Privacy.

1 · Who we are

The data controller is Digikamu Oy, Helsinki, Finland. Contact: open the chat assistant in the corner of any page and click Email us; the message reaches us directly. We don't have a separate DPO; for GDPR requests, the founder is the contact point.

2 · What data we collect

We try to collect as little as possible. The categories below are everything we collect today.

• Account data — email address, hashed password (or magic-link tokens), and a workspace name when you sign up.
• Workspace data — company name, business ID, country, optional VAT/EORI, optional public contact and registered address. These appear on your public passport pages when you choose to publish.
• Product / passport data — the product names, materials, photos, and other ESPR fields you enter. This is published only when you set a passport to Active.
• Scan data — aggregate, anonymous scan counts on your published passports (country-level, no IP storage, no cookies). Used to show you weekly scan totals.
• Billing data — handled entirely by Stripe. We store only the Stripe customer ID and subscription state; we never see or store card details.
• Operational logs — Vercel keeps short-lived access logs for security and reliability. Sentry stores application errors (no request bodies). Both retain data for 30–90 days.

3 · What we don't collect

• No advertising cookies. No third-party trackers.
• No Google Analytics, no Meta pixel, no LinkedIn insight tag.
• No reading of your inbox, files, or anything outside the app.
• No sale of personal data to anyone — ever. (We don't even have a business model that would let us.)

4 · Where it's stored

Your data does not leave the EU.

• Database & file storage: Supabase, Frankfurt (Germany).
• Web hosting & edge: Vercel, EU regions.
• Transactional email: Resend, EU.
• Error tracking: Sentry. (Sentry stores logs in the US; we strip request bodies and PII before sending. If you prefer not to have errors logged at all, email us and we can disable it for your account.)
• Billing: Stripe (Ireland).
• AI assistance: Anthropic. When you use the AI-fill flow, the text or image you provided is sent to Anthropic's API (US-hosted) to generate the draft. Anthropic does not train on API traffic. We don't send your data to Anthropic outside that explicit feature use.

5 · Cookies

We use only strictly necessary cookies — the session cookie that keeps you logged in, and a CSRF protection cookie. No analytics cookies. No advertising cookies. Vercel Web Analytics is cookieless. Because we use only strictly necessary cookies, no consent banner is required under the ePrivacy Directive.

6 · Legal basis for processing

• Contract (GDPR Art. 6(1)(b)) — account data, workspace data, product data are processed to deliver the service you signed up for.
• Legal obligation (Art. 6(1)(c)) — billing records retained for Finnish accounting law (6 years).
• Legitimate interest (Art. 6(1)(f)) — operational logs and error tracking, narrowly scoped, to keep the service available and secure.

7 · How long we keep it

• Account & workspace data: while your account is active and for 30 days after deletion (recoverable on request).
• Passport data: kept while the passport is Active, Pending, or Inactive (in the grace window). Deleting a passport removes it from the database and storage immediately.
• Billing records: 6 years (Finnish accounting law).
• Operational logs: 30–90 days, then automatically purged by the provider.

8 · Your rights under GDPR

You can ask us to:

• Access — a copy of the data we hold about you.
• Rectify — fix anything that's wrong.
• Erase — delete your data (subject to retention obligations above).
• Restrict — pause processing while a complaint is resolved.
• Object — to processing based on legitimate interest.
• Portability — receive your data in a structured, machine-readable format.

Open the chat assistant on any productpasses.com page and click Email us to send your request through to the team. We respond within 30 days. If you're not satisfied, you can lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi) or your local supervisory authority.

9 · Public passport data

Anything you publish on a passport page (product details, materials, your company name as a maker) becomes public at productpasses.com/p/<slug>. That's the point — DPP is about consumer-visible traceability. Deactivating a passport ends public visibility within the grace window; deleting it removes the data entirely.

10 · Children

productpasses.com is a business tool. We don't knowingly create accounts for anyone under 16. If you believe a child has created an account, email us and we'll delete it.

11 · Changes

When we update this page meaningfully, we'll bump the “last updated” date and notify existing customers by email. Cosmetic edits don't trigger a notification.

12 · Plain-English summary

We collect what we need to run your account. We store it in the EU. We don't sell it, don't track you across the web, don't set advertising cookies. You can delete your data whenever you want. Questions: ask the chat assistant on any page; if the bot can't answer, “Email us” in the chat routes to a human.