1. Introduction
LandedCost.co ("we", "us", "our") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data when you use our platform at landedcost.co and related services.
We are the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the Data Protection Act 2018. If you have any questions about this policy, please contact us at hello@landedcost.co.
2. Information We Collect
We collect the following categories of personal data:
Account Information
Name, email address, and password (securely hashed by Supabase Auth) when you create an account. Authentication is handled via email and password through Supabase Auth. We may also collect your company name and job title if provided.
Business Data
Shipment details, product information, cost data, supplier information, and other data you enter while using the platform. This data belongs to you and is processed solely to provide the service. Your data is isolated from other users via Row Level Security (RLS) policies on our database.
Payment Information
If you subscribe to a paid plan, payment is processed by Stripe. We do not store your full card number, CVV, or other sensitive payment details on our servers. Stripe may collect billing address and payment method details as described in their privacy policy.
Usage & Analytics Data
We use PostHog (proxied through our own domain via /ingest/) to collect anonymised usage data including pages visited, feature usage patterns, and performance metrics. PostHog data is used solely to improve the platform. IP addresses may be collected but are not used for tracking individual users.
Cookies & Local Storage
We use cookies for authentication session management (Supabase Auth tokens), analytics (PostHog), and user preferences. Essential cookies are required for the platform to function. Analytics cookies help us understand how the platform is used. See Section 13 below for full cookie details.
3. Legal Basis for Processing
We process your personal data on the following legal bases under UK GDPR and EU GDPR:
- Contract performance — Processing necessary to provide the platform services you have signed up for, including account management, cost calculations, payment processing, and data storage.
- Legitimate interests — Improving and securing our platform, analysing usage patterns (via PostHog analytics), preventing fraud, and communicating service updates.
- Legal obligation — Complying with applicable laws, regulations, and lawful requests from authorities.
- Consent — Where required, such as for marketing communications or non-essential cookies. You may withdraw consent at any time.
4. How We Use Your Information
- Providing and maintaining the platform, including landed cost calculations, exchange rate lookups (via frankfurter.app), and report generation.
- Authenticating your identity via Supabase Auth and managing your account.
- Processing subscription payments via Stripe.
- Sending transactional emails (account verification, password resets, security alerts) via our custom SMTP service from hello@landedcost.co.
- Analysing platform usage via PostHog to improve features, fix bugs, and optimise performance.
- Protecting against unauthorised access, fraud, and abuse through rate limiting and input validation.
- Complying with legal obligations and responding to lawful requests.
We do not sell, rent, or share your personal data or business data with third parties for marketing purposes.
5. Third-Party Service Providers
We use the following third-party services to operate the platform. These providers process data on our behalf under data processing agreements where applicable:
| Provider | Purpose | Data Processed |
|---|---|---|
| Supabase | Authentication (email+password) & PostgreSQL database hosting | Account credentials (hashed), all platform data |
| Vercel | Application hosting & CDN | IP address, request logs |
| Stripe | Payment processing & subscription management | Billing details, payment method, transaction history |
| PostHog | Product analytics (proxied via /ingest/) | Anonymised usage events, page views, feature interactions |
| frankfurter.app | Exchange rate data (European Central Bank source) | No personal data sent — public API for currency rates |
| Custom SMTP | Transactional email delivery (hello@landedcost.co) | Email address, message content |
6. Data Storage & Security
Your data is stored securely using industry-standard measures:
- All data transmitted between your browser and our servers is encrypted using TLS (HTTPS).
- Database storage is encrypted at rest on Supabase-hosted PostgreSQL with SSL connections enforced.
- Passwords are hashed using bcrypt via Supabase Auth and are never stored in plaintext.
- Row Level Security (RLS) policies ensure each user can only access their own data at the database level.
- Database access is restricted to a dedicated application role with minimum required privileges.
- API endpoints are protected by rate limiting, Zod input validation, and authentication checks.
- Payment data is handled entirely by Stripe and never touches our servers.
7. Your Rights
Under UK GDPR and EU GDPR, you have the following rights regarding your personal data:
- Right of access — Request a copy of the personal data we hold about you.
- Right to rectification — Request correction of inaccurate personal data. You can update most information directly from your Settings page.
- Right to erasure — Request deletion of your personal data. Account deletion permanently removes your data within 30 days.
- Right to data portability — Request your data in a structured, machine-readable format. You can export your shipment and product data as CSV at any time from the dashboard.
- Right to restrict processing — Request that we limit how we process your data in certain circumstances.
- Right to object — Object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent — Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please email hello@landedcost.co. We will respond to your request within one month, as required by law. This period may be extended by two further months for complex requests, in which case we will inform you.
You also have the right to lodge a complaint with your local supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk. In the EU, contact your national data protection authority.
8. Data Retention
- Active accounts — We retain your data for as long as your account remains active and as necessary to provide the platform services.
- Deleted accounts — When you delete your account, all personal data and business data is permanently removed from our systems within 30 days. Backups containing deleted data are purged within 90 days.
- Analytics data — PostHog usage data is retained for up to 12 months and then automatically deleted.
- Server logs — Automatically collected request logs are retained for up to 90 days for security and diagnostic purposes, then permanently deleted.
- Payment records — Transaction records may be retained by Stripe in accordance with their data retention policy and applicable financial regulations.
- Legal obligations — We may retain certain data for longer periods where required by law (e.g., financial records for tax or regulatory compliance).
9. International Data Transfers
Our infrastructure providers (Supabase, Vercel, Stripe, PostHog) may process data outside the United Kingdom and European Economic Area. Where data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner and the European Commission, or transfers to countries with an adequacy decision.
10. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay via email.
11. Children's Privacy
Our platform is designed for business use and is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at hello@landedcost.co and we will promptly delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of any material changes by email or by posting a prominent notice on the platform. The "Last updated" date at the top of this policy indicates when it was last revised. We encourage you to review this policy periodically.
13. Cookies
We use the following types of cookies:
Essential Cookies
Supabase Auth session tokens required for authentication and secure access to the platform. These cannot be disabled as the platform will not function without them.
Analytics Cookies
PostHog analytics cookies (proxied via /ingest/) used to understand how the platform is used and to improve the user experience. These collect anonymised usage data.
Payment Cookies
Stripe may set cookies for fraud prevention and payment processing purposes when you interact with payment forms.
14. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data rights, or have a concern about how we handle your data, please contact us:
- Email: hello@landedcost.co
- Website: landedcost.co
- Contact form: Contact page