Privacy Policy
Effective 2026-04-19 · Version 1.1
Who we are
The Tariffi platform is operated by TARIFFI LLC, a Delaware limited liability company (the “Operator”). The Operator is the data controller for personal information collected through this Site and through your use of the Tariffi platform. For data-subject or privacy requests, contact privacy@tariffi.io.
Scope; U.S. users only
The Services are offered to U.S.-based importers of record and their authorized representatives. The Importer of Record on a CAPE declaration must be a U.S. entity under CBP rules. The Services are not directed to, and are not intended for use from within, the European Union, the United Kingdom, or any other jurisdiction outside the United States. If you access the Services from outside the United States, you do so on your own initiative and are responsible for compliance with local law. Personal information you submit is transferred to and processed on servers located in the United States.
Age restriction
The Services are intended for authorized business signatories aged 18 years or older. Tariffi does not knowingly collect personal information from individuals under the age of 18. If you believe that information from a person under 18 has been submitted through the Services, email privacy@tariffi.io and we will promptly delete it.
1. What we collect
- Identifying information: company name, EIN, state of incorporation, contact email, phone number.
- Customs records: CBP Form 7501 data, HTS codes, duty paid, entry numbers, broker references.
- Banking details: the routing/account number of your own bank account (linked via Plaid), used solely to debit Tariffi's authorized contingency fee after CBP deposits your refund into that account.
- Authentication data: Clerk-issued user IDs, session tokens, and MFA state.
- Usage and device data: IP address, user agent, referring URL, page views, interaction events, and session logs (for security, fraud prevention, and product analytics).
- Bot-defense telemetry: Cloudflare Turnstile challenge signals collected at intake to distinguish human users from automated traffic.
2. How we use it
- To prepare and coordinate CAPE declaration filings with our licensed broker partners.
- To collect Tariffi's contingency fee by pre-authorized ACH debit (via Plaid) from your own bank account after CBP deposits your refund directly to you. Tariffi does not route or hold your refund.
- To support your licensed broker partner in responding to CBP Form 28 / Form 29 audit requests (data retrieval and documentation only; the broker files all formal responses under 19 CFR § 111.36(c)).
- To operate, secure, monitor, and improve the platform.
- To deliver transactional communications about your engagement, including filing status, signature requests, and audit coordination.
3. Encryption, security, and breach notification
- Sensitive data (EIN, bank details, CBP entry identifiers) is encrypted at rest with AES-256-GCM.
- All API traffic is secured with TLS 1.2 or higher.
- Database access is role-scoped and audit-logged.
- Audit log retention: 7 years per 19 CFR Part 163.
Tariffi maintains commercially reasonable administrative, technical, and physical safeguards designed to protect personal information. No method of transmission or storage is perfectly secure, and Tariffi cannot guarantee that unauthorized third parties will never defeat those safeguards. In the event of a security incident involving personal information, Tariffi will notify affected users and applicable regulators within the time frames required by California Civil Code § 1798.82 and equivalent state breach-notification statutes.
4. Cookies, tracking, and Do-Not-Track
Tariffi uses cookies and similar technologies (local storage, web beacons, script-injected pixels) to operate the Services. Categories used:
- Strictly necessary: authentication session cookies (Clerk), CSRF tokens, and load-balancing identifiers required for the Services to function.
- Security: Cloudflare Turnstile bot-defense signals and Sentry error-monitoring context identifiers.
- Product analytics: PostHog event cookies used to measure funnel conversion, feature adoption, and platform-performance metrics in aggregate. Analytics identifiers are not used for cross-context behavioral advertising.
- Preference: cookies that remember your UI choices (e.g., dismissed banners).
Most browsers allow you to refuse or delete cookies through their settings. Disabling strictly necessary cookies will break authentication and core platform functions.
Do-Not-Track signals. Tariffi does not currently respond to “Do Not Track” (DNT) or Global Privacy Control (GPC) signals because the Services are B2B and do not share personal information with third parties for cross-context behavioral advertising. To exercise equivalent rights, use the contact path in Section 7 below.
5. Who we share with; subprocessors
We share your data with: (a) the licensed customs broker partner who files your CAPE declaration (under the Limited Power of Attorney you sign); (b) CBP via that partner's filing; (c) our payments processor (Plaid Inc.) to link your bank account and debit Tariffi's authorized fee after CBP deposits your refund directly to you — Tariffi does not route or hold your refund; (d) subprocessors bound by written data-processing agreements (listed below).
Tariffi does NOT sell personal information, and does NOT share personal information with third parties for cross-context behavioral advertising.
| Subprocessor | Purpose | Data handled |
|---|---|---|
| Clerk | Authentication, session, MFA | Email, user IDs, session tokens |
| Cloudflare Turnstile | Bot defense at intake | Browser challenge telemetry, IP |
| SpitShake | E-signature for LPOA and Contingency Fee Agreement | Signer name, email, signed PDFs |
| Resend | Transactional email delivery | Email, message content |
| Sentry | Application error monitoring | Error stack traces, user ID (pseudonymous) |
| PostHog | Product analytics (aggregate) | Interaction events, pseudonymous IDs |
| Plaid Inc. | Bank-account linking and authorized fee debit (ACH) | Bank routing/account number, fee-debit authorization |
Infrastructure hosting (frontend CDN, backend compute, database) is provided by commercially standard U.S.-based hosting vendors. The full infrastructure roster is disclosed in the enterprise diligence pack available on request at enterprise@tariffi.io. The subprocessor list is updated as relationships change. Customers with a data-processing agreement may request advance notice of material subprocessor changes by emailing privacy@tariffi.io.
6. Retention
Entry data and related records are retained for seven (7) years from claim disposition to support CBP post-refund audits (per 19 CFR Part 163 record-retention requirements). Account information is kept while your account is active; you may request deletion of non-regulated data at any time. We may continue to retain de-identified or aggregated data for analytics and platform improvement indefinitely.
7. Your rights; California residents
You may exercise the following rights by contacting privacy@tariffi.io. We will verify your identity before acting on requests involving personal information.
- Right to Know. Request confirmation of whether we process personal information about you and, if so, the categories of personal information collected, the categories of sources, the business or commercial purposes for collection, the categories of third parties with whom we share that information, and the specific pieces of personal information we hold about you (Cal. Civ. Code § 1798.100, § 1798.110, § 1798.115).
- Right to Delete. Request that we delete personal information we have collected from you, subject to regulatory-retention exceptions under 19 CFR Part 163 and statutory exceptions in § 1798.105(d).
- Right to Correct. Request correction of inaccurate personal information (Cal. Civ. Code § 1798.106).
- Right to Opt Out of Sale or Sharing. Tariffi does not sell personal information and does not share personal information for cross-context behavioral advertising. You may still submit an opt-out request, which we will honor on a forward-looking basis (Cal. Civ. Code § 1798.120).
- Right to Limit Use of Sensitive Personal Information. You may direct Tariffi to limit the use of sensitive personal information (such as bank account or government identifiers) to purposes necessary to provide the Services (Cal. Civ. Code § 1798.121).
- Right to Non-Discrimination. You will not receive discriminatory treatment for exercising any of the above rights (Cal. Civ. Code § 1798.125).
You may also submit a request via our Do Not Sell or Share My Personal Info page.
8. Third-party links
The Services may contain links to third-party sites (broker-partner portals, BetterStack status pages, analytics dashboards). Tariffi does not endorse and is not responsible for the privacy practices of those sites. You should review their policies before submitting information.
9. Changes
We will notify you by email of material changes to this policy and provide a revised effective date. Continued use of the Services after the effective date constitutes acceptance of the revised policy.