Privacy Policy

Last updated: April 24, 2026

Who we are

Tariffs API is operated by Brightworks Digital Pte. Ltd., a Singapore private limited company (UEN 202504662W), registered at 2 Venture Drive, #19-21, Vision Exchange, Singapore 608526 ("we", "us", or "our"). For privacy questions, contact us at privacy@tariffsapi.com.

This Privacy Policy explains what personal information we collect when you use tariffsapi.com and the Tariffs API service (the "Service"), why we collect it, who we share it with, how long we keep it, and what your rights are. Capitalized terms not defined here have the meanings given in our Terms of Service.

1. What we collect

1.1 Account data

When you create an account, we collect:

  • email address (required);
  • name or display name (optional);
  • company or organization name (optional);
  • password (stored only as a hashed, salted value — we cannot recover it);
  • account preferences (timezone, notification settings).

1.2 Payment data

Payments are processed by Stripe through the Pay gem. We do not store credit card numbers, bank account numbers, or CVV values on our servers. We store:

  • a Stripe customer identifier and subscription identifier;
  • plan, billing cycle, and renewal date;
  • invoice history (amounts, dates, last 4 digits of the card as surfaced by Stripe);
  • billing address and tax information where required for invoicing.

Card details are held directly by Stripe under its own privacy policy (stripe.com/privacy).

1.3 Usage data

When you use the Service, our servers and edge infrastructure log:

  • API requests (endpoint, response status, response time, timestamp);
  • web page requests (URL, referrer, status code);
  • search queries and HTS codes you look up through the Service;
  • IP address and coarse geolocation derived from it;
  • user agent string (browser, device, operating system);
  • session identifiers stored in a first-party cookie (see Section 8).

1.4 HTS Watch data

If you use HTS Watch, we store:

  • HTS codes you have saved;
  • the origin countries you associate with each code;
  • typical shipment values you enter for landed-cost estimates;
  • alert preferences (email frequency, triggers).

1.5 Communications

If you email us, reply to a transactional email, fill in a support form, or participate in a survey, we retain the content of your message to answer you and improve the Service.

1.6 What we do not collect

We do not knowingly collect sensitive personal information (health, biometric, precise geolocation, government ID numbers, or political/religious views). We do not fingerprint your device beyond the technical usage data in Section 1.3. We do not set advertising cookies and we do not track you across other websites.

2. Why we collect it (lawful bases)

We use the information above for the following purposes:

  • Operating the Service — authenticating you, serving requests, calculating duties, running HTS Watch alerts, and keeping the Service secure. Lawful basis under GDPR: performance of the contract between us (Article 6(1)(b)).
  • Billing and fraud prevention — processing subscription payments, detecting unusual charge patterns, preventing payment fraud. Lawful basis: performance of the contract (Article 6(1)(b)) and our legitimate interest in preventing fraud (Article 6(1)(f)).
  • Alerts — sending you HTS Watch rate-change notifications for codes you have saved. Lawful basis: performance of the contract (Article 6(1)(b)).
  • Transactional and service emails — account confirmations, password resets, billing receipts, material changes to these documents. Lawful basis: performance of the contract and our legitimate interest in keeping you informed.
  • Product improvement — aggregated, de-identified analytics about which features are used, which endpoints are slow, which queries fail. Lawful basis: our legitimate interest in improving the Service, balanced against your interests.
  • Legal compliance — tax and accounting records, responses to lawful requests from regulators, enforcement of our Terms of Service. Lawful basis: compliance with our legal obligations (Article 6(1)(c)) and our legitimate interest in enforcing our contracts.
  • Marketing emails (if any) — product announcements and occasional newsletters, only where you have opted in. You may unsubscribe at any time using the link in the email. Lawful basis: your consent (Article 6(1)(a)).

3. Who we share with

We share personal information with a limited set of service providers, acting as our processors under contract, strictly to operate the Service:

  • Stripe (Stripe, Inc. / Stripe Payments Europe) — payment processing and subscription management.
  • Email service provider — transactional emails (account, billing) and HTS Watch alert emails.
  • Hosting and infrastructure providers — application hosting, database hosting, object storage, edge CDN, DNS.
  • Error and performance monitoring — to diagnose application errors and latency issues.
  • Customer support tooling — to respond to support requests you send us.

The current list of sub-processors, including their identity and hosting region, is maintained at /status#sub-processors and we will update it before introducing a new sub-processor that materially affects the processing of your data.

We may also disclose personal information:

  • to legal or regulatory authorities where required by applicable law, a valid court order, or to protect our rights, safety, or property;
  • to a successor entity in connection with a merger, acquisition, or sale of substantially all of our assets, subject to equivalent protections;
  • with your explicit instruction or consent.

We do not sell personal information to advertisers or data brokers, we do not share personal information with other Customers, and we do not use Customer-identifiable data to train machine-learning models for third parties.

4. LLM and AI processing disclosure

Some content surfaced on the Service, notably product enrichment summaries and AI-assisted verification of parsed duty rates, is generated with the assistance of large language models ("LLMs"). We use LLMs as a tool for summarizing and verifying publicly sourced tariff schedule text (Federal Register notices, USTR announcements, CBP measure descriptions). These inputs are not personal information. The LLM runs on infrastructure we control and does not send your data to third-party model providers.

We do not:

  • send Customer-identifiable information to LLM providers (no account data, no saved HTS Watch lists, no API request patterns tied to a Customer);
  • allow LLM providers to use any data we send them to train their foundation models, where the provider offers a training-opt-out setting, which we enable;
  • use your data to train any model — ours, a third party's, or an open-source model.

Content fields produced with LLM assistance are identified in the Service UI and/or in API response metadata. These fields can contain parsing or classification errors and are treated as informational under Section 4 of our Terms of Service.

5. Data retention

We retain personal information only as long as needed for the purposes above:

  • Account data — for the life of your account. After you close your account, we retain invoice and tax-related records for up to seven (7) years to satisfy Singapore tax, accounting, and corporate record-keeping obligations, and equivalent obligations in your jurisdiction where applicable.
  • Usage logs — for up to 90 days, after which they are deleted or aggregated beyond re-identification. Security event logs may be retained longer where necessary to investigate incidents.
  • HTS Watch data — while the watch is active; we retain deleted watches and associated alert history for 30 days after deletion to allow recovery if you restore them, after which they are permanently deleted.
  • Support conversations — for up to 24 months after the last interaction, unless a longer period is required to resolve a specific dispute.
  • Aggregated analytics — indefinitely, as the data no longer identifies you.

Where retention periods in different jurisdictions conflict, we apply the longer period if required by law, or the shorter period if permitted.

6. Your rights

6.1 Rights available everywhere

Regardless of where you live, you can ask us to:

  • confirm what personal information we hold about you and give you a copy;
  • correct inaccurate personal information;
  • delete your account and the personal information associated with it (subject to retention obligations in Section 5);
  • stop sending you marketing emails (one-click via the footer of any marketing email, or by writing to us).

6.2 GDPR and UK GDPR rights

If you are in the European Economic Area, the United Kingdom, or Switzerland, you additionally have the right to:

  • data portability — receive your personal information in a structured, machine-readable format, or ask us to transmit it to another controller where technically feasible;
  • object to processing based on our legitimate interest, including for direct marketing, which will always be honored;
  • restrict processing in certain circumstances (for example, while we verify a correction request);
  • withdraw consent at any time, without affecting the lawfulness of processing before withdrawal;
  • lodge a complaint with your local data protection authority.

6.3 California (CCPA/CPRA) rights

If you are a California resident, you have the right to know what personal information we have collected, the right to request deletion, the right to correct inaccurate information, the right to opt out of the sale or sharing of personal information, and the right to limit the use of sensitive personal information.

We do not sell personal information and we do not share personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. We do not collect sensitive personal information beyond what is necessary to provide the Service.

6.4 Singapore PDPA rights

If you are in Singapore, you have the right to access and correct personal data under the Personal Data Protection Act 2012. You may also withdraw consent for processing that relies on your consent.

6.5 How to exercise your rights

Email privacy@tariffsapi.com with your request. We may ask you to verify your identity (for example, by confirming access to the email on the account). We will respond within the statutory deadline applicable to your jurisdiction (generally 30 days under GDPR and 45 days under the CCPA), and will extend the deadline only where necessary and with notice.

Exercising your rights is free. You will not be subject to discrimination or a lower quality of service for doing so.

7. International data transfers

Brightworks is established in Singapore. Our sub-processors may process personal information in the United States, the European Union, or other jurisdictions where they operate. When we transfer personal information outside the jurisdiction in which you reside, we rely on appropriate safeguards, which may include:

  • the European Commission's Standard Contractual Clauses (and, where relevant, the UK International Data Transfer Addendum) for transfers out of the EEA and the UK;
  • Singapore PDPA-compliant transfer terms with sub-processors receiving data from Singapore;
  • adequacy decisions where the receiving jurisdiction has been recognized as providing an equivalent level of protection.

You can request a copy of the transfer mechanism applicable to a specific sub-processor from privacy@tariffsapi.com.

8. Cookies

We use a small number of first-party cookies to keep you logged in, remember your preferences, and protect the Service against abuse. We do not set advertising cookies and we do not use third-party tracking pixels on the marketing site. For the complete list of cookies we set, their purpose, and their lifetime, see our Cookie Policy.

9. Children

The Service is intended for professional use by importers, ecommerce businesses, compliance staff, and developers. It is not directed at children under the age of 16, and we do not knowingly collect personal information from children under 16. If we learn that we have collected personal information from a child under 16 without verified parental consent, we will delete it. Contact us at privacy@tariffsapi.com if you believe a child has provided us with personal information.

10. How to contact us

For any privacy matter — to exercise a right, ask a question, or raise a concern — email privacy@tariffsapi.com or write to us at:

Brightworks Digital Pte. Ltd.
Attn: Privacy
2 Venture Drive, #19-21, Vision Exchange
Singapore 608526

We act as the controller of your personal information for the purposes of GDPR and UK GDPR. We have not yet appointed an Article 27 representative in the EU or a UK representative; this will be reviewed before we actively market the Service to EU or UK data subjects under the conditions that trigger the Article 27 requirement.

11. Changes to this Policy

We may update this Privacy Policy from time to time. If we make a material change — for example, a new purpose for processing or a new category of recipient — we will notify you by email to the address on file, or by an in-product notice, at least 30 days before the change takes effect. The "Last updated" date at the top of this page always reflects the most recent revision.