Privacy Policy

Last updated: 15 April 2026

1. Who we are

InstaDuty (“we”, “us”) operates the customs duty calculation service available at instaduty.io. For GDPR purposes, we are the data controller of the personal data you submit to us.

2. Data we collect

  • Account data: email, name, company, hashed password.
  • Usage data: uploaded commercial invoices, HS classifications, duty calculations, API logs.
  • Billing data: handled by Stripe; we store only the customer and subscription identifiers.
  • Technical data: IP address, browser user agent, request timestamps for security and audit purposes.

3. How we use it

  • Deliver the duty calculation service and store your history.
  • Authenticate you and protect the account.
  • Send service emails (invoice completion, password reset, billing receipts).
  • Improve classification accuracy via anonymised aggregates.
  • Comply with accounting, tax, and fraud-prevention obligations.

4. Sub-processors

We rely on the following sub-processors, each bound by a data-processing agreement:

  • AWS / Hetzner for hosting and object storage (EU region).
  • Stripe for payment processing.
  • Resend (or configured SMTP provider) for transactional email.
  • OpenAI / Anthropic for HS classification inference when AI classification is enabled.

5. Retention

Uploaded invoices and derived reports are retained for as long as your account is active and for up to 12 months after deletion, unless a longer retention period is required by tax law. You can delete invoices from the dashboard at any time.

6. Your rights (EU/UK GDPR)

You have the right to access, rectify, export, restrict, or delete your personal data, and to object to processing. Write to privacy@instaduty.io with your request. We respond within 30 days.

7. Security

Passwords are hashed with bcrypt. Data in transit is encrypted with TLS 1.2+. Access to production systems is limited to authenticated staff on audited devices. We notify affected users within 72 hours of any confirmed personal-data breach.

8. International transfers

Where data leaves the EEA (e.g., to US-based AI sub-processors), transfers are covered by the EU Standard Contractual Clauses and, where applicable, the UK Addendum.

9. Contact

Questions? privacy@instaduty.io. You may also lodge a complaint with your local data protection authority.