Privacy Policy
Last updated: 29 March 2026
This privacy policy explains how Phlo Systems Limited ("we", "us", "our") collects, uses, and protects your personal data when you use customs-compliance.ai (the "Service").
Summary: We collect only what we need to provide the Service. We do not sell your data. We do not store raw email content. We use industry-standard security to protect your information.
1. Who We Are
Phlo Systems Limited is a company registered in England and Wales. We operate customs-compliance.ai, a customs intelligence platform that provides duty rate lookups, HS code classification, trade opportunity alerts, and ERP integrations.
Contact: saurabh.goyal@phlo.io
2. What Data We Collect
Account data
- Email address and name (when you sign up)
- Company name and trade details (during onboarding)
- Subscription plan and payment information (processed by Stripe)
Usage data
- API calls made (endpoint, timestamp, country codes queried)
- Features used within the application
- HS codes and product descriptions submitted for classification
ERP integration data
- When you connect Xero or Acumatica, we access invoice and order data in read-only mode
- We store structured summaries: supplier names, product descriptions, amounts, country codes
- We do not modify or write to your ERP system
Email integration data
- When you connect Gmail or Outlook, we scan emails matching trade-related keywords only
- We never store raw email content. We extract structured data (supplier, product, country, HS code) and discard the original
- You review and approve each extraction before it is saved
- OAuth scopes are read-only — we cannot send emails on your behalf
3. How We Use Your Data
- To provide customs duty lookups and landed cost calculations
- To classify your products into HS codes
- To generate personalised trade opportunities and alerts
- To calculate trade insights from your ERP and email data
- To improve the Service (aggregated, anonymised analytics)
- To communicate service updates and changes
4. Data We Do Not Collect
- We do not collect or store payment card numbers (Stripe handles all payment processing)
- We do not store raw email bodies or attachments
- We do not access ERP data beyond what is needed for trade analysis
- We do not use tracking pixels or third-party advertising cookies
5. Data Sharing
We do not sell, rent, or share your personal data with third parties, except:
- Stripe — for payment processing (stripe.com/privacy)
- Supabase — for database hosting (supabase.com/privacy)
- Anthropic (Claude AI) — for HS code classification and content analysis. Product descriptions may be sent to the Claude API for classification. Anthropic does not use API inputs for model training.
- Vercel — for application hosting (vercel.com/privacy)
- Law enforcement — if required by law or valid legal process
6. Data Security
- All data is encrypted in transit (TLS 1.2+) and at rest
- API keys are stored hashed — never in plaintext
- OAuth credentials reference secure vault names, not raw secrets
- Sanctions data is always queried fresh and never cached
- Access to production systems is restricted to authorised personnel
7. Data Retention
- Account data: retained while your account is active, deleted within 30 days of account closure
- Usage logs: retained for 12 months for analytics, then aggregated and anonymised
- ERP/email extracts: retained while your integration is connected, deleted within 7 days of disconnection
- Classification cache: retained indefinitely to improve service accuracy (contains HS codes and product descriptions only)
8. Your Rights
Under GDPR and applicable data protection laws, you have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Portability — receive your data in a machine-readable format
- Restriction — limit how we process your data
- Objection — object to processing based on legitimate interests
To exercise any of these rights, email saurabh.goyal@phlo.io. We will respond within 30 days.
9. Cookies
We use only essential cookies required for authentication and session management. We do not use advertising or tracking cookies. No cookie consent banner is required as we do not use non-essential cookies.
10. International Transfers
Your data may be processed in the United States (Supabase, Vercel, Anthropic) and the European Union. All transfers are covered by appropriate safeguards including Standard Contractual Clauses.
11. Children
The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children.
12. Changes to This Policy
We may update this policy from time to time. We will notify registered users of material changes by email. The "last updated" date at the top reflects the most recent revision.
13. Contact
For privacy-related questions or concerns:
Phlo Systems Limited
Email: saurabh.goyal@phlo.io
Website: customs-compliance.ai