This Privacy Policy explains how ECCN.help ("ECCN.help", "We", "Us", or "Our") collects, processes, stores, protects, and discloses information when You access or use our website, tools, AI-driven classification services, export license determination features, ECCN lookup utilities, ELENA compliance assistant, and related features (collectively, the "Service"), accessible at https://eccn.help.
The Service provides structured export control guidance under the U.S. Export Administration Regulations (EAR) through AI-assisted analytical workflows and curated regulatory reference systems. This Privacy Policy applies to all interactions with our publicly accessible website, authenticated dashboard, classification and license determination features, ELENA compliance assistant, contact submissions, and account management functionalities.
We are committed to transparency, data minimization, lawful processing, and appropriate technical and organizational safeguards in accordance with applicable data protection laws worldwide, including but not limited to the General Data Protection Regulation (EU GDPR and UK GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Brazilian General Data Protection Law (LGPD), the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the Indian Digital Personal Data Protection Act (DPDPA), and other applicable state, federal, and international privacy regulations.
Important: The Service provides informational and analytical assistance only. It does not constitute legal advice, does not replace independent regulatory analysis, and does not produce automated decisions that have binding legal effects. Users remain solely responsible for evaluating AI-generated outputs and making final compliance determinations.
1. Definitions
For the purposes of this Privacy Policy, the following definitions apply:
- "Personal Data" means any information that relates to an identified or identifiable natural person, including information that can directly or indirectly identify a user, as defined under applicable data protection laws.
- "Service" refers to the ECCN.help website, authenticated dashboard, AI-assisted ECCN classification features, export license determination features, ECCN lookup tools, ELENA compliance assistant, account management features, and all related functionality provided through the platform.
- "Account Data" refers to information provided during registration or account management, including name, email address, professional information, account status, and authentication-related metadata.
- "Classification Data" refers to product titles, descriptions, technical specifications, follow-up answers, AI-generated classification outputs including ECCN codes, justification notes, mass-market and dual-use determinations, ITAR flag assessments, and related compliance documentation submitted or generated within the ECCN classification workflow.
- "License Determination Data" refers to ECCN codes, destination countries, end-use descriptions, end-user types, and the resulting license requirement outcomes, license exception analyses, and regulatory summaries generated by the export license determination features.
- "Chat Data" refers to user-submitted messages and AI-generated responses exchanged through the ELENA compliance assistant, including associated session metadata.
- "Usage Data" means technical and interaction-related information automatically collected when users access or interact with the Service, including device information, log entries, session data, and activity metadata.
- "Temporary Processing Data" refers to transient analytical data generated during the AI classification process, containing intermediate results and regulatory reference material used to support a single classification request. Temporary processing data is automatically deleted upon classification completion or after 24 hours, whichever occurs first.
- "Security and Audit Logs" refers to structured system logs generated for operational monitoring, security enforcement, service execution tracking, and compliance auditing purposes.
- "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, structuring, retrieval, use, disclosure, restriction, deletion, or destruction.
- "User", "You", or "Your" refers to any individual or entity accessing or using the Service, whether as a visitor or authenticated account holder.
- "Third-Party AI Provider" refers to external artificial intelligence service providers whose commercial services are used to perform natural language processing tasks within the Service, as identified in Section 7.
2. Categories of Personal Data Collected
We collect and process different categories of Personal Data depending on how you interact with the Service. The categories described below reflect authenticated access, AI-assisted classification and license determination workflows, lookup tools, the ELENA compliance assistant, logging systems, and security monitoring.
2.1 Identity and Account Data
- Full name
- Email address
- Account status and lifecycle state
- Encrypted password credentials (hashed using industry-standard cryptographic algorithms; never stored in plaintext)
- Authentication and session identifiers
2.2 Professional and Profile Data
- Professional experience in trade compliance or ECCN classification (self-reported)
- Self-assessed skill ratings
- LinkedIn profile URL (if voluntarily provided)
- Survey responses and onboarding information
2.3 Classification and AI Submission Data
- Product titles and descriptions submitted for ECCN classification
- Product URLs (optional; stored for audit traceability but not transmitted to AI providers)
- Technical specifications and structured inputs
- Follow-up question responses
- AI-generated classification outputs (ECCN codes, justification notes, mass-market and dual-use determinations, ITAR flag assessments)
- User feedback regarding classification accuracy
Classification Data is stored to support account functionality, compliance documentation, audit traceability, quality improvement, and user access to historical records.
2.4 License Determination Data
- ECCN codes submitted for license determination
- Destination country selections
- End-use descriptions and end-user type selections
- AI-generated license requirement outcomes, exception analyses, and regulatory summaries
2.5 Chat and Communication Data
- User-submitted messages within the ELENA compliance assistant
- AI-generated assistant responses
- Session metadata (timestamps, session identifiers)
- Contact form messages
- Email correspondence related to account or service activity
2.6 Usage and Technical Data
- IP address
- Approximate geographic location (country, region, city derived from IP address)
- Browser type and version
- Device type and operating system
- User agent string
- Referring pages and navigation paths
- Interaction metadata (feature usage, tool engagement events)
- Session timestamps and duration
2.7 Security and Audit Log Data
- Service execution events and response codes
- Authentication attempts (successful and failed)
- Password reset and account deletion request events
- Rate limiting and IP-based enforcement events
- System error events
- Classification and license determination workflow metadata
Security and audit logs are domain-segregated and structured for operational monitoring, forensic analysis, compliance auditing, and system integrity protection. Logs do not store plaintext passwords, authentication tokens, service credentials, full AI analytical content, or full AI-generated response content.
2.8 Cookies and Session Data
- Session cookies required for authentication and state management
- CSRF protection tokens
- Analytics cookies (deployed only with consent where required by applicable law)
For detailed information about cookies, see Section 13.
2.9 Data We Do Not Collect
We do not collect government-issued identifiers, payment card or financial account information, biometric identifiers, genetic data, health-related data, racial or ethnic origin data, religious or philosophical belief data, trade union membership data, sexual orientation data, or data revealing political opinions, unless explicitly and voluntarily provided by You through contact communications.
3. How We Collect Data
We collect Personal Data through structured, secure, and purpose-limited mechanisms. Data collection occurs through direct user input, automated system processes, authentication workflows, AI-assisted interactions, and security monitoring systems.
3.1 Information You Provide Directly
We collect information that you voluntarily submit when you:
- Create or manage an account
- Complete onboarding surveys
- Submit product descriptions or technical data for ECCN classification
- Submit ECCN codes and destination data for license determination
- Respond to AI-generated follow-up questions
- Interact with the ELENA compliance assistant
- Send contact messages
- Provide feedback regarding AI-generated classifications or license determinations
3.2 Automated Collection Through System Operation
When you access or use the Service, certain technical and usage-related information is collected automatically through secure server processes, including IP address, browser and device information, session identifiers and timestamps, navigation patterns, and service request lifecycle data. This information is generated as part of normal system operation and is used for authentication enforcement, abuse prevention, performance optimization, audit traceability, and security monitoring.
3.3 AI Processing Interactions
When you submit classification inputs, license determination requests, or assistant messages, the content you provide is processed within a controlled AI analytical workflow. This may include structured interpretation of product descriptions, retrieval of relevant regulatory reference data, analytical processing against curated compliance datasets, and response generation. AI processing occurs only in response to user-initiated requests and is never performed passively or without user action.
3.4 Security and Monitoring Systems
We collect structured audit and log data through automated security systems that monitor service access, authentication attempts, session lifecycle events, classification workflow execution, and system errors. These logs are generated programmatically and are used exclusively for operational stability, compliance monitoring, forensic analysis, and fraud prevention. We do not collect sensitive authentication credentials (such as plaintext passwords or tokens) through logging systems.
4. Legal Basis for Processing
Where the GDPR or similar data protection laws apply, we process Personal Data only where we have a valid legal basis. The legal bases we rely upon depend on the nature of the interaction with the Service and the specific processing activity involved.
4.1 Contractual Necessity
We process Personal Data where necessary to perform our contractual obligations or to take steps at your request prior to entering into a contract. This includes account registration and authentication, provision of AI-assisted ECCN classification and license determination services, access to dashboard functionality and tools, storage and retrieval of classification and license determination history, and processing contact requests initiated by users.
4.2 Legitimate Interests
We process certain Personal Data based on our legitimate interests, provided those interests are not overridden by your fundamental rights and freedoms. These interests include:
- Maintaining system security and preventing fraud or abuse
- Operating structured logging and audit systems
- Monitoring classification and license determination performance and accuracy
- Improving platform functionality and user experience
- Ensuring infrastructure stability and service reliability
- Defending legal claims and protecting our legal rights
4.3 Consent
We rely on your consent where required by applicable law, including use of non-essential cookies and analytics technologies and optional marketing or newsletter communications. You may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
4.4 Legal Obligations
We may process Personal Data where necessary to comply with applicable legal or regulatory obligations, including obligations related to export compliance documentation, fraud prevention, law enforcement requests, or court orders.
4.5 Protection of Vital or Public Interests
In limited circumstances, we may process Personal Data where necessary to protect vital interests or where processing is required for reasons of substantial public interest, as permitted by applicable law.
5. How We Use Personal Data
We use Personal Data strictly for defined, lawful, and operationally necessary purposes consistent with the functionality and security of the Service.
5.1 To Provide and Maintain the Service
Creating and managing user accounts; authenticating users and maintaining secure sessions; providing access to the dashboard, AI-assisted classification features, license determination features, ECCN lookup tools, and ELENA compliance assistant; storing and retrieving classification and license determination history; and delivering structured export control guidance based on user-submitted information.
5.2 To Operate the AI Classification and License Determination Systems
Processing product descriptions and technical specifications submitted for ECCN analysis; interpreting product attributes for regulatory alignment; retrieving relevant regulatory reference data from curated compliance datasets; generating AI-assisted classification outputs and structured justifications; determining export license requirements based on ECCN codes, destination countries, and applicable regulatory controls; managing follow-up question workflows; capturing user feedback for accuracy evaluation and quality monitoring; and processing ELENA compliance assistant interactions.
AI-generated outputs are provided for informational assistance only. Users remain solely responsible for reviewing results and making final regulatory determinations.
5.3 To Ensure Security and Prevent Abuse
Monitoring authentication attempts and detecting unauthorized access; enforcing rate limiting and IP-based protective mechanisms; maintaining structured audit and security logs; investigating suspicious or anomalous activity; and protecting system integrity and infrastructure stability.
5.4 To Improve and Monitor System Performance
Analyzing usage patterns and feature engagement; monitoring classification accuracy trends and escalation rates; evaluating infrastructure health and operational reliability; and conducting internal analytics for quality improvement.
5.5 To Communicate with You
Sending registration confirmations and onboarding communications; delivering password reset or account-related notifications; sending service updates and security alerts; responding to contact requests and support inquiries; and sending optional informational communications where permitted.
5.6 To Comply with Legal and Regulatory Requirements
Maintaining records necessary for export compliance documentation; responding to lawful requests from regulatory or governmental authorities; enforcing our terms, policies, and contractual rights; and defending against legal claims.
We do not sell Personal Data. We do not use Personal Data for behavioral advertising profiling or cross-context behavioral advertising.
6. AI and Automated Processing Disclosure
The Service includes AI-assisted processing components designed to support ECCN classification analysis, export license determination, and related regulatory research. This section explains how automated processing functions within the platform, what data is transmitted to AI providers, and the role of human oversight.
6.1 AI Processing Overview
The ECCN classification and license determination features operate through a controlled, multi-stage analytical process. When you submit product descriptions for classification, your input is processed through a governed workflow that includes interpretation of product attributes, retrieval of relevant regulatory reference material from curated compliance datasets, analytical evaluation against applicable regulatory criteria, and generation of structured classification guidance or targeted follow-up questions.
Throughout this process, only the product-related information you submit and regulatory reference material are used for analysis. The AI components do not receive your identity, account information, IP address, or other Personal Data.
The export license determination features follow a similar approach: regulatory outcomes (license required, license exception availability, embargo applicability) are determined through structured analysis against curated regulatory datasets. AI components assist with generating natural-language summaries of those pre-determined outcomes.
6.2 Data Transmitted to AI Providers
When AI processing is invoked, the following data may be transmitted to a Third-Party AI Provider:
- Product title and product description as submitted by you
- Your answers to follow-up questions (if applicable)
- Regulatory reference text retrieved from our curated compliance datasets (not your Personal Data)
- Structured system instructions that define the analytical task
The following data is never transmitted to AI providers:
- Your name, email address, or account credentials
- Your IP address, device information, or geographic location
- Your user ID or session identifiers
- Product URLs (these are stored locally for audit purposes only)
- Any data from other users
6.3 Temporary Processing Data
During the classification process, the platform generates temporary analytical data to support the multi-stage workflow for a single classification request. This temporary data:
- Is stored exclusively on our server infrastructure (not transmitted to third parties)
- Is automatically deleted upon successful classification completion
- Is automatically purged after 24 hours if not completed
- Is used solely to maintain analytical context within a single classification request
6.4 Advisory Nature of AI Outputs
AI-generated outputs are informational and analytical in nature. They are intended to assist users in regulatory research and internal compliance workflows. The Service does not provide legal advice, does not replace professional regulatory counsel, and does not guarantee regulatory outcomes. Users remain solely responsible for reviewing AI-generated results and making final export compliance determinations.
6.5 No Automated Legal or Similarly Significant Decisions
The Service does not engage in solely automated decision-making that produces legal effects or similarly significant impacts on individuals within the meaning of Article 22 of the GDPR or comparable provisions under the CCPA/CPRA (Automated Decision-Making Technology). AI-generated classifications and license determinations do not automatically approve, deny, restrict, or enforce legal rights. All outputs are presented to the user for independent review and judgment before application.
6.6 Human-in-the-Loop Mechanisms
The platform includes multiple human oversight mechanisms: a structured feedback system allowing users to confirm or contest AI-generated classifications; automated consistency verification that detects potential analytical errors and routes edge cases for review; and an escalation pathway where classifications that fail consistency checks are flagged for further review rather than being presented as definitive results.
6.7 AI Model Training
We do not use your Personal Data, Classification Data, License Determination Data, or Chat Data to train, fine-tune, or improve any AI or machine learning model. Data transmitted to Third-Party AI Providers is sent through their commercial service interfaces, which are contractually separate from model training activities. For details about each provider's data handling practices, see Section 7.
7. Third-Party Service Providers
The Service utilizes external service providers to perform specific technical functions. These providers act as data processors under applicable data protection law and process data solely to provide services to us.
7.1 AI Service Providers
The Service may use one or more of the following AI providers for natural language processing tasks (interpretation, classification analysis, and summary generation):
| Provider | Function | Data Transmitted | Provider Privacy Policy |
|---|---|---|---|
| OpenAI, Inc. | AI analytical processing | Product title, description, follow-up answers, regulatory reference text, system instructions | openai.com/policies/privacy-policy |
| Google LLC (Gemini) | AI analytical processing | Product title, description, follow-up answers, regulatory reference text, system instructions | policies.google.com/privacy |
| Anthropic, PBC | AI analytical processing | Product title, description, follow-up answers, regulatory reference text, system instructions | anthropic.com/privacy |
Only one AI provider is active for primary analytical tasks at any time. The active provider is configured at the system level. All AI providers are accessed through their respective commercial service interfaces. Data transmitted through these interfaces is subject to each provider's data usage policies, which generally provide that service inputs and outputs are not used to train models.
7.2 Regulatory Reference Infrastructure
The Service uses a cloud-hosted regulatory reference system to store and retrieve regulatory compliance data from official U.S. Bureau of Industry and Security (BIS) documents. This infrastructure contains only regulatory text and structured compliance reference entries. No Personal Data is stored in or transmitted to this system. When a classification or license determination is requested, the product description is used to retrieve relevant regulatory text. The retrieval process uses mathematical representations that do not contain readable personal information and cannot be reversed to reconstruct the original text.
7.3 Hosting and Infrastructure
- Web Hosting: The Service is hosted on managed hosting infrastructure. The hosting provider processes data as necessary to deliver hosting services, including storage of application files, database records, and log files.
- Email Delivery: Transactional emails (registration confirmations, password resets, security alerts) are sent through email delivery infrastructure providers.
All third-party providers are selected with consideration for their data protection practices and are engaged under terms that require appropriate security measures and limit data use to the purposes of providing services to us.
8. Logging and Security Monitoring
The Service operates a structured, domain-segregated logging and security monitoring framework designed to preserve system integrity, ensure audit traceability, detect abuse, and maintain compliance-grade operational visibility.
8.1 Purpose of Logging
We generate and maintain structured logs for tracking service execution and system lifecycle events; monitoring authentication activity and session lifecycle events; detecting unauthorized access attempts or suspicious behavior; enforcing rate limiting and abuse-prevention mechanisms; recording classification and license determination workflow metadata; capturing system errors and operational anomalies; and maintaining security audit trails for forensic and compliance purposes.
8.2 Data Minimization in Logs
Logging systems are designed to minimize sensitive data exposure. Logs do not store plaintext passwords; authentication tokens or session secrets; full AI analytical content or complete AI-generated response content; service credentials; or complete product descriptions submitted by users. Credential data is stored using secure cryptographic hashing separate from logging systems.
8.3 Domain Segregation
Logging domains are logically separated. Security events, classification lifecycle events, session events, and general service activity are recorded in distinct structured log categories to support controlled access, audit review, and forensic analysis.
8.4 Automated Monitoring
The platform includes automated monitoring processes that evaluate system health, error patterns, classification escalation rates, and infrastructure conditions. These monitoring mechanisms operate in a read-only capacity and are used exclusively for detecting anomalies, preventing service disruption, and identifying potential security risks.
9. Sharing and Disclosure
We do not sell, rent, or trade Personal Data. We do not share Personal Data for cross-context behavioral advertising.
We disclose Personal Data only where necessary to operate the Service, comply with legal obligations, protect legitimate interests, or facilitate business operations under appropriate safeguards.
9.1 Service Providers (Data Processors)
We may share limited Personal Data with third-party service providers that perform services on our behalf, including cloud hosting and infrastructure providers; AI processing service providers (as detailed in Section 7); email delivery infrastructure providers; and analytics service providers (where consent is provided). These providers process Personal Data only under contractual safeguards and are authorized to use data solely for the purpose of providing services to us.
9.2 Legal and Regulatory Disclosure
We may disclose Personal Data where required to comply with applicable law, regulation, court order, or lawful governmental request; enforce our Terms of Service or other agreements; investigate fraud, security incidents, or regulatory violations; or protect the rights, property, or safety of users, the Company, or the public.
9.3 Business Transfers
In the event of a merger, acquisition, restructuring, financing, asset sale, or other corporate transaction, Personal Data may be transferred to a successor entity. Any such transfer will remain subject to appropriate confidentiality and data protection safeguards. Where required by applicable law, we will provide notice to affected users prior to any such transfer.
9.4 Aggregated or De-Identified Data
We may use and disclose aggregated or de-identified information that does not identify individual users for analytics, research, performance monitoring, or reporting purposes.
10. International Data Transfers
The Service may involve the transfer, storage, or processing of Personal Data outside of your country of residence, including to the United States and other jurisdictions where our infrastructure providers and AI service providers operate.
10.1 Cross-Border Processing
Personal Data may be processed on servers located in the United States, European Union, and other jurisdictions. When AI processing is invoked, product description data is transmitted to the active AI provider's infrastructure, which may be located in a different jurisdiction from yours.
10.2 Safeguards for International Transfers
Where required under the GDPR, UK GDPR, or similar regulations, we rely on lawful transfer mechanisms including Standard Contractual Clauses (SCCs) approved by the European Commission; data processing agreements with appropriate confidentiality and security commitments; adequacy decisions where applicable; and additional contractual and technical safeguards where necessary.
10.3 User Acknowledgment
By using the Service, you acknowledge that your information may be transferred to and processed in countries outside your jurisdiction, subject to the safeguards described in this section. If you would like additional information regarding international data transfer safeguards, you may contact us at the address provided in Section 21.
11. Data Retention
We retain Personal Data only for as long as necessary to fulfill the purposes described in this Privacy Policy. Retention periods vary depending on the category of data and the nature of processing.
| Data Category | Retention Period | Basis |
|---|---|---|
| Account and Identity Data | Duration of active account + reasonable period after deletion request (not to exceed 90 days, except where legal retention applies) | Contractual necessity; legal obligations |
| Classification and License Determination Data | Duration of active account + up to 5 years post-deletion for regulatory audit trail purposes | Contractual necessity; legitimate interest in regulatory documentation; legal defense |
| Temporary Processing Data | Deleted immediately upon classification completion or within 24 hours, whichever is sooner | Contractual necessity (transient processing data) |
| ELENA Chat Data | Active sessions: duration of session. Archived sessions: up to 12 months for audit and quality purposes | Contractual necessity; legitimate interest |
| Security and Audit Logs | Up to 12 months, subject to periodic review and rotation | Legitimate interest in security; legal obligations |
| Email and Communication Records | Up to 24 months for verification, troubleshooting, and legal defense | Legitimate interest; legal defense |
When Personal Data is no longer required for the purposes described above, we will securely delete, anonymize, or restrict access to such data in accordance with our internal retention policies and applicable legal requirements.
12. Data Security Measures
We implement appropriate technical and organizational security measures designed to protect Personal Data against unauthorized access, alteration, disclosure, loss, or misuse.
12.1 Technical Safeguards
- Encrypted data transmission using HTTPS/TLS for all connections
- Secure session management with server-side validation and strict session configuration
- Industry-standard cryptographic password hashing
- Cross-site request forgery (CSRF) protection on all state-changing requests
- Input sanitization controls on all user-submitted data
- Rate limiting and automated IP-based protective mechanisms
- Structured, domain-segregated logging for audit traceability
- Controlled AI processing with automated consistency verification
- Separation of public-facing application layer and private backend infrastructure
- Security headers (HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy)
12.2 Access Controls
- Restricted server-level access to sensitive infrastructure, configuration, and log resources
- Private data resources are not accessible via public interfaces
- Role-based administrative access
- Read-only monitoring systems for operational health assessment
12.3 Data Minimization
The Service is designed to minimize unnecessary data collection and segregate operational domains. Only the minimum data necessary is transmitted to AI providers (product descriptions and regulatory reference text; never account data, IP addresses, or session identifiers). Temporary processing data is automatically deleted upon completion. Logging systems exclude sensitive credential data, full AI analytical content, and complete response bodies.
12.4 Incident Response
In the event of a security incident involving Personal Data, we will investigate promptly and take appropriate remedial action. Where required by applicable law (including the GDPR 72-hour notification requirement), affected users and relevant supervisory authorities will be notified within the required statutory timeframes.
While we implement commercially reasonable safeguards, no method of electronic transmission or storage can be guaranteed to be completely secure. Users are responsible for maintaining the confidentiality of their account credentials and notifying us of any suspected unauthorized access.
13. Cookies and Tracking Technologies
13.1 Essential Cookies
The Service uses the following essential cookies that are required for platform functionality and security. These cookies cannot be disabled without impairing the Service:
- Session Cookie: Maintains your authenticated session. Expires when you close your browser or after a server-defined session timeout.
- CSRF Token: Protects against cross-site request forgery attacks. Regenerated per session.
13.2 Analytics Cookies
We may use analytics cookies to understand how users interact with the Service. Analytics cookies are deployed only where consent is required and obtained under applicable law. You may control non-essential cookies through your browser settings or through consent preferences where a consent mechanism is presented.
13.3 No Third-Party Advertising Cookies
The Service does not use third-party advertising cookies, tracking pixels for advertising purposes, or cross-site tracking technologies. The Service is designed for regulatory compliance assistance, not advertising-based profiling.
14. Your Rights Under the GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or another jurisdiction where the GDPR or equivalent data protection laws apply, you may have the following rights, subject to applicable legal limitations:
14.1 Right of Access
You have the right to request confirmation as to whether we process your Personal Data and, where applicable, obtain a copy of the Personal Data we hold about you.
14.2 Right to Rectification
You have the right to request correction of inaccurate Personal Data or completion of incomplete Personal Data.
14.3 Right to Erasure
You may request deletion of your Personal Data where the data is no longer necessary for the purposes for which it was collected; you withdraw consent and no other legal basis applies; you object to processing and there are no overriding legitimate grounds; the data has been processed unlawfully; or deletion is required to comply with a legal obligation. This right is subject to exceptions, including where retention is necessary for legal compliance, security logging, or defense of legal claims.
14.4 Right to Restrict Processing
You may request that we restrict the processing of your Personal Data in certain circumstances, including while a dispute regarding accuracy or lawfulness is being resolved.
14.5 Right to Data Portability
Where processing is based on consent or contractual necessity and carried out by automated means, you may request to receive your Personal Data in a structured, commonly used, and machine-readable format.
14.6 Right to Object
You may object to processing based on legitimate interests. If you object, we will cease processing unless we demonstrate compelling legitimate grounds or the processing is required for legal claims.
14.7 Right to Withdraw Consent
Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
14.8 Rights Related to Automated Decision-Making
The Service does not engage in solely automated decision-making that produces legal or similarly significant effects within the meaning of Article 22 GDPR. AI-generated outputs are advisory and subject to user review. You may contact us if you have concerns regarding automated processing.
14.9 Right to Lodge a Complaint
You have the right to lodge a complaint with your local data protection supervisory authority if you believe your Personal Data has been processed in violation of applicable law.
14.10 Exercising Your GDPR Rights
To exercise any of the above rights, please contact us at ask@eccn.help. We may require reasonable identity verification before responding. We will respond within 30 days as required by applicable law.
15. Your Rights Under the CCPA/CPRA
If you are a California resident, you may have specific privacy rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA). This section describes those rights and how to exercise them.
15.1 Right to Know
You have the right to request that we disclose the categories of Personal Data we collect; the categories of sources from which Personal Data is collected; the business or commercial purposes for collecting Personal Data; the categories of third parties with whom we share Personal Data; and the specific pieces of Personal Data we hold about you.
15.2 Right to Delete
You may request deletion of Personal Data we have collected about you, subject to certain exceptions where retention is necessary for completing transactions, detecting security incidents, complying with legal obligations, exercising or defending legal claims, or maintaining internal records for lawful business purposes.
15.3 Right to Correct
You may request correction of inaccurate Personal Data maintained about you.
15.4 Right to Opt-Out of Sale or Sharing
We do not sell Personal Data. We do not share Personal Data for cross-context behavioral advertising. Therefore, there is no requirement to submit a "Do Not Sell or Share My Personal Information" request.
15.5 Automated Decision-Making Technology (ADMT)
Effective January 1, 2026, the CCPA/CPRA includes provisions regarding Automated Decision-Making Technology. The Service uses AI-assisted processing to generate classification and license determination outputs as described in Section 6. These outputs are informational and advisory only; they do not produce legal effects, deny services, determine pricing, or make decisions about access to services. All AI-generated outputs require user review and independent judgment before application. You may request information about how the Service uses automated processing by contacting us at ask@eccn.help.
15.6 Right to Non-Discrimination
We will not discriminate against you for exercising any applicable privacy rights. Exercising your rights will not result in denial of services, different pricing, or reduced service functionality, except where deletion or restriction of data makes continued service provision technically impossible.
15.7 Exercising California Privacy Rights
To submit a request under California privacy laws, please contact us at ask@eccn.help. We may require reasonable identity verification. We will respond within the timeframes required by applicable California law (generally within 45 days).
16. Additional Jurisdiction-Specific Rights
16.1 Brazilian General Data Protection Law (LGPD)
If you are located in Brazil, you have rights under the Lei Geral de Proteção de Dados (LGPD), including the rights to confirmation and access, correction, anonymization or deletion, data portability, information about shared data, revocation of consent, and the right to petition the Autoridade Nacional de Proteção de Dados (ANPD). To exercise these rights, contact us at ask@eccn.help.
16.2 Canadian Privacy Law (PIPEDA)
If you are located in Canada, your Personal Data may be protected under the Personal Information Protection and Electronic Documents Act (PIPEDA) or equivalent provincial legislation. You have rights of access, correction, and the right to withdraw consent for non-essential processing. To exercise these rights, contact us at ask@eccn.help.
16.3 Indian Digital Personal Data Protection Act (DPDPA)
If you are located in India, you may have rights under the Digital Personal Data Protection Act, 2023, as its provisions become effective. These include rights of access, correction, erasure, and grievance redressal. We will update this section as implementing rules are published. Contact ask@eccn.help for inquiries.
16.4 Other U.S. State Privacy Laws
Residents of U.S. states with comprehensive privacy legislation (including but not limited to Virginia, Colorado, Connecticut, Utah, Oregon, Texas, Montana, Iowa, Indiana, Tennessee, Kentucky, Rhode Island, and other states with privacy laws effective on or before January 1, 2026) may have similar rights to access, delete, correct, and opt out of the sale of Personal Data. We do not sell Personal Data and do not engage in targeted advertising. To exercise any applicable state privacy rights, contact us at ask@eccn.help.
17. Do Not Track and Opt-Out Preference Signals
Some web browsers and devices transmit "Do Not Track" (DNT) signals or Global Privacy Control (GPC) signals to websites.
The Service does not engage in cross-context behavioral tracking or sell Personal Data. Where we detect a GPC or equivalent universal opt-out preference signal, we will honor that signal as an opt-out of the sale or sharing of Personal Data, consistent with applicable state privacy laws, including the CCPA/CPRA. As the Service does not sell or share Personal Data for advertising purposes, this signal does not change our processing practices but is acknowledged and respected as required.
Users may manage cookie preferences through browser settings. Essential cookies required for authentication, security enforcement, and core platform functionality cannot be disabled without impairing the Service.
18. Children's Privacy
The Service is intended for use by professionals, exporters, manufacturers, compliance practitioners, and other individuals engaged in trade and regulatory activities. It is not directed to children.
We do not knowingly collect, solicit, or process Personal Data from individuals under the age of 18 (or the applicable age of digital consent in your jurisdiction, such as 16 under the GDPR or 13 under COPPA). If you are under the applicable age, you may not use or access the Service.
If we become aware that Personal Data has been collected from a child without appropriate authorization, we will take reasonable steps to delete such information promptly. If you believe that a child may have provided Personal Data through the Service, please contact us at ask@eccn.help.
19. Account Deletion and Data Removal
You may request deletion of your account at any time through the authenticated dashboard or by contacting us at ask@eccn.help.
19.1 Deletion Process
Account deletion requests are subject to identity verification and confirmation safeguards. Once confirmed, your account status will be transitioned to a deletion state; active sessions will be terminated; access to the dashboard and tools will be revoked; and account credentials will be disabled.
19.2 Data Removal Scope
Upon confirmed deletion, Personal Data associated with your account will be removed, anonymized, or restricted from active processing within 90 days, except where retention is required for legal or regulatory compliance obligations; security logging and fraud prevention; defense of legal claims; resolution of disputes; or internal audit or compliance documentation related to export control records.
19.3 Classification and Compliance Records
Certain classification records and license determination records may be retained in restricted, de-identified form for audit traceability and legal defense purposes, as described in the Data Retention section. Where retained, these records are anonymized or pseudonymized to remove direct personal identifiers.
19.4 Log and Security Records
Structured system logs are not automatically erased upon account deletion where retention is required for legitimate security or legal purposes. These logs are maintained under restricted access and retention controls and are subject to periodic review and rotation.
20. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, security practices, or business operations.
When we make material changes, we will update the "Last updated" date at the top of this page. Where required by applicable law, we will provide additional notice through email notification to registered users or a prominent notice on the Service. We will not make retroactive material changes to how we handle previously collected Personal Data without providing notice and, where required, obtaining consent.
Continued use of the Service after an updated Privacy Policy becomes effective constitutes acknowledgment of the revised terms, to the extent permitted by applicable law.
21. Contact Information
If you have questions about this Privacy Policy, wish to exercise any privacy rights, or have concerns about how your Personal Data is processed, please contact us:
ECCN.help
Email: ask@eccn.help
Website: https://eccn.help
We will make reasonable efforts to respond to privacy-related inquiries within the timeframes required by applicable law. Where identity verification is necessary, we may request reasonable documentation to confirm your identity before processing your request.
Privacy Policy | ECCN.help | Last updated: March 16, 2026