SetraPass
GDPR compliant

Privacy Policy

Last updated: 27th June 2026

1. Introduction

This Privacy Policy explains how SetraPass (“we”, “us”, “our”) collects, uses, and protects personal data when you use our Digital Product Passport (DPP) platform and website. We are committed to processing personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”).

2. Data Controller

SetraPass

3. Our Role: Controller and Processor

Because SetraPass is a DPP platform, our role under the GDPR depends on the data in question:

  • As a controller — for account and identity data of Economic Operators, their team members, and people who contact us (for example, registration details and contact-form submissions).
  • As a processor — for the product data that Economic Operators enter into their Digital Product Passports. The Economic Operator is the controller of that content and decides what is published. This processing is governed by a Data Processing Agreement (DPA).

Note that certain DPP fields are public by design to meet the transparency requirements of the EU Ecodesign for Sustainable Products Regulation (ESPR). Operators should avoid placing personal data in public passport fields.

4. Personal Data We Collect

  • Account data: name, work email, password (hashed), company details, and role.
  • Contact / lead data: name, email, company, country, and the message you send us.
  • Usage and technical data: log data, IP address, device/browser information, and diagnostic data used to operate and secure the service.
  • Communications: records of your correspondence with our support team.

6. Sub-processors and Recipients

We share personal data only with service providers that help us run the platform, under appropriate data-processing agreements. Our current sub-processors are:

ProviderPurposeLocation
SupabaseDatabase, authentication, and file storageEU (Frankfurt, Germany)
VercelApplication hosting and content deliveryEU region
SentryError monitoring and performance diagnosticsEU region
[Email/SMTP provider]Transactional and notification emails[EU region]

7. International Data Transfers

We host and process personal data within the European Union (our primary database and storage are located in Frankfurt, Germany). Where any transfer outside the European Economic Area is necessary, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.

8. Data Retention

We keep personal data only for as long as necessary for the purposes described above:

  • Account data: for the life of the account and then [retention period, e.g. 30–90 days] after closure.
  • Lead / contact data: [retention period, e.g. up to 24 months] unless you ask us to delete it sooner.
  • Logs and diagnostics: [retention period, e.g. up to 12 months].

9. Your Rights

Subject to the conditions in the GDPR, you have the following rights:

  • Access: Obtain a copy of the personal data we hold about you.
  • Rectification: Correct inaccurate or incomplete data.
  • Erasure: Request deletion of your data (“right to be forgotten”).
  • Restriction: Limit how we process your data in certain cases.
  • Portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Withdraw consent at any time, without affecting prior processing.

To exercise any of these rights, contact us at privacy@setrapass.com. You also have the right to lodge a complaint with your local data protection supervisory authority.

10. Data Security

We apply appropriate technical and organisational measures to protect personal data, including encryption in transit, row-level security and access controls, hashed credentials, and audit logging. No method of transmission or storage is completely secure, but we work to protect your data and review our measures regularly.

11. Cookies and Similar Technologies

We use strictly necessary cookies to operate the platform (for example, to keep you signed in).

12. Automated Decision-Making

We do not make decisions producing legal or similarly significant effects based solely on automated processing, including profiling.

13. Children

The platform is intended for businesses and is not directed at children. We do not knowingly collect personal data from children.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version here and revise the “Last updated” date above. Material changes will be communicated where required.

15. Contact Us

For any questions about this Privacy Policy or how we handle your data, contact us at privacy@setrapass.com or via our contact page.