Techport
Result Architecture Evaluation Whitepaper
§ Legal
Privacy Policy

Privacy Policy.

Last updated: 19 April 2026

1. Introduction and Scope

TECHPORT TECHNOLOGIES LTD (“Techport”, “we”, “us”, “our”) is committed to the protection of personal data processed through the Legacy customs declarations platform (“the Platform”). This Privacy Policy sets out how we collect, process, store, and protect personal data in accordance with the UK General Data Protection Regulation (UK GDPR, as retained under the Data Protection Act 2018) and, where applicable to EU-based data subjects, the European Union General Data Protection Regulation (EU GDPR, Regulation 2016/679).

This Policy applies to all personal data processed in connection with the Platform, whether relating to account holders, their employees, or third parties whose data appears in trade documentation (consignors, consignees, declarants, representatives, and other parties to international trade transactions).

2. Data Controller

Data ControllerTECHPORT TECHNOLOGIES LTD
Company Number16868193
AddressOffice 157 Conductor, 8 Westfield Avenue, London E20 1NW, United Kingdom
General Enquiriesonboarding@techport.uk
Technical / Data Protectiontechnical@techport.uk
Phone+44 208 191 0609

3. Roles and Responsibilities

Techport operates in a dual capacity depending on the category of data processed:

  • Data Controller: For personal data relating to account registration, user authentication, Platform usage, and commercial relationships. We determine the purposes and means of processing this data.
  • Data Processor: For personal data contained within customs declarations and supporting trade documentation submitted by users. Users (as data controllers for their clients’ data) instruct us to process this data for the specific purpose of preparing, validating, and submitting customs declarations to HMRC.

Where we act as processor, we process personal data solely in accordance with the documented instructions of the controller and maintain appropriate data processing agreements in compliance with Article 28 UK GDPR / Article 28 EU GDPR.

4. Categories of Personal Data Collected

4.1 Account and Authentication Data

  • Full name, professional title, and role
  • Business email address and telephone number
  • Organisation name, registration number, and registered address
  • EORI number and customs intermediary licence details
  • Encrypted authentication credentials
  • Multi-factor authentication tokens

4.2 Declaration and Trade Data

Personal data processed within the three-layer architecture:

  • Extraction Layer: Names, addresses, and identification numbers of importers, exporters, consignors, consignees, and representatives as extracted from uploaded trade documents (invoices, bills of lading, packing lists, certificates of origin, AWBs)
  • Assembly Layer: EORI numbers, declarant identities, representative authorisation references, and contact details as assembled into CDS-compliant XML data elements
  • Provenance Layer: Attribution records linking each data element to its source document, confidence score, broker decision, and assembly rule. Provenance records may reference named individuals where their identity is a component of the declaration

4.3 Technical and Operational Data

  • IP addresses, device identifiers, and browser characteristics
  • Session identifiers and authentication timestamps
  • Platform interaction logs (pages accessed, features used, declarations processed)
  • Error logs and diagnostic data
  • Security event logs (login attempts, permission changes, data access records)

5. Purposes and Legal Bases for Processing

We process personal data for the following purposes, relying on the indicated legal bases under Article 6(1) UK GDPR / EU GDPR:

  • Performance of Contract (Article 6(1)(b)): Providing the Platform service, processing declarations, managing user accounts, and delivering evaluation access as agreed
  • Legal Obligation (Article 6(1)(c)): Compliance with UK customs regulations (including HMRC record-keeping requirements under the Customs Act 2018), anti-money laundering regulations, tax obligations, and data protection law
  • Legitimate Interests (Article 6(1)(f)): Platform security and integrity, fraud detection and prevention, service improvement and performance optimisation, and protection of Techport’s legal rights. We have conducted legitimate interest assessments for each such processing activity and concluded that our interests do not override data subjects’ fundamental rights
  • Consent (Article 6(1)(a)): Where required for specific processing activities not covered by the above bases, including optional communications and participation in research programmes. Consent may be withdrawn at any time without affecting the lawfulness of processing carried out prior to withdrawal

6. HMRC CDS Data Flows

A core function of the Platform is the submission of customs declarations to HMRC via the Customs Declaration Service (CDS) API. This involves the following data flows:

  • Outbound to HMRC: Assembled XML declarations containing personal data (declarant identity, EORI, representative details, consignor/consignee information) are transmitted to HMRC CDS via encrypted API connection. This transmission constitutes disclosure to a public authority for the purpose of customs administration.
  • Inbound from HMRC: HMRC responses (acceptance notifications, MRN allocation, rejection reasons, route notifications, and query requests) are received and stored within the Platform. These responses may contain or reference personal data.
  • Record retention: Both submitted declarations and HMRC responses are retained for the statutory period (minimum seven years) as required by UK customs record-keeping obligations.

The legal basis for HMRC data sharing is legal obligation (compliance with customs legislation) and performance of contract (the service you have engaged us to perform).

7. Data Sharing and Recipients

We disclose personal data to the following categories of recipients:

  • HM Revenue & Customs (HMRC): Customs declaration data submitted via CDS API in discharge of customs obligations
  • Infrastructure Providers: Cloud hosting and infrastructure services (processing on our behalf under data processing agreements with appropriate technical and organisational safeguards)
  • Professional Advisors: Legal counsel, auditors, and regulatory consultants where necessary for compliance, dispute resolution, or regulatory engagement
  • Regulatory and Law Enforcement Authorities: Where required by law, court order, or regulatory demand, or where necessary to protect Techport’s legal rights

We do not sell, rent, or trade personal data. We do not share personal data with third parties for their independent marketing purposes.

8. Cross-Border Data Transfers (UK-EU)

The Platform serves users established in both the United Kingdom and EU member states. Personal data may be transferred between UK and EU jurisdictions in the course of service delivery.

EU to UK transfers: The European Commission adopted an adequacy decision for the United Kingdom on 28 June 2021 (Commission Implementing Decision (EU) 2021/1772), renewed on 27 June 2025, recognising that the UK provides an adequate level of data protection. Transfers of personal data from the EU/EEA to the UK are conducted in reliance on this adequacy decision.

UK to EU transfers: The UK Government recognises EEA member states as providing adequate protection for personal data under UK GDPR. No additional transfer mechanism is required for UK-to-EU transfers.

Supplementary safeguards: Notwithstanding adequacy decisions, we implement supplementary technical and organisational measures including encryption in transit and at rest, access controls, and contractual commitments with all sub-processors to ensure the continued protection of transferred data.

Data is not transferred to jurisdictions outside the UK and EU/EEA unless strictly necessary, and where such transfer occurs, it is subject to appropriate safeguards including standard contractual clauses (SCCs) or binding corporate rules.

9. Data Retention

We retain personal data for no longer than necessary to fulfil the purposes for which it was collected, subject to mandatory retention obligations under UK customs regulations:

  • Customs declaration records and provenance data: Seven years from the date of declaration submission, as required by HMRC record-keeping obligations under the Customs Act 2018 and associated regulations
  • Supporting trade documentation: Seven years, aligned with declaration retention to enable retrospective audit and compliance verification
  • Account and registration data: Duration of the active account relationship plus two years following account closure, to address post-termination queries and obligations
  • Technical and security logs: Twelve months for operational and security purposes, or longer where required for ongoing investigation or regulatory compliance
  • Provenance and audit records: Co-terminus with declaration retention (seven years), as these records form an integral part of the regulatory compliance archive

Upon expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised.

10. Data Security

We implement technical and organisational measures appropriate to the risk, including:

  • Encryption of data in transit (TLS 1.2 minimum, TLS 1.3 preferred) and at rest (AES-256)
  • Role-based access controls with principle of least privilege
  • Multi-factor authentication for all administrative and broker accounts
  • Immutable audit logging of all data access, modification, and deletion events
  • Regular vulnerability assessments and penetration testing
  • Incident response procedures aligned with NCSC guidance
  • Secure development practices including code review and dependency scanning
  • Physical security controls at data centre facilities

Further detail on our security posture is available in our Security Policy.

11. Your Rights

Under UK GDPR and (where applicable) EU GDPR, you have the following rights in respect of your personal data:

  • Right of Access (Article 15): To obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data together with supplementary information about the processing
  • Right to Rectification (Article 16): To have inaccurate personal data corrected and incomplete data completed
  • Right to Erasure (Article 17): To request deletion of your personal data, subject to overriding legal obligations (including customs record-keeping requirements that may prevent erasure of declaration-related data during the statutory retention period)
  • Right to Restriction (Article 18): To request limitation of processing in specified circumstances
  • Right to Data Portability (Article 20): To receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller
  • Right to Object (Article 21): To object to processing carried out on the basis of legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests
  • Rights relating to automated decision-making (Article 22): The Platform does not make decisions based solely on automated processing that produce legal effects or similarly significant effects on individuals. Extraction confidence scores inform but do not determine outcomes; human review is required before submission.

To exercise any of these rights, contact us at technical@techport.uk. We will respond within one month of receiving your request, or within two months where the request is complex, in accordance with statutory timescales. We may request verification of identity before processing your request.

12. Cookies and Session Management

The Platform uses strictly necessary cookies for authentication, session management, and security purposes. These cookies are essential for the Platform to function and cannot be disabled without rendering the Service inoperable. No analytics, advertising, or third-party tracking cookies are deployed.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in our processing activities, legal requirements, or regulatory guidance. Material changes will be communicated by updating this page and revising the “Last updated” date. Where changes are significant, we will endeavour to notify registered users directly via email.

We encourage you to review this Policy periodically. Continued use of the Platform following publication of a revised Policy constitutes acknowledgement of the changes.

14. Contact and Data Protection Enquiries

For questions about this Privacy Policy, to exercise your data subject rights, or to raise any concern about our data processing practices:

General Enquiriesonboarding@techport.uk
Data Protectiontechnical@techport.uk
Phone+44 208 191 0609
AddressOffice 157 Conductor, 8 Westfield Avenue, London E20 1NW, United Kingdom

15. Supervisory Authority

If you are not satisfied with our response to a data protection concern, or if you believe our processing of your personal data infringes applicable data protection law, you have the right to lodge a complaint with the relevant supervisory authority:

UK Supervisory AuthorityInformation Commissioner’s Office (ICO)
ICO Websiteico.org.uk
ICO Phone0303 123 1113

EU-based data subjects may alternatively lodge a complaint with the supervisory authority in their member state of habitual residence, place of work, or place of the alleged infringement.

Legacy.
Techport Technologies Limited United Kingdom
onboarding@techport.uk

Model

  • Economics
  • Legislation
  • Audit

Evidence

  • 9,250 preparations
  • Architecture
  • Evaluation phases

Company

  • Whitepaper
  • Terms
  • Privacy
  • Security

Access

  • Register
  • Request access
  • Eligibility
© 2026 Techport Technologies Limited. All rights reserved.
Evaluation · Rev. 2026.04 · Admission limited