Privacy Policy

Last updated: 2026-06-25

PassportCraft LLC
Effective Date: February 8, 2026
Last Updated: June 25, 2026


Privacy at a Glance

This is a short summary to help you find what matters most. It is not a substitute for the full policy below — each point links to the detailed section that governs.

  • Who we are: PassportCraft LLC, a New York (USA) company providing a Digital Product Passport platform; we act as both a Data Controller and a Data Processor (see Section 1).
  • What we collect: account and billing details, product/DPP data uploaded by our customers, usage and website data, and limited technical data when someone scans a published passport (see Section 2).
  • Why we use it (legal basis): to provide and bill for the service, to communicate with you, for security and legal compliance, and — where you have consented — for analytics (see Section 3). We do not send marketing emails or build a marketing list.
  • Who we share it with: vetted sub-processors (such as our hosting, email, analytics, and payment providers) and, where required, advisors and authorities; we do not sell your personal data (see Section 5).
  • Your rights: access, rectification, erasure, portability, objection, and more, for individuals in the EEA, the UK, and Switzerland, plus equivalent rights for US state residents (see Section 9 and Section 12).
  • How to contact us or complain: email privacy@passportcraft.com or our EU representative (see Section 16); you may also lodge a complaint with a supervisory authority (see Section 9.5).

1. Who We Are

PassportCraft LLC ("PassportCraft," "we," "us," or "our") is a New York, USA limited liability company that operates a Software-as-a-Service (SaaS) platform for creating and hosting Digital Product Passports (DPPs) under the EU Ecodesign for Sustainable Products Regulation (ESPR).

| Detail | Information |
| --- | --- |
| Entity | PassportCraft LLC |
| Registered Address | 418 Broadway, Ste N, Albany, NY 12207, USA |
| Website | https://passportcraft.com |
| Primary Contact | hello@passportcraft.com |
| Data Protection Contact | privacy@passportcraft.com |
| EU / UK Representative | We have appointed DataRep (Data Protection Representative Limited, trading as DataRep) as our Data Protection Representative under Art. 27 EU GDPR (EU/EEA) and the UK GDPR / Data Protection Act 2018 (UK). Individuals in the EEA and the UK can contact DataRep directly — see Section 16. |

1.1 Our Role in Data Processing

PassportCraft acts in two distinct data-processing capacities:

  • Data Controller — for personal data we collect and process for our own purposes, including website analytics, account management, billing, and customer support.
  • Data Processor — for personal data our customers upload to the platform as part of their Digital Product Passports (e.g., product specifications, supplier information, compliance documentation). In this capacity, we process data solely on our customers' instructions and in accordance with a separate Data Processing Agreement (DPA).

This Privacy Policy primarily addresses our activities as a Data Controller. Our processing activities as a Data Processor are governed by the DPA agreed with each customer.


2. What Data We Collect

We collect and process the following categories of personal data:

2.1 Account Data

Data you provide when creating an account or contacting us.

| Data Element | Examples |
| --- | --- |
| Identity information | Full name, job title |
| Contact information | Email address, phone number |
| Company information | Company name, company address, VAT number |
| Account credentials | Email, hashed password |
| Billing information | Billing address, billing contact |

Where you are an EU/EEA business customer, we collect your VAT identification number to determine the correct VAT treatment of your subscription and to issue compliant invoices (including, where applicable, applying the reverse-charge mechanism for intra-EU business-to-business supplies). The invoicing terms that apply to your VAT identification number are set out in our Terms of Service.

2.2 Product and DPP Data (Processed as Data Processor)

Data our customers upload to create Digital Product Passports. This may include:

| Data Element | Examples |
| --- | --- |
| Product specifications | Materials, composition, origin, certifications |
| Supplier information | Supplier names, contact details, facility addresses |
| Compliance documentation | Test reports, certificates, audit records |

Important: We process this data solely as a Data Processor on behalf of our customers. Our customers are the Data Controllers for their DPP data and are responsible for ensuring they have a lawful basis to share any personal data contained within it. We do not use DPP data for our own purposes.

Special categories of data: We do not collect or process special categories of personal data as defined under Art. 9 GDPR (e.g., health data, biometric data, racial or ethnic origin, political opinions, religious beliefs). Customers are prohibited from uploading special category data to the platform.

2.3 Usage Data

Data collected automatically when you use our website or platform.

| Data Element | Examples |
| --- | --- |
| Device information | Browser type and version, operating system, device type |
| Connection data | IP address (anonymized where technically feasible), ISP |
| Interaction data | Pages visited, features used, click patterns, session duration |
| Referral data | Referring URL, search terms, campaign parameters |

2.4 Communication Data

Data generated through your interactions with us.

| Data Element | Examples |
| --- | --- |
| Support inquiries | Tickets, chat messages, support emails |
| Correspondence | Emails, contact form submissions |
| Feedback | Surveys, product feedback, feature requests |

2.5 Payment Data

Data required for processing payments.

| Data Element | Examples |
| --- | --- |
| Transaction data | Invoice amounts, payment dates, subscription tier |
| Payment method metadata | Card type, last four digits, expiration date |
| Billing records | Invoices, receipts, credit notes |

Important: We do not store full credit card numbers, CVVs, or other sensitive payment credentials. All payment processing is handled by our payment processor, Stripe, which is certified PCI DSS Level 1.

2.6 Website Visitor Data

Data collected from visitors to passportcraft.com who may not have an account.

| Data Element | Examples |
| --- | --- |
| Cookie data | See our Cookie Policy for details |
| Form submissions | Name, email, company name (from contact or readiness checker forms) |
| Technical data | IP address, browser fingerprint characteristics |

2.7 Data We Collect From Other Sources

Most of the personal data we hold is provided directly by you (Sections 2.1, 2.2, 2.4, 2.5, 2.6) or collected automatically when you use our website or platform (Sections 2.3, 2.6). In addition, we receive a limited set of personal data indirectly, from the following sources:

| Source | Data Element | Purpose |
| --- | --- | --- |
| Single sign-on providers (Google, Microsoft) | Authentication and profile identifiers passed to us when a user chooses to sign in with Google or Microsoft — typically email address, display name, and a provider account/profile identifier | Authenticating the user and creating or linking the account (cross-referenced to the Google and Microsoft entries in Section 5.1) |
| Other users (team invitations) | The email address of a colleague that an account administrator chooses to invite to their organization | Sending the invitation email and provisioning access if the invitee accepts. The inviting user represents that they are authorized to share that email address; the invitee receives this transparency information under Art. 14 GDPR through this policy |

We do not purchase personal data from data brokers, and we do not enrich your data using marketing, referral, or third-party data-enhancement services. Where we collect personal data from a source other than you directly, we process it on the legal bases set out in Section 3 and provide the transparency information required by Art. 14 GDPR through this Privacy Policy.

2.8 Data Collected When You Scan a Digital Product Passport

This section is addressed to consumers and other members of the public who view or scan a publicly hosted Digital Product Passport (DPP) page — for example, by scanning a QR code on a product. It does not concern brands or account holders.

When a published DPP page is viewed, we record a limited set of technical data about the visit so that we can produce aggregate scan analytics. We collect:

| Data Element | Examples |
| --- | --- |
| Device type | A coarse device type (e.g., mobile, tablet, desktop), derived in memory from your browser's User-Agent. The User-Agent string itself is not stored. |
| Approximate location | Approximate country, region, and city derived from your network connection |
| Event metadata | The timestamp of the view and the passport that was viewed |

Who is responsible. For this scan analytics, PassportCraft acts as a Data Controller, because we determine the purposes and means of this processing. This is distinct from the Data Processor role we hold for the DPP content that the publishing brand supplies (see Section 1.1). The product information shown on the passport page is supplied and controlled by the brand that publishes it, not by PassportCraft.

Purpose. We use this data to generate aggregate scan analytics — such as the number of views and the approximate regions and device types of viewers — which we make available to the brand that published the passport and use to operate, secure, and improve the Service. We do not use this data to identify you, to build a profile of you, or to serve you advertising.

Legal basis. We process this data on the basis of our legitimate interest (Art. 6(1)(f) GDPR) in measuring engagement with DPP pages, providing analytics to the publishing brand, and operating and improving the Service. We have weighed this interest against your interests and rights: the data is limited to coarse technical metadata (approximate location and device type), we do not store your IP address, any IP-derived identifier, or your browser's User-Agent string, and the analytics we produce are aggregated, which we consider a minimal privacy impact. This analytics processing does not store information on, or read information from, your device beyond what is strictly necessary to display the page you requested, so it does not place analytics cookies on your device.

Retention. We retain this scan data for 12 months from collection, consistent with the analytics retention period in Section 7, after which it is purged.

Your rights and how to contact us. Because we do not hold your name, your IP address, your browser's User-Agent, or any other identifier that could re-identify you, we are generally unable to associate a particular scan with a particular individual. To the extent this data relates to you, the rights described in Section 9 (for individuals in the EEA, the UK, or Switzerland) and Section 12 (for US residents) apply, and you may contact us at privacy@passportcraft.com.

How this information reaches you (Art. 13 GDPR). As we cannot proactively reach an anonymous visitor, the information required under Art. 13 GDPR about this scan analytics is provided here, in this Privacy Policy, which is published at https://passportcraft.com/privacy. The published passport page itself currently identifies PassportCraft as its host (it carries a "Powered by PassportCraft" mark), and we are adding a direct link from that mark to this Privacy Policy so that visitors can reach this notice from the page. Until that link is in place, the descriptions of this processing in this Privacy Policy — not any text on the passport page itself — are what govern; the product information shown on the passport page is supplied and controlled by the publishing brand (see Section 1.1), and the brand remains responsible for any separate notice it chooses to present about its own content.


We process personal data only where we have a valid legal basis under the General Data Protection Regulation (GDPR). The table below maps each processing activity to its legal basis.

| Processing Activity | Description |
| --- | --- |
| Non-essential cookies | Placing analytics cookies on your device (see Cookie Policy) |
| Analytics data collection | Collecting behavioral data via Google Analytics for product and content improvement |

You may withdraw your consent at any time without affecting the lawfulness of processing that occurred before withdrawal. To withdraw consent, adjust your cookie preferences on our website or contact privacy@passportcraft.com.

3.2 Performance of a Contract — Art. 6(1)(b)

| Processing Activity | Description |
| --- | --- |
| Account creation and management | Creating, maintaining, and administering your PassportCraft account |
| Service delivery | Providing access to the DPP platform and its features |
| Payment processing | Processing subscription payments and managing billing |
| Customer support | Responding to support requests, troubleshooting issues |
| Platform communications | Sending transactional emails (account confirmations, password resets, service notifications) |
| Trial and account service notices | Sending notifications about trial status and account service conditions (see Section 4.6) |

| Processing Activity | Description |
| --- | --- |
| Tax and accounting records | Retaining invoices, payment records, and financial data as required by applicable tax law |
| Regulatory compliance | Responding to legally binding requests from courts, law enforcement, or regulatory authorities |
| Fraud prevention | Detecting and preventing fraudulent transactions as required under payment services regulations |

3.4 Legitimate Interest — Art. 6(1)(f)

| Processing Activity | Legitimate Interest | Balancing Consideration |
| --- | --- | --- |
| Security monitoring | Protecting our platform, systems, and users from security threats | Minimal privacy impact; limited to technical metadata |
| Fraud detection and prevention | Safeguarding financial transactions and platform integrity | Processing limited to transactional patterns; no profiling |
| Service improvement | Analyzing aggregated usage patterns to improve features and performance | Data aggregated and anonymized where possible |
| Server log processing | Maintaining system reliability and diagnosing technical issues | Logs retained for a limited period (30 days) and access-restricted |
| Business analytics | Understanding platform usage at an aggregate level for business planning | Analysis performed on anonymized or aggregated data |
| Onboarding and product emails | Helping account holders get value from the service (welcome and milestone emails; see Section 4.6) | One-click unsubscribe included in every message; resubscription available at any time |

You have the right to object to processing based on legitimate interest at any time (see Section 9).


4. How We Use Your Data

We use the personal data we collect for the following purposes:

4.1 Providing and Operating Our Service

  • Creating and managing your account
  • Enabling you to create, edit, host, and share Digital Product Passports
  • Generating and hosting QR codes linked to your DPP pages
  • Processing your payments and managing your subscription
  • Providing technical support and resolving service issues

4.2 Communicating with You

  • Sending transactional emails about your account or service (e.g., payment confirmations, security alerts, feature changes)
  • Responding to inquiries submitted through contact forms, email, or support channels

4.3 Improving Our Service

  • Analyzing aggregated usage data to understand how our platform is used
  • Identifying technical issues and improving platform performance
  • Developing new features based on usage patterns and feedback
  • Conducting A/B testing for user interface improvements

4.4 Ensuring Security and Compliance

  • Monitoring for unauthorized access, fraud, and security threats
  • Maintaining server and application logs for incident investigation
  • Complying with legal and regulatory obligations
  • Enforcing our Terms of Service

4.5 Website Analytics and Attribution

  • Analyzing website traffic sources and referral/campaign attribution to understand how visitors find us (consent-based, via Google Analytics only)

We do not send marketing or promotional emails and do not maintain a marketing mailing list.

4.6 Lifecycle Product Emails

We send automated service and product emails to account owners throughout the lifecycle of their PassportCraft subscription. These emails fall into two categories:

Onboarding and product emails — a welcome email on account creation, and milestone emails tied to the state of the account (for example, a prompt to create or publish a first product passport). These are sent on the basis of our legitimate interest (Art. 6(1)(f) GDPR) in helping account holders get value from the service they have signed up for. Every such email contains a one-click unsubscribe link; once unsubscribed, the account owner may resubscribe at any time via the link on the unsubscribe confirmation page.

Trial and account service notices — notifications relating to the status of a trial subscription (for example, a notice that a trial is approaching its end). These are sent on the basis of performance of the contract (Art. 6(1)(b) GDPR), because they concern the service terms the account holder has accepted. As service-essential communications, they are not subject to the marketing opt-out described above.

To prevent duplicate sends, we maintain a send log recording which lifecycle email was sent to which organization (identified by organization ID), the recipient email address, and the timestamp of the send. This log is deleted together with the organization's account; residual copies in encrypted backups are overwritten through the normal backup rotation cycle (see Section 7.1).

Lifecycle emails are delivered via Resend Inc., our email delivery sub-processor (see Section 5.1). No separate Resend entry is needed for lifecycle emails — the existing Resend engagement covers this processing.


5. Data Sharing and Processors

We do not sell personal data. We share personal data only with the categories of recipients and specific processors described below, and only to the extent necessary for the stated purposes.

5.1 Sub-Processors

The following third-party service providers process personal data on our behalf:

| Processor | Purpose | Data Processed | Location | Transfer Safeguard |
| --- | --- | --- | --- | --- |
| Vercel Inc. | Website and platform hosting, edge delivery, serverless functions | Platform data in transit, edge cache, server logs, and IP addresses (durable customer and DPP data is stored at rest by Supabase in the EU) | USA (San Francisco) / global edge network | EU-US Data Privacy Framework (DPF); Standard Contractual Clauses (SCCs) |
| Resend Inc. | Transactional and notification email delivery (account, lifecycle, and contact-form notifications) | Email addresses, names, email content | USA | Standard Contractual Clauses (SCCs) |
| Google LLC | Website and product analytics (Google Analytics 4); optional "Sign in with Google" authentication | Anonymized usage data, device info, interaction events, IP address (anonymized); authentication identifiers for users choosing Google sign-in | USA | EU-US Data Privacy Framework (DPF); Standard Contractual Clauses (SCCs) |
| Supabase Inc. | Database hosting, user authentication, file storage | Account data, DPP data, authentication tokens, uploaded files | USA (company) — data hosted in the EU (Ireland, AWS eu-west-1) | Data stored in EU; Standard Contractual Clauses (SCCs) for company access |
| Stripe Inc. | Payment processing (PCI DSS Level 1 certified) | Payment method metadata, billing information, transaction records | USA / Ireland | EU-US Data Privacy Framework (DPF); Standard Contractual Clauses (SCCs); Irish entity for EU operations |
| OpenAI, L.L.C. | AI-assisted content features (e.g., sustainability-claim rewriting, care-symbol suggestions) | Text submitted by users to AI features (e.g., product descriptions, draft claims) | USA | Standard Contractual Clauses (SCCs); OpenAI does not use data submitted via its API to train its models by default |
| Microsoft Corporation | Optional "Sign in with Microsoft" authentication (Microsoft Entra ID) | Authentication identifiers (email, name) for users choosing Microsoft sign-in | USA / EU | EU-US Data Privacy Framework (DPF); Standard Contractual Clauses (SCCs) |

5.2 Other Recipients

We may share personal data with the following categories of recipients:

| Recipient Category | Purpose | Legal Basis |
| --- | --- | --- |
| Law enforcement and government authorities | Responding to legally binding requests (subpoenas, court orders) | Art. 6(1)(c) — legal obligation |
| Professional advisors | Legal, accounting, and tax advisory services | Art. 6(1)(f) — legitimate interest |
| Business successors | In connection with a merger, acquisition, or asset sale (you would be notified) | Art. 6(1)(f) — legitimate interest |

We will never share your personal data with third parties for their own marketing purposes.

5.3 Sub-Processor Changes

We maintain a current list of sub-processors on our website. We will notify customers of any new sub-processors at least 30 days before they begin processing personal data, giving customers the opportunity to object.

5.4 AI-Assisted Features

Certain optional features of our platform use artificial intelligence to assist you — for example, rewriting sustainability claims or suggesting care symbols. When you use these features, the text you submit is sent to our AI sub-processor, OpenAI, to generate a suggestion. We use AI only to transform the content you provide, and AI output is presented as a suggestion that you review and edit before it is published. OpenAI does not use data submitted through its API to train its models by default, and we do not use your content to train our own models. AI features are not used to make automated decisions that produce legal or similarly significant effects (see Section 11).


6. International Data Transfers

PassportCraft is based in the United States. When you use our service from the European Economic Area (EEA), the United Kingdom, or Switzerland, your personal data may be transferred to countries outside these regions.

6.1 Transfer Mechanisms

We rely on the following legal mechanisms to ensure an adequate level of data protection for international transfers:

| Mechanism | Description |
| --- | --- |
| EU-US Data Privacy Framework (DPF) | Where our processors are certified under the DPF, we rely on this adequacy decision (adopted by the European Commission on 10 July 2023) as the primary transfer mechanism. |
| Standard Contractual Clauses (SCCs) | We execute the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with all processors that receive personal data outside the EEA and are not covered by an adequacy decision. |
| Supplementary Measures | Where required by the risk assessment, we implement supplementary technical and organizational measures, including encryption in transit and at rest, access controls, and data minimization. |

PassportCraft is not itself self-certified under the EU-US Data Privacy Framework. Our reliance on the DPF flows through the individually DPF-certified sub-processors identified in Section 5.1 (currently Vercel, Google, Stripe, and Microsoft), each of which is subject to oversight by the U.S. Federal Trade Commission and offers its own independent recourse mechanism under the Framework. For any sub-processor that is not covered by an adequacy decision, we rely on the Standard Contractual Clauses described above.

6.2 Data Hosting

Customer account and DPP data is hosted in the EU (Ireland; AWS region eu-west-1) via Supabase's EU infrastructure. Website visitor data processed through analytics and hosting providers may be transferred to the USA under the safeguards described above.

6.3 Transfer Impact Assessments

We conduct Transfer Impact Assessments (TIAs) for all data transfers to countries not covered by an EU adequacy decision, in line with EDPB Recommendations 01/2020. You may request a copy of the relevant TIA by contacting privacy@passportcraft.com.


7. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. The table below sets out our specific retention periods.

| Data Category | Retention Period | Justification |
| --- | --- | --- |
| Account data (name, email, company, credentials) | Duration of active account + 30 days after account deletion | Necessary for service delivery; 30-day buffer allows account recovery and final data export |
| DPP data (product specs, supplier info, compliance docs) | Duration of active subscription + 30-day export window after termination | Customers need time to export their data; deleted after export window closes |
| Payment and billing records (invoices, transaction records, receipts) | 7 years from end of fiscal year in which transaction occurred | Required by US tax law (IRS), EU VAT Directive (2006/112/EC), and applicable accounting regulations |
| Analytics data (usage events, interaction data) | 12 months from collection | Sufficient for trend analysis and service improvement; automatically purged |
| DPP scan data (approximate location, device type, timestamp; see Section 2.8) | 12 months from collection | Aligned with the analytics retention period; automatically purged |
| Server and application logs (access logs, error logs, IP addresses) | 30 days | Necessary for security monitoring, incident investigation, and performance diagnostics |
| Lifecycle email send log (organization ID, recipient email, email key, timestamp) | Duration of active account; deleted with the account | Retained to prevent duplicate sends; removed immediately on account deletion |
| Support communications (tickets, emails, chat transcripts) | 3 years from resolution | Retained for quality assurance, dispute resolution, and pattern analysis |
| Contact form submissions | 12 months from submission | Retained to follow up on inquiries and measure response quality |
| Cookie data | See Cookie Policy | Varies by cookie type |

Analytics retention and cookie lifetime. The 12-month analytics retention period above refers to the server-side analytics data we hold. It is distinct from the lifetime of any analytics cookie stored in your browser: the Google Analytics _ga cookie has a browser-side expiry of up to two years (as listed in our Cookie Policy), which is the expiry of the device-side identifier, not the period for which we retain the underlying analytics data.

7.1 Deletion Process

When a retention period expires or you request deletion:

  1. Active data is deleted or anonymized within 30 days.
  2. Data in backups is overwritten through the normal backup rotation cycle, which does not exceed 90 days.
  3. We may retain anonymized, aggregated data indefinitely for statistical purposes, provided it cannot be used to identify any individual.

Retention periods may be extended if we are required to preserve data due to pending or anticipated litigation, regulatory investigation, or a valid legal hold request.


8. Cookies and Tracking Technologies

We use cookies and similar technologies on our website. For full details about the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy.

In summary:

  • Essential cookies are required for the website to function and cannot be disabled.
  • Analytics cookies (Google Analytics) are set by default to help us understand how visitors use our site. You can decline them via the cookie consent banner.

We do not use marketing, advertising, or social-media tracking cookies.

You can manage your cookie preferences at any time through the cookie settings panel accessible from any page of our website.

8.1 Do Not Track and Global Privacy Control Signals

Some browsers and extensions can transmit a "Do Not Track" (DNT) signal or a Global Privacy Control (GPC) signal that communicates a user's privacy preference. We treat these signals as follows:

  • Sale and sharing of personal information. As explained in Section 12.4, we do not sell personal information and we do not share personal information for cross-context behavioral advertising. Because there is no such activity to opt out of, no GPC-driven opt-out of sale or sharing is required, and where we are legally required to honor the Global Privacy Control as an opt-out of sale/sharing, that preference is already satisfied by our no-sale, no-share posture.
  • Cookies and analytics. Our analytics layer honors DNT and GPC signals. When your browser or extension transmits either signal, our analytics initialize in a "denied" state and no analytics cookies (such as Google Analytics _ga cookies) are placed or read on your device, regardless of region or any prior cookie consent banner selection. This signal-based behavior operates independently of the on-screen banner; you can also use the cookie consent banner or the cookie settings panel described above to decline non-essential cookies at any time.

9. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights regarding your personal data under the General Data Protection Regulation (GDPR) and equivalent local laws.

| Right | GDPR Article | Description |
| --- | --- | --- |
| Right of Access | Art. 15 | You have the right to request a copy of the personal data we hold about you, along with information about how we process it. |
| Right to Rectification | Art. 16 | You have the right to request correction of inaccurate personal data or completion of incomplete data. |
| Right to Erasure ("Right to be Forgotten") | Art. 17 | You have the right to request deletion of your personal data where there is no compelling reason for us to continue processing it. |
| Right to Restriction of Processing | Art. 18 | You have the right to request that we restrict processing of your data in certain circumstances (e.g., while we verify accuracy). |
| Right to Data Portability | Art. 20 | You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and to transmit it to another controller. |
| Right to Object | Art. 21 | You have the right to object to processing based on legitimate interest (Art. 6(1)(f)). We will cease processing unless we can demonstrate compelling legitimate grounds. You have an absolute right to object to direct marketing. |
| Right to Withdraw Consent | Art. 7(3) | Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing performed before withdrawal. |
| Right Not to be Subject to Automated Decision-Making | Art. 22 | See Section 11 below. |

9.1 How to Exercise Your Rights

To exercise any of your rights, contact us at:

9.2 Verification

We may need to verify your identity before processing your request. We will ask you to confirm information we already hold to authenticate your request without collecting additional personal data.

9.3 Response Time

We will respond to your request within 30 days of receipt. If your request is complex or we receive a high volume of requests, we may extend this period by an additional 60 days. We will inform you of any extension and the reasons for it within the initial 30-day period.

9.4 Fees

We process data subject requests free of charge. If requests are manifestly unfounded or excessive (particularly if repetitive), we may charge a reasonable fee based on administrative costs or refuse the request, providing our reasons.

9.5 Right to Lodge a Complaint

If you are not satisfied with our response or believe we are processing your data unlawfully, you have the right to lodge a complaint with a supervisory authority. You may complain to the supervisory authority in your EU/EEA Member State of residence, your place of work, or the place of the alleged infringement.

A list of EU/EEA supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en

9.6 Authorized Agents

You may use an authorized agent to submit a privacy rights request on your behalf under any framework this Privacy Policy covers (GDPR, the CCPA/CPRA, and other applicable US state privacy laws). We will ask the agent to provide proof of your written authorization, and we may still take reasonable steps to verify the identity of the individual whose data is the subject of the request before we act on it.


10. Children's Privacy

Our service is directed at businesses and professionals. We do not knowingly collect or solicit personal data from anyone under the age of 18. If you are under 18, do not use our service or provide any personal data to us. If we become aware that we have collected personal data from a child under 18, we will delete that information promptly. If you believe we have collected data from a child under 18, please contact us at privacy@passportcraft.com.


11. Automated Decision-Making and Profiling

We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you, as described in Art. 22 GDPR. All decisions that may affect your account, service access, or contractual relationship are made by humans.


12. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information.

12.1 Categories of Personal Information

We collect the categories of personal information described in Section 2 of this Privacy Policy. In the preceding 12 months, we have collected the following CCPA categories, from the sources, for the business or commercial purposes, and disclosed to the categories of recipients set out below.

| CCPA Category | Examples | Collected | Sources | Business/Commercial Purpose | Categories of Recipients (for a business purpose) |
| --- | --- | --- | --- | --- | --- |
| Identifiers | Name, email, IP address, account ID | Yes | Directly from you; automatically; from single sign-on providers (Section 2.7) | Service delivery and account management; security and fraud prevention; communications | Sub-processors (Section 5.1); professional advisors; law enforcement / authorities (Section 5.2) |
| Commercial information | Subscription records, billing history | Yes | Directly from you; automatically (transaction events) | Billing and payment processing; service delivery | Stripe and other sub-processors (Section 5.1); professional advisors; authorities (Section 5.2) |
| Internet or electronic network activity | Browsing history, interaction data, search history | Yes | Automatically (via our website and platform) | Analytics and service improvement; security monitoring | Analytics sub-processor (Google, Section 5.1) |
| Professional or employment-related information | Job title, company name | Yes | Directly from you; from single sign-on providers (Section 2.7) | Service delivery and account management; communications | Sub-processors (Section 5.1); professional advisors (Section 5.2) |
| Geolocation data | IP-based approximate location | Yes | Automatically (derived from IP address) | Security monitoring; analytics | Hosting and analytics sub-processors (Section 5.1) |

We have not sold or shared (as those terms are defined under the CCPA/CPRA) any of these categories of personal information in the preceding 12 months; see Sections 12.2 and 12.4. We do not collect or process sensitive personal information for the purpose of inferring characteristics about a consumer.

12.2 Your California Rights

| Right | Description |
| --- | --- |
| Right to Know | You can request the categories and specific pieces of personal information we have collected about you. |
| Right to Delete | You can request deletion of personal information we have collected from you, subject to certain exceptions. |
| Right to Correct | You can request correction of inaccurate personal information. |
| Right to Opt-Out of Sale/Sharing | We do not sell or share (as defined by CCPA) your personal information. No opt-out is necessary. |
| Right to Non-Discrimination | We will not discriminate against you for exercising your privacy rights. |

12.3 How to Exercise Your California Rights

Submit requests to privacy@passportcraft.com with the subject line "California Privacy Request." We will verify your identity and respond within 45 days.

12.4 Do Not Sell or Share

We do not sell personal information. We do not share personal information for cross-context behavioral advertising as defined under the CCPA/CPRA.

12.5 Authorized Agent

You may designate an authorized agent to submit California requests on your behalf. Our authorized-agent process is the same one that applies to all privacy rights requests and is described in Section 9.6: we require the agent to provide proof of written authorization and may require you to verify your identity directly.

12.6 Other US State Privacy Rights

A growing number of US states have enacted comprehensive consumer privacy laws (for example, Virginia, Colorado, Connecticut, Texas, and Oregon, among others). If you are a resident of a US state with such a law, you have, to the extent the applicable law grants them, the rights to:

  • Access / know the personal information we have collected about you;
  • Correct inaccurate personal information;
  • Delete personal information we have collected from you, subject to legal exceptions;
  • Portability — obtain a copy of your personal information in a portable, readily usable format; and
  • Opt out of the sale of personal information, of targeted advertising, and of profiling that produces legal or similarly significant effects.

As explained in Section 12.4, we do not sell personal information, and we do not share it for cross-context behavioral advertising or targeted advertising. We also do not use profiling to make automated decisions that produce legal or similarly significant effects (see Section 11). Because we do not engage in these activities, the related opt-out rights are already satisfied; you do not need to take any action.

To exercise any of these rights, contact us at privacy@passportcraft.com with the subject line "US State Privacy Request" and tell us which state you reside in and which right you wish to exercise. We verify requests as described in Section 9.2, you may use an authorized agent as described in Section 9.6, and we will not discriminate against you for exercising your rights.

12.7 Appeals

If we decline to act on a privacy rights request you have made under a US state privacy law, you may appeal that decision. To appeal, email privacy@passportcraft.com with "Appeal" in the subject line within the time allowed by your state's law. We will review the appeal and respond within the period required by the applicable law (generally 45 or 60 days), explaining the action we have taken or declined to take and the reasons for our decision. Where your state's law provides for it, we will also tell you how to submit a complaint to your state Attorney General. (If you are in the EEA, the United Kingdom, or Switzerland, the equivalent escalation route is the right to lodge a complaint with a supervisory authority described in Section 9.5.)


13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

13.1 How We Notify You

| Type of Change | Notification Method |
| --- | --- |
| Material changes (new data categories, new processors, changes to legal basis, changes to your rights) | Email notification to your registered email address at least 30 days before the changes take effect, plus a prominent notice on our website |
| Non-material changes (clarifications, formatting, updated contact details) | Updated "Last Updated" date on this page |

13.2 Your Options

If you disagree with a material change, you may close your account before the change takes effect. Continued use of our service after the effective date of a material change constitutes acceptance of the updated Privacy Policy.


14. Data Security

We maintain technical and organizational measures appropriate to the risk, designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, consistent with Art. 32 GDPR. These measures include, depending on the nature of the data and the processing:

| Measure | Description |
| --- | --- |
| Encryption in transit | Personal data is encrypted in transit using TLS. |
| Encryption at rest | Personal data stored by our infrastructure providers is encrypted at rest. |
| Access controls | Role-based, least-privilege access controls limit access to personal data to those who need it; administrative access is restricted. |
| Credential protection | Account passwords are stored using salted, hashed values; we never store passwords in plaintext. Single sign-on via Google or Microsoft is supported. |
| Security and network monitoring | We log and monitor security-relevant events to detect and investigate potential incidents. |
| Certified infrastructure | We build on established infrastructure providers — Vercel (hosting and edge delivery), Supabase with data hosted in the EU (Ireland, AWS eu-west-1), and Stripe (PCI DSS Level 1) — that maintain their own security programs. |
| Dependency and vulnerability monitoring | We perform periodic monitoring of our software dependencies and known vulnerabilities and apply security updates on a risk-prioritized basis. |
| Data minimization | We collect and retain only the personal data necessary for the purposes described in this Privacy Policy (see Section 7). |

We do not currently hold a SOC 2 or ISO 27001 certification, and formal independent penetration testing is on our security roadmap rather than a current practice; we will update this section as our security program matures.

Despite these measures, no method of transmission over the internet or method of electronic storage is completely secure, and we cannot guarantee absolute security. If you have reason to believe that your interaction with us is no longer secure, please contact us at privacy@passportcraft.com.


15. Data Breach Notification

If a personal data breach occurs, we will respond in accordance with our obligations under the GDPR and other applicable law.

  • As a Data Controller (for the personal data described in Section 1.1 that we process for our own purposes), where a breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will notify those individuals without undue delay. Where required, we will also notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Art. 33 and Art. 34 GDPR.
  • As a Data Processor (for customer DPP data, as described in Section 1.1), where we become aware of a breach affecting personal data we process on behalf of a customer, we will notify the affected customer (the controller) without undue delay and, where feasible, within 72 hours of becoming aware, so that the customer can meet its own notification obligations. The specifics of this processor-side commitment are set out in the Data Processing Agreement (DPA) agreed with each customer.

These timeframes reflect the statutory standards under the GDPR (notification to affected individuals "without undue delay"; to a supervisory authority or affected customer "without undue delay and, where feasible, within 72 hours" of becoming aware). The specific terms of our processor-side commitment are set out in Article 9 of the DPA, which governs.


16. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your personal data, please contact us:

| Contact Method | Details |
| --- | --- |
| Data Protection Inquiries | privacy@passportcraft.com |
| General Inquiries | hello@passportcraft.com |
| Postal Address | PassportCraft LLC, 418 Broadway, Ste N, Albany, NY 12207, USA |
| EU / UK Representative | DataRep (Data Protection Representative Limited) — our appointed representative under Art. 27 EU GDPR (EEA) and the UK GDPR / Data Protection Act 2018 (UK). Contact details below. |

Contacting our EU/UK Representative (DataRep). If you are located in the EEA or the UK, you may contact our appointed Data Protection Representative, Data Protection Representative Limited (trading as DataRep), about our processing of your personal data:

  • by email at datarequest@datarep.com, quoting "PassportCraft LLC" in the subject line;
  • via the online request form at www.datarep.com/data-request; or
  • by post to "DataRep" at any of its local offices across the EEA and the UK (registered office: 77 Camden Street Lower, Dublin D02 XE80, Ireland). Please mark all correspondence for the attention of DataRep, not PassportCraft LLC, or it may not reach them.

For questions about the PassportCraft product or your account, please contact us directly at privacy@passportcraft.com rather than DataRep.

PassportCraft is not required to appoint a Data Protection Officer (DPO) under Article 37 GDPR and has not appointed one; our designated contact for all data protection matters is our privacy team at privacy@passportcraft.com.

We aim to resolve all data protection inquiries within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority (see Section 9.5).


Appendix A: Glossary

| Term | Definition |
| --- | --- |
| Data Controller | The entity that determines the purposes and means of processing personal data. |
| Data Processor | The entity that processes personal data on behalf of a Data Controller. |
| DPA | Data Processing Agreement — a contract governing how a processor handles data on behalf of a controller. |
| DPP | Digital Product Passport — a structured dataset containing sustainability and compliance information about a product, as defined under the EU ESPR. |
| EEA | European Economic Area — the EU Member States plus Iceland, Liechtenstein, and Norway. |
| ESPR | Ecodesign for Sustainable Products Regulation — EU Regulation 2024/1781. |
| GDPR | General Data Protection Regulation — EU Regulation 2016/679. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| SCCs | Standard Contractual Clauses — pre-approved contractual terms for transferring personal data outside the EEA. |
| Sub-Processor | A third-party processor engaged by a processor (PassportCraft) to process personal data on behalf of the controller (customer). |