Privacy Policy

[PLACEHOLDER — Legal review required] We collect the following categories of information when you use DutyRecoverAI: • Account data: First name, last name, email address, organization name, job role. • Import entry data: CBP entry numbers, HTS codes, dutiable values, duty amounts paid, country of origin, importer names, broker names, port of entry data, liquidation dates. • Payment data: Billing email address (Stripe handles all card processing — DutyRecoverAI never stores raw card numbers, CVVs, or bank account details). • Usage data: Feature usage, audit runs, recovery case activity, pages visited, session duration (via Vercel Analytics — no cookies, no cross-site tracking). • Documents: Commercial invoices, bills of lading, CBP correspondence, and other customs documents uploaded by users to the Document Vault. • Communication data: Support emails and in-app messages you send to us. We do not collect Social Security numbers, driver's license numbers, biometric data, or precise geolocation data.

[PLACEHOLDER — Legal review required] We use your information to: • Provide the DutyRecoverAI platform, including running AI-powered duty recovery analysis on your import entry data. • Process payments and manage your subscription via Stripe. • Send transactional emails (audit completion, deadline alerts, invoice receipts) via Resend. • Monitor platform performance and fix errors via Vercel and Sentry. • Improve our AI detection algorithms using aggregated, anonymized patterns (never individual customer data without explicit consent). • Comply with applicable laws and respond to lawful requests from government authorities. We do not sell, rent, or share your personal information with third parties for their commercial purposes or advertising.

[PLACEHOLDER — Legal review required] We share your information only with the following service providers, who process it solely to deliver our service: • Supabase (database hosting, authentication) — SOC 2 Type II certified • Stripe (payment processing) — PCI DSS Level 1 certified • Resend (transactional email delivery) • Vercel (application hosting, edge network) — SOC 2 Type II certified • Anthropic (AI classification via API) — input data is not retained for model training per Anthropic's API data policy • Sentry (error monitoring) — receives anonymized error logs only Each provider processes data under a Data Processing Agreement. We do not permit service providers to use your data for their own purposes. We may disclose your information if required by law, court order, or government authority, or to protect the rights and safety of DutyRecoverAI, our users, or the public.

[PLACEHOLDER — Legal review required] • Account and entry data: Retained for the life of your account and deleted within 30 days of account deletion, subject to the exceptions below. • Billing records and invoices: Retained for 7 years to comply with U.S. tax and financial record-keeping requirements. • Recovery filing packets: Retained for 7 years (the statute of limitations period for CBP claims). • Audit logs: Retained for 7 years in anonymized form after account deletion. • Session data (Vercel): Retained for 90 days per Vercel's default log policy. You may request early deletion of your data at any time — see Section 6 (Your Rights).

[PLACEHOLDER — Legal review required] If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA): • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you. • Right to Delete: Request deletion of your personal information, subject to certain exceptions (see Section 4). • Right to Correct: Request correction of inaccurate personal information. • Right to Opt-Out of Sale/Sharing: DutyRecoverAI does not sell or share your personal information. To confirm your opt-out, visit: /privacy/ccpa-opt-out. • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights. To submit a California privacy request, email privacy@dutyrecover.ai with the subject line "California Privacy Request." We will respond within 45 days.

[PLACEHOLDER — Legal review required] Regardless of your location, you have the right to: • Access: Request a copy of the personal information we hold about you. • Correction: Request correction of inaccurate or incomplete data. • Deletion: Request deletion of your personal information (right to erasure). • Portability: Request your data in a machine-readable format (CSV export of your import entries is available in Settings). • Objection: Object to certain processing activities. • Restriction: Request that we restrict processing of your data in certain circumstances. To exercise any of these rights, contact us at privacy@dutyrecover.ai. We will respond within 45 days. Some requests may be subject to retention exceptions described in Section 4.

[PLACEHOLDER — Legal review required] To submit any data request (access, deletion, correction, portability): 1. Email privacy@dutyrecover.ai with the subject line "Data Request." 2. Include your name, email address, and organization name. 3. Describe the specific request (e.g., "Please delete all data associated with my account"). We will verify your identity before processing the request. Response time: within 45 days (up to 90 days for complex requests, with notice). Self-service: You may delete your own account from Settings → Account. This queues a full data deletion within 30 days.

[PLACEHOLDER — Legal review required] We implement the following technical and organizational security measures: • Encryption at rest: AES-256 encryption for all database data (Supabase default). • Encryption in transit: TLS 1.2+ for all data transmitted between your browser and our servers. • Row-Level Security (RLS): Supabase RLS policies ensure each organization can only access its own data. • Signed URLs: Documents stored in Supabase Storage are accessed only via time-limited signed URLs. • Authentication: Email/password authentication with Supabase Auth. Passwords are hashed with bcrypt. • Access controls: Staff access to production data is restricted to the minimum necessary. No security system is impenetrable. In the event of a data breach affecting your rights, we will notify you within 72 hours of discovery in accordance with applicable law.

[PLACEHOLDER — Legal review required] DutyRecoverAI uses: • Session cookies: Required for authentication. These are first-party, HttpOnly cookies set by Supabase Auth. • Vercel Analytics: A privacy-preserving analytics service that does not use cookies or track users across sites. It collects page views and performance metrics at an aggregate level. We do not use third-party advertising cookies, cross-site tracking pixels, or social media tracking widgets.

[PLACEHOLDER — Legal review required] We may update this Privacy Policy to reflect changes to our practices or applicable law. When we make material changes, we will: • Update the "Effective Date" at the top of this page. • Send an email notification to account holders at least 14 days before the change takes effect. Your continued use of DutyRecoverAI after the effective date constitutes acceptance of the updated policy.

For privacy questions, data requests, or concerns, contact us at: Email: privacy@dutyrecover.ai Support: support@dutyrecover.ai DutyRecoverAI [PLACEHOLDER: Company legal name, address, state of incorporation]