Privacy Notice
This notice explains how [TRADELINT LEGAL ENTITY NAME] ("Tradelint", "we", "us"), company number [COMPANY NUMBER], registered at [REGISTERED ADDRESS], handles personal data in connection with the Tradelint ICS2 goods-description compliance service and the tradelint.co.uk website.
1. Our two roles
Our data-protection role depends on the data:
- Processor — for the contents of commercial invoices a customer sends us. The customer (the freight forwarder) decides what data is in those invoices and is the controller; we process it strictly on their documented instructions to produce a compliant goods-description CSV.
- Controller — for data about our own website visitors, demo users, and the business-contact details of the people we deal with at customer organisations.
2. The personal data we process
From customer invoices (we are processor)
Commercial invoices may incidentally contain personal data, typically: shipper and consignee names and addresses (often companies, sometimes sole traders), and the email address of the person who forwarded the invoice. We do not seek out personal data; we process whatever the invoice contains in order to perform the service.
From our customers and demo users (we are controller)
Business contact details (name, work email, company), notification email addresses, and the content of any invoice forwarded to our public demo address.
We do not process
Special-category data (Article 9) — invoices do not contain it — and we do not knowingly process children's data.
3. Lawful bases (UK GDPR Article 6)
| Purpose | Lawful basis |
|---|---|
| Processing invoices a customer sends us | Performance of a contract (Art 6(1)(b)) |
| Sending transactional emails (results, review notices) | Performance of a contract (Art 6(1)(b)) |
| Security and audit logging | Legitimate interests (Art 6(1)(f)) — keeping the service secure and providing a compliance trail |
| One upgrade message after a demo | Legitimate interests / consent (Art 6(1)(f)/(a)), with an opt-out in every message |
For people named on invoices, the customer is the controller and is responsible for the lawful basis of including that data in a customs declaration.
4. How we use the data
Solely to provide and operate the service: extracting line items from invoices, checking descriptions against the EU ICS2 stop-word list, generating suggested compliant descriptions for human review, producing the output CSV, notifying your team, and maintaining a security and compliance audit trail. We never use customer invoice data to train or fine-tune any AI model, and we never use it for our own analytics or sell it.
5. AI transparency
Suggested descriptions and HS-code candidates are produced by an automated AI system (Claude, by Anthropic). They are advisory only: your compliance team reviews and approves each flagged item before a production CSV is generated, and the model's stated reasoning is not legally binding. This is disclosed in line with the EU AI Act transparency obligations (Article 50).
6. Sub-processors
We use the following sub-processors to deliver the service. A current list is available on request and forms part of our Data Processing Agreement.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, file storage, serverless functions | EU region |
| Amazon Web Services | Underlying infrastructure (via Supabase) | EU region |
| Resend | Inbound and outbound email | EU / US |
| Anthropic, PBC | AI extraction and rewrite (Claude) | EU endpoint where available, US |
| OpenAI | Text embeddings (matching only) | US |
| Airtable | Human review interface | US |
| n8n | Workflow orchestration | EU |
| Cloudflare | DNS / edge | Global |
We give customers reasonable prior notice of any material change to this list.
7. International transfers
Where data is transferred outside the UK/EEA (for example to US-based AI providers), we rely on UK/EU Standard Contractual Clauses and the providers' data-processing terms, together with transfer-risk assessments held on file. We do not transfer data to countries lacking adequacy without additional safeguards.
8. How long we keep data
| Data | Retention |
|---|---|
| Original invoice files | 30 days from receipt |
| Generated CSV output | 90 days |
| Submission metadata & audit logs (no invoice text) | 7 years (UK customs record-keeping & AI Act record-keeping) |
AI providers (Anthropic, OpenAI) retain API inputs only briefly under their own policies (typically up to 30 days) and then delete them; we cannot delete from their systems directly, which we disclose in our DPA.
9. Your rights
Subject to UK GDPR, you have the rights of access, rectification, erasure, restriction and portability, and the right to object. To exercise any of these, email dpo@tradelint.co.uk. We respond within one month. Where we act as processor for invoice data, we will forward your request to the relevant customer (the controller) and assist them in responding.
10. Security
We apply measures appropriate to the risk, including: encryption in transit (TLS) and at rest, row-level data isolation between customers, cryptographic verification of inbound webhooks, least-privilege access, audit logging of every state change, and a documented incident-response process.
11. Personal-data breaches
If a breach occurs that is likely to result in a risk to individuals, we will notify the UK Information Commissioner's Office (ICO) without undue delay and, where required, within 72 hours, and we will inform affected customers so they can meet their own obligations.
12. Cookies
Our website uses only essential cookies needed to serve the page; we do not use advertising or cross-site tracking cookies. [If you add analytics, update this section and add a cookie banner.]
13. Complaints & contact
Questions or complaints: dpo@tradelint.co.uk. You also have the right to complain to the ICO (ico.org.uk). We are registered with the ICO under registration number [ICO REGISTRATION NUMBER].
14. Changes
We may update this notice; the "last updated" date above shows the current version, and we will notify customers of material changes.