Privacy policy
Last updated 19 April 2026 — draft pending legal review
This policy explains what personal data TariffFlow collects, why, and what rights you have over it. We are the data controller for the information described below. You can ask us about any of it at support@tariffflow.app.
Who we are
TariffFlow is operated by Daniel Hamilton (trading as TariffFlow), based in Earl Shilton, Leicestershire, United Kingdom. If we incorporate as a UK limited company, this section will be updated with the company number. We are registered with the UK Information Commissioner's Office (ICO) as a data controller (registration number pending).
What we collect and why
We keep data collection to what we actually need to run the service you've signed up for.
Account data
- Email address, name, company name, and role — supplied during sign-up or in Settings. Used to authenticate you, contact you about the service, and personalise Case Packs.
- Authentication is handled by Clerk (see Subprocessors below). Clerk stores password hashes / OAuth tokens. We never see your password.
Classification data
- Product descriptions you type, datasheets you upload, and images you attach. These are processed to produce a commodity code recommendation and then stored on your account for re-classification and audit-trail export.
- Structured attributes extracted by AI (material, function, use case, etc.), candidate codes considered, and the final recommendation. Stored on the case so you can export or review it.
Billing data
- If you subscribe, Stripe stores your payment method and billing history. We keep only your Stripe customer ID and subscription status locally. We never see your card number.
Usage data
- Counts of classifications per month, per plan, kept to enforce tier quotas and reconcile Stripe metered usage.
- With your consent, PostHog analytics events capturing which pages you visit and which buttons you click — never your classification content. You can opt in or out at any time.
- If you arrived via a marketing UTM link, we store the utm_source, utm_campaign, utm_medium, utm_content on your user record so we can understand which channels bring which customers. Not shared with third parties.
Lawful basis for processing
- Contract — we need to process your classification data and account information to deliver the service you signed up for.
- Consent — for analytics and any marketing email that goes beyond transactional notices. You can withdraw consent at any time.
- Legitimate interests — error monitoring (Sentry) and security logging, balanced against your right to privacy. We minimise the data collected and never use it to profile you.
- Legal obligation — HMRC requires us to retain invoice data for six years (Finance Act 1998 and VAT Act 1994). Billing records survive account deletion for this period.
Subprocessors
We use the following providers to run the service. Each has its own privacy policy, and each processes your data only under our instruction via a Data Processing Agreement (DPA).
| Provider | Purpose | Data location |
|---|---|---|
| Clerk | Authentication, user management | United States (SCCs) |
| Neon (Postgres) | Application database | European Union |
| Vercel | Application hosting, edge delivery | United States + EU edge |
| Cloudflare R2 | Uploads storage (datasheets, images) | Global edge with EU primary |
| Ollama Cloud | AI model inference (classification reasoning) | United States (SCCs) |
| OpenAI | Text embeddings for retrieval | United States (SCCs) |
| Stripe | Subscription billing, card processing | United Kingdom + United States |
| Resend | Transactional email | United States (SCCs) |
| Sentry | Error monitoring | United States (SCCs) |
| PostHog | Product analytics (consent-gated) | European Union (eu.i.posthog.com) |
For US-based subprocessors, data transfers are governed by the UK International Data Transfer Agreement or EU Standard Contractual Clauses (UK addendum) as appropriate. We do not transfer data to any jurisdiction that lacks an adequacy decision or appropriate safeguards.
How long we keep data
- Free tier: cases older than 7 days are deleted automatically each day.
- Paid tiers: cases retained until you delete them individually or delete your account.
- Account deletion: all personal data is purged on request except invoicing records, which UK tax law requires us to retain for six years.
- Analytics: PostHog events retained for 12 months then aggregated.
- Error logs: Sentry retains event data for 30 days on our plan.
Your rights
Under UK GDPR you have the following rights. Most are available self-serve from your Settings page; for the rest, email support@tariffflow.app and we'll respond within one calendar month.
- Access — download a JSON export of your data from Settings → Your data → Export.
- Erasure — delete your account from Settings → Your data → Delete your account. Permanent, cascades to all owned data.
- Rectification — edit your profile in Settings.
- Portability — the JSON export is in a standard machine-readable format.
- Restriction — tell us to pause processing pending a dispute resolution.
- Objection — withdraw consent for analytics at any time.
- Complaint — you can complain to the UK ICO at ico.org.uk. We ask that you raise concerns with us first.
Cookies
TariffFlow uses two classes of cookies:
- Essential — session cookies set by Clerk and Stripe to keep you signed in and complete payments. These cannot be turned off without breaking the service.
- Analytics — PostHog cookies capture usage events. These are only set after you click Accept all on the cookie banner. You can change your choice at any time.
AI data handling
Classification inputs (your product description, uploaded datasheets, image vision descriptions) are sent to Ollama Cloud for AI reasoning and to OpenAI for embedding generation. Neither provider trains their models on inbound customer data under their current enterprise terms. Your inputs are transmitted over TLS 1.3 and are not persisted by the AI providers beyond short-term caching for rate-limit enforcement. See AI disclosure for more.
Security
Data in transit is encrypted via TLS 1.3. Data at rest is encrypted by our storage providers (Neon AES-256, Cloudflare R2 AES-256). Passwords are never stored by us — Clerk holds authentication material. We enforce tiered access and review admin actions in our audit log. If we become aware of a data breach affecting your personal data, we will notify you and the ICO within 72 hours as required by UK GDPR Article 33.
Updates to this policy
We update this policy when we change subprocessors, add new data collection, or change retention. The "Last updated" date at the top reflects the current version. Substantive changes are announced by email to your registered address. Continued use of the service after a change constitutes acceptance of the new policy.
Contact
Questions, access requests, or concerns: support@tariffflow.app. We respond to privacy queries within 7 working days.
This is a first-draft policy produced in good faith. Before commercial launch it will be reviewed by a UK SaaS solicitor. If anything here conflicts with UK law, UK law prevails and the offending clause is deemed severed.