Privacy Policy
Last updated: March 6, 2026
PassportEU ("we," "us," or "our") operates the passporteu.app website and the PassportEU platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our Service. We are committed to protecting your privacy and handling your data in an open and transparent manner in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
By accessing or using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service.
1. Information We Collect
We collect information in the following ways:
1.1 Information You Provide Directly
- Account Information: When you create an account, we collect your email address, password (stored in hashed form), company name, and optionally your full name and phone number.
- Billing Information: When you subscribe to a paid plan, payment information (credit card number, billing address) is collected and processed directly by our payment processor, Stripe. We do not store your full payment card details on our servers.
- Contact Information: When you contact us via email or our contact form, we collect the information you provide, including your name, email address, company name, and the content of your message.
- Product Passport Data: Information you enter when creating Digital Product Passports, including product descriptions, material compositions, certifications, supply chain details, carbon footprint data, repairability scores, and other sustainability-related information.
1.2 Information Collected from Third-Party Platforms
- E-Commerce Platform Data: When you connect your e-commerce store (currently Shopify; WooCommerce, PrestaShop, Shopware, and Magento coming soon), we sync product data including product titles, descriptions, images, variants, SKUs, prices, and inventory information. We access only the data necessary to provide the Service.
1.3 Information Collected Automatically
- Log Data: Our servers automatically record information when you access the Service, including your IP address, browser type and version, operating system, referring URLs, pages visited, and the date and time of your visit.
- Device Information: We collect information about the device you use to access the Service, including device type, screen resolution, and unique device identifiers.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the Service: To create your account, sync your product data, generate Digital Product Passports, create QR codes, and publish public DPP pages.
- AI-Powered Features: To provide AI-assisted translations of product passport content into EU languages using the Claude AI API (provided by Anthropic). Product data sent for translation is processed in accordance with Anthropic's data processing terms and is not used to train AI models.
- Payment Processing: To process your subscription payments and manage your billing through Stripe.
- Communication: To send you transactional emails (account verification, password resets, billing notifications, product updates) via Resend, our email service provider.
- Compliance and Reporting: To generate compliance dashboards and reports showing the status of your product passports.
- Security: To detect, prevent, and address fraud, unauthorized access, and other security issues.
- Improvement: To analyze usage patterns, diagnose technical issues, and improve the functionality and user experience of the Service.
- Legal Compliance: To comply with applicable laws, regulations, and legal processes.
3. Data Processing (GDPR Legal Bases)
Under the General Data Protection Regulation (GDPR), we process your personal data based on the following legal grounds as defined in Article 6:
- Performance of a Contract (Article 6(1)(b)): Processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract. This applies to account creation, product data synchronization, DPP generation, and payment processing.
- Legitimate Interests (Article 6(1)(f)): Processing is necessary for our legitimate interests, provided these interests are not overridden by your rights and freedoms. This applies to service improvement, analytics, fraud prevention, and security monitoring.
- Consent (Article 6(1)(a)): Where we rely on your consent, you have the right to withdraw it at any time. This applies to optional marketing communications and non-essential cookies.
- Legal Obligation (Article 6(1)(c)): Processing is necessary for compliance with a legal obligation to which we are subject. This applies to tax and financial record-keeping, and responding to lawful data access requests.
4. Data Sharing and Third Parties
We do not sell your personal data. We share your data with the following categories of third-party service providers, strictly as necessary to provide and improve the Service:
- Stripe (Payment Processing): We use Stripe to process subscription payments. When you enter payment information, it is transmitted directly to Stripe and subject to Stripe's privacy policy (https://stripe.com/privacy). We receive only a token and limited billing details (last four digits of card, card type, expiration date) from Stripe.
- Resend (Email Delivery): We use Resend to send transactional and service-related emails. Resend processes your email address and email content on our behalf. Resend's privacy policy is available at https://resend.com/legal/privacy-policy.
- Anthropic / Claude AI (AI Translation): We use the Claude AI API by Anthropic to provide AI-assisted translations of product passport fields. Product data submitted for translation is processed by Anthropic in accordance with their API data usage policy. Anthropic does not use API inputs to train their models. Anthropic's privacy policy is available at https://www.anthropic.com/privacy.
- Hosting and Infrastructure Providers: We use cloud hosting services to store and serve the Service. All data is hosted on servers located in the European Union or in jurisdictions that provide an adequate level of data protection as determined by the European Commission.
- E-Commerce Platforms: When you connect your store, we exchange data with the respective platform (currently Shopify; WooCommerce, PrestaShop, Shopware, and Magento coming soon) via their official APIs, limited to the scope you authorize during the connection process.
We may also disclose your information if required by law, regulation, legal process, or governmental request, or to protect our rights, privacy, safety, or property, or that of our users or the public.
5. Data Storage and Security
We take the security of your data seriously and implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
- Encryption: All data in transit is encrypted using TLS 1.2 or higher. Sensitive data at rest is encrypted using AES-256 encryption.
- Authentication: Passwords are hashed using industry-standard algorithms (bcrypt). Authentication tokens (JWT) are signed and have limited expiration times.
- Access Controls: Access to personal data is restricted to authorized personnel on a need-to-know basis. We employ role-based access controls and audit logging.
- Infrastructure Security: Our servers are hosted in secure, SOC 2-compliant data centers within the European Union. We perform regular security assessments and vulnerability scans.
- Incident Response: We maintain an incident response plan and will notify affected users and relevant supervisory authorities of any personal data breach within 72 hours as required by GDPR Article 33.
While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the Internet or method of electronic storage is 100% secure, and we cannot guarantee absolute security.
6. Your Rights
Under the GDPR and applicable data protection laws, you have the following rights regarding your personal data:
- Right of Access (Article 15): You have the right to request a copy of the personal data we hold about you.
- Right to Rectification (Article 16): You have the right to request correction of inaccurate personal data or completion of incomplete data.
- Right to Erasure (Article 17): You have the right to request deletion of your personal data, subject to certain legal exceptions (e.g., data required for legal compliance).
- Right to Restriction of Processing (Article 18): You have the right to request that we restrict the processing of your personal data under certain circumstances.
- Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
- Right to Object (Article 21): You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes.
- Right to Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out before the withdrawal.
- Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.
To exercise any of these rights, please contact us at support@passporteu.app. We will respond to your request within 30 days.
7. Cookies and Tracking
We use cookies and similar technologies to operate and improve the Service. The cookies we use are:
- Essential Cookies: These cookies are strictly necessary for the Service to function. They include authentication cookies (JWT tokens) that keep you signed in, session cookies, and CSRF protection tokens. These cookies cannot be disabled without impairing the Service.
- Preference Cookies: These cookies remember your settings, such as language preference and display options, to provide a personalized experience.
We do not use third-party advertising cookies or tracking pixels. We do not participate in cross-site tracking or behavioral advertising. We do not use Google Analytics or similar third-party analytics platforms that track individual users across sites.
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy:
- Account Data: Retained for the duration of your account. Upon account deletion, your personal data is deleted or anonymized within 30 days, except where retention is required by law.
- Product and DPP Data: Product data and Digital Product Passport data are retained for the duration of your subscription. Upon cancellation, this data is retained for 90 days to allow for reactivation, after which it is permanently deleted.
- Billing Records: Retained for a minimum of 7 years to comply with tax and financial reporting obligations.
- Server Logs: Automatically deleted after 90 days.
- Public DPP Pages: DPP pages that have been published and accessed via QR codes remain available for the duration of your active subscription. Public pages are taken offline within 30 days of subscription cancellation.
- Communication Records: Support and contact form communications are retained for up to 2 years after the last interaction.
9. International Data Transfers
Your personal data is primarily stored and processed within the European Union. In cases where data is transferred to third-party service providers located outside the EU/EEA (such as Stripe and Anthropic, which are based in the United States), we ensure that appropriate safeguards are in place, including:
- EU-U.S. Data Privacy Framework certification of the recipient.
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Binding Corporate Rules where applicable.
- Adequacy decisions by the European Commission for the recipient's jurisdiction.
You may request a copy of the safeguards we have in place for international data transfers by contacting us at support@passporteu.app.
10. Children's Privacy
Our Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected personal data from a child under 16 without parental consent, we will take steps to delete that information promptly. If you believe that we may have collected information from a child under 16, please contact us at support@passporteu.app.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable laws. When we make material changes, we will notify you by posting the updated policy on this page with a new "Last updated" date. For significant changes that affect your rights, we will also notify you via email at least 30 days before the changes take effect. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your data.
12. Contact Us
If you have questions or concerns about this Privacy Policy, your personal data, or wish to exercise any of your data protection rights, please contact us:
- PassportEU
- Email (Support): support@passporteu.app
- Email (Sales): sales@passporteu.app
- Website: https://passporteu.app
For GDPR-related inquiries or to contact our Data Protection Officer, please email support@passporteu.app with the subject line "GDPR Request."
Effective date: March 6, 2026