1. Who we are
LandedHQ is operated by LandedHQ Ltd, a company registered in Northern Ireland (Company No. NI741237), with a registered office at 294 The Hollows, Craigavon BT66 7WW.
LandedHQ Ltd is the data controller for the personal data you provide when using this website and the LandedHQ service. This means we determine how and why your personal data is processed.
We are registered with the Information Commissioner's Office (ICO). Our ICO registration number will be displayed here once registration is complete.
If you have any questions about how we handle your personal data, contact us at privacy@landedhq.co.uk.
2. What data we collect
2.1 Account information
When you create a LandedHQ account, we collect:
- Your email address
- Your full name (optional at signup, may be added in Settings)
- Your business name (optional)
- Your password (stored as a one-way cryptographic hash — we cannot see your actual password)
2.2 Product and calculation data
When you use the LandedHQ calculator or save products to your library, we store:
- Product names, SKUs, descriptions, and categories you enter
- Supplier names and origin countries you provide
- Costs, quantities, and selling prices you enter
- Calculated duty rates and landed costs (results of calculations)
- Commodity codes associated with your products
This data belongs to you. It is used solely to operate the service — to show you your product library, generate reports, and send you rate-change alerts. We do not use it for any commercial profiling or advertising purpose.
2.3 Payment information
When you purchase a subscription, payment is processed by Stripe, Inc. We do not see or store your full card number, CVV, or other sensitive payment details. Stripe shares with us only your billing name, address, and a masked card reference (e.g. •••• 4242) for display in your account.
2.4 Usage data
We collect information about how you use LandedHQ, including:
- Pages visited and features used
- Date and time of access
- Browser type and version
- Operating system
- IP address (used for security and fraud prevention, not for identification or advertising)
2.5 Communications
When you contact us by email or reply to a system email, we retain that correspondence to help us respond and to improve the service.
2.6 Data you do not provide
We do not collect any special category data (health, ethnicity, political views, etc.). We do not collect data from children — the LandedHQ service is intended for business use by people aged 18 and over.
3. Why we process your data — lawful basis
| Purpose | Data used | Lawful basis |
|---|---|---|
| Creating and managing your account | Email, name, password | Contract performance |
| Providing the calculator and product library | Product data, costs, calculations | Contract performance |
| Processing subscription payments | Billing details (via Stripe) | Contract performance |
| Sending transactional emails (receipts, alerts, password resets) | Email address | Contract performance |
| Sending marketing emails (weekly summaries, product updates) | Email address | Legitimate interest / consent |
| Detecting and preventing fraud and abuse | IP address, usage data | Legitimate interest |
| Complying with legal obligations (e.g. tax records) | Billing records | Legal obligation |
| Improving the product and understanding usage patterns | Anonymised usage data | Legitimate interest |
Legitimate interest: Where we rely on legitimate interest as our lawful basis, we have assessed that our interest does not override your rights and freedoms. You can object to processing based on legitimate interest at any time — see Section 6.
4. Third parties we share data with
We do not sell your personal data. We share it only with the following service providers who process it on our behalf:
| Provider | Purpose | Location | Privacy policy |
|---|---|---|---|
| Supabase Inc. | Database and authentication hosting | EU (AWS Frankfurt) | supabase.com/privacy |
| Stripe, Inc. | Payment processing and subscription management | USA (EU data stored in EU) | stripe.com/gb/privacy |
| Anthropic, PBC | AI commodity code suggestions (your product description is sent to generate code suggestions) | USA | anthropic.com/privacy |
| Resend Inc. | Transactional email delivery | USA (EU data stored in EU) | resend.com/privacy |
| Railway Corp. | API server hosting | USA | railway.app/legal/privacy |
| Netlify, Inc. | Website hosting | USA (edge nodes globally) | netlify.com/privacy |
We may also disclose personal data if required to do so by law, by a court order, or to protect the rights and safety of LandedHQ, our users, or the public. We will notify you of any such disclosure where we are legally permitted to do so.
5. How long we keep your data
| Data type | Retention period | Reason |
|---|---|---|
| Account information (email, name) | Duration of account + 30 days after deletion request | Contract performance; time to action deletion |
| Product and calculation data | Duration of account | Needed to provide the service |
| Billing records and invoices | 7 years after transaction | Legal obligation (HMRC accounting records) |
| Support communications | 3 years | Legitimate interest (dispute resolution) |
| Usage/analytics data | 24 months (anonymised after 12 months) | Product improvement |
| Security logs (IP, access logs) | 90 days | Security monitoring and fraud prevention |
When you delete your account, we delete your personal data within 30 days except where we are required to retain it for legal reasons (primarily billing records). Anonymised, aggregated data derived from your usage (e.g. "X% of users calculate products from China") may be retained indefinitely as it cannot identify you.
6. Your rights under UK GDPR
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have the following rights:
Right of access
You can request a copy of all personal data we hold about you. We will respond within 30 days. In most cases you can access much of your data directly from your LandedHQ account settings.
Right to rectification
If any data we hold about you is inaccurate or incomplete, you have the right to have it corrected. You can update your name, email, and business name directly in Settings.
Right to erasure ("right to be forgotten")
You can request that we delete all personal data we hold about you. We will comply within 30 days except where we are required to retain data by law (e.g. billing records). You can initiate account deletion in Settings → Security → Delete my account.
Right to restrict processing
In certain circumstances (e.g. if you contest the accuracy of data we hold), you can request that we restrict how we use your data while the issue is resolved.
Right to data portability
You can request a machine-readable export of the personal data you have provided to us. Contact us at privacy@landedhq.co.uk.
Right to object
You have the right to object to processing based on legitimate interest, including direct marketing. You can unsubscribe from marketing emails using the link in any email we send, or in Settings → Notifications.
Rights related to automated decision-making
We do not make automated decisions that produce legal or similarly significant effects about you. Our AI commodity code suggestions are recommendations only — you remain in full control of any classification decisions.
How to exercise your rights
To exercise any of the above rights, email us at privacy@landedhq.co.uk with the subject line "Data Subject Request". We will respond within 30 days. We may ask you to verify your identity before processing the request.
Right to lodge a complaint
If you believe we have not handled your personal data lawfully, you have the right to complain to the Information Commissioner's Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Phone: 0303 123 1113
We would appreciate the opportunity to address your concern before you contact the ICO — please contact us first at privacy@landedhq.co.uk.
7. Security
We take reasonable technical and organisational measures to protect your personal data, including:
- All data transmitted between your browser and our servers is encrypted using TLS (HTTPS)
- Passwords are hashed using bcrypt — we cannot see your password
- Database access is restricted by row-level security policies — you can only access your own data
- Payment data is handled entirely by Stripe — we do not store card details
- Access to production systems is restricted to authorised personnel only
No method of transmission over the internet or electronic storage is 100% secure. If we become aware of a data breach that is likely to affect your rights, we will notify you and the ICO as required by UK GDPR.
8. Cookies
We use cookies and similar technologies on our website. For full details, see our Cookie Policy. You can manage your cookie preferences using the cookie consent banner on your first visit to the site.
9. International data transfers
Some of our service providers (including Anthropic and Railway) are based in the United States. When we transfer your personal data outside the UK, we ensure appropriate safeguards are in place, including:
- UK International Data Transfer Agreements (UK IDTAs), or
- The UK's adequacy regulations for countries the UK has approved, or
- Standard Contractual Clauses (SCCs) approved by the ICO
Where Supabase and Resend store EU/UK data within the EU, no international transfer occurs. You can request details of the specific transfer mechanisms we use by contacting privacy@landedhq.co.uk.
10. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address associated with your account) and update the "Last updated" date at the top of this page. We will give you at least 14 days' notice before material changes take effect, during which you may close your account if you do not agree with the changes.
Your continued use of LandedHQ after the effective date of any changes constitutes your acceptance of the updated policy.
11. Contact us
For any privacy-related questions, data subject requests, or concerns:
- Email: privacy@landedhq.co.uk
We aim to respond to all enquiries within 5 business days and to all formal data subject requests within 30 days.