Last updated: April 5, 2026
RefundDesk is a document preparation tool for licensed customs brokers, operated by RefundDesk. This policy explains what information we collect when you use RefundDesk, how we use it, and what rights you have over your data.
RefundDesk is built for licensed customs brokers filing IEEPA tariff refund protests under 19 U.S.C. §1514. The data you upload to RefundDesk includes commercial entry data belonging to your clients — importers of record. By using RefundDesk you represent that you are authorized to handle that data on your clients' behalf.
Account information: When you create an account we collect your name, business email address, and company EIN. Your company EIN is optional but recommended — it is used to identify your brokerage in generated protest filings.
Entry data: You upload CSV files containing customs entry data including entry numbers, entry dates, liquidation status, HTS codes, and duty amounts paid. This data belongs to your clients and is processed solely to generate protest filings on their behalf.
Generated documents: RefundDesk generates protest packets and entry schedule CSVs on your behalf. These are stored on secure servers and are available for download during your active account period.
Attestation records: When you attest to a filing batch your IP address, timestamp, and user agent string are captured as a compliance record. This record is immutable once created.
Usage data: We collect standard web analytics data including pages visited, time on site, device type, and referral source through Google Analytics.
To provide the service: Account information, entry data, and attestation records are used to generate CBP-compliant protest filings on your behalf.
To communicate with you: Your business email address is used to send account-related communications including password resets and filing confirmations. We use Resend to deliver these emails.
To understand how the product is used: We use Google Analytics to measure website traffic and user engagement. This data is aggregated and does not identify individual users.
To maintain compliance records: Attestation records including your IP address and timestamp are retained as immutable compliance documentation tied to each filing batch.
We do not sell your data. We do not use your data for advertising. We do not share your clients' entry data with any third party except as required to operate the service.
Account information: Retained for the lifetime of your account and deleted within 30 days of account closure upon request.
Uploaded CSV files and generated documents: Retained for the duration of your active account. Upon account closure, data is deleted within 30 days upon written request to privacy@crossborderos.net.
Attestation records: Retained indefinitely as immutable compliance documentation. These records cannot be deleted as they serve as the legal record of your attestation.
Usage data: Google Analytics data is retained for 14 months per Google's default retention settings.
Amazon Web Services (AWS): Our application and database run on AWS infrastructure. AWS stores all account data, entry data, generated documents, and attestation records on servers located in the United States.
Resend: We use Resend to deliver transactional emails including password resets and account confirmations. Resend receives your business email address solely for the purpose of delivering these messages.
Google Analytics: We use Google Analytics to measure website traffic and user engagement on our landing page. Google Analytics collects standard web analytics data including pages visited, time on site, device type, browser, approximate location, and referral source. You can opt out at tools.google.com/dlpage/gaoptout.
We do not use advertising networks, data brokers, or marketing platforms. We do not sell or share your data with any third party beyond those listed above.
If you are a California resident, the California Consumer Privacy Act (CCPA) gives you the following rights:
We will respond to verifiable requests within 45 days. We will not discriminate against you for exercising your privacy rights.
RefundDesk is operated from the United States. If you are accessing RefundDesk from outside the United States — including from Canada, Mexico, the European Union, Japan, or Australia — your data will be transferred to and processed in the United States.
We respect applicable privacy frameworks including GDPR, CCPA, PIPEDA, and LFPDPPP. Regardless of your location, you may exercise the following rights by contacting us at privacy@crossborderos.net:
We will respond to all verifiable requests within 45 days.
Essential cookies: Required for the application to function. These include your session cookie which keeps you logged in. These cannot be disabled without breaking the application.
Analytics cookies: We use Google Analytics which sets cookies to measure website traffic and user behavior on our landing page. These cookies collect anonymized data and do not identify you personally. You can opt out at tools.google.com/dlpage/gaoptout or by declining cookies when prompted.
We do not use advertising cookies, retargeting cookies, or any tracking technology beyond those listed above.
For privacy-related requests, questions, or concerns contact us at:
privacy@crossborderos.net
CrossBorder OS
San Francisco, California
United States
We will respond to all inquiries within 45 days.