Privacy Policy

This policy explains what data TracePath collects, why we collect it, and how we protect it — in full compliance with the EU General Data Protection Regulation (GDPR).

Effective: January 2025
Regulation: GDPR (EU) 2016/679
Controller: TracePath Technologies

Section 1

Who We Are

TracePath Technologies is a B2B SaaS provider of Digital Product Passport (DPP) infrastructure. We are a Data Processor under GDPR. Our customers (brands) are the Data Controllers responsible for the personal data they input into the platform.
No Consumer Data Collection: TracePath does not collect personal data from consumers who scan QR codes. Public passport pages contain only product data declared by the brand — no tracking, no cookies, no analytics on consumer scans beyond a GDPR-safe aggregate scan count.
Section 2

Data We Collect

Account Registration Data
When you create an account: your name, company name, work email address, industry sector, and chosen password (stored as a bcrypt hash — never in plain text).
Audit Log Data (Legal Basis: ESPR)
At the moment of account creation and each DPP publication, TracePath records your IP address, precise timestamp, and the version of the Terms & Conditions accepted. This is required for legal defensibility under GDPR Art. 6(1)(f) and ESPR traceability requirements.
Product & Supplier Data
Data you enter about your products, supply chain, and factories. This is B2B business data — not personal data — and is your responsibility as Data Controller.
Payment Data
Billing is processed by Paddle. TracePath does not store card numbers or full payment details. We receive only subscription status and invoice references.
Section 3

How We Use Your Data

Service Delivery
To create and manage your workspace, authenticate your sessions, render your DPP pages, and generate QR codes.
Legal Compliance & Audit Integrity
To maintain audit logs of T&C acceptance and DPP publication events as required by ESPR and GDPR accountability principles.
Communications
To send transactional emails (email verification, subscription invoices). Marketing emails only if you have opted in via our newsletter.
Section 4

Legal Basis for Processing

Contract (Art. 6(1)(b))
Processing necessary to deliver the SaaS service you signed up for.
Legitimate Interest (Art. 6(1)(f))
Recording IP address and timestamp at T&C acceptance and DPP publication for legal defensibility.
Consent (Art. 6(1)(a))
Newsletter subscription — only for users who have explicitly opted in. You may unsubscribe at any time.
Section 5

Data Retention

Active Account Data
Retained for the duration of your subscription plus a 30-day grace period after termination for final data export.
Audit Logs (T&C Acceptance & Publications)
Retained for 10 years to match ESPR traceability requirements, even after account closure.
Deleted Account Data
After the 30-day grace period, product and supplier data is permanently deleted. Only minimal audit logs are retained as described above.
Section 6

Your Rights Under GDPR

As a data subject, you have the following rights. To exercise any of these, contact us at the address below.
🔍 Right of Access
Request a copy of all personal data we hold about you.
✏️ Right to Rectification
Correct inaccurate or incomplete personal data.
🗑️ Right to Erasure
Request deletion of your data (subject to legal retention obligations).
📥 Data Portability
Export your data in machine-readable JSON format at any time.
⛔ Right to Object
Object to processing based on legitimate interest.
🔒 Right to Restrict
Request restriction of processing in certain circumstances.
Section 7

Data Security

Encryption
All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Passwords are hashed using bcrypt — never stored in plain text.
No Cookies on Public Pages
Public DPP pages (accessible by consumers scanning QR codes) do not set any cookies and do not use tracking scripts. No cookie banner or consent is required for those pages.
Section 8

Third-Party Sub-Processors

Paddle (Billing)
Subscription management and payment processing. Paddle acts as Merchant of Record. See Paddle Privacy Policy.
Email Service
Transactional emails (verification, invoices) are sent via our email infrastructure. We do not share your email with marketing platforms without explicit consent.
No Analytics or Advertising
TracePath does not use Google Analytics, Facebook Pixel, or any advertising tracking technologies.