Privacy Policy
Last updated: 3 July 2026
On this page
Who we areContactWhat we collect & whyProcessorsRetentionYour rightsInternational transfersComplaintsChanges1. Who we are
Tariff Lexicon Ltd, registered in England and Wales [Company No: XXXXXXXX], is the data controller for personal data processed through www.tarifflexicon.com and the Tariff Lexicon API. We are registered with the UK Information Commissioner's Office [ICO Reg: XXXXXXXX].
2. Contact
3. What we collect and why
| Data | Purpose | Legal basis (UK GDPR) |
|---|---|---|
| Account data — your email address and a hashed password (Argon2id; we never store the password itself) | Creating and managing your account; sending essential service email (verification, password reset, billing and quota notices) | Art. 6(1)(b) — performance of a contract |
| API usage logs — timestamps, endpoint paths, response codes, client IP address | Billing and quota enforcement; abuse, fraud and scraping prevention | Art. 6(1)(b) — contract; Art. 6(1)(f) — legitimate interests (protecting the service) |
| Payment data — handled entirely by Stripe; card numbers never reach our systems | Subscription billing | Art. 6(1)(b) — contract; see Stripe's privacy policy |
| Cookies & local storage — a session token (authentication) plus theme and language preferences | Keeping you logged in; remembering UI preferences. These are strictly necessary / functional — we set no advertising or analytics cookies | PECR strictly-necessary exemption (no consent required; we tell you anyway) |
Classification lookups themselves (the codes and product descriptions you query) are not personal data and are not linked to advertising or profiling of any kind.
4. Processors we use
- Stripe — payment processing (US; Standard Contractual Clauses + UK Addendum in place).
- Resend — transactional email delivery (US provider; emails can be routed via an EU sending region, but account data is stored in the US — SCCs + UK Addendum in place).
- Cloudflare — CDN, DNS and network security in front of our origin (US; Data Processing Addendum in place).
We do not sell personal data, and we do not share it with anyone beyond the processors above.
5. How long we keep data
- Account data — deleted within 30 days of account closure.
- API usage logs — pruned after 90 days (rolling window).
- Billing records — kept for 6 years as required by UK tax law (held by Stripe and in our accounting records).
6. Your rights
Under UK GDPR you can ask us for access to your data, rectification, erasure, portability, restriction of processing, or object to processing based on legitimate interests. Email [email protected] — we respond within one month.
7. International transfers
Where a processor handles data outside the UK/EEA (Stripe, Resend and Cloudflare operate US infrastructure), transfers are safeguarded by Standard Contractual Clauses with the UK International Data Transfer Addendum.
8. Complaints
You have the right to complain to the Information Commissioner's Office: ico.org.uk · 0303 123 1113 · Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. We'd appreciate the chance to help first — email [email protected].
9. Changes to this policy
We'll post any changes here and update the date at the top. For material changes affecting account holders we'll email you in advance.