Privacy Policy

When you use the un-tariff IEEPA Refund Calculator, we collect the following categories of data:

• ACE export data — entry numbers, HTS codes, declared values, entry dates, country of origin, and IEEPA classification status as contained in files you upload.
• Signup metadata — email address, IP address, signup timestamp, and the version of the Terms of Service accepted at the time of account creation.
• Usage events — actions taken within the Service (e.g., file upload, estimate generation, CAPE CSV download) logged to our audit trail with timestamps and tenant identifier.

We do not collect payment card numbers directly. Payment processing is handled by Stripe (see Section 4).

We use the data collected for the following purposes only:

• Calculating an IEEPA refund estimate based on your entry data.
• Generating a CAPE CSV file for your manual upload to CBP’s ACE Portal.
• Maintaining an audit trail that supports review, dispute resolution, and regulatory compliance.
• Sending transactional email (account confirmation, CAPE CSV delivery link, support responses).

We do not sell, rent, or share your data with third parties for marketing purposes.

Customer data — including uploaded ACE export files, generated CAPE CSVs, estimates, and associated audit events — is retained for 90 days following the end of your engagement, then permanently deleted from our systems.

Retention and deletion schedules are enforced by database migration 0015. Deletion confirmation is recorded in the audit_events log.

Anonymized aggregate statistics (e.g., total entries processed per month) may be retained indefinitely in non-attributable form.

We engage the following sub-processors to operate the Service. Each processes your data only as necessary to provide their respective service:

• Supabase (database & storage) — hosts the Postgres database containing entry data, estimates, and audit logs. Data is encrypted at rest and in transit. Located in AWS us-east-1.
• Vercel (application hosting) — serves the web application and API routes. Processes request metadata (IP, headers) for routing and rate-limiting.
• Stripe (payment processing) — handles payment card data for the one-time software fee. un-tariff does not receive or store card numbers. Stripe’s privacy policy governs payment data.
• Resend (transactional email) — delivers account and delivery notification emails. Processes your email address and email content.

Depending on your jurisdiction (including GDPR and CCPA), you may have the right to:

• Access — request a copy of the personal data we hold about you.
• Deletion — request deletion of your personal data prior to the standard 90-day retention window.
• Export — receive your data in a portable, machine-readable format.
• Correction — request correction of inaccurate personal data.

To exercise any of these rights, contact us at privacy@beverlyknits.com. We will respond within 30 days.

We implement the following technical and organizational measures to protect your data:

• Row-Level Security (RLS) — tenant isolation enforced at the database layer (migration 0007). No cross-tenant data access is possible via application queries.
• Encryption in transit — all connections to the Service use HTTPS/TLS.
• Encryption at rest — database storage encrypted via Supabase’s default AES-256 at-rest encryption.

No security measure is foolproof. If you discover a potential vulnerability, please disclose it responsibly to privacy@beverlyknits.com.