
Privacy Policy

Effective date: March 23, 2026 · Last updated: March 23, 2026

This privacy policy is provided for transparency. It is not a substitute for legal advice. We recommend consulting with a qualified privacy professional for specific questions.

1. Overview

TariffTrail is operated by [Company Name], a company based in British Columbia, Canada. TariffTrail is a tariff compliance information tool for Canadian small and medium-sized importers. It monitors surtax orders, calculates landed costs, manages CUSMA origin documentation, and generates audit trails for CBSA review.

TariffTrail is a compliance information tool only. It does not constitute customs brokerage services, and it does not submit data to CBSA or CARM on behalf of users.

This policy explains what personal information we collect, how we use it, and your rights under Canadian privacy legislation.

2. Information We Collect

Account Information

When you create an account, we collect your email address, password (stored as a cryptographic hash — we never store plaintext passwords), organization name, and optionally your business number.

Product Portfolio Data

You may enter product information including HS codes, product descriptions, country of origin, and import values. This data is used to provide tariff compliance calculations and alerts.

Usage Data

We collect information about how you use the service, including pages visited, features used, and calculation history. We do not use third-party analytics or tracking scripts.

Payment Information

Payment processing is handled by Stripe. We do not store credit card numbers or full payment details on our servers. Stripe is PCI DSS Level 1 compliant.

Email Consent Records

When you provide consent to receive commercial emails, we record the consent timestamp, your IP address, the page URL where consent was given, and the consent language version. These records are maintained for CASL compliance.

3. How We Use Your Information

  • Provide, maintain, and improve the TariffTrail service
  • Perform tariff calculations, surtax determinations, and CUSMA impact assessments
  • Send transactional emails, including account confirmations, surtax alerts, and service notifications
  • Send commercial emails only when you have provided express consent under CASL
  • Generate and maintain immutable audit trail records for CBSA compliance
  • Process subscription payments through Stripe

We do not sell, rent, or share your personal information with third parties for their marketing purposes.

4. Data Storage and Residency

All customer data is stored in Canada. Our database is hosted on Supabase in the ca-central-1 region (Montreal). Our application is hosted on Vercel in the yul1 region (Montreal).

We do not store customer data outside Canada without your explicit consent.

Our data handling practices comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal private sector privacy law.

5. Third-Party Services

We use the following third-party services to operate TariffTrail:

  • Supabase: database hosting and user authentication, hosted in the Canada (ca-central-1) region
  • Stripe: payment processing, PCI DSS Level 1 compliant
  • Resend: transactional and marketing email delivery
  • Inngest: background job processing (no customer data is stored by Inngest)
  • Vercel: application hosting in the Montreal (yul1) region

We do not use third-party analytics services or embed third-party tracking scripts on our website or application.

6. Data Retention

  • Account data is retained while your account is active.
  • Audit trail records are retained for a minimum of 7 years to meet CBSA compliance requirements. These records are immutable and cannot be modified or deleted.
  • Email consent records are retained indefinitely to demonstrate CASL compliance.
  • Account deletion: upon request, we will delete your account data within 30 days, except for audit trail records that must be retained for regulatory compliance.

7. Your Rights Under PIPEDA

Under PIPEDA, you have the following rights regarding your personal information:

  • Access: you can request a copy of the personal information we hold about you.
  • Correction: you can request that we correct any inaccurate personal information.
  • Withdraw consent: you can withdraw your consent to receive commercial marketing emails at any time.
  • Account deletion: you can request that we delete your account and associated personal information, subject to our legal retention obligations.

To exercise any of these rights, contact us at privacy@tarifftrail.ca. We will respond within 30 days.

8. CASL Compliance

TariffTrail complies with Canada's Anti-Spam Legislation (CASL). Our practices include:

  • Commercial emails are sent only with your express consent. Consent is collected through an unchecked checkbox with a clear purpose statement.
  • Every commercial email includes a one-click unsubscribe mechanism.
  • Unsubscribe requests are honoured within 10 business days.
  • Consent records are maintained with the timestamp, IP address, page URL, and consent language version.

Transactional emails — such as account confirmations, password resets, and surtax alerts related to your portfolio — do not require express consent under CASL and may be sent as part of normal service operation.

9. Cookies and Local Storage

TariffTrail uses cookies strictly for authentication and session management. These cookies are httpOnly and secure, meaning they cannot be accessed by client-side JavaScript and are only transmitted over encrypted connections.

We do not use advertising cookies, social media tracking pixels, or any third-party tracking cookies.

10. Data Security

We implement the following security measures:

  • Row-level security (RLS) in our database ensures strict multi-tenant data isolation — your data is never accessible to other organizations.
  • All data is encrypted in transit using TLS and encrypted at rest.
  • Service credentials and secret keys are never exposed to client-side code.
  • We conduct regular security reviews of our application and infrastructure.

11. Children's Privacy

TariffTrail is a business-to-business service and is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at privacy@tarifftrail.ca and we will delete it.

12. Changes to This Policy

We may update this privacy policy from time to time. If we make material changes, we will notify you by email or through a notice within the application. The "Last updated" date at the top of this page indicates when the policy was most recently revised.

13. Contact

If you have questions about this privacy policy or how we handle your personal information, contact us at:

[Company Name]

Email: privacy@tarifftrail.ca

Mailing address: [To be determined]