Privacy Policy

Effective Date: February 23, 2026  |  Last Updated: February 23, 2026

This Privacy Policy ("Policy") describes how eCompliance, Inc. ("Company," "we," "us," or "our") collects, uses, stores, processes, discloses, and protects information obtained through our website located at customsgenius.com (the "Site"), our platform, application programming interfaces, integrations, and any related software, tools, or services (collectively, the "Services"). By accessing or using the Services, you ("User," "you," or "your") acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree with any part of this Policy, you must immediately discontinue use of the Services.

1. Scope & Applicability

This Policy applies to all information collected through the Services, including information provided by or on behalf of our enterprise customers ("Customers"), their authorized end-users, and any visitors to the Site. This Policy applies regardless of the means of collection, including through the Site, platform uploads, APIs, email, integrations with third-party systems (including but not limited to customs broker enterprise resource planning systems, CBP Automated Commercial Environment exports, and other trade data systems), or any other method by which information is transmitted to us.

Where we process data on behalf of a Customer pursuant to a Data Processing Agreement ("DPA") or similar agreement, such agreement shall control to the extent of any conflict with this Policy with respect to that Customer's data.

2. Definitions

"Personal Information" means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with an identifiable natural person or household.

"Customer Data" means all data, files, documents, records, and information that a Customer or its authorized users submit, upload, transmit, or otherwise make available to or through the Services, including but not limited to customs entry summaries, commercial invoices, import/export documentation, tariff classification data, duty payment records, broker records, and any other trade compliance data.

"Derived Data" means any data, insights, models, algorithms, statistics, indices, benchmarks, or other information created by or on behalf of the Company through the processing, analysis, aggregation, de-identification, or transformation of Customer Data or any other data collected through the Services.

"Usage Data" means information generated by the use of the Services, including but not limited to log data, analytics data, feature usage patterns, performance metrics, click-stream data, and interaction data.

3. Information We Collect

3.1 Information You Provide Directly

• Account & Contact Information: Name, email address, phone number, company name, job title, business address, and billing information.
• Customer Data: All documents, records, and data uploaded to or processed through the Services, including customs entry documentation (e.g., CF-7501 entry summaries, CF-28 requests, CF-29 notices), commercial invoices, bills of lading, packing lists, HTS classification data, ACE data exports, duty payment records, broker system exports, correspondence with CBP, Court of International Trade filings, and any other trade compliance or customs documentation.
• Communications: Information provided when you contact us, submit a support request, participate in a survey, or otherwise communicate with us.

3.2 Information Collected Automatically

• Usage Data: Pages visited, features used, time spent on pages, clicks, scrolls, search queries, documents processed, and workflow patterns within the Services.
• Device & Technical Data: IP address, browser type and version, operating system, device identifiers, screen resolution, language preferences, referring URLs, and access timestamps.
• Log Data: Server logs recording all requests made to our systems, including API calls, authentication events, file uploads, processing events, error reports, and system performance data.
• Cookies & Similar Technologies: Information collected through cookies, web beacons, pixel tags, local storage, and similar technologies as described in Section 11.

3.3 Information from Third Parties

• Information from integration partners, including customs broker platforms, ERP systems, and trade management software.
• Publicly available trade data, tariff schedules, CBP rulings, and Court of International Trade records.
• Information from identity verification and fraud prevention services.
• Information from analytics providers and advertising networks.

4. Use of Information

We may use the information we collect for any lawful purpose, including but not limited to:

• Providing, maintaining, operating, and improving the Services.
• Processing, analyzing, and classifying customs entries, tariff data, and duty payment records to identify refund eligibility and calculate potential recovery amounts.
• Generating claim documentation, filing packets, protests, post-summary corrections, and other refund-related outputs.
• Developing, training, testing, improving, and validating machine learning models, algorithms, optical character recognition systems, natural language processing systems, classification engines, and other artificial intelligence or automated decision-making systems.
• Creating Derived Data, including aggregated benchmarks, industry indices, statistical analyses, and market intelligence products.
• Conducting research and development, including developing new products, features, and services.
• Communicating with you regarding the Services, including sending service-related notices, updates, security alerts, and administrative messages.
• Marketing and promoting the Services and related offerings, including through targeted advertising, email campaigns, and content personalization.
• Detecting, preventing, and investigating fraud, security incidents, and illegal activities.
• Enforcing our Terms of Service and other agreements.
• Complying with applicable laws, regulations, legal processes, and governmental requests.
• Any other purpose described to you at the time of collection or for which you provide consent.

5. Derived & Aggregated Data

You acknowledge and agree that the Company shall own all right, title, and interest in and to all Derived Data. Without limiting the foregoing, the Company retains the unrestricted right to use, modify, distribute, commercialize, license, sublicense, and otherwise exploit Derived Data for any purpose whatsoever, including but not limited to:

• Training, improving, and validating the Company's machine learning models, algorithms, and AI systems, whether used in the Services or in separate products and services.
• Creating and commercializing aggregated benchmarks, industry reports, market intelligence, statistical analyses, and data products.
• Improving the Services generally and developing new products and features.
• Providing aggregated or de-identified insights to third parties.

Derived Data shall not be considered Customer Data or confidential information of any Customer, provided that the Company shall use commercially reasonable efforts to ensure that Derived Data does not identify any individual Customer or its specific entries without such Customer's consent.

The rights granted in this Section survive any termination or expiration of your account, any agreement between you and the Company, or this Policy.

6. Disclosure to Third Parties

We may share information as follows:

• Service Providers & Sub-processors: Third-party vendors, consultants, and service providers that perform services on our behalf, including cloud hosting, data storage, analytics, payment processing, customer support, and professional services.
• Professional Partners: Customs brokers, licensed customs house brokers, trade compliance consultants, freight forwarders, and international trade attorneys engaged in connection with the Services or the processing of refund claims, in each case as directed or authorized by the applicable Customer.
• Government Agencies: U.S. Customs and Border Protection, the Court of International Trade, the U.S. Court of Appeals for the Federal Circuit, and any other governmental or regulatory authority as required or permitted by law or as necessary to process refund claims.
• Affiliates & Subsidiaries: Our parent company, subsidiaries, and affiliates, for purposes consistent with this Policy.
• Business Transfers: In connection with, or during negotiations of, any merger, acquisition, sale of assets, financing, reorganization, bankruptcy, receivership, dissolution, or similar transaction involving all or a portion of our business or assets. You acknowledge that such transactions may occur and that a transferee may continue to use your information as set forth in this Policy.
• Legal & Compliance: Where required by law, subpoena, court order, or other legal process, or where we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a governmental request.
• With Consent: With your consent or at your direction.
• Aggregated or De-Identified Information: We may share aggregated, de-identified, or anonymized information that cannot reasonably be used to identify you with any third party for any purpose, without restriction.

7. Sub-processors

We use third-party sub-processors to assist in providing the Services. A current list of sub-processors is available upon request. We reserve the right to engage new sub-processors at any time. Where required by applicable data protection laws or a DPA, we will provide advance notice of new sub-processors. Your continued use of the Services following such notice constitutes acceptance of the new sub-processor.

8. International Data Transfers

Your information may be transferred to, stored in, and processed in the United States and any other country in which the Company, its affiliates, or its sub-processors operate. These countries may have data protection laws that differ from the laws of your jurisdiction. By using the Services, you consent to the transfer of your information to the United States and other jurisdictions as described in this Policy. Where required by applicable law, we will implement appropriate safeguards for cross-border transfers, such as Standard Contractual Clauses approved by the European Commission, binding corporate rules, or reliance on the EU-U.S. Data Privacy Framework, as applicable.

9. Data Retention

We retain information for as long as necessary to fulfill the purposes for which it was collected, including to satisfy any legal, regulatory, accounting, or reporting obligations. Our retention practices are subject to the following:

• Customer Data: Retained for the duration of the Customer's account and for a period of seven (7) years following account termination, or such longer period as required by applicable law or regulation, including U.S. customs and trade recordkeeping requirements (19 U.S.C. § 1508).
• Derived Data: Retained indefinitely. As noted in Section 5, Derived Data is owned by the Company and is not subject to deletion requests.
• Usage Data & Log Data: Retained for up to seven (7) years from the date of collection.
• Account Information: Retained for the duration of the account and for seven (7) years following closure.

Upon expiration of the applicable retention period, we will delete or de-identify the information in accordance with our data management practices, unless retention is required by applicable law. We reserve the right to retain any information in de-identified or aggregated form indefinitely.

10. Security

We implement commercially reasonable administrative, technical, and physical safeguards designed to protect information against unauthorized access, alteration, disclosure, or destruction. These measures include, as applicable, encryption in transit and at rest, access controls, audit logging, vulnerability management, and periodic security assessments. However, no method of transmission over the Internet or electronic storage is completely secure. We cannot and do not guarantee the absolute security of your information. You acknowledge that you transmit information to us at your own risk.

11. Cookies & Tracking Technologies

We use cookies, web beacons, pixel tags, local storage objects, and similar technologies (collectively, "Tracking Technologies") to collect information, personalize the Services, and for analytics and advertising purposes. These include:

• Strictly Necessary Cookies: Required for the operation of the Services, including authentication, security, and session management.
• Analytics Cookies: Used to collect information about how you interact with the Services, including pages visited, time spent, and navigation paths. We may use third-party analytics providers, including Google Analytics, Mixpanel, Amplitude, or similar services.
• Functional Cookies: Used to remember your preferences, settings, and customizations.
• Advertising & Marketing Cookies: Used to deliver targeted advertisements and measure the effectiveness of advertising campaigns. These may be placed by third-party advertising networks.

You may manage your cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the Services. We honor Global Privacy Control (GPC) signals as required by applicable law. We do not currently respond to Do Not Track (DNT) browser signals, as no uniform standard for responding to such signals has been established.

12. Your Rights

Depending on your jurisdiction, you may have certain rights regarding your information, which may include the right to access, correct, delete, or port your Personal Information, the right to restrict or object to certain processing, and the right to withdraw consent. To exercise any such rights, please contact us using the information in Section 20. We will respond to your request within the timeframe required by applicable law. We may require you to verify your identity before processing your request. We reserve the right to deny requests where permitted by law, including where the request is manifestly unfounded, excessive, or would adversely affect the rights of others.

Notwithstanding the foregoing, deletion and similar rights do not apply to Derived Data (see Section 5), information retained for legal compliance, or information that has been de-identified or aggregated such that it no longer constitutes Personal Information.

13. Additional Disclosures for California Residents

This Section applies to residents of California, as required by the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 ("CCPA").

Categories of Personal Information Collected: Identifiers; commercial information; Internet or other electronic network activity; professional or employment-related information; geolocation data; inferences drawn from the foregoing.

Business Purpose for Collection: As described in Section 4.

Sale or Sharing: We do not "sell" Personal Information as defined by the CCPA. We may "share" Personal Information (as defined by the CCPA) with third-party advertising partners for purposes of cross-context behavioral advertising. You may opt out of such sharing by contacting us or by using the Global Privacy Control signal.

Your Rights Under the CCPA: You have the right to know what Personal Information we collect, the right to delete, the right to correct, the right to opt out of the sale or sharing of your Personal Information, and the right to non-discrimination for exercising your rights. To exercise these rights, contact us using the information in Section 20 or submit a request through customsgenius.com/privacy-request. You may designate an authorized agent to make a request on your behalf.

Retention: As described in Section 9.

Financial Incentive Programs: We do not offer financial incentive programs in exchange for the retention or sale of Personal Information.

14. Additional Disclosures for EEA & UK Residents

If you are located in the European Economic Area ("EEA") or the United Kingdom ("UK"), this Section applies in addition to the rest of this Policy.

Legal Bases for Processing: We process Personal Information on one or more of the following legal bases: (a) your consent; (b) performance of a contract to which you are a party; (c) compliance with a legal obligation; (d) our legitimate interests, including the operation, improvement, and security of the Services, fraud prevention, and direct marketing, provided such interests are not overridden by your fundamental rights and freedoms.

Your Rights: In addition to the rights described in Section 12, you may have the right to lodge a complaint with a supervisory authority in your jurisdiction.

Data Transfers: Transfers outside the EEA/UK are governed by Section 8. We rely on Standard Contractual Clauses and/or adequacy decisions as appropriate.

Data Controller: eCompliance, Inc. is the data controller for Personal Information collected through the Site. Where we process Customer Data on behalf of a Customer, the Customer is the data controller and we act as a data processor.

15. Children's Privacy

The Services are not directed to individuals under the age of 18 and are intended for use by businesses and professionals. We do not knowingly collect Personal Information from children under the age of 16 (or the applicable age of consent in your jurisdiction). If we become aware that we have collected Personal Information from a child under the applicable age, we will take steps to delete such information promptly. If you believe we have inadvertently collected information from a minor, please contact us immediately.

16. Third-Party Links & Integrations

The Services may contain links to third-party websites, services, or integrations that are not owned or controlled by us. This Policy does not apply to any third-party services. We are not responsible for the privacy practices, content, or data collection of any third-party services. We encourage you to review the privacy policies of any third-party services you access through the Services.

17. Changes to This Policy

We reserve the right to modify this Policy at any time in our sole discretion. If we make material changes to this Policy, we will notify you by posting the updated Policy on the Site and updating the "Last Updated" date. We may, but are not obligated to, provide additional notice through email or in-product notifications. Your continued use of the Services following any changes to this Policy constitutes your acceptance of such changes. It is your responsibility to review this Policy periodically. If you do not agree with any changes, you must discontinue use of the Services.

18. Disclaimer & Limitation of Liability

TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW, THE COMPANY DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, WITH RESPECT TO THE SECURITY, CONFIDENTIALITY, OR INTEGRITY OF ANY INFORMATION PROCESSED THROUGH THE SERVICES. THE COMPANY SHALL NOT BE LIABLE FOR ANY UNAUTHORIZED ACCESS TO, ALTERATION OF, OR LOSS OF ANY INFORMATION, EXCEPT TO THE EXTENT DIRECTLY CAUSED BY THE COMPANY'S GROSS NEGLIGENCE OR WILLFUL MISCONDUCT. IN NO EVENT SHALL THE COMPANY'S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS POLICY EXCEED THE AMOUNTS PAID BY YOU TO THE COMPANY IN THE TWELVE (12) MONTHS PRECEDING THE EVENT GIVING RISE TO THE CLAIM, OR ONE HUNDRED U.S. DOLLARS ($100), WHICHEVER IS GREATER. THIS LIMITATION APPLIES TO THE FULLEST EXTENT PERMITTED BY LAW, REGARDLESS OF THE THEORY OF LIABILITY.

19. Governing Law & Dispute Resolution

This Policy shall be governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of laws provisions. Any dispute arising out of or relating to this Policy or the processing of your information shall be resolved exclusively in the state or federal courts located in Harris County, Delaware, and you hereby consent to the personal jurisdiction and venue of such courts. To the fullest extent permitted by applicable law, you agree that any claim or cause of action arising out of or related to this Policy must be filed within one (1) year after such claim or cause of action arose, or be forever barred.

20. Contact Us

If you have questions about this Policy, wish to exercise your privacy rights, or need to report a concern, please contact us at:

eCompliance, Inc.
Attn: Privacy
5913 Annapolis St.
Houston, TX 77005
Email: privacy@customsgenius.com

For data protection inquiries from the EEA or UK, you may contact our designated representative at: eCompliance, Inc., 5913 Annapolis St., Houston, TX 77005, or email dpo@customsgenius.com.