Privacy Policy

Last updated: [DATE]

Template notice. This is a template, not legal advice. Complete every [PLACEHOLDER] and have a UK/EU data-protection solicitor review it before publishing.

This Privacy Policy explains how [COMPANY LEGAL NAME] ("we", "us") collects and uses personal data when you use dppespr.com (the "Service"). We process personal data in accordance with the UK GDPR, the EU GDPR and the Data Protection Act 2018.

1. Who we are

Data controller: [COMPANY LEGAL NAME], [REGISTERED ADDRESS]. ICO registration number: [ICO NUMBER]. Data protection contact: [PRIVACY EMAIL].

2. Controller and processor roles

For account and billing data and passport scan analytics, we act as a data controller. For personal data that our customers include within their product passports or support messages, our customers are the controller and we act as a processor on their behalf under our agreement with them.

3. What we collect

Category	Examples
Account data	Company name, email address, hashed password, VAT/EORI number, subscription tier and status
Passport content	Product, material, certificate, supply-chain, environmental and custom-attribute data you submit (may contain personal data if you include it)
Support data	Ticket subjects and messages you send us
Scan analytics	When a passport QR is opened: IP address, approximate location (city/region/country), device type, operating system, browser and timestamp
Demo enquiries	Name, corporate email and company name submitted to request a demo
Payment data	Processed by our payment providers; we receive transaction status and identifiers but do not store full card numbers
Technical/security	Server logs and security-related metadata

4. How and why we use it (lawful bases)

To provide the Service (accounts, passports, hosting, QR resolution) — performance of a contract.
Scan analytics, security, fraud prevention and service improvement — our legitimate interests (and our customers' legitimate interests) in understanding passport usage and protecting the platform.
Payments and renewals — performance of a contract and compliance with legal obligations.
Communications (transactional emails such as password resets and demo links) — performance of a contract and legitimate interests.
Legal and accounting obligations — compliance with a legal obligation.

Where we rely on legitimate interests, you may object (see section 8).

5. AI processing

Certain features (certificate extraction, compliance audit, circularity text, environmental scoring) send the relevant product and document text to our AI provider, [OpenAI], for processing. Do not submit personal data into these features unless necessary. [OpenAI] processes this data under its own terms and as our sub-processor.

6. Sharing and sub-processors

We share personal data with service providers who help us run the Service, including:

Provider	Purpose	Location
[HOSTING PROVIDER]	Server hosting and storage	[REGION]
[OpenAI]	AI features	United States
Revolut / PayPal	Payment processing	[REGION]
Content delivery networks (unpkg, Cloudflare, Tailwind CDN)	Serving front-end libraries; may process IP addresses	Global

Location data is derived locally on our servers using an on-device geolocation database; we do not send scan IP addresses to a third-party geolocation service. We do not sell personal data.

7. International transfers

Some providers (e.g. [OpenAI]) are located outside the UK/EEA. Where personal data is transferred internationally, we rely on appropriate safeguards such as the UK International Data Transfer Agreement / Addendum or EU Standard Contractual Clauses. [Confirm with each provider.]

8. Your rights

Subject to applicable law, you have the right to access, rectify, erase, restrict or object to processing, to data portability, and to withdraw consent where processing is based on consent. To exercise these rights contact [PRIVACY EMAIL]. Where we act as a processor for passport/support data, requests from individuals are directed to the relevant customer (controller). You may also complain to the UK Information Commissioner's Office (ico.org.uk) or your local supervisory authority.

9. Retention

Data	Retention
Passport content	For the duration of the subscription, plus a 90-day grace period after lapse or cancellation, then deleted
Account data	Deleted within [90] days of account closure (subject to legal-retention exceptions)
Scan analytics	Retained for [14 months], then deleted or anonymised
Support tickets	[24 months] from resolution
Invoicing / tax records	Up to 6 years, or as otherwise required by applicable Bulgarian and UK accounting / tax law
Backups	Daily backups retained approximately [35 days] then overwritten

10. Security

We use technical and organisational measures including encryption in transit (HTTPS), hashed passwords (bcrypt), access controls, rate limiting and routine backups. No system is completely secure; we cannot guarantee absolute security.

11. Children

The Service is intended for businesses and is not directed at children.

12. Changes

We may update this policy and will post the new version here with an updated date; material changes will be notified.

13. Contact

[COMPANY LEGAL NAME], [REGISTERED ADDRESS]. Email: [PRIVACY EMAIL].