Privacy Policy
ImportPreflight processes data to help customs brokers, importers, and compliance teams pre-screen product catalogs for U.S. customs and related compliance signals. We collect the minimum data needed to run the service, we do not sell your personal information, and we give you practical control over your account and notifications.
Controller & contact
[COMPANY LEGAL NAME] is the data controller for personal data described here, unless we tell you otherwise in a separate agreement. Business address: [REGISTERED ADDRESS]. If you are in the EEA, UK, or other regions with data-protection representatives, we will publish those details when applicable—verify with your counsel. General policy questions: see Contact.
What we collect
- Account information — email address, name, and organization context as collected by our authentication and profile flows (e.g. Supabase Auth).
- Product catalogs — files you upload (commonly CSV or JSON) and any product fields present in them (e.g. descriptions, SKUs, countries of origin) that you choose to include.
- Analysis results — classifications, flags, recommendations, audit output, and related metadata that our pipeline derives from your catalogs to deliver the service.
- Usage and product data — which app areas you use, support interactions, and in-product actions (such as dismissing a job or changing queue views) to operate and improve the product.
- Technical data — IP address, user agent, and similar signals used for security, anti-abuse, and reliability (not for ad targeting across the web).
How we use it
- Providing the classification, screening, export, and collaboration features of ImportPreflight.
- Account management — sign-in, invitations, roles, and organization settings.
- Operational monitoring — service availability, error diagnosis, and abuse detection.
- Transactional email through our email provider (e.g. product notifications such as optional drift alerts; account- and support-related messages).
- We do not sell your personal data, use it for interest-based advertising, or build cross-site marketing profiles. We do not use your product text to train third-party models for unrelated purposes.
Data storage, security, and access
Customer data is processed using Supabase (database, authentication, and file storage) in a U.S. region, unless and until we support additional regions. Transport uses HTTPS. Access to your organization’s rows is designed to be enforced with row-level security: users under your org typically see only your org’s data. The worker and API use a controlled service role with least-privilege design; end users are not given those credentials. See the Security page for a high-level control overview, and the checklist for what your security team should verify in your deployment.
Retention
Completed analysis jobs and associated stored catalog files are generally retained for 90 days from completion, subject to organization-level configuration and operational needs—confirm your settings with your account owner. Account records and authentication identifiers are kept while the account is active, then removed or de-identified within a reasonable period (target: 30 days after a confirmed deletion or closure request) unless a longer hold is required by law or dispute handling. Your counsel should align these numbers with the operator’s real retention tooling.
Third-party processors (illustrative)
The operator may add or change vendors. Verify the live list for your instance. As of this draft, the service commonly relies on:
- Supabase (database, Auth, object storage) — see Supabase’s published security & compliance materials, including DPA/SCC options where offered.
- Resend (transactional email) — refer to their documentation for certifications and data handling.
- Vercel (frontend hosting) — your counsel should link to the correct agreement for the operator’s Vercel account.
- Fly.io or a comparable host for the Python API and background worker in production. If you use another IaaS/PaaS, update this list before publication.
Your rights and choices
Depending on where you live, you may have rights to access, correct, delete, or export personal data, and to object to or limit certain processing. U.S. residents may have state-specific rights (e.g. California), and EEA/UK users may have GDPR/UK-GDPR rights. We aim to honor these requests in line with our role as processor or controller, as appropriate.
How to exercise your rights — use the contact form on Contact, or email [IMPORTPREFLIGHT_SUPPORT_EMAIL] if configured for your environment. You may also use the in-app Report issue form for product-related requests. We may need to verify your identity.
Marketing & optional email — product emails are primarily operational in nature. Where we offer product notifications, you can manage preferences in-app where available. We do not send third-party ad networks your catalog text.
Children
The service is intended for business users. It is not directed to children. Do not use it if you are under 16, or the higher age required in your jurisdiction, unless a parent and counsel say otherwise in writing.
Changes to this policy
We will post updated drafts here. For material changes that affect you, we intend to provide notice in-product and/or by email, where we have a contact. Review with counsel before you rely on this for regulated industries.