Privacy Policy
Contents
1. Who we are
TariffRadar is operated by EmberStack LLC, a New Jersey limited liability company. EmberStack LLC is the controller of the personal information collected through the Service.
2. What we collect
Account information
- Email address — you provide this when you create your account.
- Password — you provide this when you create your account. We do not store your password directly; it is hashed and stored by Firebase Authentication (a Google service).
Customer Data you upload
- Bill-of-materials data — part numbers, descriptions, HS codes, country of origin, unit cost, annual volume, sell price, target margin, supplier names and lead times, free-form notes, and tags. You upload this via CSV or enter it in the Service.
- This data is stored in your TariffRadar account and is visible only to you.
Payment information
- We do not store your payment card information. Payment is processed by Stripe, Inc. (our payment processor). We receive a record of the transaction (amount, date, last four digits of the card, billing address) so we can show you a billing history and respond to support requests, but we never see or store the full card number, expiration, or CVC.
Usage and operational data
- Server logs — standard request logs (IP address, user agent, request URL, response status, timestamp) generated by Cloudflare and our application. Used for security monitoring, debugging, and abuse prevention.
- Email events — delivery, open, and click events for transactional emails we send you (e.g., monitor alerts), provided by Resend.
Support correspondence
- If you email us for support, we keep the correspondence so we can follow up.
What we do not collect: we do not collect special-category data (health, biometrics, religion, etc.). We do not buy personal data about you from third parties.
3. Why we use it
- To provide the Service — authenticate you, render your dashboards, calculate the analytics on your Customer Data.
- To process payments — via Stripe.
- To send you transactional email — account verification, billing receipts, monitor alerts, security notices.
- To support and improve the Service — respond to your questions, debug issues, monitor for abuse, plan product improvements.
- To comply with law — tax records, responses to lawful subpoenas or court orders.
We do not use your Customer Data to train any AI model. We do not sell your personal information.
4. Who we share with
We use the following service providers (subprocessors) to operate the Service. Each is contractually bound to protect your information.
| Subprocessor | What they do for us | Their privacy policy |
|---|---|---|
| Cloudflare, Inc. | Hosting (Workers, KV, D1, Pages), edge security, request routing | cloudflare.com/privacypolicy |
| Google LLC (Firebase) | User authentication and password hashing | firebase.google.com/support/privacy |
| Stripe, Inc. | Payment processing and subscription billing | stripe.com/privacy |
| Resend, Inc. | Transactional email delivery (alerts, receipts) | resend.com/legal/privacy-policy |
Beyond these subprocessors, we do not share your personal information with third parties except:
- To comply with a lawful legal request (subpoena, court order, etc.);
- To protect our rights, property, or safety, or that of our users or the public;
- In connection with a merger, acquisition, or sale of all or substantially all of EmberStack LLC’s assets, in which case the acquirer will be bound by terms at least as protective as this Policy and we will give you advance notice.
5. How long we keep it
- Account information and Customer Data — for as long as your account is active. After you cancel and request deletion, within 30 days.
- Billing records — up to 7 years to comply with US tax and financial-record retention rules.
- Server logs — up to 90 days for security monitoring; aggregate, de-identified statistics may be retained longer.
- Support correspondence — up to 3 years.
6. Your rights
You can:
- Access the information we hold about you. Most of it is visible to you in your account; for anything else, email us.
- Correct inaccurate information. Update it in your account or email us.
- Delete your account and Customer Data. Email us, or use the Clear Data + Sign Out + cancellation flow.
- Export your Customer Data. Use the Export Full Report button in the dashboard, or email us for a structured export.
- Object to or restrict certain processing.
- Withdraw consent for processing that relies on consent.
To exercise any of these rights, email [email protected]. We respond within 30 days.
7. California residents (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you specific rights regarding your personal information. The rights described in Section 6 apply to you, plus:
- Right to know the categories and specific pieces of personal information we have collected, the categories of sources, the business purposes for collection, and the categories of third parties with whom we have shared it. The information in Sections 2–5 above answers these questions.
- Right to non-discrimination for exercising your CCPA rights. We will not deny service, change pricing, or provide a different level of service because you exercise these rights.
- Right to opt out of “sale” of personal information: EmberStack LLC does not sell your personal information. We do not engage in the “sharing” of personal information for cross-context behavioral advertising.
To submit a CCPA request, email [email protected] with “CCPA Request” in the subject. We may need to verify your identity by confirming you control the email associated with your account.
8. International users
The Service is operated from the United States and is intended for US-based importers and manufacturers. If you access the Service from outside the US, you understand that your information will be processed in the United States, which may have data-protection laws different from those in your jurisdiction.
If you are in the European Economic Area, the United Kingdom, or another jurisdiction with comprehensive data-protection laws, we encourage you to contact us before subscribing so we can confirm whether the Service is appropriate for your situation. Standard contractual clauses or other transfer mechanisms can be put in place where required.
9. Cookies & tracking
We use only the cookies necessary to operate the Service:
- A Firebase Authentication session token, so you stay signed in across page loads.
- A theme preference (dark/light), if you set one.
We do not use third-party advertising cookies. We do not currently use third-party analytics cookies. If we add analytics in the future, we will update this Policy and, where required, present a cookie banner.
10. Security
We protect your information using industry-standard security practices, including:
- Encryption in transit (HTTPS/TLS for every request);
- Encryption at rest at our hosting provider (Cloudflare KV and D1 are encrypted at rest);
- Password hashing via Firebase Authentication (we never see your plaintext password);
- Restricted access to administrative tools, gated by Firebase UID allowlist;
- Cloudflare-managed edge security (DDoS protection, bot detection, WAF rules where appropriate).
No system is perfectly secure. If we become aware of a security breach affecting your information, we will notify you without undue delay and as required by applicable law.
11. Children
The Service is not intended for individuals under 18 years old. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.
12. Changes to this policy
We may update this Policy from time to time. The “Effective date” at the top of the page indicates the most recent version. If we make material changes, we will notify you by email at least 30 days before they take effect.
13. Contact
EmberStack LLC
A New Jersey limited liability company
Privacy questions: [email protected]