Privacy Policy

Last updated: March 2025

1. What We Collect

When you install and use Dutycode, we collect and process:

• Shop domain and owner email — collected at install via Shopify OAuth. Used for account identification and transactional emails only.
• Product data — title, description, vendor, product type, tags, featured image URL. Read via Shopify Admin GraphQL API solely to perform HS code classification.
• Classification results — HS code, confidence score, rationale, EU CN8 / UK commodity / US HTS extensions. Stored in our database and written to Shopify product metafields.
• Server logs — IP address, timestamp, request path. Standard Railway/infrastructure logs, not app-level tracking.

We do not collect customer personal data (no orders, no buyer names/emails/addresses), payment data, or any information about your customers.

2. How We Use Your Data

• Shop email — transactional emails only (batch completion notifications, tariff update alerts). Never used for marketing. Never shared.
• Product data — solely to perform HS code classification. Not used for any other purpose.
• Classification results — to provide classification history, enable export, and sync HS codes to Shopify metafields.

We do not use your data for advertising, profiling, or any purpose other than providing the classification service. No data is sold, rented, or shared for advertising purposes.

3. Data Retention

• Classification data is retained while the app is installed on your Shopify store.
• When you uninstall Dutycode, we process a deletion request within 30 days. All classification records, shop data, and cached data associated with your store are permanently deleted.
• We handle all three Shopify compliance webhooks: customers/redact, shop/redact, customers/data_request.

4. Data Location

All data is stored in the EU — Railway europe-west4 (Google Cloud, Belgium). Data does not leave the EU except when sent to Anthropic's API for classification (see Third Parties below).

5. Third Parties

• Anthropic (claude.ai / API) — product title/description/type sent for AI classification. See Anthropic's privacy policy.
• Resend (resend.com) — transactional email delivery. Merchant email address shared with Resend solely for email delivery. See Resend's privacy policy.
• Railway (railway.app) — hosting and database infrastructure in EU.

6. Merchant Rights (GDPR / Czech PDPA)

Under GDPR and Czech data protection law, you have the right to:

• Access your data — email support@dutycode.app
• Delete your data — email support@dutycode.app or uninstall the app
• Data portability — export available within the app (CSV, Excel)

We are established in the EU and comply with GDPR as a data processor. We implement Shopify's mandatory compliance webhooks for customer data requests, customer data erasure, and shop data erasure.

7. Contact

support@dutycode.app