Privacy Policy
Last Updated: March 4, 2026
Effective Date: March 4, 2026
1. Introduction and Scope
DocuAce LLC (“DocuAce,” “Company,” “we,” “us,” or “our”) is committed to protecting the privacy and security of your personal information. This Privacy Policy describes the types of information we collect from and about you when you access or use the DocuAce platform, including the website located at docuace.com and all associated applications, tools, and services (the “Service”). It also explains how we use, disclose, and safeguard that information, and the choices available to you regarding our use of your information.
This Privacy Policy applies to all Users of the Service, regardless of geographic location. Certain sections of this Policy provide additional information and rights applicable to residents of specific jurisdictions, including California (Section 11) and the European Economic Area, United Kingdom, and Switzerland (Section 12).
By using the Service, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein. This Privacy Policy should be read in conjunction with our Terms of Service.
2. Information We Collect
2.1 Information You Provide Directly
We collect information that you voluntarily provide when using the Service, including:
| Category | Data Elements | When Collected |
|---|---|---|
| Account Information | Email address, password (stored as a salted cryptographic hash), company name (optional) | Account registration, profile updates |
| Product and Trade Data | Product descriptions, HTS codes, declared values, countries of origin, destination countries, invoice data, shipping costs, FTA selections | Calculator usage, classification requests |
| Uploaded Documents | Commercial invoices, CBP 7501 entry summaries, packing lists, bills of lading, and other trade documents in image or PDF format | AI classification, recovery scan feature |
| Refund Data | Import values, entry dates, entry status, HTS codes, origin countries, estimated refund amounts | IEEPA Refund Estimator usage |
| Saved Records | Calculation results, refund estimates, filing statuses, notes, and history | Dashboard save actions |
| Communications | Email content, support inquiries, feedback | When you contact us |
2.2 Information Collected Automatically
When you access or use the Service, we automatically collect certain technical and usage information, including:
| Category | Data Elements | Purpose |
|---|---|---|
| Device Information | Browser type and version, operating system, device type, screen resolution | Service optimization and compatibility |
| Log Data | IP address, access timestamps, pages viewed, referring URL, HTTP status codes | Security, diagnostics, abuse prevention |
| Usage Data | Features accessed, calculation frequency, session duration, interaction patterns | Service improvement and analytics |
| Session Data | Session identifiers (cookies), authentication tokens | Maintaining login state |
2.3 Information from Third-Party Sources
We may receive information from third-party services that you use in connection with the Service, including authentication providers (if single sign-on is implemented in the future) and publicly available tariff data from the U.S. International Trade Commission and other government sources.
3. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Description | Legal Basis (GDPR) |
|---|---|---|
| Service Delivery | Providing tariff classification, duty calculation, refund estimation, and document analysis services | Performance of contract |
| Account Management | Creating and maintaining your account, authenticating access, processing your saved data | Performance of contract |
| AI Classification | Transmitting product descriptions and document images to AI models for HTS classification. Document content is sent to Google’s Gemini API for processing. | Performance of contract |
| Service Improvement | Analyzing usage patterns to improve accuracy, performance, and user experience. This may include aggregate analysis of classification accuracy and common error patterns. | Legitimate interest |
| Security | Detecting, preventing, and responding to fraud, abuse, security incidents, and technical issues | Legitimate interest |
| Communications | Sending service-related notifications (e.g., deadline reminders, policy change alerts, account security notices). We do not send marketing emails without your express consent. | Legitimate interest / Consent |
| Legal Compliance | Complying with applicable laws, regulations, legal processes, or enforceable governmental requests | Legal obligation |
| Anonymized Analytics | Creating aggregate, de-identified datasets for trend analysis, research, and public reporting on trade policy impacts. No individual User can be identified from this data. | Legitimate interest |
4. Legal Bases for Processing (EEA/UK Users)
If you are located in the European Economic Area, United Kingdom, or Switzerland, we process your personal data only when we have a valid legal basis to do so. The applicable legal bases are identified in the table above and include:
- Performance of Contract: Processing necessary to provide the Service as described in our Terms of Service;
- Legitimate Interest: Processing necessary for our legitimate business interests, such as improving the Service, ensuring security, and performing analytics, provided such interests are not overridden by your data protection rights;
- Legal Obligation: Processing necessary to comply with a legal obligation to which we are subject;
- Consent: Where we have obtained your explicit consent for a specific processing activity (e.g., optional marketing communications). You may withdraw consent at any time.
5. Information Sharing and Disclosure
5.1 We Do Not Sell Your Data
DocuAce does not sell, rent, lease, or trade your personal information or User Content to any third party for monetary or other valuable consideration. We have not sold personal information in the preceding twelve (12) months.
5.2 Limited Disclosure
We may disclose your information only in the following limited circumstances:
- Service Providers and Sub-Processors: We share data with third-party service providers who assist in operating the Service, subject to contractual obligations to protect your data and use it only as directed by us (see Section 6);
- Legal Requirements: We may disclose information if required to do so by law, subpoena, court order, or other legal process, or if we believe in good faith that such disclosure is reasonably necessary to comply with applicable law, protect the rights or safety of any person, or prevent fraud;
- Business Transfers: In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service of any change in ownership or uses of your personal information;
- With Your Consent: We may share your information with third parties when you have given us explicit consent to do so;
- Aggregate or De-Identified Data: We may share aggregate or de-identified information that cannot reasonably be used to identify you, without restriction.
6. Third-Party Service Providers and Sub-Processors
The Service relies on the following categories of third-party service providers. Each provider processes data only as necessary to perform its designated function and is bound by contractual data protection obligations:
| Provider Category | Provider | Data Processed | Purpose |
|---|---|---|---|
| AI Classification | Google Cloud (Gemini API) | Product descriptions, document images | Automated HTS classification and document data extraction |
| Cloud Hosting | Vercel / Cloud Provider | All Service data (encrypted at rest and in transit) | Application hosting, database storage |
| Currency Data | Exchange rate API providers | No personal data; only currency pair requests | Real-time currency conversion |
| DNS and CDN | Domain registrar and CDN provider | IP addresses, request metadata | Domain resolution and content delivery |
We maintain a current list of sub-processors and will update this section as providers change. We conduct due diligence on all sub-processors to ensure adequate data protection standards.
6.1 AI Classification — Special Considerations
When you use the AI classification feature (uploading documents or submitting product descriptions), the content is transmitted to Google’s Gemini API for processing. Google processes this data pursuant to its Cloud API Terms of Service and Data Processing Addendum. We recommend that you do not include sensitive personal information (such as Social Security numbers, financial account numbers, or personal health information) in uploaded documents. If your commercial invoices contain such information, please redact it before uploading.
7. Data Retention
7.1 Retention Periods
| Data Category | Retention Period | Rationale |
|---|---|---|
| Account Information | Duration of account plus 30 days after deletion request | Service delivery; grace period for account recovery |
| Saved Calculations and Refund Estimates | Duration of account | User-requested storage for compliance records |
| Uploaded Documents | Processed in real time; not stored on our servers after classification is complete. Document images are retained in memory only during the classification API call. | Minimization principle |
| Server Logs | 90 days | Security monitoring and debugging |
| Anonymized Analytics | Indefinitely | Aggregate trend analysis; no personal data |
7.2 Deletion
Upon account deletion, we will delete or anonymize your personal information within thirty (30) days, except where retention is required by law (e.g., tax records, anti-fraud obligations) or for the establishment, exercise, or defense of legal claims.
8. Data Security
We implement and maintain reasonable administrative, technical, and physical security measures designed to protect your information from unauthorized access, disclosure, alteration, and destruction. These measures include:
- Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (HTTPS);
- Encryption at Rest: Database contents and stored files are encrypted at rest using AES-256 encryption;
- Password Security: User passwords are hashed using industry-standard cryptographic algorithms with unique salts. We never store passwords in plaintext;
- Access Controls: Access to production systems and user data is restricted to authorized personnel on a need-to-know basis;
- Infrastructure Security: Our hosting provider maintains SOC 2 Type II compliance and implements physical, network, and application-level security controls.
No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security. In the event of a security incident, we will comply with applicable breach notification laws (see Section 16).
9. International Data Transfers
The Service is hosted in the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.
For Users in the European Economic Area, United Kingdom, or Switzerland, we rely on the following transfer mechanisms to ensure adequate protection of your personal data:
- The EU-U.S. Data Privacy Framework (DPF) and UK Extension, where applicable to our sub-processors;
- Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914) incorporated into our data processing agreements with sub-processors;
- Your explicit consent to the transfer, provided at the time of account registration.
You may request a copy of the applicable transfer safeguards by contacting us at the address provided in Section 18.
10. Your Rights and Choices
Depending on your jurisdiction, you may have some or all of the following rights with respect to your personal information:
| Right | Description |
|---|---|
| Access | Request a copy of the personal data we hold about you |
| Rectification | Request correction of inaccurate or incomplete personal data |
| Erasure (“Right to be Forgotten”) | Request deletion of your personal data, subject to legal retention obligations |
| Restriction of Processing | Request that we limit the processing of your data in certain circumstances |
| Data Portability | Request your data in a structured, commonly used, machine-readable format (JSON or CSV) |
| Objection | Object to processing based on legitimate interests |
| Withdraw Consent | Withdraw previously given consent at any time, without affecting the lawfulness of prior processing |
| Lodge a Complaint | File a complaint with your local data protection supervisory authority |
To exercise any of these rights, contact us at privacy@docuace.com. We will respond to verified requests within thirty (30) days, or within the timeframe required by applicable law. We may require you to verify your identity before processing your request.
11. California Privacy Rights (CCPA/CPRA)
11.1 Applicability
This section applies to California residents and supplements the information provided elsewhere in this Privacy Policy, as required by the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, “CCPA”).
11.2 Categories of Personal Information Collected
In the preceding twelve (12) months, we have collected the following categories of personal information as defined by the CCPA:
- Identifiers: Email addresses, IP addresses, account names;
- Commercial Information: Records of products researched (product descriptions, HTS codes, declared values), calculation history;
- Internet or Electronic Network Activity: Browsing history on the Service, interaction with features, log data;
- Professional or Employment-Related Information: Company name (if provided);
- Inferences: Inferences drawn from the above to create a profile reflecting preferences and characteristics (e.g., frequently imported product categories).
11.3 Your California Rights
As a California resident, you have the following rights under the CCPA:
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected, the categories of sources, the business purpose for collecting the information, and the categories of third parties with whom we share the information;
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions;
- Right to Correct: You may request correction of inaccurate personal information;
- Right to Opt-Out of Sale or Sharing: We do not sell or share (as defined by the CCPA) your personal information. Accordingly, no opt-out mechanism is required;
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.
To exercise these rights, contact us at privacy@docuace.com or write to us at the address in Section 18. We will verify your identity using your account email before processing your request. You may also designate an authorized agent to submit a request on your behalf.
11.4 Financial Incentive Disclosure
We do not offer financial incentives or price or service differences related to the collection, retention, or sale of personal information.
12. European Economic Area, United Kingdom, and Swiss Users (GDPR)
12.1 Data Controller
For purposes of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the UK GDPR, the data controller is:
DocuAce LLC
Email: privacy@docuace.com
12.2 Legal Bases for Processing
See Section 4 above for the legal bases upon which we process your personal data.
12.3 Data Protection Rights
In addition to the rights described in Section 10, EEA/UK/Swiss users have the right to lodge a complaint with their local supervisory authority.
12.4 Data Protection Impact Assessments
We conduct data protection impact assessments where required by the GDPR, including in connection with our use of AI-powered classification tools that process User Content.
12.5 Representative
If required under Article 27 of the GDPR, we will appoint a representative in the European Union. Contact details will be published here when applicable.
13. Cookies and Tracking Technologies
13.1 Cookies We Use
| Cookie Name | Type | Purpose | Duration |
|---|---|---|---|
| session | Strictly necessary | Maintains your authenticated login state | Session (cleared on browser close) or up to 30 days |
13.2 What We Do Not Use
We do not use:
- Third-party advertising or remarketing cookies;
- Cross-site tracking pixels or web beacons;
- Social media tracking plugins;
- Analytics platforms that track individual user behavior across websites (e.g., Google Analytics, Facebook Pixel, or similar services).
13.3 Your Cookie Choices
Because we use only strictly necessary session cookies required for the Service to function, no cookie consent banner is required. You may configure your browser to refuse cookies, but doing so may prevent you from using authenticated features of the Service.
14. Children’s Privacy
The Service is not directed to, and we do not knowingly collect personal information from, children under the age of 13 (or the applicable age of digital consent in your jurisdiction). If we become aware that we have collected personal information from a child under the applicable age, we will take steps to delete such information promptly. If you believe a child has provided us with personal information, please contact us at privacy@docuace.com.
15. Do Not Track Signals
Some browsers transmit “Do Not Track” (DNT) signals to websites. Because there is no universally accepted standard for how to respond to DNT signals, we do not currently respond to them. However, as stated in Section 13, we do not engage in cross-site tracking of our users.
16. Data Breach Notification
In the event of a security breach that results in the unauthorized access, disclosure, or acquisition of your personal information, we will:
- Investigate the breach and take reasonable steps to contain and remediate it;
- Notify affected Users via email within seventy-two (72) hours of becoming aware of the breach, or as otherwise required by applicable law;
- Notify the relevant supervisory authority (for EEA/UK users) within seventy-two (72) hours as required by Article 33 of the GDPR;
- Provide information about the nature of the breach, the types of data affected, the likely consequences, and the measures taken or proposed to address the breach;
- Where required by state law (including the California Civil Code § 1798.82), post a notice on the Service if the breach affects more than 500 residents of a single state.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes will be communicated to registered Users via email or through a prominent notice on the Service at least thirty (30) days prior to the effective date. Your continued use of the Service after the effective date constitutes your acceptance of the updated Policy. If you do not agree, you must discontinue use of the Service.
18. Contact Information and Data Protection Officer
For questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact:
DocuAce LLC
Email: privacy@docuace.com
General inquiries: support@docuace.com
We will endeavor to respond to all privacy-related inquiries within thirty (30) days.