Privacy Policy

Last updated: June 12, 2026

This Privacy Policy explains how eFile CPSC ("we", "us") collects, uses, and protects information when you use our website and our CPSC eFiling service (the "Service").

Information we collect

Account information — your name, email address, company name, and role, provided when an account is created for you or when you accept an invitation.
CPSC credentials — the CPSC eFiling API token and secret your company connects so we can file on your behalf. These are encrypted at rest with keys bound to your company and are never shown back, shared, or used for any other company's filings.
Compliance data — the products, factories, lab test reports (including uploaded PDFs), and certificates you add to the Service.
Demo and contact requests — the name, company, email, phone, and message you submit through our demo or contact forms.
Security and usage logs — sign-in events, IP address, browser type, and an audit trail of actions taken in your account.

How we use it

To operate the Service: reading your lab reports, preparing certificates, and filing them to the CPSC eFiling registry at your direction.
To secure accounts: two-factor authentication, brute-force protection, and audit logging.
To respond to demo and support requests.
We do not sell your data, and we do not use one company's data for any other company.

Data isolation

The Service is multi-tenant by design: every record is scoped to your company, credentials are encrypted with company-bound keys, and no customer can access another customer's data. Our staff do not have standing access to your data; any support access is explicit, time-limited, and audit-logged.

Where data lives; sharing

The Service runs on Cloudflare's global infrastructure, with data processed and stored in the United States. Uploaded PDFs are stored in private object storage; structured data is stored in our database. We share data only with: (a) the U.S. Consumer Product Safety Commission's eFiling system, at your direction; (b) the customs broker or other recipients your company designates; and (c) service providers that help us run the Service (currently Cloudflare for hosting/storage and Resend for transactional email), each bound to use it only to provide their service to us. We maintain a current sub-processor list. We do not sell or rent personal information, and we do not share it for cross-context advertising.

Security

We protect data with industry-standard measures: TLS encryption in transit, encryption at rest, company-bound encryption keys for CPSC credentials, mandatory two-factor authentication, brute-force lockouts, strict tenant isolation enforced in code and verified by automated tests, and audit logging. See our Security & Trust page for the full picture, including our responsible-disclosure policy. No system is perfectly secure; if we learn of a breach affecting your data, we will notify your account email without undue delay and as required by law.

International data transfers

The Service is operated from and hosted in the United States, and your data is transferred to and processed there. Where applicable data-protection law requires safeguards for international transfers — for example, for customers in the EEA, the United Kingdom, or Switzerland — we rely on appropriate transfer mechanisms such as the European Commission's standard contractual clauses (and the UK and Swiss equivalents), which we will enter into with your company on request as part of its agreement with us.

Legal disclosures

We may disclose information if required by law, subpoena, or court order, to enforce our Terms of Service, or to protect the rights, safety, or property of our users, the public, or the Service. If eFile CPSC is involved in a merger, acquisition, or sale of assets, your data may be transferred as part of that transaction under the same protections in this policy, and we will notify you of any change in ownership.

Cookies

We use only essential cookies: a signed session cookie that keeps you logged in and an optional "remember this device" cookie for two-factor authentication. We do not use advertising or cross-site tracking cookies.

Retention and deletion

We keep your data while your account is active. You can delete products, reports, and uploaded PDFs at any time from the app. If your company stops using the Service, contact us and we will delete your company's data, including stored credentials, except where we must retain records to comply with law, resolve disputes, or enforce agreements (security and audit logs are retained for a limited period for these purposes).

Your choices and rights

You can update your account details, rotate your CPSC credentials, change your password, and regenerate backup codes at any time in Settings. Depending on where you live, you may have rights to access, correct, delete, or receive a copy of your personal information; to exercise them, contact us and we will respond as required by applicable law. We will not discriminate against you for exercising these rights.

Children

The Service is a business tool and is not directed to children. We do not knowingly collect personal information from anyone under 16; if you believe a child has provided us information, contact us and we will delete it.

Changes

If we make material changes to this policy, we will update this page and the date above and, where appropriate, notify your account email.

Contact

Questions about this policy? Contact us.