隐私政策
最后更新:2026-02-08
PassportCraft LLC Effective Date: February 8, 2026 Last Updated: March 2, 2026
1. Who We Are
PassportCraft LLC ("PassportCraft," "we," "us," or "our") is a Delaware, USA limited liability company that operates a Software-as-a-Service (SaaS) platform for creating and hosting Digital Product Passports (DPPs) under the EU Ecodesign for Sustainable Products Regulation (ESPR).
| Detail | Information |
|---|---|
| Entity | PassportCraft LLC |
| Registered Address | [PLACEHOLDER — Delaware registered address] |
| Website | https://passportcraft.com |
| Primary Contact | hello@passportcraft.com |
| Data Protection Contact | privacy@passportcraft.com |
| EU Representative | [PLACEHOLDER — An EU-based representative will be designated pursuant to Art. 27 GDPR before commercial launch. Contact details will be published here once appointed.] |
1.1 Our Role in Data Processing
PassportCraft acts in two distinct data-processing capacities:
- Data Controller — for personal data we collect and process for our own purposes, including website analytics, marketing, account management, billing, and customer support.
- Data Processor — for personal data our customers upload to the platform as part of their Digital Product Passports (e.g., product specifications, supplier information, compliance documentation). In this capacity, we process data solely on our customers' instructions and in accordance with a separate Data Processing Agreement (DPA).
This Privacy Policy primarily addresses our activities as a Data Controller. Our processing activities as a Data Processor are governed by the DPA agreed with each customer.
2. What Data We Collect
We collect and process the following categories of personal data:
2.1 Account Data
Data you provide when creating an account or contacting us.
| Data Element | Examples |
|---|---|
| Identity information | Full name, job title |
| Contact information | Email address, phone number |
| Company information | Company name, company address, VAT number |
| Account credentials | Email, hashed password |
| Billing information | Billing address, billing contact |
2.2 Product and DPP Data (Processed as Data Processor)
Data our customers upload to create Digital Product Passports. This may include:
| Data Element | Examples |
|---|---|
| Product specifications | Materials, composition, origin, certifications |
| Supplier information | Supplier names, contact details, facility addresses |
| Compliance documentation | Test reports, certificates, audit records |
Important: We process this data solely as a Data Processor on behalf of our customers. Our customers are the Data Controllers for their DPP data and are responsible for ensuring they have a lawful basis to share any personal data contained within it. We do not use DPP data for our own purposes.
Special categories of data: We do not collect or process special categories of personal data as defined under Art. 9 GDPR (e.g., health data, biometric data, racial or ethnic origin, political opinions, religious beliefs). Customers are prohibited from uploading special category data to the platform.
2.3 Usage Data
Data collected automatically when you use our website or platform.
| Data Element | Examples |
|---|---|
| Device information | Browser type and version, operating system, device type |
| Connection data | IP address (anonymized where technically feasible), ISP |
| Interaction data | Pages visited, features used, click patterns, session duration |
| Referral data | Referring URL, search terms, campaign parameters |
2.4 Communication Data
Data generated through your interactions with us.
| Data Element | Examples |
|---|---|
| Support inquiries | Tickets, chat messages, support emails |
| Correspondence | Emails, contact form submissions |
| Feedback | Surveys, product feedback, feature requests |
2.5 Payment Data
Data required for processing payments.
| Data Element | Examples |
|---|---|
| Transaction data | Invoice amounts, payment dates, subscription tier |
| Payment method metadata | Card type, last four digits, expiration date |
| Billing records | Invoices, receipts, credit notes |
Important: We do not store full credit card numbers, CVVs, or other sensitive payment credentials. All payment processing is handled by our payment processor, Stripe, which is certified PCI DSS Level 1.
2.6 Website Visitor Data
Data collected from visitors to passportcraft.com who may not have an account.
| Data Element | Examples |
|---|---|
| Cookie data | See our Cookie Policy for details |
| Newsletter subscription | Email address |
| Form submissions | Name, email, company name (from contact or readiness checker forms) |
| Technical data | IP address, browser fingerprint characteristics |
3. Legal Basis for Processing (GDPR Art. 6)
We process personal data only where we have a valid legal basis under the General Data Protection Regulation (GDPR). The table below maps each processing activity to its legal basis.
3.1 Consent — Art. 6(1)(a)
| Processing Activity | Description |
|---|---|
| Newsletter and marketing emails | Sending product updates, regulatory news, and promotional content to subscribers |
| Non-essential cookies | Placing analytics and marketing cookies on your device (see Cookie Policy) |
| Analytics data collection | Collecting behavioral data via Google Analytics for product and content improvement |
| Webinar registration | Processing your data for webinar sign-ups and follow-up communications |
You may withdraw your consent at any time without affecting the lawfulness of processing that occurred before withdrawal. To withdraw consent, use the unsubscribe link in any marketing email, adjust your cookie preferences on our website, or contact privacy@passportcraft.com.
3.2 Performance of a Contract — Art. 6(1)(b)
| Processing Activity | Description |
|---|---|
| Account creation and management | Creating, maintaining, and administering your PassportCraft account |
| Service delivery | Providing access to the DPP platform and its features |
| Payment processing | Processing subscription payments and managing billing |
| Customer support | Responding to support requests, troubleshooting issues |
| Platform communications | Sending transactional emails (account confirmations, password resets, service notifications) |
3.3 Legal Obligation — Art. 6(1)(c)
| Processing Activity | Description |
|---|---|
| Tax and accounting records | Retaining invoices, payment records, and financial data as required by applicable tax law |
| Regulatory compliance | Responding to legally binding requests from courts, law enforcement, or regulatory authorities |
| Fraud prevention | Detecting and preventing fraudulent transactions as required under payment services regulations |
3.4 Legitimate Interest — Art. 6(1)(f)
| Processing Activity | Legitimate Interest | Balancing Consideration |
|---|---|---|
| Security monitoring | Protecting our platform, systems, and users from security threats | Minimal privacy impact; limited to technical metadata |
| Fraud detection and prevention | Safeguarding financial transactions and platform integrity | Processing limited to transactional patterns; no profiling |
| Service improvement | Analyzing aggregated usage patterns to improve features and performance | Data aggregated and anonymized where possible |
| Server log processing | Maintaining system reliability and diagnosing technical issues | Logs retained for a limited period (30 days) and access-restricted |
| Business analytics | Understanding platform usage at an aggregate level for business planning | Analysis performed on anonymized or aggregated data |
You have the right to object to processing based on legitimate interest at any time (see Section 9).
4. How We Use Your Data
We use the personal data we collect for the following purposes:
4.1 Providing and Operating Our Service
- Creating and managing your account
- Enabling you to create, edit, host, and share Digital Product Passports
- Generating and hosting QR codes linked to your DPP pages
- Processing your payments and managing your subscription
- Providing technical support and resolving service issues
4.2 Communicating with You
- Sending transactional emails about your account or service (e.g., payment confirmations, security alerts, feature changes)
- Responding to inquiries submitted through contact forms, email, or support channels
- Sending marketing communications and newsletter content (only with your consent)
4.3 Improving Our Service
- Analyzing aggregated usage data to understand how our platform is used
- Identifying technical issues and improving platform performance
- Developing new features based on usage patterns and feedback
- Conducting A/B testing for user interface improvements
4.4 Ensuring Security and Compliance
- Monitoring for unauthorized access, fraud, and security threats
- Maintaining server and application logs for incident investigation
- Complying with legal and regulatory obligations
- Enforcing our Terms of Service
4.5 Marketing and Business Development
- Sending newsletter updates about ESPR regulations, DPP compliance, and product news (consent-based only)
- Analyzing website traffic sources and marketing campaign performance (consent-based only)
5. Data Sharing and Processors
We do not sell personal data. We share personal data only with the categories of recipients and specific processors described below, and only to the extent necessary for the stated purposes.
5.1 Sub-Processors
The following third-party service providers process personal data on our behalf:
| Processor | Purpose | Data Processed | Location | Transfer Safeguard |
|---|---|---|---|---|
| Vercel Inc. | Website and platform hosting, edge delivery, serverless functions | All platform data in transit and at rest, server logs, IP addresses | USA (San Francisco) / global edge network | EU-US Data Privacy Framework (DPF); Standard Contractual Clauses (SCCs) |
| Resend Inc. | Transactional and marketing email delivery | Email addresses, names, email content | USA | Standard Contractual Clauses (SCCs) |
| Google LLC | Product and website analytics | Anonymized usage data, device info, interaction events, IP address (anonymized) | USA | EU-US Data Privacy Framework (DPF); Standard Contractual Clauses (SCCs) |
| Supabase Inc. | Database hosting, user authentication, file storage | Account data, DPP data, authentication tokens, uploaded files | USA (company) — data hosted in EU region (Frankfurt, Germany) | Data stored in EU; Standard Contractual Clauses (SCCs) for company access |
| Stripe Inc. | Payment processing (PCI DSS Level 1 certified) | Payment method metadata, billing information, transaction records | USA / Ireland | EU-US Data Privacy Framework (DPF); Standard Contractual Clauses (SCCs); Irish entity for EU operations |
5.2 Other Recipients
We may share personal data with the following categories of recipients:
| Recipient Category | Purpose | Legal Basis |
|---|---|---|
| Law enforcement and government authorities | Responding to legally binding requests (subpoenas, court orders) | Art. 6(1)(c) — legal obligation |
| Professional advisors | Legal, accounting, and tax advisory services | Art. 6(1)(f) — legitimate interest |
| Business successors | In connection with a merger, acquisition, or asset sale (you would be notified) | Art. 6(1)(f) — legitimate interest |
We will never share your personal data with third parties for their own marketing purposes.
5.3 Sub-Processor Changes
We maintain a current list of sub-processors on our website. We will notify customers of any new sub-processors at least 30 days before they begin processing personal data, giving customers the opportunity to object.
6. International Data Transfers
PassportCraft is based in the United States. When you use our service from the European Economic Area (EEA), the United Kingdom, or Switzerland, your personal data may be transferred to countries outside these regions.
6.1 Transfer Mechanisms
We rely on the following legal mechanisms to ensure an adequate level of data protection for international transfers:
| Mechanism | Description |
|---|---|
| EU-US Data Privacy Framework (DPF) | Where our processors are certified under the DPF, we rely on this adequacy decision (adopted by the European Commission on 10 July 2023) as the primary transfer mechanism. |
| Standard Contractual Clauses (SCCs) | We execute the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with all processors that receive personal data outside the EEA and are not covered by an adequacy decision. |
| Supplementary Measures | Where required by the risk assessment, we implement supplementary technical and organizational measures, including encryption in transit and at rest, access controls, and data minimization. |
6.2 Data Hosting
For our SaaS platform (Phase 2 onward), customer DPP data is hosted in the EU region (Frankfurt, Germany) via Supabase's EU infrastructure. Website visitor data processed through analytics and hosting providers may be transferred to the USA under the safeguards described above.
6.3 Transfer Impact Assessments
We conduct Transfer Impact Assessments (TIAs) for all data transfers to countries not covered by an EU adequacy decision, in line with EDPB Recommendations 01/2020. You may request a copy of the relevant TIA by contacting privacy@passportcraft.com.
7. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. The table below sets out our specific retention periods.
| Data Category | Retention Period | Justification |
|---|---|---|
| Account data (name, email, company, credentials) | Duration of active account + 30 days after account deletion | Necessary for service delivery; 30-day buffer allows account recovery and final data export |
| DPP data (product specs, supplier info, compliance docs) | Duration of active subscription + 30-day export window after termination | Customers need time to export their data; deleted after export window closes |
| Payment and billing records (invoices, transaction records, receipts) | 7 years from end of fiscal year in which transaction occurred | Required by US tax law (IRS), EU VAT Directive (2006/112/EC), and applicable accounting regulations |
| Analytics data (usage events, interaction data) | 12 months from collection | Sufficient for trend analysis and service improvement; automatically purged |
| Server and application logs (access logs, error logs, IP addresses) | 30 days | Necessary for security monitoring, incident investigation, and performance diagnostics |
| Newsletter and marketing data (email address, preferences) | Until unsubscribe or consent withdrawal | Deleted within 30 days of unsubscribe request |
| Support communications (tickets, emails, chat transcripts) | 3 years from resolution | Retained for quality assurance, dispute resolution, and pattern analysis |
| Contact form submissions | 12 months from submission | Retained to follow up on inquiries and measure response quality |
| Cookie data | See Cookie Policy | Varies by cookie type |
7.1 Deletion Process
When a retention period expires or you request deletion:
- Active data is deleted or anonymized within 30 days.
- Data in backups is overwritten through the normal backup rotation cycle, which does not exceed 90 days.
- We may retain anonymized, aggregated data indefinitely for statistical purposes, provided it cannot be used to identify any individual.
7.2 Legal Holds
Retention periods may be extended if we are required to preserve data due to pending or anticipated litigation, regulatory investigation, or a valid legal hold request.
8. Cookies and Tracking Technologies
We use cookies and similar technologies on our website. For full details about the cookies we use, their purposes, and how to manage your preferences, please see our Cookie Policy.
In summary:
- Essential cookies are required for the website to function and cannot be disabled.
- Analytics cookies (Google Analytics) are set by default to help us understand how visitors use our site. You can decline them via the cookie consent banner.
- Marketing cookies are only placed with your consent and help us measure the effectiveness of our marketing efforts.
You can manage your cookie preferences at any time through the cookie settings panel accessible from any page of our website.
9. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights regarding your personal data under the General Data Protection Regulation (GDPR) and equivalent local laws.
| Right | GDPR Article | Description |
|---|---|---|
| Right of Access | Art. 15 | You have the right to request a copy of the personal data we hold about you, along with information about how we process it. |
| Right to Rectification | Art. 16 | You have the right to request correction of inaccurate personal data or completion of incomplete data. |
| Right to Erasure ("Right to be Forgotten") | Art. 17 | You have the right to request deletion of your personal data where there is no compelling reason for us to continue processing it. |
| Right to Restriction of Processing | Art. 18 | You have the right to request that we restrict processing of your data in certain circumstances (e.g., while we verify accuracy). |
| Right to Data Portability | Art. 20 | You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and to transmit it to another controller. |
| Right to Object | Art. 21 | You have the right to object to processing based on legitimate interest (Art. 6(1)(f)). We will cease processing unless we can demonstrate compelling legitimate grounds. You have an absolute right to object to direct marketing. |
| Right to Withdraw Consent | Art. 7(3) | Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing performed before withdrawal. |
| Right Not to be Subject to Automated Decision-Making | Art. 22 | See Section 11 below. |
9.1 How to Exercise Your Rights
To exercise any of your rights, contact us at:
- Email: privacy@passportcraft.com
- Subject line: Include "Data Subject Request" and the specific right you wish to exercise.
9.2 Verification
We may need to verify your identity before processing your request. We will ask you to confirm information we already hold to authenticate your request without collecting additional personal data.
9.3 Response Time
We will respond to your request within 30 days of receipt. If your request is complex or we receive a high volume of requests, we may extend this period by an additional 60 days. We will inform you of any extension and the reasons for it within the initial 30-day period.
9.4 Fees
We process data subject requests free of charge. If requests are manifestly unfounded or excessive (particularly if repetitive), we may charge a reasonable fee based on administrative costs or refuse the request, providing our reasons.
9.5 Right to Lodge a Complaint
If you are not satisfied with our response or believe we are processing your data unlawfully, you have the right to lodge a complaint with a supervisory authority. You may complain to the supervisory authority in your EU/EEA Member State of residence, your place of work, or the place of the alleged infringement.
A list of EU/EEA supervisory authorities is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en
10. Children's Privacy
Our service is directed at businesses and professionals. We do not knowingly collect or solicit personal data from anyone under the age of 18. If you are under 18, do not use our service or provide any personal data to us. If we become aware that we have collected personal data from a child under 18, we will delete that information promptly. If you believe we have collected data from a child under 18, please contact us at privacy@passportcraft.com.
11. Automated Decision-Making and Profiling
We do not use automated decision-making or profiling that produces legal effects or similarly significantly affects you, as described in Art. 22 GDPR. All decisions that may affect your account, service access, or contractual relationship are made by humans.
12. California Privacy Rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with specific rights regarding your personal information.
12.1 Categories of Personal Information
We collect the categories of personal information described in Section 2 of this Privacy Policy. In the preceding 12 months, we have collected the following CCPA categories:
| CCPA Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email, IP address, account ID | Yes |
| Commercial information | Subscription records, billing history | Yes |
| Internet or electronic network activity | Browsing history, interaction data, search history | Yes |
| Professional or employment-related information | Job title, company name | Yes |
| Geolocation data | IP-based approximate location | Yes |
12.2 Your California Rights
| Right | Description |
|---|---|
| Right to Know | You can request the categories and specific pieces of personal information we have collected about you. |
| Right to Delete | You can request deletion of personal information we have collected from you, subject to certain exceptions. |
| Right to Correct | You can request correction of inaccurate personal information. |
| Right to Opt-Out of Sale/Sharing | We do not sell or share (as defined by CCPA) your personal information. No opt-out is necessary. |
| Right to Non-Discrimination | We will not discriminate against you for exercising your privacy rights. |
12.3 How to Exercise Your California Rights
Submit requests to privacy@passportcraft.com with the subject line "California Privacy Request." We will verify your identity and respond within 45 days.
12.4 Do Not Sell or Share
We do not sell personal information. We do not share personal information for cross-context behavioral advertising as defined under the CCPA/CPRA.
12.5 Authorized Agent
You may designate an authorized agent to submit requests on your behalf. We will require the agent to provide proof of written authorization and may require you to verify your identity directly.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
13.1 How We Notify You
| Type of Change | Notification Method |
|---|---|
| Material changes (new data categories, new processors, changes to legal basis, changes to your rights) | Email notification to your registered email address at least 30 days before the changes take effect, plus a prominent notice on our website |
| Non-material changes (clarifications, formatting, updated contact details) | Updated "Last Updated" date on this page |
13.2 Your Options
If you disagree with a material change, you may close your account before the change takes effect. Continued use of our service after the effective date of a material change constitutes acceptance of the updated Privacy Policy.
14. Contact Us
If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how we handle your personal data, please contact us:
| Contact Method | Details |
|---|---|
| Data Protection Inquiries | privacy@passportcraft.com |
| General Inquiries | hello@passportcraft.com |
| Postal Address | PassportCraft LLC, [PLACEHOLDER — registered address] |
| EU Representative | [PLACEHOLDER — to be appointed pursuant to Art. 27 GDPR] |
We aim to resolve all data protection inquiries within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority (see Section 9.5).
Appendix A: Glossary
| Term | Definition |
|---|---|
| Data Controller | The entity that determines the purposes and means of processing personal data. |
| Data Processor | The entity that processes personal data on behalf of a Data Controller. |
| DPA | Data Processing Agreement — a contract governing how a processor handles data on behalf of a controller. |
| DPP | Digital Product Passport — a structured dataset containing sustainability and compliance information about a product, as defined under the EU ESPR. |
| EEA | European Economic Area — the EU Member States plus Iceland, Liechtenstein, and Norway. |
| ESPR | Ecodesign for Sustainable Products Regulation — EU Regulation 2024/1781. |
| GDPR | General Data Protection Regulation — EU Regulation 2016/679. |
| Personal Data | Any information relating to an identified or identifiable natural person. |
| SCCs | Standard Contractual Clauses — pre-approved contractual terms for transferring personal data outside the EEA. |
| Sub-Processor | A third-party processor engaged by a processor (PassportCraft) to process personal data on behalf of the controller (customer). |