Privacy Policy

1. Information We Collect

1.1 Account and Identity Data

When you register for Tarixo.AI, we collect information you provide directly, including your full name, business email address, company name, country of incorporation, phone number, and password (stored in hashed form only). If you register via Google or Microsoft SSO, we receive the profile information authorised by those services.

1.2 Trade and Compliance Data

To deliver our core services, we process trade data that you upload or submit. This includes commercial invoices, product descriptions, HS/HTS classification requests, shipment details, counterparty names and addresses, country of origin, declared values, and any documents you generate through our platform (packing lists, certificates of origin, etc.). This data belongs to you — see Section 8 (Data Ownership) in our Terms of Service.

1.3 Billing and Payment Data

Payment transactions are processed by Stripe. We do not store full credit card numbers, CVV codes, or raw bank account details on our servers. We retain Stripe customer IDs, subscription plan identifiers, invoice records, and API credit balances for billing reconciliation purposes.

1.4 Usage and Technical Data

We automatically collect certain technical data when you interact with our platform: IP address, browser type and version, operating system, device identifiers, pages visited, feature usage patterns, API call logs (endpoint, timestamp, response code), session duration, and error logs. This data is used for service improvement, security monitoring, and abuse prevention.

1.5 Communications Data

If you contact our support team or use the in-app AI compliance chat, we retain records of those communications to resolve your issues and improve our AI models (in anonymised and aggregated form only).

2. How We Use Your Information

We use your information for the following purposes, each grounded in a lawful basis under applicable data protection law:

• Service delivery: Performing HS/HTS classification, sanctions screening, duty calculations, FTA qualification checks, and document generation as contracted.
• Account management: Creating and maintaining your account, processing authentication, and managing your organisation's settings and user roles.
• Billing: Processing subscription payments, API credit purchases, and issuing invoices through Stripe.
• Platform improvements: Analysing usage patterns in aggregate to improve classification accuracy, compliance rule quality, and user experience.
• Security and fraud prevention: Detecting unauthorised access, abuse of API credits, and other fraudulent or harmful activity.
• Legal compliance: Meeting our obligations under UAE law, responding to lawful government requests, and enforcing our Terms of Service.
• Communications: Sending service notifications, security alerts, tariff change alerts (where you have subscribed), and (with your consent) product updates and promotional materials.

3. Data Storage & Security

Tarixo.AI is hosted on Google Cloud Platform (GCP). Your data is stored in cloud infrastructure that may be provisioned in the UAE, EU, or other regions depending on your plan. We apply the following security measures:

• Encryption at rest: All data stored in our databases and cloud storage buckets is encrypted using AES-256.
• Encryption in transit: All data transmitted between your browser or API client and our servers uses TLS 1.2 or higher.
• Access controls: Access to production systems is restricted to authorised personnel using multi-factor authentication. Role-based access controls (RBAC) are enforced throughout the platform.
• Multi-tenancy isolation: All data is logically isolated by Organisation ID. No cross-tenant data access is possible by design.
• Breach notification: In the event of a data breach affecting your personal data, we will notify you and relevant authorities as required by applicable law, without undue delay.

While we employ industry-standard security measures, no method of transmission over the internet is 100% secure. We encourage you to use strong, unique passwords and enable multi-factor authentication on your account.

4. Third-Party Services

We engage the following third-party service providers who may process your data on our behalf. These providers are selected for their compliance with applicable data protection standards and are bound by appropriate data processing agreements.

We do not sell your personal data to third parties. We do not share your trade data with any third party except as required to deliver the service or as required by law.

5. Data Retention

We retain your data only for as long as necessary for the purposes described in this policy, or as required by law.

• Account data: Retained for the duration of your active account plus 30 days following account deletion, after which it is permanently purged.
• Trade and compliance data: Retained for the duration of your subscription. Upon account termination, you have 60 days to export your data. After this period, trade data is permanently deleted.
• Billing records: Retained for seven (7) years to comply with UAE commercial and tax record-keeping requirements.
• API credit transaction logs: Retained for two (2) years for dispute resolution and audit purposes.
• Usage and technical logs: Retained for ninety (90) days for security and operational purposes.

6. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data. To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days of receiving your request.

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete personal data.
• Right to erasure: Request deletion of your personal data where we have no legitimate grounds to retain it.
• Right to data portability: Request your data in a structured, machine-readable format (JSON or CSV) for transfer to another service.
• Right to restrict processing: Request that we limit how we use your data in certain circumstances.
• Right to object: Object to processing based on legitimate interests or for direct marketing purposes.
• Right to withdraw consent: Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

EU residents may also lodge a complaint with their national data protection supervisory authority. UAE residents may contact the UAE Data Office established under Federal Decree-Law No. 45 of 2021.

7. Cookies & Analytics

We use cookies and similar technologies to operate the platform and understand how it is used. The types of cookies we deploy are as follows:

• Strictly necessary cookies: Required for authentication sessions, security tokens, and core platform functionality. These cannot be disabled.
• Functional cookies: Remember your preferences such as language settings and UI state.
• Analytics cookies: Collect anonymised usage data to help us understand platform performance and feature adoption. You may opt out of analytics cookies through your account settings.

We do not use third-party advertising cookies or behavioural tracking technologies. You can manage cookie preferences in your browser settings, though disabling strictly necessary cookies will impair platform functionality.

8. International Data Transfers

Tarixo.AI is a global platform and your data may be processed in countries outside your country of residence, including the UAE, the United States, and the European Economic Area, depending on where our infrastructure and third-party providers are located.

Where personal data is transferred from the EU/EEA to a country not recognised as providing an adequate level of data protection, we rely on the EU Standard Contractual Clauses (SCCs) as the appropriate safeguard. Where data is transferred from the UAE, we ensure transfers are consistent with the requirements of the UAE PDPL, including ensuring the recipient jurisdiction provides an adequate level of protection or that appropriate contractual safeguards are in place.

You may request details of the specific safeguards applied to any international transfer of your personal data by contacting us at [email protected].

9. Children's Privacy

Tarixo.AI is a professional B2B trade compliance platform intended exclusively for businesses and individuals who are 18 years of age or older. We do not knowingly collect personal data from children under the age of 18. If you become aware that a minor has provided us with personal data without appropriate consent, please contact us immediately at [email protected] and we will take prompt steps to delete such data.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other operational factors. When we make material changes, we will:

• Update the “Last updated” date at the top of this page.
• Send you an email notification to the address associated with your account.
• Display a prominent notice within the platform dashboard.

Your continued use of Tarixo.AI after the effective date of the updated policy constitutes your acceptance of the changes. If you do not agree with the updated policy, you should discontinue using the service and request deletion of your data.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or the handling of your personal data, please contact us through any of the following channels:

We aim to respond to all privacy-related inquiries within 30 days. For urgent matters involving potential data security incidents, please mark your email subject as “URGENT: Privacy Incident” and we will prioritise your request.