Legal

Privacy Policy

Last updated 2026-06-03

How Customs OS collects, uses, stores, shares, and protects personal data — and the rights you have over it.

1. Who we are and what this covers

Customs OS, Inc. (“Customs OS”, “we”, “us”) builds software for licensed customs brokers. This policy explains how we handle personal data. We act in two different roles, and it matters which one applies:

  • As a controller— for the personal data of the people who hold accounts with us (your name, work email, organization, sign-in and security data, and how you use the product). For this data we decide the purposes and means, and this policy governs.
  • As a processor— for the contents of the document packets our customers upload for validation. Here our customer is the controller and decides what to send and why; we process it only on their documented instructions under our Data Processing Agreement. If you are an individual whose data appears inside a packet, please direct your requests to the broker who uploaded it; we will assist them.

2. The personal data we process

  • Account & identity data (controller): name, work email, organization and your role, password (stored only as a salted hash), authentication and security metadata (2FA status and encrypted secrets, passkeys, Google sign-in tokens stored encrypted), session records including IP address and user-agent, and your language preference.
  • Usage & device data (controller): product events (uploads, runs, approvals), performance and error telemetry, and approximate, aggregate analytics. We do not build advertising profiles.
  • Support & communications (controller): messages you send us and messages we send you.
  • Packet content (processor): the documents customers upload (commercial invoices, packing lists, bills of lading, ISFs, arrival notices), the fields and results extracted from them, and customer-managed records such as client names, contact emails, and notes. These may contain personal data of third parties; the uploading organization is the controller for it.

We do not intentionally collect special-category data and ask customers not to upload it. We do not knowingly process the data of children.

3. Why we process it, and our legal basis

  • Provide and run the product(account + packet data) — performance of a contract, and, for packet data, the controller's basis under our DPA.
  • Operate, secure, monitor, debug, and prevent abuse(account, usage, session/IP) — our legitimate interests in a reliable, secure service.
  • Service, security, and billing communications— contract / legitimate interests.
  • Non-essential product updates— consent, which you can withdraw at any time.
  • Legal, tax, and accounting obligations— compliance with a legal obligation.

Where we rely on legitimate interests, we have balanced them against your rights; you can object (see section 8).

4. What we never do

  • We do not sell or rent personal data. We never have.
  • We do not use packet contents to train our own or third-party AI models. Inference calls required to deliver the product (to Google Gemini, via the Vercel AI Gateway) are configured so that customer content is not retained for training by the provider.
  • We do not place advertising cookies or third-party marketing trackers on product surfaces. See our Cookie Policy.

5. AI processing

To extract and validate documents we send packet content to Google's Gemini models through the Vercel AI Gateway. This is automated processing in support of your broker's review — not a decision that produces legal effects without human involvement. Outputs are tools your licensed broker reviews before acting. The provider processes content only to return results and does not train on it.

6. Who we share it with (sub-processors)

We run on a small, vetted set of infrastructure providers who process data on our behalf under contract. The current, versioned list — purpose, location, and safeguards for each — is at /subprocessors. We give at least 30 days' notice before adding or replacing a sub-processor that touches customer data, and customers may object. We also disclose data when required by law or to protect rights and safety, and in a merger or acquisition (with notice).

7. International transfers

We are US-based and our primary infrastructure is in US regions. When we process personal data originating in the EEA, the UK, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (2021/914) and, for the UK, the UK International Data Transfer Addendum, together with supplementary technical measures (encryption in transit and at rest, access controls). These clauses are built into our DPA. A copy is available on request.

8. Your rights

If you are in the EEA, UK, or Switzerland you have the right to access your data; have it rectified; have it erased; restrict or object to processing; data portability; and to withdraw consent at any time without affecting prior processing. You also have the right to lodge a complaint with a supervisory authority — in the EU, your local Data Protection Authority; in the UK, the Information Commissioner's Office (ico.org.uk).

To exercise these rights for your account data, use the in-app controls or contact privacy@customsos.com. We respond within 30 days. If your data sits inside a customer's packet, contact that organization (the controller); we will support them. We do not discriminate against you for exercising any right.

9. Retention

We keep account data for as long as your account is active. After account or data deletion, residual copies may persist in backups for up to 30 days before being overwritten, to allow recovery from accidental loss. Packet data retention is governed by the customer's instructions under the DPA. We retain limited records longer where law requires (e.g. tax/accounting). On request we will erase data earlier unless we are legally required to keep it.

10. Security

  • Encryption in transit (TLS 1.2+) and at rest (AES-256).
  • Tenant isolation at the application and database layer; least-privilege internal access.
  • Secrets (OAuth tokens, 2FA secrets and backup codes) encrypted at rest.
  • Rate limiting and bot protection on authentication.
  • Incident response: if a breach affects your personal data, we notify the account's primary contact, and where required the relevant authority, within 72 hours of becoming aware.

11. Cookies

We use only essential cookies in the product (session and language preference) and privacy-friendly, cookieless analytics on the marketing site. Full detail and choices are in our Cookie Policy.

12. Changes

We will post material changes here and, where appropriate, notify you. The “last updated” date above always reflects the current version.

13. Contact

Privacy requests and DSARs: privacy@customsos.com. Security and responsible disclosure: security@customsos.com. Anything else: support@customsos.com. If you are reviewing this before a security questionnaire, you can also book a short call.