Privacy Policy

1. Introduction

POTAL ("we," "our," or "us") is a Total Landed Cost calculation infrastructure platform operated by EUNTAE JANG. We help e-commerce merchants and AI shopping agents calculate accurate import duties, taxes, and fees for international orders across 240 countries. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website at potal.app, our Shopify app, our API services, and all related services, features, and functionality (collectively, the "Service").

2. Information We Collect

We collect information in several ways depending on how you interact with our Service:

• Account Information: When you sign up as a merchant, we collect your email address and authentication credentials (via email/password or Google OAuth through Supabase Auth).
• API Usage Data: When you use our API, we log API requests including endpoints called, request parameters (product descriptions, HS codes, origin/destination countries), response times, and usage counts for billing and service improvement purposes.
• Shopify Store Data: When you install our Shopify app, we receive your store domain, access tokens, and basic store information through Shopify's OAuth process. We store this securely to provide our service to your store.
• Billing Information: Payment processing is handled by Paddle.com, our Merchant of Record. We do not store credit card numbers or full payment details on our servers. Paddle may collect billing address, payment method, and tax information as required for processing payments and issuing invoices.
• Device and Usage Data: We automatically collect information about your device (type, OS, browser), IP address, pages visited, and usage analytics to improve our platform.

3. How We Use Your Information

We use the information we collect for the following purposes:

• To provide, maintain, and improve the Service including Total Landed Cost calculations
• To process API requests and deliver accurate duty, tax, and fee calculations
• To manage your merchant account and API keys
• To process billing and subscription management through Paddle
• To monitor API usage and enforce rate limits per your subscription plan
• To improve HS code classification accuracy through aggregated, anonymized usage patterns
• To detect, prevent, and address fraudulent activity and security issues
• To comply with legal obligations
• To communicate service updates and important notices

4. Shopify App Data

When you install the POTAL Shopify app:

• We access your store's product data (names, descriptions, prices) solely to calculate landed costs
• We access order and shipping information to provide accurate duty and tax estimates
• We do not access or store customer personal information (names, addresses, payment details) from your Shopify store
• All data access is limited to the scopes explicitly granted during app installation (read_orders, read_products, read_shipping)

We comply with Shopify's API Terms of Service and Partner Program Agreement. You can revoke our access at any time by uninstalling the app from your Shopify admin.

5. Data Storage and Technology Partners

We use the following technology partners to operate our Service:

• Supabase: Database storage and authentication. Implements industry-standard encryption and security measures.
• Vercel: Application hosting and deployment with edge network delivery.
• Paddle: Payment processing, subscription management, invoicing, and global tax compliance (Merchant of Record). PCI DSS compliant. See Paddle's Privacy Policy.
• Shopify: E-commerce platform integration via OAuth and API.
• OpenAI: AI-powered HS code classification (product descriptions are sent for classification; no personal data is shared).

6. Data Security

We implement reasonable technical, administrative, and physical security measures to protect your information. All data transmission uses HTTPS/TLS encryption. API keys are hashed before storage. Shopify access tokens are stored encrypted in our database. However, no method of transmission over the Internet is 100% secure, and we cannot guarantee absolute security.

7. Data Retention

We retain account data for as long as your account is active. API usage logs are retained for billing verification and service improvement for up to 12 months. Cached tariff data (HS codes, duty rates) is retained to improve service performance. When you delete your account or uninstall our Shopify app, we will delete your personal data within 30 days, except where retention is required by law.

8. Data Sharing and Third Parties

We do not sell your personal data to third parties. We may share information with:

• Service Providers: Supabase, Vercel, Paddle, and OpenAI who process data on our behalf under strict confidentiality obligations
• Legal Compliance: Government authorities when required by law or to protect our rights and safety
• Business Transitions: In the event of merger, acquisition, or sale of assets, your data may be transferred as part of that transaction

9. GDPR and International Data Protection

For users in the European Economic Area (EEA), United Kingdom, and other jurisdictions with data protection laws, you have the following rights:

• Access: Request a copy of the data we hold about you
• Correction: Request correction of inaccurate data
• Deletion: Request deletion of your data (right to be forgotten)
• Portability: Request your data in a portable format
• Restriction: Request restriction of processing of your data
• Objection: Object to processing of your data

We process data based on contractual necessity (providing the Service), legitimate interest (improving our Service), and consent (where applicable). To exercise any of these rights, please contact us at the email below.

10. Shopify Data Protection Requests

We support Shopify's mandatory data protection webhooks including: customer data request, customer data erasure, and shop data erasure. When a customer or merchant requests data deletion through Shopify, we process these requests promptly and delete all associated data from our systems.

11. Children's Privacy

POTAL is a B2B service designed for e-commerce merchants and developers. It is not directed to individuals under the age of 13. We do not knowingly collect personal information from children under 13.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date at the top of this policy. Your continued use of the Service after modifications constitutes your acceptance of the updated Privacy Policy.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy, please contact us at: