Privacy Policy

This Privacy Policy explains how ECCN.help ("ECCN.help", "We", "Us", or "Our") collects, processes, stores, protects, and discloses information when You access or use our website, the 7-step Guided Classification Workflow, Quick Lookup tools, AI-driven classification and screening services, export license determination features, OFAC and restricted-party screening features, ELENA compliance assistant, and related features (collectively, the "Service"), accessible at https://eccn.help.

The Service provides structured export control guidance under the U.S. Export Administration Regulations (EAR) and related regulatory frameworks through AI-assisted analytical workflows and curated regulatory reference systems. This Privacy Policy applies to all interactions with our publicly accessible website, authenticated workspace, the case-based 7-step Guided Classification Workflow, the nine Quick Lookup tools, the ELENA compliance assistant (both the global chatbot and the per-case ELENA Consultation), contact submissions, and account management functionalities.

We are committed to transparency, data minimization, lawful processing, and appropriate technical and organizational safeguards in accordance with applicable data protection laws worldwide, including but not limited to the General Data Protection Regulation (EU GDPR and UK GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Brazilian General Data Protection Law (LGPD), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the Indian Digital Personal Data Protection Act (DPDPA), and other applicable state, federal, and international privacy regulations.

1. Definitions

For the purposes of this Privacy Policy, the following definitions apply:

• "Personal Data" means any information that relates to an identified or identifiable natural person, including information that can directly or indirectly identify a user, as defined under applicable data protection laws.
• "Service" refers to the ECCN.help website, authenticated workspace, the 7-step Guided Classification Workflow, AI-assisted ECCN classification features, export license determination features, OFAC and restricted-party screening features, the nine Quick Lookup tools, the ELENA compliance assistant (global and per-case), account management features, and all related functionality provided through the platform.
• "Account Data" refers to information provided during registration or account management, including name, email address, professional information, account status, password hashes (where email-based registration is used), and authentication-related metadata.
• "Case" refers to a single classification run within the 7-step Guided Classification Workflow, identified by a unique Case ID (format ECC-YYYY-MMDD-NNNN), and comprising the inputs, AI outputs, user decisions, and supporting documentation associated with that run. Cases are persistently stored and appear in Your Classification History.
• "Classification Data" refers to product part numbers, product names, manufacturer or vendor names, HS / Schedule B codes (where provided), product descriptions, technical specifications, follow-up answers, per-case ELENA Consultation transcripts and summaries, AI-generated classification outputs including candidate ECCN shortlists, ECCN codes, confidence indicators, justification notes, mass-market and dual-use determinations, ITAR flag assessments, user corrections, expert-review decisions, and related compliance documentation submitted or generated within the classification workflow.
• "Attachment Data" refers to technical datasheets and supporting documents You upload during the workflow, including product datasheets attached in Step 1 (up to 5 files in PDF, DOCX, XLSX, PNG, or JPG format) and the signed End-User Statement attached in Step 5 (a single PDF), together with AI-generated text summaries of those attachments used for analytical processing.
• "License Determination Data" refers to ECCN codes, destination countries, end-use descriptions, end-user types, end-use declarations, item value, transaction type indicators (re-export, temporary, replacement), and the resulting license requirement outcomes, license exception analyses, and regulatory summaries generated by the export license determination features.
• "Party Screening Data" refers to information You submit about parties to an export transaction for OFAC and restricted-party screening, including each party's legal entity type, role in the transaction (End User, Ultimate Consignee, Intermediate Consignee, Purchaser, or Freight Forwarder), legal name, DBA / trade names, aliases, website or domain, and registered address, together with the screening outcomes produced by the Service.
• "Engineer Invitation Data" and "Expert Review Data" refer to information related to one-time email invitations You may send from within the workflow to an external engineer (Step 2) or external expert (Step 4), including the invitee's email address, any note You include, the one-time access token associated with the invitation, token lifecycle metadata, and any answers, classification opinions, or comments the invitee submits through the one-time link.
• "Chat Data" refers to user-submitted messages and AI-generated responses exchanged through the global ELENA compliance assistant (accessible from the workspace), including associated session metadata. Per-case ELENA Consultation transcripts are governed by "Classification Data" because they are stored as part of a case.
• "Usage Data" means technical and interaction-related information automatically collected when users access or interact with the Service, including device information, log entries, session data, and activity metadata.
• "Temporary Processing Data" refers to transient analytical data generated during the AI classification, license determination, or screening process, containing intermediate results and regulatory reference material used to support a single analytical request. Temporary processing data is automatically deleted upon completion or after 24 hours, whichever occurs first.
• "Audit Trail" refers to the chronological, structured log of actions and decisions recorded against a Case — including submissions, Q&A answers, AI analysis events, user corrections, engineer and expert responses, approval decisions, skips, and screening results — that is embedded in the final report and retained with the Case.
• "Security and Audit Logs" refers to structured system logs generated for operational monitoring, security enforcement, service execution tracking, and compliance auditing purposes. These system logs are separate from the per-Case Audit Trail.
• "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, structuring, retrieval, use, disclosure, restriction, deletion, or destruction.
• "User", "You", or "Your" refers to any individual or entity accessing or using the Service, whether as a visitor, authenticated account holder, or invited reviewer (engineer or expert) accessing the Service through a one-time link.
• "Third-Party AI Provider" refers to external artificial intelligence service providers whose commercial services are used to perform natural language processing tasks within the Service, as identified in Section 7.

2. Categories of Personal Data Collected

We collect and process different categories of Personal Data depending on how you interact with the Service. The categories described below reflect authenticated access, the 7-step Guided Classification Workflow (including Product Info, Compliance Q&A, ELENA Consultation, Classification Review, License, OFAC & Restricted-Party Screening, and Final Report), the Quick Lookup tools, the ELENA compliance assistant, logging systems, and security monitoring.

2.1 Identity and Account Data

• Full name
• Email address
• Account status and lifecycle state
• LinkedIn OAuth authentication identifiers (LinkedIn user ID), where LinkedIn sign-in is used
• Password hash (Argon2ID), where email-based registration is used; ECCN.help never stores plain-text passwords
• One-Time Password (OTP) hash and expiry metadata, used during email-based registration for initial account verification
• Authentication and session identifiers
• Failed login attempt count and account lock status

2.2 Professional and Profile Data

• Professional experience in trade compliance or ECCN classification (self-reported)
• Self-assessed skill ratings
• LinkedIn profile URL (if voluntarily provided)
• Survey responses and onboarding information

2.3 Classification and AI Submission Data

• Product part numbers, product / item names, manufacturer or vendor names, and HS / Schedule B codes (where provided)
• Product descriptions and additional technical parameters submitted in the workflow or the Quick ECCN Classification tool
• Structured inputs and follow-up question responses from Compliance Q&A
• Per-case ELENA Consultation messages, answers, and the resulting consultation summary
• AI-generated classification outputs — candidate ECCN shortlists, confidence indicators, justification notes, mass-market and dual-use determinations, and ITAR flag assessments
• User classification corrections, including the ECCN You provide and Your regulatory justification
• User feedback regarding classification accuracy (Correct / Incorrect) and free-text feedback submitted through the feedback form
• Case metadata — Case ID, current step, status, draft state, and timestamps
• Audit Trail entries recording actions and decisions taken within the Case

Classification Data is stored under Your account to support the case-based workflow, draft save and resume, account functionality, compliance documentation, audit traceability, quality improvement, and access to Your Classification History.

2.4 Attachment Data

• Technical datasheets uploaded in Step 1 — up to 5 files per Case, each up to 20 MB, in PDF, DOCX, XLSX, PNG, or JPG format
• The signed End-User Statement (End User Certificate, DLA Form, or equivalent) uploaded in Step 5 — a single PDF up to 10 MB per Case
• File metadata — original filename, stored filename, MIME type, size, upload timestamp, and a unique per-file identifier
• AI-generated text summaries of attachment contents, used by the analytical workflow

Attachments are stored on our server infrastructure, scoped to the owning account, and accessible only through the authenticated workspace or through explicit one-time engineer / expert invitation links issued by the account owner. Attachment summaries (but not raw attachment files) are used as inputs to AI analytical processing as described in Section 6.

2.5 License Determination Data

• ECCN codes used for license determination (either pre-filled from the classification result or entered manually in the Quick Lookup tool)
• Destination country selections
• End-use type, end-user type, item value (optional), and transaction-type indicators (re-export, temporary, replacement)
• End Use Declaration narrative text
• Additional context You provide as free text
• AI-generated license requirement outcomes, exception analyses, and regulatory summaries

2.6 Party Screening Data (OFAC & Restricted-Party Screening)

When You use the OFAC & Restricted-Party Screening step of the workflow or the OFAC Quick Lookup tool, You may provide information about third parties to the transaction. For each party you submit, we process:

• Role in the transaction (End User, Ultimate Consignee, Intermediate Consignee, Purchaser, or Freight Forwarder)
• Legal entity type (Company, Individual, Government Entity, Partnership, NGO, Other)
• Legal name, DBA / trade name, and aliases
• Website or domain
• Registered address — street, city, state or province, postal code, and country
• Screening outcome — match results, matched list source (OFAC SDN, Consolidated Sanctions, BIS Entity List, Unverified List, Denied Persons List, 50% Rule), confidence score, and any AI-generated screening narrative

2.7 Engineer and Expert Invitation Data

When You choose to send Compliance Q&A questions to an external engineer (Step 2) or to submit a case for external expert review (Step 4), we process:

• The invitee's email address (supplied by You) and any short note You include
• A one-time access token issued to the invitee, together with token lifecycle metadata (issued time, used time, revocation status)
• The invitee's submitted response — answers to the Q&A questions (engineer) or classification opinion, proposed ECCN, and comments (expert)
• Basic logs of the invitee's access to the one-time link (e.g., time the link was opened and submitted)

Engineer and expert invitees access only the minimum case information required to provide their response. They do not receive account credentials, Your other cases, or any other user's data. By submitting an invitee email, You confirm that You are authorized to share the relevant case information with that individual for the stated purpose.

2.8 Chat and Communication Data

• User-submitted messages within the global ELENA compliance assistant and AI-generated assistant responses, together with associated session metadata (timestamps, session identifiers)
• Per-case ELENA Consultation transcripts are stored as part of the Case (see Section 2.3)
• Contact form messages
• Email correspondence related to account or service activity
• Records of automated service communications sent to Your email (e.g., account setup reminders, classification feedback requests, activity summaries, engineer/expert invitation notifications, and final-report email deliveries)

2.9 Usage and Technical Data

• IP address
• Approximate geographic location (country, region, city derived from IP address)
• Browser type and version
• Device type and operating system
• User agent string
• Referring pages and navigation paths
• Interaction metadata (feature usage, tool engagement events, step transitions within the workflow)
• Session timestamps and duration

2.10 Security and Audit Log Data

• Service execution events and response codes
• Authentication attempts (successful and failed), including LinkedIn OAuth and email-based login attempts
• Account deletion request events, LinkedIn authentication events, password reset events, and account lock/unlock events
• Rate limiting and IP-based enforcement events
• System error events
• Workflow lifecycle events — case creation, step submissions, draft saves, engineer/expert invitations issued and consumed, screening executions, and final-report generation
• Automated email delivery events (type of communication, delivery status, timestamp)

Security and audit logs are structured for operational monitoring, forensic analysis, compliance auditing, and system integrity protection. Logs do not store authentication tokens, service credentials, LinkedIn access tokens, plain-text passwords, OTP values, raw attachment contents, full AI analytical content, or full AI-generated response content.

2.11 Cookies and Session Data

• Session cookies required for authentication and state management
• CSRF protection tokens
• Analytics cookies (deployed only with consent where required by applicable law)

For detailed information about cookies, see Section 13.

2.12 Data We Do Not Collect

We do not collect government-issued identifiers, payment card or financial account information, biometric identifiers, genetic data, health-related data, racial or ethnic origin data, religious or philosophical belief data, trade union membership data, sexual orientation data, or data revealing political opinions, unless explicitly and voluntarily provided by You through contact communications or uploaded attachment content that You choose to include.

3. How We Collect Data

We collect Personal Data through structured, secure, and purpose-limited mechanisms. Data collection occurs through direct user input, automated system processes, authentication workflows (LinkedIn OAuth 2.0 and email-based registration with OTP verification), AI-assisted interactions, and security monitoring systems.

3.1 Information You Provide Directly

We collect information that you voluntarily submit when you:

• Create or manage an account
• Complete onboarding surveys
• Submit product information, technical parameters, and descriptions in the Guided Workflow or the Quick ECCN Classification tool
• Upload technical datasheets in Step 1 or a signed End-User Statement in Step 5
• Submit ECCN codes and destination data for license determination
• Respond to AI-generated follow-up questions in Step 2 or during the per-case ELENA Consultation (Step 3)
• Submit party details (names, addresses, roles) for OFAC and restricted-party screening
• Send Compliance Q&A questions to an engineer, or submit a case for expert review, by providing the invitee's email address
• Interact with the global ELENA compliance assistant
• Send contact messages or feedback regarding AI-generated classifications, license determinations, or screening outcomes

3.2 Information Submitted by Invited Engineers and Experts

When an engineer or expert whom You have invited opens a one-time invitation link and submits their response, we receive the answers or classification opinion they enter, together with minimal delivery metadata (access time, submission time). Invited reviewers do not create ECCN.help accounts and are identified only through the one-time token You issued.

3.3 Automated Collection Through System Operation

When you access or use the Service, certain technical and usage-related information is collected automatically through secure server processes, including IP address, browser and device information, session identifiers and timestamps, navigation patterns, workflow step transitions, and service request lifecycle data. This information is generated as part of normal system operation and is used for authentication enforcement, abuse prevention, performance optimization, audit traceability, and security monitoring.

3.4 AI Processing Interactions

When you submit classification inputs, license determination requests, screening queries, or assistant messages, the content you provide is processed within a controlled AI analytical workflow. This may include structured interpretation of product descriptions, retrieval of relevant regulatory reference data, analytical processing against curated compliance datasets, generation of candidate ECCN shortlists and justifications, per-case ELENA Consultation turns, and response generation. AI processing occurs only in response to user-initiated requests and is never performed passively or without user action.

3.5 Security and Monitoring Systems

We collect structured audit and log data through automated security systems that monitor service access, authentication attempts (LinkedIn OAuth and email-based login), session lifecycle events, workflow execution, invitation token activity, and system errors. These logs are generated programmatically and are used exclusively for operational stability, compliance monitoring, forensic analysis, and fraud prevention. We do not collect sensitive authentication credentials (such as LinkedIn access tokens, plain-text passwords, OTP values, or session secrets) through logging systems.

4. Legal Basis for Processing

Where the GDPR or similar data protection laws apply, we process Personal Data only where we have a valid legal basis. The legal bases we rely upon depend on the nature of the interaction with the Service and the specific processing activity involved.

4.1 Contractual Necessity

We process Personal Data where necessary to perform our contractual obligations or to take steps at your request prior to entering into a contract. This includes account registration and authentication, provision of AI-assisted ECCN classification and license determination services, access to dashboard functionality and tools, storage and retrieval of classification and license determination history, and processing contact requests initiated by users.

4.2 Legitimate Interests

We process certain Personal Data based on our legitimate interests, provided those interests are not overridden by your fundamental rights and freedoms. These interests include:

• Maintaining system security and preventing fraud or abuse
• Operating structured logging and audit systems
• Monitoring classification and license determination performance and accuracy
• Improving platform functionality and user experience
• Ensuring infrastructure stability and service reliability
• Defending legal claims and protecting our legal rights

4.3 Consent

We rely on your consent where required by applicable law, including use of non-essential cookies and analytics technologies and optional marketing or newsletter communications. You may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

4.4 Legal Obligations

We may process Personal Data where necessary to comply with applicable legal or regulatory obligations, including obligations related to export compliance documentation, fraud prevention, law enforcement requests, or court orders.

4.5 Protection of Vital or Public Interests

In limited circumstances, we may process Personal Data where necessary to protect vital interests or where processing is required for reasons of substantial public interest, as permitted by applicable law.

5. How We Use Personal Data

We use Personal Data strictly for defined, lawful, and operationally necessary purposes consistent with the functionality and security of the Service.

5.1 To Provide and Maintain the Service

Creating and managing user accounts; authenticating users via LinkedIn OAuth or email-based credentials and maintaining secure sessions; providing access to the authenticated workspace, the 7-step Guided Classification Workflow, AI-assisted classification features, license determination features, OFAC and restricted-party screening, the Quick Lookup tools, and the ELENA compliance assistant; persistently storing Cases (including drafts, attachments, per-case ELENA Consultation transcripts, and Audit Trails) for draft save-and-resume, Classification History, and audit purposes; issuing and validating one-time invitation tokens for engineer and expert review; generating printable and downloadable final reports; and delivering structured export-control guidance based on user-submitted information.

5.2 To Operate the AI Classification, License, and Screening Systems

Processing product descriptions, technical specifications, HS codes, and attachment summaries submitted for ECCN analysis; interpreting product attributes for regulatory alignment; retrieving relevant regulatory reference data from curated compliance datasets; generating candidate ECCN shortlists, AI-assisted classification outputs, and structured justifications; conducting per-case ELENA Consultation turns; determining export license requirements based on ECCN codes, destination countries, end-use descriptions, and applicable regulatory controls; managing follow-up question workflows; operating OFAC and restricted-party screening against sanctions and restricted-party lists; capturing user feedback, classification corrections, and expert decisions for accuracy evaluation and case documentation; and processing global ELENA compliance assistant interactions.

5.3 To Ensure Security and Prevent Abuse

Monitoring authentication attempts (including LinkedIn OAuth and email-based login) and detecting unauthorized access; enforcing rate limiting and IP-based protective mechanisms; enforcing account lockout policies after repeated failed login attempts; validating one-time invitation tokens and preventing token reuse; maintaining structured audit and security logs; investigating suspicious or anomalous activity; and protecting system integrity and infrastructure stability.

5.4 To Improve and Monitor System Performance

Analyzing usage patterns and feature engagement; monitoring classification accuracy trends, escalation rates, and ELENA Consultation outcomes; evaluating infrastructure health and operational reliability; and conducting internal analytics for quality improvement.

5.5 To Communicate with You and Invited Reviewers

Sending registration confirmations and OTP delivery emails; delivering onboarding communications; delivering account-related notifications; sending service updates and security alerts; sending engineer and expert invitation emails (when You initiate such invitations); sending confirmation emails to invited reviewers after they submit a response; delivering final-report emails when You request them; responding to contact requests and support inquiries; and sending optional informational communications where permitted.

In addition, we may send automated lifecycle communications based on your account activity, including:

• Account setup reminders if your registration is not yet complete
• Follow-up requests for feedback on classification results you have received
• Periodic activity-based notifications such as usage milestones
• Re-engagement communications if your account has been inactive for an extended period

These communications are service-related and are sent to assist your use of the platform. Each type of automated communication is sent no more than once per triggering event. You may contact us at ask@eccn.help to opt out of non-essential automated communications at any time.

5.6 To Comply with Legal and Regulatory Requirements

Maintaining records necessary for export compliance documentation; responding to lawful requests from regulatory or governmental authorities; enforcing our terms, policies, and contractual rights; and defending against legal claims.

We do not sell Personal Data. We do not use Personal Data for behavioral advertising profiling or cross-context behavioral advertising.

6. AI and Automated Processing Disclosure

The Service includes AI-assisted processing components designed to support ECCN classification analysis, export license determination, and related regulatory research. This section explains how automated processing functions within the platform, what data is transmitted to AI providers, and the role of human oversight.

6.1 AI Processing Overview

The ECCN classification, license determination, and OFAC / restricted-party screening features operate through controlled, multi-stage analytical processes. When you submit product information or screening data, your input is processed through governed workflows that include interpretation of product or entity attributes, retrieval of relevant regulatory reference material from curated compliance datasets, analytical evaluation against applicable regulatory criteria, generation of candidate ECCN shortlists, targeted follow-up questions (including per-case ELENA Consultation turns), license determinations, and screening outcomes.

Throughout these processes, only the product-, transaction-, or party-related information you submit and regulatory reference material are used for analysis. The AI components do not receive your identity, account information, IP address, or other Personal Data about You.

The export license determination features follow a similar approach: regulatory outcomes (license required, license exception availability, embargo applicability) are determined through structured analysis against curated regulatory datasets. AI components assist with generating natural-language summaries of those pre-determined outcomes. The screening features combine entity-name matching against sanctions and restricted-party lists with AI-assisted narrative generation.

6.2 Data Transmitted to AI Providers

When AI processing is invoked, the following data may be transmitted to a Third-Party AI Provider, depending on the feature You use:

• Product part number, product name, manufacturer / vendor, HS / Schedule B code, product description, and additional technical parameters as submitted by You
• AI-generated text summaries of technical datasheets You uploaded in Step 1 (raw attachment files themselves are not transmitted — see Section 6.3)
• Your answers to Compliance Q&A follow-up questions and to per-case ELENA Consultation turns
• For license determination: ECCN, destination country, end-use type, end-user type, end-use declaration, and transaction context
• For OFAC / restricted-party screening: the party information You submit (names, DBA, aliases, website, registered address, role, entity type)
• For the global ELENA chatbot: the message text You submit
• Regulatory reference text retrieved from our curated compliance datasets (not Your Personal Data)
• Structured system instructions that define the analytical task

The following data is never transmitted to AI providers:

• Your name, email address, or account credentials
• Your IP address, device information, or geographic location
• Your user ID, Case ID, or session identifiers
• Raw attachment files (the platform extracts relevant text on our infrastructure and transmits only the derived summary)
• Engineer or expert email addresses You supplied, or invitation tokens
• Any data from other users or from cases You do not own

6.3 Attachment Processing

Technical datasheets uploaded in Step 1 and the End-User Statement uploaded in Step 5 are stored on our server infrastructure. The platform extracts text content from Step 1 datasheets solely for the purpose of producing a short analytical summary; that summary — not the raw file — is what feeds into AI processing. The End-User Statement (Step 5) is retained as part of the Case for audit and documentation purposes and is not transmitted to AI providers.

6.4 Temporary Processing Data

During the classification, screening, and per-case ELENA Consultation workflows, the platform generates temporary analytical data to support multi-stage processing for a single request. This temporary data:

• Is stored exclusively on our server infrastructure (not transmitted to third parties)
• Is automatically deleted upon successful completion of the associated workflow step
• Is automatically purged after 24 hours if not completed
• Is used solely to maintain analytical context within a single request

6.5 Advisory Nature of AI Outputs

AI-generated outputs — including candidate ECCNs, classification results, license determinations, screening narratives, and per-case ELENA Consultation summaries — are informational and analytical in nature. They are intended to assist users in regulatory research and internal compliance workflows. The Service does not provide legal advice, does not replace professional regulatory counsel, and does not guarantee regulatory outcomes. Users remain solely responsible for reviewing AI-generated results and making final export compliance determinations.

6.6 No Automated Legal or Similarly Significant Decisions

The Service does not engage in solely automated decision-making that produces legal effects or similarly significant impacts on individuals within the meaning of Article 22 of the GDPR or comparable provisions under the CCPA/CPRA (Automated Decision-Making Technology). AI-generated classifications, license determinations, and screening outcomes do not automatically approve, deny, restrict, or enforce legal rights. All outputs are presented to the user for independent review and judgment before application.

6.7 Human-in-the-Loop Mechanisms

The platform includes multiple human oversight mechanisms: structured feedback allowing users to confirm or contest AI-generated classifications; a user-driven classification correction workflow (Step 4); a user-approval gate when an invited expert proposes an ECCN different from the one in effect; automated consistency verification that detects potential analytical errors and routes edge cases for review; and an escalation pathway where results that fail consistency checks are flagged for further review rather than being presented as definitive results.

6.8 AI Model Training

We do not use your Personal Data, Classification Data, Attachment Data, License Determination Data, Party Screening Data, or Chat Data to train, fine-tune, or improve any AI or machine learning model. Data transmitted to Third-Party AI Providers is sent through their commercial service interfaces, which are contractually separate from model training activities. For details about each provider's data handling practices, see Section 7.

7. Third-Party Service Providers

The Service utilizes external service providers to perform specific technical functions. These providers act as data processors under applicable data protection law and process data solely to provide services to us.

7.1 AI Service Providers

The Service may use one or more of the following AI providers for natural language processing tasks (interpretation, classification analysis, and summary generation):

Only one AI provider is active for primary analytical tasks at any time. The active provider is configured at the system level. All AI providers are accessed through their respective commercial service interfaces. Data transmitted through these interfaces is subject to each provider's data usage policies, which generally provide that service inputs and outputs are not used to train models.

7.2 Regulatory Reference Infrastructure

The Service uses a cloud-hosted regulatory reference system to store and retrieve regulatory compliance data from official U.S. Bureau of Industry and Security (BIS) documents. This infrastructure contains only regulatory text and structured compliance reference entries. No Personal Data is stored in or transmitted to this system. When a classification or license determination is requested, the product description is used to retrieve relevant regulatory text. The retrieval process uses mathematical representations that do not contain readable personal information and cannot be reversed to reconstruct the original text.

7.3 Hosting and Infrastructure

• Web Hosting: The Service is hosted on managed hosting infrastructure. The hosting provider processes data as necessary to deliver hosting services, including storage of application files, database records, Case data, uploaded attachments, and log files.
• Email Delivery: Transactional emails (registration confirmations, OTP delivery, password reset links, security alerts), workflow emails (engineer invitations, expert review invitations, final-report email deliveries You request), and automated lifecycle communications (account setup reminders, feedback requests, activity notifications) are sent through email delivery infrastructure providers.

All third-party providers are selected with consideration for their data protection practices and are engaged under terms that require appropriate security measures and limit data use to the purposes of providing services to us.

8. Logging and Security Monitoring

The Service operates a structured, domain-segregated logging and security monitoring framework designed to preserve system integrity, ensure audit traceability, detect abuse, and maintain compliance-grade operational visibility.

8.1 Purpose of Logging

We generate and maintain structured logs for tracking service execution and system lifecycle events; monitoring authentication activity and session lifecycle events; detecting unauthorized access attempts or suspicious behavior; enforcing rate limiting and abuse-prevention mechanisms; recording classification and license determination workflow metadata; capturing system errors and operational anomalies; and maintaining security audit trails for forensic and compliance purposes.

8.2 Data Minimization in Logs

Logging systems are designed to minimize sensitive data exposure. Logs do not store LinkedIn access tokens; authentication tokens or session secrets; plain-text passwords or OTP values; full AI analytical content or complete AI-generated response content; service credentials; or complete product descriptions submitted by users. Authentication is handled by LinkedIn OAuth 2.0 or email-based credential verification using Argon2ID password hashing. No plain-text credentials are stored.

8.3 Domain Segregation

Logging domains are logically separated. Security events, classification lifecycle events, session events, and general service activity are recorded in distinct structured log categories to support controlled access, audit review, and forensic analysis.

8.4 Automated Monitoring

The platform includes automated monitoring processes that evaluate system health, error patterns, classification escalation rates, and infrastructure conditions. These monitoring mechanisms operate in a read-only capacity and are used exclusively for detecting anomalies, preventing service disruption, and identifying potential security risks.

9. Sharing and Disclosure

We do not sell, rent, or trade Personal Data. We do not share Personal Data for cross-context behavioral advertising.

We disclose Personal Data only where necessary to operate the Service, comply with legal obligations, protect legitimate interests, or facilitate business operations under appropriate safeguards.

9.1 Service Providers (Data Processors)

We may share limited Personal Data with third-party service providers that perform services on our behalf, including cloud hosting and infrastructure providers; AI processing service providers (as detailed in Section 7); email delivery infrastructure providers; and analytics service providers (where consent is provided). These providers process Personal Data only under contractual safeguards and are authorized to use data solely for the purpose of providing services to us.

9.2 Legal and Regulatory Disclosure

We may disclose Personal Data where required to comply with applicable law, regulation, court order, or lawful governmental request; enforce our Terms of Service or other agreements; investigate fraud, security incidents, or regulatory violations; or protect the rights, property, or safety of users, the Company, or the public.

9.3 Business Transfers

In the event of a merger, acquisition, restructuring, financing, asset sale, or other corporate transaction, Personal Data may be transferred to a successor entity. Any such transfer will remain subject to appropriate confidentiality and data protection safeguards. Where required by applicable law, we will provide notice to affected users prior to any such transfer.

9.4 Aggregated or De-Identified Data

We may use and disclose aggregated or de-identified information that does not identify individual users for analytics, research, performance monitoring, or reporting purposes.

10. International Data Transfers

The Service may involve the transfer, storage, or processing of Personal Data outside of your country of residence, including to the United States and other jurisdictions where our infrastructure providers and AI service providers operate.

10.1 Cross-Border Processing

Personal Data may be processed on servers located in the United States, European Union, and other jurisdictions. When AI processing is invoked, product description data is transmitted to the active AI provider's infrastructure, which may be located in a different jurisdiction from yours.

10.2 Safeguards for International Transfers

Where required under the GDPR, UK GDPR, or similar regulations, we rely on lawful transfer mechanisms including Standard Contractual Clauses (SCCs) approved by the European Commission; data processing agreements with appropriate confidentiality and security commitments; adequacy decisions where applicable; and additional contractual and technical safeguards where necessary.

10.3 User Acknowledgment

By using the Service, you acknowledge that your information may be transferred to and processed in countries outside your jurisdiction, subject to the safeguards described in this section. If you would like additional information regarding international data transfer safeguards, you may contact us at the address provided in Section 21.

11. Data Retention

We retain Personal Data only for as long as necessary to fulfill the purposes described in this Privacy Policy. Retention periods vary depending on the category of data and the nature of processing.

When Personal Data is no longer required for the purposes described above, we will securely delete, anonymize, or restrict access to such data in accordance with our internal retention policies and applicable legal requirements.

12. Data Security Measures

We implement appropriate technical and organizational security measures designed to protect Personal Data against unauthorized access, alteration, disclosure, loss, or misuse.

12.1 Technical Safeguards

• Encrypted data transmission using HTTPS/TLS for all connections
• Secure session management with server-side validation and strict session configuration
• LinkedIn OAuth 2.0 for secure, passwordless authentication; and Argon2ID password hashing for email-based authentication with automatic account lockout after repeated failed attempts
• Cross-site request forgery (CSRF) protection on all state-changing requests
• Input sanitization controls on all user-submitted data
• Validation of uploaded attachments (type, size, and MIME checks) and scoped, per-account access to stored attachments
• Case-level ownership checks on every workflow operation, so that Cases and attachments are accessible only to the owning account (and to reviewers only via explicit one-time invitation links)
• One-time, single-use invitation tokens for engineer and expert review, with automatic invalidation on use or on workflow progression
• Rate limiting and automated IP-based protective mechanisms
• Structured logging for audit traceability, separate from Case-level Audit Trails
• Controlled AI processing with automated consistency verification
• Separation of public-facing application layer and private backend infrastructure
• Security headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy)

12.2 Access Controls

Restricted server-level access to sensitive infrastructure, configuration, and log resources. Private data resources are not accessible via public interfaces. Role-based administrative access. Read-only monitoring systems for operational health assessment. Engineer and expert reviewers access only the specific Case slice relevant to their review task, through a single-use token, and only for the duration of that review.

12.3 Data Minimization

The Service is designed to minimize unnecessary data collection and segregate operational domains. Only the minimum data necessary is transmitted to AI providers (product, attachment summaries, party inputs, and regulatory reference text — never account data, IP addresses, session identifiers, raw attachment files, or invitation emails/tokens). Temporary processing data is automatically deleted upon completion. Logging systems exclude sensitive credential data, raw attachment contents, full AI analytical content, and complete response bodies.

12.4 Incident Response

In the event of a security incident involving Personal Data, we will investigate promptly and take appropriate remedial action. Where required by applicable law (including the GDPR 72-hour notification requirement), affected users and relevant supervisory authorities will be notified within the required statutory timeframes.

While we implement commercially reasonable safeguards, no method of electronic transmission or storage can be guaranteed to be completely secure. Users are responsible for maintaining the confidentiality of their account credentials and notifying us of any suspected unauthorized access.

13. Cookies and Tracking Technologies

13.1 Essential Cookies

The Service uses the following essential cookies that are required for platform functionality and security. These cookies cannot be disabled without impairing the Service:

• Session Cookie: Maintains your authenticated session. Expires when you close your browser or after server-defined session timeout.
• CSRF Token: Protects against cross-site request forgery attacks. Regenerated per session.

13.2 Analytics Cookies

We may use analytics cookies to understand how users interact with the Service. Analytics cookies are deployed only where consent is required and obtained under applicable law. You may control non-essential cookies through your browser settings or through consent preferences where a consent mechanism is presented.

13.3 No Third-Party Advertising Cookies

The Service does not use third-party advertising cookies, tracking pixels for advertising purposes, or cross-site tracking technologies. The Service is designed for regulatory compliance assistance, not advertising-based profiling.

14. Your Rights Under the GDPR

If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction where the GDPR or equivalent data protection laws apply, you may have the following rights, subject to applicable legal limitations:

14.1 Right of Access

You have the right to request confirmation as to whether we process your Personal Data and, where applicable, obtain a copy of the Personal Data we hold about you.

14.2 Right to Rectification

You have the right to request correction of inaccurate Personal Data or completion of incomplete Personal Data.

14.3 Right to Erasure

You may request deletion of your Personal Data where the data is no longer necessary for the purposes for which it was collected; you withdraw consent and no other legal basis applies; you object to processing and there are no overriding legitimate grounds; the data has been processed unlawfully; or deletion is required to comply with a legal obligation. This right is subject to exceptions, including where retention is necessary for legal compliance, security logging, or defense of legal claims.

14.4 Right to Restrict Processing

You may request that we restrict the processing of your Personal Data in certain circumstances, including while a dispute regarding accuracy or lawfulness is being resolved.

14.5 Right to Data Portability

Where processing is based on consent or contractual necessity and carried out by automated means, you may request to receive your Personal Data in a structured, commonly used, and machine-readable format.

14.6 Right to Object

You may object to processing based on legitimate interests. If you object, we will cease processing unless we demonstrate compelling legitimate grounds or where processing is required for legal claims.

14.7 Right to Withdraw Consent

Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

14.8 Rights Related to Automated Decision-Making

The Service does not engage in solely automated decision-making that produces legal or similarly significant effects within the meaning of Article 22 GDPR. AI-generated outputs are advisory and subject to user review. You may contact us if you have concerns regarding automated processing.

14.9 Right to Lodge a Complaint

You have the right to lodge a complaint with your local data protection supervisory authority if you believe your Personal Data has been processed in violation of applicable law.

14.10 Exercising Your GDPR Rights

To exercise any of the above rights, please contact us at [email protected]. We may require reasonable identity verification before responding. We will respond within 30 days as required by applicable law.

15. Your Rights Under the CCPA/CPRA

If you are a California resident, you may have specific privacy rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA). This section describes those rights and how to exercise them.

15.1 Right to Know

You have the right to request that we disclose the categories of Personal Data we collect; the categories of sources from which Personal Data is collected; the business or commercial purposes for collecting Personal Data; the categories of third parties with whom we share Personal Data; and the specific pieces of Personal Data we hold about you.

15.2 Right to Delete

You may request deletion of Personal Data we have collected about you, subject to certain exceptions where retention is necessary for completing transactions, detecting security incidents, complying with legal obligations, exercising or defending legal claims, or maintaining internal records for lawful business purposes.

15.3 Right to Correct

You may request correction of inaccurate Personal Data maintained about you.

15.4 Right to Opt-Out of Sale or Sharing

We do not sell Personal Data. We do not share Personal Data for cross-context behavioral advertising. Therefore, there is no requirement to submit a "Do Not Sell or Share My Personal Information" request.

15.5 Automated Decision-Making Technology (ADMT)

Effective January 1, 2026, the CCPA/CPRA includes provisions regarding Automated Decision-Making Technology. The Service uses AI-assisted processing to generate classification and license determination outputs as described in Section 6. These outputs are informational and advisory only; they do not produce legal effects, deny services, determine pricing, or make decisions about access to services. All AI-generated outputs require user review and independent judgment before application. You may request information about how the Service uses automated processing by contacting us at [email protected].

15.6 Right to Non-Discrimination

We will not discriminate against you for exercising any applicable privacy rights. Exercising your rights will not result in denial of services, different pricing, or reduced service functionality, except where deletion or restriction of data makes continued service provision technically impossible.

15.7 Exercising California Privacy Rights

To submit a request under California privacy laws, please contact us at [email protected]. We may require reasonable identity verification. We will respond within the timeframes required by applicable California law (generally within 45 days).

16. Additional Jurisdiction-Specific Rights

16.1 Brazilian General Data Protection Law (LGPD)

If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD), including the rights to confirmation and access, correction, anonymization or deletion, data portability, information about shared data, revocation of consent, and the right to petition the Autoridade Nacional de Proteção de Dados (ANPD). To exercise these rights, contact us at [email protected].

16.2 Canadian Privacy Law (PIPEDA)

If you are located in Canada, your Personal Data may be protected under the Personal Information Protection and Electronic Documents Act (PIPEDA) or equivalent provincial legislation. You have rights of access, correction, and the right to withdraw consent for non-essential processing. To exercise these rights, contact us at [email protected].

16.3 Indian Digital Personal Data Protection Act (DPDPA)

If you are located in India, you may have rights under the Digital Personal Data Protection Act, 2023, as its provisions become effective. These include rights of access, correction, erasure, and grievance redressal. We will update this section as implementing rules are published. Contact [email protected] for inquiries.

16.4 Other U.S. State Privacy Laws

Residents of U.S. states with comprehensive privacy legislation (including but not limited to Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Montana, Iowa, Indiana, Tennessee, Kentucky, Rhode Island, and other states with privacy laws effective on or before January 1, 2026) may have similar rights to access, delete, correct, and opt out of the sale of Personal Data. We do not sell Personal Data and do not engage in targeted advertising. To exercise any applicable state privacy rights, contact us at [email protected].

17. Do Not Track and Opt-Out Preference Signals

Some web browsers and devices transmit "Do Not Track" (DNT) signals or Global Privacy Control (GPC) signals to websites.

The Service does not engage in cross-context behavioral tracking or sell Personal Data. Where we detect a GPC or equivalent universal opt-out preference signal, we will honor that signal as an opt-out of the sale or sharing of Personal Data, consistent with applicable state privacy laws, including the CCPA/CPRA. As the Service does not sell or share Personal Data for advertising purposes, this signal does not change our processing practices but is acknowledged and respected as required.

Users may manage cookie preferences through browser settings. Essential cookies required for authentication, security enforcement, and core platform functionality cannot be disabled without impairing the Service.

18. Children's Privacy

The Service is intended for use by professionals, exporters, manufacturers, compliance practitioners, and other individuals engaged in trade and regulatory activities. It is not directed to children.

We do not knowingly collect, solicit, or process Personal Data from individuals under the age of 18 (or the applicable age of digital consent in your jurisdiction, such as 16 under the GDPR or 13 under COPPA). If you are under the applicable age, you may not use or access the Service.

If we become aware that Personal Data has been collected from a child without appropriate authorization, we will take reasonable steps to delete such information promptly. If you believe that a child may have provided Personal Data through the Service, please contact us at [email protected].

19. Account Deletion and Data Removal

You may request deletion of your account at any time through the authenticated dashboard or by contacting us at [email protected].

19.1 Deletion Process

Account deletion requests are subject to identity verification and confirmation safeguards. Once confirmed, your account status will be transitioned to a deletion state; active sessions will be terminated; access to the workspace, Cases, and tools will be revoked; any active engineer or expert invitation tokens associated with Your Cases will be invalidated; and account credentials will be disabled.

19.2 Data Removal Scope

Upon confirmed deletion, Personal Data associated with your account — including Cases, attachments (Step 1 datasheets and Step 5 End-User Statements), Party Screening Data, per-case ELENA Consultation transcripts, global ELENA Chat Data, and Final Reports — will be removed, anonymized, or restricted from active processing within 90 days, except where retention is required for legal or regulatory compliance obligations; security logging and fraud prevention; defense of legal claims; resolution of disputes; or internal audit or compliance documentation related to export control records.

19.3 Classification and Compliance Records

Certain Case, classification, license determination, and screening records may be retained in restricted, de-identified form for audit traceability and legal defense purposes, as described in the Data Retention section. Where retained, these records are anonymized or pseudonymized to remove direct personal identifiers.

19.4 Log and Security Records

Structured system logs are not automatically erased upon account deletion where retention is required for legitimate security or legal purposes. These logs are maintained under restricted access and retention controls and are subject to periodic review and rotation.

20. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, security practices, or business operations.

When we make material changes, we will update the "Last updated" date at the top of this page. Where required by applicable law, we will provide additional notice through email notification to registered users or a prominent notice on the Service. We will not make retroactive material changes to how we handle previously collected Personal Data without providing notice and, where required, obtaining consent.

Continued use of the Service after an updated Privacy Policy becomes effective constitutes acknowledgment of the revised terms, to the extent permitted by applicable law.

21. Contact Information

If you have questions, comments, or requests regarding this Privacy Policy or our handling of Personal Data — including requests to exercise any applicable privacy right described in Sections 14, 15, and 16 — please contact us at:

If you are unable to resolve a concern with us directly, you have the right to lodge a complaint with your local data-protection supervisory authority (see Section 14.9 for GDPR jurisdictions, Section 16.1 for Brazil / ANPD, and the applicable state-level authority for U.S. residents).