Last updated: 17 November 2025

Controller: DigiProPass Ltd (trading as “DigiProPass”)

Registered address: 124 City Road, London, EC1V 2NX

Privacy contact: support@digipropass.com

Data protection supervisory authority: For EU users: your local supervisory authority

DigiProPass is committed to complying with the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK-GDPR), and the Data Protection Act 2018.

This Privacy Policy explains how we process personal data as a controller under these laws.

1. What Personal Data We Collect

DigiProPass collects only the personal data necessary to provide our Digital Product Passport (DPP) platform, support our customers, and meet legal and regulatory obligations.

Data provided by brands (our customers)

We collect standard business and account information, including contact details, company registration data, billing details, account credentials, and user-role assignments. We also process designated product-owner contacts who manage DPP-related product data.

Data collected when consumers scan or interact with a DPP

When a consumer scans a QR code or accesses a DPP portal, we collect interaction metadata such as scan time, QR identifier, product ID, IP address, device and browser information, language preferences, referral URL, and—only when explicitly enabled—approximate geolocation.
If consumers choose to engage in optional services (e.g., repair registration, warranty, resale listings, or newsletters), they may provide contact details or other voluntary information.

Website and marketing data

We collect cookies, analytics identifiers, contact-form messages, and marketing preferences according to consent.

Support and transactional data

We process support tickets, communication logs, and financial records. Payment card details are handled securely by our payment processor; we retain only partial data (e.g., last four digits) and transaction references.

2. Legal Bases for Processing (EU/UK GDPR)

We process personal data using the following lawful bases:

• Contract performance – delivering the DPP Service, managing accounts, enabling product access, and handling billing.

• Legal obligation – complying with regulatory requirements (including ESPR/DPP rules), accounting laws, and lawful requests.

• Legitimate interests – enhancing platform security, detecting fraud, improving our Service, and supporting non-invasive analytics. Data subjects may object to these activities.

• Consent – required for marketing emails, non-essential cookies, and any optional features that involve direct consumer engagement.

3. How We Use Personal Data

We use personal data to:

• Operate, deliver, and maintain the DigiProPass platform.

• Present product information to consumers and support repair, resale, recycling, and warranty workflows.

• Comply with regulatory audits and retention obligations under ESPR and other laws.

• Secure the Service, detect fraud, and resolve technical issues.

• Administer billing, invoicing, and financial compliance.

• Communicate service-related updates and marketing messages when consent is given.

• Produce aggregated and anonymized analytics that do not identify individuals and may be shared to improve the Service or inform partners.

4. Data Retention

We retain personal data only as long as necessary for operational, legal, and security requirements.

• Account and contract data: retained for the duration of the account plus 7 years for tax and legal obligations.

• DPP scan logs and interaction metadata: retained for 24 months by default; certain product-lifecycle data may be kept longer where required by law.

• Marketing data: retained until consent is withdrawn.

• Support and transactional data: retained according to legal and financial rules (typically 7 years).

Consumers may request deletion of their personal data except where retention is legally required.

5. Sharing and Disclosures

Personal data may be shared with:

• Authorised processors: hosting partners, cloud infrastructure providers, analytics services, email delivery tools, payment processors, and other vendors operating under strict contracts and security controls.

• Brand customers: when consumers engage with a specific brand’s DPP (e.g., submit a repair request), we share the necessary data with that brand.

• Regulators and authorities: when legally required.

• Acquirers: in the event of a merger, acquisition, or company reorganization.

DigiProPass never sells personal data.

6. International Data Transfers

Where personal data is transferred outside the EEA or UK, DigiProPass uses GDPR-approved safeguards such as EU SCCs, UK IDTA, adequacy decisions, TIAs, encryption, and access controls.

7. Security Measures

We use technical and organisational safeguards to protect personal data, including:

• Encryption in transit (TLS) and, where feasible, at rest

• Role-based access controls

• Continuous monitoring and logging

• Regular security audits and vulnerability management

• Annual penetration testing

• Incident response procedures and 72-hour breach notification obligations under GDPR

Our subprocessors undergo security evaluations before onboarding.

8. Cookies and Tracking Technologies

We use essential cookies for platform functionality and optional analytics or marketing cookies based on user consent.

9. Your Rights Under GDPR/UK-GDPR

Users have the right to:

• Access their personal data

• Correct inaccurate data

• Request deletion (subject to lawful obligations)

• Restrict or object to processing

• Port their data to another provider

• Withdraw consent at any time for consent-based processing

To exercise these rights, contact: support@digipropass.com. We respond within one calendar month.

10. Children’s Privacy

Our Service is not intended for children. For jurisdictions where consent age varies (13–16), we comply with local laws. If you believe a child has submitted personal data, contact us so we can delete it where appropriate.

11. Third-Party Links

Some features or pages may link to external services. These providers have their own privacy policies, and DigiProPass is not responsible for their practices.

12. Product Data vs Confidential Business Information

To protect commercial confidentiality, DigiProPass separates public-facing product data (composition, care, repair instructions) from sensitive supplier data. Brands can control visibility through access settings and encryption to ensure only authorised users or regulators can view restricted information.

13. Changes to This Policy

We may update this Privacy Policy. Material changes will be posted with an updated “Last Updated” date and, where required, direct notification.

14. Contact Us

For privacy inquiries or GDPR rights requests:
📧 support@digipropass.com