HC Customs is a UK post-clearance customs compliance platform designed for importers and customs brokers. It connects directly to HMRC CDS via OAuth2, allowing businesses to reconcile declarations, build audit defence evidence, track IP/OP inventory, and manage duty drawback claims.

How long does HMRC have to audit a customs declaration?

HMRC has up to 4 years to query any import declaration under post-clearance amendment rules. HC Customs retains your compliance evidence for the full 4-year audit window.

Does HC Customs integrate with HMRC CDS?

Yes. HC Customs connects directly to the HMRC Customs Declaration Service (CDS) via OAuth2, pulling live declaration data so you can reconcile every MRN against your own records in real time.

What is a Customs Clearance Instruction (CCI)?

A CCI is a structured PDF instruction issued to your customs agent specifying incoterm, customs value, commodity code, and procedure. HC Customs automatically checks whether the HMRC declaration matches what you instructed, creating an instant audit trail.

Privacy Policy — HC Customs Compliance Portal

1. Who We Are

HC Customs Ltd operates the HC Customs Compliance Portal ("the Portal"), a software-as-a-service platform designed to help UK importers, exporters and customs intermediaries manage post-clearance compliance, audit defence and HMRC correspondence. We are the data controller for personal data processed through the Portal.

Contact: For any data protection enquiries, please email privacy@hc-customs.com.

2. Data We Collect

Account data

Email address and authentication credentials used to sign in to the Portal. We use Supabase Auth; passwords are hashed and never stored in plain text.

Customs declaration data

MRNs, EORI numbers, procedure codes, customs values, goods descriptions, trader names, and other fields you enter or upload via OCR. This data may include personal details of traders and third parties.

HMRC CDS data

Report data you import from HMRC's Customs Declaration Service (CDS), including duty figures, VAT amounts, and declaration metadata.

Uploaded documents

Commercial invoices, packing lists, bills of lading, and other trade documents you upload for reconciliation and audit defence.

HMRC correspondence

Details of audit notifications, C18 demands, query letters and penalty notices you log in the Correspondence Tracker.

Usage and technical data

Log data, browser type, IP address, and interaction data collected automatically when you use the Portal.

3. How We Use Your Data

To provide and operate the Portal, including declaration management, audit defence scoring, CDS data reconciliation, and IP/OP inventory tracking
To process documents via AI-assisted OCR (using Anthropic's Claude API) to auto-populate declaration fields — documents are processed in real time and not stored by Anthropic beyond the API request
To generate compliance alerts and audit readiness reports
To send email notifications related to your account or compliance deadlines (where you have opted in)
To comply with our own legal obligations, including maintaining records for tax and audit purposes
To improve and develop the Portal based on anonymised usage analytics

4. Legal Basis for Processing

Processing Activity	Legal Basis (UK GDPR)
Operating the Portal and providing services	Contract (Art. 6(1)(b))
Compliance alert generation and audit scoring	Legitimate interests (Art. 6(1)(f))
AI-assisted OCR processing of uploaded documents	Contract / Legitimate interests
Sending service notifications	Contract / Consent
Fraud prevention and security monitoring	Legitimate interests
Improving the Portal via analytics	Legitimate interests (anonymised)

5. Data Sharing and Third Parties

We do not sell your data. We share data only with the following sub-processors:

Supabase

Database, authentication, and file storage

EU / AWS

Vercel

Application hosting and edge network

EU / USA

Anthropic

AI-assisted OCR — document content sent per request only

USA

We may also disclose data where required by law, including to HMRC, law enforcement, or courts in response to lawful requests.

6. Data Retention

We retain data in accordance with HMRC record-keeping requirements under Notice 12A and the Customs and Excise Management Act 1979:

Customs declaration records — 6 years from the date of customs clearance
Uploaded trade documents — 6 years from the related declaration date
Account and profile data — for the duration of your subscription plus 12 months
Technical logs — 90 days rolling

7. Your Rights

Under UK GDPR, you have the following rights:

Right of access

Request a copy of the personal data we hold about you

Right to rectification

Ask us to correct inaccurate or incomplete data

Right to erasure

Request deletion of your data where no legal obligation to retain it exists

Right to restrict processing

Ask us to pause processing in certain circumstances

Right to data portability

Receive your data in a structured, machine-readable format

Right to object

Object to processing based on legitimate interests

To exercise any right, email privacy@hc-customs.com. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Security

We implement appropriate technical and organisational measures to protect your data, including TLS encryption in transit, AES-256 encryption at rest, Row Level Security (RLS) ensuring users can only access their own data, and regular security reviews. In the event of a personal data breach, we will notify you and the ICO as required by law.

9. Cookies

The Portal uses strictly necessary cookies for authentication (Supabase session cookies) and does not use third-party advertising or tracking cookies. No cookie consent banner is required for strictly necessary cookies under UK PECR.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified via email or an in-portal notification at least 14 days before taking effect. Continued use of the Portal after that date constitutes acceptance.