Privacy Policy

Last updated: May 4, 2026

LC Pilot (“we”, “us”) is operated by LC Pilot, PO Box 134, Inglefield IN 47618, United States. This policy explains what personal data we collect, why, who we share it with, how long we keep it, and the rights you have.

Information We Collect

Anonymous use of the calculator

You can use the public landed-cost calculator without an account. Calculation inputs are processed server-side and not associated with any identity beyond standard request logs (IP address, user agent, timestamp) retained for security and rate-limiting purposes.

Account holders

When you create an account we collect your email address and full name. If you sign up via Google we additionally receive your Google account ID and profile photo URL. If you subscribe to a paid plan, payment processing is handled by Stripe — we never receive or store full card numbers (Stripe Radar may collect IP, browser fingerprint, and device data for fraud-prevention; see Stripe’s policy).

Shopify integration

If you connect a Shopify store, we receive product data (titles, descriptions, prices, variants, images, inventory levels) needed to compute landed cost and margin, plus the store’s domain, plan name, and an OAuth access token. We do not receive customer or order data. We register the three GDPR-mandated webhooks (customers/data_request, customers/redact, shop/redact) and act on them within 30 days of receipt.

Backend data we hold about your activity

We store the following categories of data tied to your account so the product can function:

• Saved calculations — every save you make: HS code, country of origin, costs, margins, the full tariff-line breakdown, and any AliExpress URL you pasted.
• Saved products / price alerts — AliExpress products you bookmark or set price thresholds on.
• Tariff alerts & notifications — alert subscriptions you create plus the email-delivery records.
• Shopify product snapshots and import history — for users with a connected store.
• Affiliate-click attribution log — when you click an outbound “Buy on AliExpress” link, we record the product ID, click context (calculator, concierge, dashboard, etc.), the calculated landed cost at that moment, and the timestamp. Used for commission attribution and product scoring.
• HS-code feedback / classification cache — short-text feedback you submit on classifications, plus a cache of past AI classifications keyed on product description hash.
• Email-drip state — which onboarding emails you’ve received, when, and your unsubscribe status.
• Audit log — security-relevant events (logins, password resets, billing events, account deletion). Each event records your user ID, IP address, user agent, the action, and a timestamp. Used for fraud prevention and incident forensics.
• Anonymous-usage tables & cache — request and rate-limit counters keyed by IP for unauthenticated traffic; AliExpress search and product caches that may include product URLs you pasted.

Cookies, analytics, and similar technologies

We use first-party analytics to understand how the calculator is used:

• Google Analytics 4 (Measurement ID G-XWERWV38CC) — page paths, referrer, anonymized IP-derived approximate location, user agent, and event interactions. We use Google Consent Mode v2: by default, analytics cookies are denied until you accept on the cookie banner. We do not run advertising features (ad personalization, ad user data, ad storage) — those are denied unconditionally.
• Vercel Analytics — privacy-preserving page-view metrics from our hosting provider. Loaded only after you accept analytics on the cookie banner.
• Authentication and security cookies — set by Supabase Auth and our session middleware. Required for the site to function; not affected by the analytics toggle.
• Stripe billing cookies — set during checkout and customer-portal sessions by Stripe (third-party).
• Shopify session cookies — set when you launch the embedded admin from your Shopify store (third-party).

You can change your analytics preference anytime at Your Privacy Choices.

How We Use Your Information

We use your information to operate LC Pilot: storing your calculation history, classifying products via AI, computing landed costs and tariff alerts, processing payments, sending account/billing/onboarding email, attributing affiliate commissions, and detecting and preventing abuse. We do not use your data for advertising, profiling, or third-party marketing.

Sub-Processors

We share limited data with the following service providers to operate LC Pilot. Each is bound by its own privacy and data-processing terms:

• Supabase (United States, AWS) — PostgreSQL database + authentication. All account data lives here. Supabase Privacy Policy.
• Vercel (United States) — hosts the web application; processes all inbound requests; provides Vercel Analytics. Standard request logs (IP, user agent, path) retained for operational use. Vercel Privacy Policy.
• Stripe (United States) — subscription billing. Stripe receives name, email, billing address, payment-method details, IP, browser fingerprint, and device data for fraud prevention (Stripe Radar). We never receive full card numbers. Stripe Privacy Policy.
• OpenAI (United States) — HS-code classification + AI Concierge. Product titles, descriptions, and full Concierge conversation context sent during a session. Per OpenAI’s API policy, data submitted via the API is not used to train models and retained for up to 30 days for abuse monitoring, then deleted. OpenAI Privacy | API Data Usage.
• Google (Analytics) (United States, EU) — Google Analytics 4 receives page-view + event data after you accept analytics cookies. We have IP anonymization and Consent Mode v2 enabled; advertising features (ad personalization, ad user data) are off. Google Privacy Policy.
• AliExpress (Alibaba Group) (China / Singapore) — when you click a Buy CTA, you are redirected to AliExpress and the click is logged via Alibaba’s affiliate platform. AliExpress independently controls what data they collect on their site. AliExpress Privacy.
• Resend (United States) — transactional and onboarding email (welcome, alerts, receipts). Resend receives your email address and message content. Resend Privacy Policy.
• Upstash (United States) — Redis caching for rate-limit counters and tariff-rate caching. No identifying account data is stored in Upstash. Upstash Privacy.
• Shopify (Canada) — when you install via the Shopify App Store, Shopify shares your store domain, plan, and an OAuth token scoped to product/listing data. Shopify Privacy.
• USITC (United States, public agency) — anonymous HS-code lookups against the public Harmonized Tariff Schedule API. No account data is sent.

We do not sell your personal information, and we do not share data with these sub-processors for any purpose other than operating LC Pilot on your behalf.

International Data Transfers

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, your personal data is transferred to the United States and other countries where our sub-processors operate. We rely on the European Commission’s Standard Contractual Clauses (SCCs) and our sub-processors’ Data Processing Addenda as our transfer mechanism. We do not engage in any onward transfer outside this set of providers.

Data Retention

We retain personal data only for as long as necessary to operate the service, to comply with legal obligations, or to resolve disputes. Specific retention windows:

• Saved calculations, products, alerts: while account is active; permanently deleted within 14 days of account deletion.
• Audit log (security events): 180 days, then deleted. Severity-tagged “critical” events retained up to 2 years.
• Affiliate click log: up to 18 months for commission reconciliation, then deleted or aggregated to anonymous totals.
• HS-classification cache: 90 days per cache row.
• AliExpress product/search cache: up to 7 days.
• Email-drip state: hard-deleted on account deletion.
• Stripe payment records: retained by Stripe for at least 7 years (US tax-record requirements).
• Data sent to OpenAI: retained by OpenAI for up to 30 days per their API policy.

Your Rights

Depending on your location, you have rights under the EU/UK GDPR, the California CCPA/CPRA, and similar state laws (Virginia, Colorado, Connecticut, Utah). You may:

• Access / export your data anytime (Settings → Export My Data, or via /api/profile/export when signed in).
• Correct or restrict your data — edit name/email in Settings, or email support@lcpilot.com.
• Delete your account immediately from Settings → Delete Account. Deletion revokes sub-processor access tokens and removes all account data within 14 days.
• Opt out of analytics via the cookie banner or at Your Privacy Choices.
• Lodge a complaint with your local supervisory authority. EU/UK residents: your national DPA. California: California Privacy Protection Agency.

We respond to all access/deletion requests within 14 days. We will not deny service, charge a different price, or provide a different level of service if you exercise any of these rights (CCPA non-discrimination).

California Privacy Rights (CCPA / CPRA)

California residents have specific rights under the California Consumer Privacy Act and California Privacy Rights Act. We affirm:

• We do not sell personal information.
• We do not share personal information for cross-context behavioral advertising.
• We honor Global Privacy Control (GPC) signals automatically — if your browser sends a GPC signal, we treat it as an opt-out request.
• You may exercise any CCPA right via support@lcpilot.com or Your Privacy Choices.

Children Under 13 (COPPA)

LC Pilot is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you become aware that a child has provided us with personal information, please contact us at support@lcpilot.com and we will promptly delete it. The service is intended for users 18 years of age or older per our Terms of Service.

Do Not Track

We do not currently respond to browser-level “Do Not Track” signals because there is no industry consensus on how to interpret them. We do honor the GPC signal as an opt-out from sale/sharing under California law (described above).

Data Security & Breach Notification

Your data is stored with industry-standard encryption at rest and in transit (HTTPS / TLS 1.2+), row-level security policies, and principle-of-least-privilege access controls. In the event of a personal-data breach affecting your data, we will notify you and the relevant supervisory authorities within 72 hours of confirming the breach, as required by GDPR Article 33 and applicable US state breach-notification laws.

Changes to This Policy

We may update this policy from time to time to reflect changes in the service or legal requirements. Material changes will be communicated via email to active account holders and reflected in the “Last updated” date at the top.

Contact

For privacy questions, requests under GDPR/CCPA, or any other data-related inquiry, contact us at support@lcpilot.com or by mail at LC Pilot, PO Box 134, Inglefield IN 47618, USA.