit a customs declaration, the full declaration data is transmitted to HMRC via the Customs Declaration Service (CDS) API. This is a legal requirement for customs declarations in the United Kingdom. HMRC acts as an independent data controller for the data it receives.
4.2 Data Processors
We use the following third-party service providers who process personal data on our behalf:
| Service Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Authentication and database | Account data, authentication data, all platform data | EU |
| Google Cloud Platform | Hosting, storage, and KMS | All platform data, encryption keys | europe-west2 (London, UK) |
| Stripe | Payment processing | Payment data, billing information | EU/US |
| Amplitude | Product analytics | Usage data, product events | EU server zone |
| Pirsch | Website analytics | Anonymised website traffic data | EU |
| OpenAI | AI classification features | Chat messages, goods descriptions | US |
| LangSmith | AI observability and monitoring | AI interaction logs, performance data | US |
| Llama OCR | PDF data extraction | Uploaded document content | US |
| n8n | Workflow automation | Lead data, notification data | EU |
| Loops | Email marketing | Contact data, email engagement data | US |
Note on Amplitude: Amplitude is used in a dual capacity. Server-side events are sent without cookie consent as they do not involve client-side tracking. Client-side analytics (browser-based) are only enabled after you provide cookie consent.
4.3 Non-Personal Data Sharing
We query the UK Trade Tariff API (operated by HMRC) to retrieve commodity code information, duty rates, and trade measures. These queries contain commodity codes and tariff-related parameters only — no personal data is shared with this service.
4.4 Other Disclosures
We may also share your personal data in the following circumstances:
- Legal requirements: Where we are required to disclose data by law, regulation, legal process, or enforceable governmental request
- Protection of rights: Where necessary to protect the rights, property, or safety of DutyDeclared, our users, or the public
- Business transfers: In connection with a merger, acquisition, reorganisation, or sale of assets, where your data may be transferred as a business asset
- With consent: Where you have provided specific consent for a particular disclosure
5. International Data Transfers
5.1 Transfers to EU/EEA
Several of our service providers process data within the EU/EEA. These transfers are protected by the UK adequacy decision for the EU/EEA, which means the European Commission has determined that these countries provide an adequate level of data protection.
5.2 Transfers to the United States
Where our processors are based in or transfer data to the United States, we ensure appropriate safeguards are in place:
| Processor | Safeguard |
|---|---|
| Stripe | UK-US Data Bridge [TO BE CONFIRMED] |
| OpenAI | Standard Contractual Clauses (SCCs) [TO BE CONFIRMED] |
| LangSmith | Standard Contractual Clauses (SCCs) [TO BE CONFIRMED] |
| Llama OCR | Standard Contractual Clauses (SCCs) [TO BE CONFIRMED] |
| Loops | Standard Contractual Clauses (SCCs) [TO BE CONFIRMED] |
5.3 Primary Data Residency
Our primary infrastructure is hosted on Google Cloud Platform in the europe-west2 (London, UK) region. This means your core platform data is stored and processed within the United Kingdom.
6. How We Keep Your Data Secure
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it.
6.1 Technical Measures
| Measure | Implementation |
|---|---|
| Encryption in transit | All data transmitted over TLS (HTTPS) |
| Encryption at rest | All stored data encrypted at rest using platform-level encryption |
| Token encryption | Sensitive tokens (e.g., HMRC API tokens) encrypted using Google Cloud KMS with hardware security modules (HSM) |
| API key security | API keys hashed using SHA-256; only hash values stored |
| Session security | HTTP-only cookies for session management, preventing client-side script access |
| Input validation | Comprehensive input validation using Zod schemas at all external boundaries |
6.2 Organisational Measures
| Measure | Implementation |
|---|---|
| Role-based access control (RBAC) | 8 distinct roles with granular permissions controlling access to features and data |
| Multi-tenant isolation | Workspace-level data isolation ensuring organisations cannot access each other's data |
| Audit trail | Comprehensive logging of declaration submissions and key platform actions |
| Secure development | Secure coding practices, code reviews, and automated security testing in the development pipeline |
6.3 Incident Response
[TO BE CONFIRMED] — We are developing a formal incident response plan that will include procedures for detecting, reporting, and responding to personal data breaches in accordance with UK GDPR requirements, including notification to the ICO within 72 hours where required.
7. How Long We Keep Your Data
7.1 Retention Periods
We retain your personal data only for as long as necessary for the purposes for which it was collected:
| Data Category | Retention Period | Justification |
|---|---|---|
| Account data | Duration of account + [TO BE CONFIRMED] after closure | Contract performance, legitimate interest for post-closure queries |
| Customs declaration data | Minimum [TO BE CONFIRMED — 4 years per HMRC requirements] | Legal obligation (customs records retention) |
| Submission audit records | Indefinite | Legal compliance and audit trail requirements |
| Payment records | [TO BE CONFIRMED — typically 7 years] | Tax and accounting obligations |
| Lead form data | [TO BE CONFIRMED — e.g. 24 months] | Legitimate interest in following up on enquiries |
| AI chat data | [TO BE CONFIRMED — e.g. 12 months] | Service improvement and support |
| Analytics data | [TO BE CONFIRMED — e.g. 26 months] | Product improvement and trend analysis |
| Server logs | [TO BE CONFIRMED — e.g. 90 days] | Security monitoring and debugging |
7.2 Deletion and Anonymisation
Our platform currently uses a soft-delete approach for most data, meaning records are marked as deleted but retained in the database. We are developing a hard-delete capability that will permanently remove personal data upon request or when retention periods expire. Where possible, data may be anonymised rather than deleted so that aggregated insights can be retained without identifying individuals.
8. Your Rights Under UK GDPR
8.1 Summary of Rights
Under the UK GDPR, you have the following rights in relation to your personal data:
| Right | Description | How to Exercise |
|---|---|---|
| Right of access (Art. 15) | Request a copy of the personal data we hold about you | Email privacy@dutydeclared.com |
| Right to rectification (Art. 16) | Request correction of inaccurate or incomplete personal data | Update via platform settings or email privacy@dutydeclared.com |
| Right to erasure (Art. 17) | Request deletion of your personal data (subject to legal retention requirements) | Email privacy@dutydeclared.com |
| Right to restrict processing (Art. 18) | Request restriction of processing in certain circumstances | Email privacy@dutydeclared.com |
| Right to data portability (Art. 20) | Receive your personal data in a structured, commonly used, and machine-readable format | Email privacy@dutydeclared.com |
| Right to object (Art. 21) | Object to processing based on legitimate interest or for direct marketing purposes | Email privacy@dutydeclared.com or unsubscribe from marketing emails |
| Right to withdraw consent (Art. 7(3)) | Withdraw consent at any time where processing is based on consent | Cookie consent banner, email privacy@dutydeclared.com, or unsubscribe links |
| Right not to be subject to automated decision-making (Art. 22) | Not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects | Not applicable — we do not make solely automated decisions with legal effects (see Section 3.2) |
8.2 How to Make a Request
To exercise any of your rights, please contact us at privacy@dutydeclared.com. When making a request, please note:
- We will respond to your request within one month of receipt. This period may be extended by a further two months for complex or numerous requests, in which case we will inform you within the first month.
- We may need to verify your identity before processing your request to ensure we are responding to the correct individual.
- There is normally no fee for exercising your rights. However, we may charge a reasonable fee for manifestly unfounded, repetitive, or excessive requests.
8.3 Right to Lodge a Complaint
If you are not satisfied with how we handle your personal data or your rights request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
| Contact Method | Details |
|---|---|
| Website | https://ico.org.uk |
| Helpline | 0303 123 1113 |
| Live chat | Available via ico.org.uk/global/contact-us/live-chat |
| Post | Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF |
We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us first at privacy@dutydeclared.com.
9. Cookies
9.1 What Are Cookies
Cookies are small text files placed on your device when you visit a website. They are widely used to make websites work efficiently, to provide information to website operators, and to enable certain features.
9.2 Cookies We Use
| Category | Purpose | Examples | Consent Required |
|---|---|---|---|
| Strictly necessary | Authentication and session management | Supabase JWT authentication cookies | No |
| Analytics | Understanding how users interact with the platform | Amplitude cookies | Yes |
| Website analytics | Privacy-friendly website traffic analysis | Pirsch analytics | [TO BE CONFIRMED] |
9.3 Managing Cookies
When you first visit our platform, you will be presented with a cookie consent banner that allows you to accept or reject non-essential cookies. You can change your cookie preferences at any time through the cookie settings accessible from our platform. You can also control cookies through your browser settings, although disabling certain cookies may affect the functionality of our platform.
9.4 Legal Basis
Strictly necessary cookies are set under Regulation 6 of the Privacy and Electronic Communications Regulations (PECR), which permits cookies that are essential for providing a service explicitly requested by the user. All other cookies are set only with your explicit consent, in accordance with PECR and UK GDPR.
10. Children's Privacy
DutyDeclared is a business-to-business (B2B) service designed for use by customs professionals and businesses. Our platform is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we discover that we have inadvertently collected personal data from a child under 18, we will take steps to delete that data as soon as reasonably practicable.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by:
- Sending a notification to the email address associated with your account
- Displaying a prominent notice within the platform
We encourage you to review this policy periodically to stay informed about how we are protecting your data. The "Last Updated" date at the top of this policy indicates when it was most recently revised.
12. How to Contact Us
12.1 Data Protection Contact
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:
- Email: privacy@dutydeclared.com
- Post: Data Protection, DutyDeclared Limited, 45 Pall Mall, London, SW1Y 5JG, United Kingdom
- Data Protection Officer: [TO BE CONFIRMED]
12.2 Supervisory Authority
Our supervisory authority is the Information Commissioner's Office (ICO). For details on how to contact the ICO, please see Section 8.3 above.
Appendix A: Glossary
The following terms are used throughout this Privacy Policy:
| Term | Definition |
|---|---|
| CDS | Customs Declaration Service — HMRC's system for processing customs declarations in the United Kingdom |
| Controller | The organisation that determines the purposes and means of processing personal data |
| EORI | Economic Operators Registration and Identification number — a unique identifier for businesses involved in customs activities |
| HMRC | His Majesty's Revenue and Customs — the UK government department responsible for tax collection and customs |
| HS Code | Harmonized System Code — an international standard for classifying traded goods |
| ICO | Information Commissioner's Office — the UK's independent authority for data protection and information rights |
| Processor | An organisation that processes personal data on behalf of a controller |
| SCCs | Standard Contractual Clauses — pre-approved contract terms that provide safeguards for international data transfers |
| UK GDPR | The United Kingdom General Data Protection Regulation — the UK's data protection law, retained from the EU GDPR after Brexit |
| PECR | Privacy and Electronic Communications Regulations — UK regulations that sit alongside the UK GDPR and govern electronic communications, including cookies and direct marketing |