Privacy Policy
Last updated: 27th June 2026
1. Introduction
This Privacy Policy explains how SetraPass (“we”, “us”, “our”) collects, uses, and protects personal data when you use our Digital Product Passport (DPP) platform and website. We are committed to processing personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”).
2. Data Controller
SetraPass
3. Our Role: Controller and Processor
Because SetraPass is a DPP platform, our role under the GDPR depends on the data in question:
- As a controller — for account and identity data of Economic Operators, their team members, and people who contact us (for example, registration details and contact-form submissions).
- As a processor — for the product data that Economic Operators enter into their Digital Product Passports. The Economic Operator is the controller of that content and decides what is published. This processing is governed by a Data Processing Agreement (DPA).
Note that certain DPP fields are public by design to meet the transparency requirements of the EU Ecodesign for Sustainable Products Regulation (ESPR). Operators should avoid placing personal data in public passport fields.
4. Personal Data We Collect
- Account data: name, work email, password (hashed), company details, and role.
- Contact / lead data: name, email, company, country, and the message you send us.
- Usage and technical data: log data, IP address, device/browser information, and diagnostic data used to operate and secure the service.
- Communications: records of your correspondence with our support team.
5. Purposes and Legal Bases (Art. 6 GDPR)
- Provide the service — performance of a contract (Art. 6(1)(b)).
- Respond to enquiries / leads — legitimate interests or steps prior to a contract (Art. 6(1)(f) / (b)).
- Security, fraud prevention, and service improvement — legitimate interests (Art. 6(1)(f)).
- Legal and regulatory compliance — legal obligation (Art. 6(1)(c)).
- Marketing communications (where applicable) — consent (Art. 6(1)(a)).
6. Sub-processors and Recipients
We share personal data only with service providers that help us run the platform, under appropriate data-processing agreements. Our current sub-processors are:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, and file storage | EU (Frankfurt, Germany) |
| Vercel | Application hosting and content delivery | EU region |
| Sentry | Error monitoring and performance diagnostics | EU region |
| [Email/SMTP provider] | Transactional and notification emails | [EU region] |
7. International Data Transfers
We host and process personal data within the European Union (our primary database and storage are located in Frankfurt, Germany). Where any transfer outside the European Economic Area is necessary, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.
8. Data Retention
We keep personal data only for as long as necessary for the purposes described above:
- Account data: for the life of the account and then [retention period, e.g. 30–90 days] after closure.
- Lead / contact data: [retention period, e.g. up to 24 months] unless you ask us to delete it sooner.
- Logs and diagnostics: [retention period, e.g. up to 12 months].
9. Your Rights
Subject to the conditions in the GDPR, you have the following rights:
- Access: Obtain a copy of the personal data we hold about you.
- Rectification: Correct inaccurate or incomplete data.
- Erasure: Request deletion of your data (“right to be forgotten”).
- Restriction: Limit how we process your data in certain cases.
- Portability: Receive your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Withdraw consent at any time, without affecting prior processing.
To exercise any of these rights, contact us at privacy@setrapass.com. You also have the right to lodge a complaint with your local data protection supervisory authority.
10. Data Security
We apply appropriate technical and organisational measures to protect personal data, including encryption in transit, row-level security and access controls, hashed credentials, and audit logging. No method of transmission or storage is completely secure, but we work to protect your data and review our measures regularly.
12. Automated Decision-Making
We do not make decisions producing legal or similarly significant effects based solely on automated processing, including profiling.
13. Children
The platform is intended for businesses and is not directed at children. We do not knowingly collect personal data from children.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will post the updated version here and revise the “Last updated” date above. Material changes will be communicated where required.
15. Contact Us
For any questions about this Privacy Policy or how we handle your data, contact us at privacy@setrapass.com or via our contact page.
