Privacy Policy

1. Data Controller

Passportly Pty Ltd ("Passportly", "we", "us") is the data controller for personal data collected via the Platform. For EU data processing enquiries, contact us at privacy@passportly.io.

2. Data We Collect

Account data: Name, email address, organisation name, billing address, phone number (optional).

Billing data: Processed by Stripe. We store your Stripe customer ID and last four digits of your payment card. We do not store full card details.

Product data: Product names, descriptions, materials, manufacturing details, certifications, and other data you enter into DPPs. This is business data about your products, not personal data about individuals.

Usage data: Page views on hosted DPP pages (anonymised), feature usage within the dashboard, API call logs.

3. Legal Basis (GDPR Art. 6)

Contract performance: Processing your account and product data to deliver the service you subscribed to.

Legitimate interest: Usage analytics to improve the Platform, prevent abuse, and ensure security.

Consent: Marketing communications (opt-in only; you can withdraw at any time).

4. How We Use Your Data

• Providing and operating the Platform
• Processing payments via Stripe
• Calculating Environmental Cost scores via the Ecobalyse API (French government)
• Verifying certificates against OEKO-TEX and GOTS databases
• Generating product stories via the Anthropic API (Claude Haiku)
• Hosting and serving published DPP pages
• Communicating with you about your account and service updates

5. Data Sharing

We share data with the following third-party processors:

• Stripe — Payment processing (PCI DSS compliant)
• Ecobalyse API — Environmental impact calculation (French government service; product data only, no personal data)
• Anthropic — AI story generation (product data only, no personal data)
• OEKO-TEX / GOTS — Certificate verification (certificate numbers only)

We do not sell personal data. We do not share data with advertisers.

6. Data Hosting & Transfers

The Platform is hosted within the European Union. If any sub-processor is located outside the EU, transfers are conducted under Standard Contractual Clauses (SCCs) or equivalent safeguards as required by GDPR Chapter V.

7. Data Retention

Account and product data is retained for the duration of your subscription plus 30 days. After account deletion, all data is permanently removed within 30 days. Billing records are retained for 7 years as required by tax law.

8. Your Rights (GDPR Articles 15-22)

You have the right to:

• Access — Request a copy of your personal data
• Rectification — Correct inaccurate data
• Erasure — Request deletion ("right to be forgotten")
• Data portability — Export your data in a machine-readable format (JSON)
• Restriction — Limit processing in certain circumstances
• Object — Object to processing based on legitimate interest

To exercise these rights, email privacy@passportly.io. We will respond within 30 days.

9. Published DPP Pages

Published DPP pages display product data (not personal data) and are publicly accessible by design. QR codes link to these pages. View counts are recorded anonymously without cookies or tracking pixels.

10. Cookies

The Platform uses only essential cookies for session management and CSRF protection. We do not use analytics cookies, advertising cookies, or third-party tracking. No cookie consent banner is required under ePrivacy rules as only strictly necessary cookies are used.

11. Data Breach Notification

In the event of a personal data breach, we will notify affected users and the relevant supervisory authority within 72 hours as required by GDPR Article 33.

12. Data Processing Agreement

For enterprise customers who require a formal Data Processing Agreement (DPA), contact legal@passportly.io.

13. Changes to This Policy

We will notify you of material changes via email at least 30 days before they take effect.

14. Supervisory Authority

You have the right to lodge a complaint with a supervisory authority in your EU member state if you believe your data rights have been violated.

15. Contact

For privacy enquiries: privacy@passportly.io

For general enquiries: hello@passportly.io