Privacy Policy

1. Data Controller

The data controller for personal data collected through DeclareHQ is Product Guru IT Ltd, a company registered in England and Wales. For customs-declaration data processed on behalf of your organisation, we typically act as a data processor under your instructions — see our Data Processing Agreement for details.

For privacy-related questions or to exercise your rights, contact us at privacy@declarehq.com.

2. What Data We Collect

We collect the following categories of personal data:

• Account data — name, email address, password hash, organisation, role, and authentication identifiers.
• Business data you submit — customs declaration content, shipment details, client records, EORI numbers, documents, and any other information you provide to prepare and submit customs entries.
• Integration credentials — OAuth tokens and API credentials for HMRC CDS, port systems, and other connected services. These are encrypted at rest.
• Usage data — pages visited, actions performed, timestamps, IP addresses, user-agent strings, and similar diagnostic information.
• Billing data — Stripe customer ID and subscription records. Payment card details are handled directly by Stripe and never stored on our servers.
• Support correspondence — messages you send us via email or in-app support.

3. How We Use Your Data

We process personal data for the following purposes:

• Providing the service — creating accounts, processing declarations, transmitting data to HMRC CDS and port systems on your instructions.
• Authentication and security — verifying your identity, detecting suspicious activity, encrypting sensitive data.
• Communications — sending service notifications (e.g. declaration status updates), billing emails, and occasional product announcements.
• Billing — processing subscription payments and issuing invoices.
• Service improvement — analysing usage patterns, fixing bugs, developing new features.
• Legal compliance — complying with customs, tax, and data-protection regulations; responding to lawful requests from authorities.

4. Lawful Bases for Processing

Under the UK GDPR and Data Protection Act 2018, we rely on the following lawful bases:

• Contract — to provide the service you've subscribed to.
• Legitimate interests — to secure the platform, prevent fraud, and improve our products.
• Legal obligation — to comply with customs, tax, and anti-money-laundering laws.
• Consent — for optional marketing communications (you can withdraw at any time).

5. Who We Share Your Data With

We share personal data only with the following categories of recipients, under appropriate contractual safeguards:

• HMRC — for the sole purpose of submitting customs declarations you have authorised.
• UK port community systems (e.g. DESTIN8, CNS, CCS-UK) — when you use our UCN claim features.
• Infrastructure providers — Supabase (database and authentication), Vercel (hosting), all hosted in EU/UK regions.
• Stripe (Stripe Payments UK Ltd) — for payment processing, subscription billing, and tax-invoice generation. Stripe stores card data; we never see or store card numbers.
• AWS (Amazon Web Services EMEA Sàrl) — document storage (S3, eu-west-2) + transactional email delivery (SES).
• Anthropic (Anthropic PBC, USA) — large-language model inference for the AI features (commodity classification, document extraction, declaration anomaly review, regulator briefings). Inputs are sent to Anthropic's API for processing and are not retained for training under their commercial terms. You can use the platform without AI features by leaving the ANTHROPIC_API_KEY unset; mock-mode responses then keep all data inside our infrastructure.
• Sentry (Functional Software Inc.) — error monitoring (only when configured; we redact PII before sending).
• Professional advisers — accountants, lawyers, auditors, under confidentiality obligations.

We do not sell your personal data and we do not share it with third parties for their own marketing purposes.

6. International Transfers

Our primary infrastructure is hosted within the United Kingdom and European Economic Area. Where personal data is transferred outside the UK/EEA (for example, if a sub-processor is located in another jurisdiction), we rely on the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or an adequacy decision to ensure an equivalent level of protection.

7. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected:

• Account data — for the duration of your subscription plus 6 years (to comply with UK accounting and tax record-keeping requirements).
• Declaration records — for 6 years from the date of submission, in line with HMRC record-keeping rules.
• Billing records — for 6 years.
• Support correspondence — for 2 years.
• Usage and diagnostic logs — for up to 12 months.

You may request deletion of your account at any time. On cancellation, we retain only what is required by law and delete the rest.

8. Your Rights

Under UK GDPR, you have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your data (where applicable).
• Restrict or object to processing.
• Data portability (receive a copy in a machine-readable format).
• Withdraw consent for any processing based on consent.
• Lodge a complaint with the Information Commissioner's Office (ico.org.uk).

To exercise any of these rights, email us at privacy@declarehq.com. We will respond within 30 days.

9. Security

We take security seriously and apply industry-standard technical and organisational measures, including:

• TLS encryption for all data in transit.
• AES-256-GCM encryption for sensitive data at rest (e.g. HMRC OAuth tokens).
• Row-level security on all database tables.
• Access controls, strong authentication, and audit logging.
• Regular dependency updates and security reviews.

No system is perfectly secure, however. If you suspect a security incident, email security@declarehq.com.

10. Cookies

We use essential cookies to keep you signed in, remember your organisation selection, and secure the service. We do not use third-party advertising or tracking cookies. Analytics cookies (where used) are aggregated and anonymised.

11. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or in-app announcement at least 30 days before the change takes effect.