Privacy Policy

We treat your queries, uploads, and account data as yours. This policy explains exactly what we collect, why, how long we keep it, and the rights you can exercise at any time.

Last updated · 2026-05-20

This Privacy Policy explains how HSCodeLab ("we", "us") collects, uses, retains, and protects information when you use HSCodeLab (the "Service"). We collect the minimum we need to operate the Service well, we do not sell personal information, and we never use your uploads to train machine-learning models.

1. Summary

We collect three categories of data: account data you give us (email, name), usage data from the Service (queries, classifications, uploads), and technical metadata (IP address, browser, timestamps). Queries and uploads are deleted after 30 days unless you opt to save them. Analytics is done with a privacy-friendly tool that does not use cookies and does not profile you. You can export or delete your data at any time.

2. What we collect

Account information: email address and (optionally) name and company you provide on sign-up.

Usage information: product descriptions, URLs, and photos you submit; the HS codes returned to you; tariff calculations you run; saved history you create; API keys and call metadata.

Technical metadata: IP address, approximate location derived from IP at country level, browser and OS, timestamps, referrer.

Payment information: handled directly by our payment processor. We receive only the last four digits of your card and the billing country — we never store the full card number.

3. Why we collect it

To operate the Service: classify products you submit, compute tariffs, deliver results, and prevent abuse.

To improve the Service: aggregate and de-identified analytics on which features people use and where they get stuck.

To communicate with you: transactional emails (sign-in, receipts), and the Policy Radar weekly digest if you subscribe.

To comply with law: respond to legal process, prevent fraud, enforce our Terms.

4. What we do not do

We do not train machine-learning models on Your Content. Your queries and uploads are not added to any training set, full stop.

We do not sell personal information.

We do not share your queries with other customers or with the public.

We do not use third-party advertising trackers, fingerprinting, or behavioral profiling.

5. Retention

Queries and uploads: deleted after 30 days unless you save them to your history. Saved history persists until you delete it.

Account data: retained for the life of your account, plus a short grace window after deletion for backup recovery.

Logs and technical metadata: retained for up to 90 days for security and abuse-prevention purposes.

Invoices and tax records: retained for the period required by applicable tax law (typically 7 years).

6. Cookies and analytics

We use Plausible Analytics, a privacy-focused tool that does not set tracking cookies, does not collect personal data, and does not enable cross-site tracking. No consent banner is required because we set no profiling cookies.

Strictly necessary cookies (session cookies for authentication, CSRF tokens) are used only while you are signed in.

7. Service providers

We use a small number of vendors to operate the Service: a cloud hosting provider, a payment processor (Stripe), a transactional email provider, an error-tracking provider, and Plausible Analytics. Each is bound by a data processing agreement and processes data only on our instructions.

8. International transfers

We operate from the United States. If you are in the EU, UK, or another jurisdiction with cross-border transfer rules, your data may be transferred to and processed in the United States. We rely on standard contractual clauses and equivalent mechanisms where required.

9. Your rights

Subject to applicable law, you can: access the data we hold about you, correct it, delete it, restrict or object to certain processing, port it to another provider, and withdraw consent at any time.

To exercise any of these rights, email privacy@hscodelab.com. We respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.

California residents: you have additional rights under the CCPA/CPRA, including the right to opt out of "selling" or "sharing" personal information. We do neither.

10. Security

Data in transit is encrypted with TLS 1.2 or higher. Data at rest is encrypted with AES-256. Access to production systems is restricted to a small number of personnel with role-based authentication and audit logs.

No system is perfectly secure. If we become aware of a breach affecting your data, we will notify you and the relevant authorities as required by law.

11. Children

The Service is not directed at children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, email privacy@hscodelab.com and we will delete it.

12. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be announced by email to registered users and posted on this page with a new "Last updated" date.

13. Contact

Privacy questions or requests: privacy@hscodelab.com. General inquiries: hello@hscodelab.com.

Built for the people who ship globally. HS codes, tariffs, and policy — all in one place.

© 2026 HSCodeLab.

HSCodeLab is an information and decision-support tool. Results are for reference only and do not constitute legal, tax, or customs advice. Always verify classifications with a licensed customs broker before declaration.