GDPR Privacy Notice

1. Introduction

MyCustomsInfo® is committed to protecting your personal data and respecting your privacy rights in accordance with the EU General Data Protection Regulation (GDPR) and UK GDPR. This GDPR Privacy Notice explains how we collect, use, store, and protect your personal data when you use our customs compliance services.

This notice should be read in conjunction with our main Privacy Policy and applies specifically to individuals in the European Economic Area (EEA), Switzerland, and the United Kingdom.

2. Data Controller Information

3. Legal Basis for Processing

We process your personal data under the following lawful bases as defined by GDPR Article 6:

4. Personal Data We Collect

4.1 Identity Data

• Full name, job title, and professional credentials
• Company name and business registration details
• Date of birth (if required for identity verification)

4.2 Contact Data

• Business and personal email addresses
• Telephone numbers (mobile and landline)
• Business address and postal address

4.3 Financial Data

• Payment card details (processed securely by third-party payment processors)
• Bank account information (for invoice payments)
• Billing address and VAT registration number

4.4 Customs Declaration Data

• Import and export declaration documents
• HS codes and commodity descriptions
• Shipment values, quantities, and origin information
• Supplier and buyer information

4.5 Technical Data

• IP address and device identifiers
• Browser type and version
• Operating system and platform
• Cookie data and similar technologies

4.6 Usage Data

• Pages visited and features used
• Time and date of access
• Clickstream data and navigation patterns
• Search queries within the platform

5. Your Rights Under GDPR

Under GDPR, you have the following rights regarding your personal data:

6. Data Retention Periods

We retain your personal data for different periods depending on the type of data and legal requirements:

• Account Data: Duration of your account plus 30 days after closure (unless longer retention required by law)
• Customs Declaration Data: 7 years from the date of declaration (in compliance with customs record-keeping requirements)
• Financial Records: 7 years from the end of the financial year (tax and accounting requirements)
• Marketing Consent: Until consent is withdrawn, or 3 years of inactivity
• Technical/Usage Data: 24 months maximum
• Communication Records: 3 years from last interaction

After the retention period expires, we securely delete or anonymize your personal data unless we are required by law to retain it longer.

7. International Data Transfers

Your personal data is primarily stored and processed within the European Economic Area (EEA) and United Kingdom. If we transfer your data outside the EEA/UK, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Adequacy decisions recognizing equivalent data protection standards
• Binding Corporate Rules (BCRs) for intra-group transfers
• Consent where appropriate and legally required

8. Automated Decision-Making and Profiling

We use AI and automated systems to analyze customs declarations and identify compliance issues. However, all final decisions regarding customs compliance are subject to human review by licensed customs professionals.

Your rights regarding automated processing:

• Right to request human intervention in automated decisions
• Right to express your point of view
• Right to contest automated decisions
• Right to obtain an explanation of the decision reached

9. Data Security Measures

We implement technical and organizational measures to protect your personal data:

• 256-bit AES encryption for data at rest
• TLS 1.3 encryption for data in transit
• Multi-factor authentication and access controls
• Regular security audits and penetration testing
• ISO 27001 and ISO 28000 compliant security frameworks
• Data breach notification procedures
• Staff training on data protection and security

10. Third-Party Data Processors

We work with carefully selected third-party processors who assist us in providing our services. All processors are bound by Data Processing Agreements (DPAs) that meet GDPR requirements:

• Cloud hosting providers (AWS, Azure) - data storage and infrastructure
• Payment processors - secure payment handling
• Email service providers - communications
• Analytics providers - usage analysis and improvement
• Licensed customs brokers - expert validation services

11. Data Breach Procedures

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms:

• We will notify the relevant supervisory authority within 72 hours of becoming aware
• We will notify affected individuals without undue delay if the breach poses a high risk
• Notifications will include the nature of the breach, likely consequences, and measures taken
• We maintain detailed records of all data breaches

12. Children's Data

Our services are not directed at children under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child without parental consent, we will take steps to delete it promptly.

13. Exercising Your Rights

To exercise any of your GDPR rights, please contact us:

We will respond to your request within one month. In complex cases, we may extend this by two additional months, in which case we will inform you of the extension and the reasons.

14. Supervisory Authority Contact

If you are not satisfied with our response or believe we are processing your data unlawfully, you have the right to lodge a complaint with your local supervisory authority:

15. Changes to This Notice

We may update this GDPR Privacy Notice from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by email or through a prominent notice on our website. The "Last updated" date at the top of this notice indicates when it was last revised.