PASSR PRIVACY POLICY
Last updated: June 2026 Version: 1.0
1. Introduction and Data Controller Identity
This Privacy Policy explains how Passr (“Passr”, “we”, “us”, “our”), operated by Hisako Technologies OÜ, collects, uses, stores, and protects your personal data when you use our website at passr.eu and our platform at app.passr.eu (collectively, the “Service”).
We take your privacy seriously. This policy is written in plain language so you understand exactly what happens to your data.
Data Controller: Hisako Technologies OÜ Operating as: Passr Website: passr.eu Contact: privacy@passr.eu
EU Representative: As a company providing services to EU residents, we are in the process of establishing our Estonian OÜ legal entity to serve as our EU legal representative. Until that registration is complete, you may contact us directly at privacy@passr.eu for any privacy-related matters. We will respond within 72 hours.
2. What Data We Collect and Why
We collect only the data we need to provide the Service. Here is a complete breakdown:
2.1 Account and Authentication Data
| Data | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Email address | Account creation, login, communications | Contract performance (Art. 6(1)(b) GDPR) | Duration of account + 30 days after deletion |
| Password (hashed, never stored in plain text) | Authentication | Contract performance | Duration of account |
| Account creation date and time | Security, audit log | Legitimate interest (Art. 6(1)(f) GDPR) | Duration of account + 30 days |
| Login history (timestamp, IP address) | Security, fraud prevention | Legitimate interest | 90 days |
2.2 Brand and Company Data
| Data | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Brand name | Service delivery | Contract performance | Duration of account + 30 days |
| VAT number | Legal compliance, invoicing | Legal obligation (Art. 6(1)(c) GDPR) | 7 years (tax law requirement) |
| Company logo | Platform personalisation | Contract performance | Duration of account + 30 days |
| Country of registration | Service delivery, tax calculation | Contract performance | Duration of account + 30 days |
2.3 Product and Compliance Data
| Data | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Product names, SKUs, GTINs | Service delivery | Contract performance | Duration of account + 30 days |
| Material composition data | Service delivery | Contract performance | Duration of account + 30 days |
| Supply chain origin data | Service delivery | Contract performance | Duration of account + 30 days |
| PFAS and chemical safety data | Service delivery | Contract performance | Duration of account + 30 days |
| Uploaded PDF certificates and lab reports | Service delivery | Contract performance | Duration of account + 30 days |
Note: Product and compliance data is business data, not personal data in most cases. However, where it contains information that could identify individuals (for example, a named contact at a supplier facility), it is treated as personal data and protected accordingly.
2.4 Team Member Data
| Data | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Team member email addresses | Access management, invitations | Contract performance | Duration of account + 30 days |
| Role assignments | Access control | Contract performance | Duration of account + 30 days |
| Invitation timestamps | Audit log | Legitimate interest | Duration of account + 30 days |
2.5 Passport Scan Event Data
When a consumer scans a public Digital Product Passport QR code at verify.passr.eu, we record:
| Data | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Timestamp of scan | Analytics reporting to brand | Legitimate interest | 24 months |
| Country derived from IP address (country-level only, not precise location) | Geographic analytics | Legitimate interest | 24 months |
| Device type (mobile/desktop, derived from user agent) | Analytics | Legitimate interest | 24 months |
We do not store the full IP address of consumers scanning passports. We extract the country and discard the IP immediately. We do not track individual consumers across multiple scans.
2.6 Billing and Payment Data
We use Dodo Payments as our payment processor and Merchant of Record. We do not store your payment card details on our systems.
| Data | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Subscription tier | Service delivery | Contract performance | Duration of account |
| Billing email | Invoicing | Contract performance + Legal obligation | 7 years |
| Invoice records | Legal compliance | Legal obligation | 7 years |
| Subscription status and history | Service management | Contract performance | Duration of account + 7 years |
2.7 Communications Data
| Data | Purpose | Legal Basis | Retention |
|---|---|---|---|
| Support emails sent to us | Responding to your request | Legitimate interest | 2 years |
| Waitlist email addresses | Communicating about access | Consent (Art. 6(1)(a) GDPR) | Until you unsubscribe or request deletion |
2.8 Website Analytics
We use Plausible Analytics, a privacy-first analytics tool, on passr.eu. Plausible does not use cookies, does not track individuals across sites, and does not collect personal data. It records only aggregate statistics such as page views and referrer sources. No consent is required for Plausible under GDPR because it does not process personal data.
We use Posthog (EU Cloud) for product analytics within the app.passr.eu application. Posthog may collect:
- Feature usage events (which parts of the application you use)
- Session information (not recording)
- Browser and device type
Posthog analytics within the app are subject to your consent choice during onboarding.
3. How We Use Your Data
We use your data only for the following purposes:
- Providing the Service: Processing your product compliance data, generating Digital Product Passports, providing the dashboard and all platform features
- Account management: Creating and maintaining your account, managing team access, processing subscription changes
- Communications: Sending transactional emails (compliance alerts, certificate expiry warnings, invoice receipts, account notifications). We do not send marketing emails without your explicit consent.
- Security: Detecting and preventing fraud, unauthorized access, and abuse
- Legal compliance: Meeting our obligations under GDPR, tax law, and applicable regulations
- Service improvement: Understanding how the platform is used in aggregate (never individual profiling) to improve features
What we do not do:
- We do not sell your data to any third party
- We do not use your compliance data to train AI models
- We do not share your data with competitors
- We do not use your data for advertising purposes
- We do not build profiles on individual consumers who scan passports
4. Who We Share Your Data With
We share your data only with the third-party service providers necessary to operate the platform. These are our sub-processors:
| Processor | Service | Location | Data Processed | Their Privacy Policy |
|---|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage | EU (Frankfurt, Germany) | All platform data | View Policy |
| Vercel Inc. | Hosting and content delivery | EU region (when configured) | Request logs, application code execution | View Policy |
| Resend Inc. | Transactional email delivery | United States (Standard Contractual Clauses apply) | Email addresses, email content | View Policy |
| Dodo Payments | Payment processing and Merchant of Record | — | Billing information | View Policy |
| Sentry | Error monitoring and logging | EU (when EU region selected) | Error logs, anonymised technical data | View Policy |
| Plausible Analytics | Website analytics | EU (Estonia) | Aggregate website statistics only (no personal data) | View Policy |
| Posthog | Product analytics | EU Cloud | Feature usage events | View Policy |
We require all sub-processors to:
- Process data only for the specific purpose we have engaged them for
- Maintain appropriate technical and organisational security measures
- Comply with GDPR requirements
- Not sub-process data without our written authorisation
We will notify you at least 30 days before adding any new sub-processor that processes your personal data.
For transfers of personal data outside the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Article 46(2)(c).
5. Data Security
We implement the following technical and organisational measures to protect your data:
Technical measures:
- All data transmitted between your browser and our servers is encrypted using TLS 1.3
- All data stored in our database is encrypted at rest using AES-256 encryption
- Database row-level security ensures that each brand can only access its own data — even a bug in our application code cannot expose one brand’s data to another
- Authentication uses short-lived JSON Web Tokens (1-hour expiry) stored in httpOnly cookies, which cannot be accessed by JavaScript and are protected against cross-site scripting attacks
- File uploads (lab reports, certificates) are stored with UUID-based paths and signed URLs that expire — files are not publicly guessable
- All API endpoints require authentication. Rate limiting is applied to prevent brute-force attacks.
Organisational measures:
- Access to production data is restricted to essential personnel only
- We follow a minimum-necessary-access principle for all internal systems
- We maintain an incident response procedure (see Section 9)
No security measure is 100% effective. If you believe your account has been compromised, contact us immediately at privacy@passr.eu.
6. Your Rights Under GDPR
If you are in the European Economic Area, you have the following rights regarding your personal data:
Right of Access (Article 15) You have the right to request a copy of all personal data we hold about you. We will provide this within 30 days of your request in a commonly used electronic format.
Right to Rectification (Article 16) If any personal data we hold about you is inaccurate or incomplete, you have the right to request correction. You can update most of your data directly in the platform settings.
Right to Erasure (Article 17) You have the right to request deletion of your personal data. You can delete your account from Settings → Brand Profile → Delete Account. This will permanently delete all your data from our systems within 30 days. Note: we may retain certain data where we have a legal obligation to do so (for example, invoice records for 7 years under tax law).
Right to Restriction of Processing (Article 18) You have the right to request that we limit how we process your data in certain circumstances, for example if you contest the accuracy of the data while we verify it.
Right to Data Portability (Article 20) You have the right to receive your data in a structured, commonly used, machine-readable format. You can download your complete data archive at any time from Settings → Data & Export → Download Full Legal Archive.
Right to Object (Article 21) You have the right to object to processing based on legitimate interests. If you object, we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.
Right to Withdraw Consent (Article 7) Where we process data based on your consent (such as analytics cookies or marketing emails), you can withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.
How to exercise your rights: Email privacy@passr.eu with the subject line “GDPR Request — [Right you are exercising]”. We will respond within 30 days. We may ask you to verify your identity before processing the request.
Right to lodge a complaint: If you are unhappy with how we handle your data, you have the right to lodge a complaint with your national data protection authority. In the EU, you can find your national authority at: edpb.europa.eu/about-edpb/about-edpb/members_en
7. Cookies
We use a minimal number of cookies. Here is a complete list:
| Cookie Name | Provider | Type | Purpose | Duration | Can You Opt Out? |
|---|---|---|---|---|---|
| sb-access-token | Supabase | Strictly Necessary | Maintains your login session. Without this cookie, you cannot stay logged in. | Session (expires when you close browser or after 1 hour of inactivity) | No — this cookie is essential for the service to function |
| sb-refresh-token | Supabase | Strictly Necessary | Automatically refreshes your login session so you do not need to log in repeatedly | 1 year | No — this cookie is essential for the service to function |
| passr_cookie_consent | Passr | Strictly Necessary | Stores your cookie consent preference | 1 year | No — this stores your own preference |
| ph_* (multiple) | Posthog | Analytics | Records which features you use within the platform to help us improve the product | 1 year | Yes — select “Necessary Only” in our cookie consent banner |
We do not use advertising cookies. We do not use third-party tracking cookies. We do not use fingerprinting.
Managing cookies: You can manage cookies through your browser settings. Note that disabling the Supabase session cookies will prevent you from logging into the platform.
For more information, see our Cookie Policy at passr.eu/legal/cookies.
8. Data Retention
We retain your data for as long as your account is active. When you close your account:
- All product data, compliance data, and uploaded files are deleted within 30 days
- You have a 30-day window after cancellation to download your data archive before deletion
- Account metadata is deleted within 30 days
- Invoice and billing records are retained for 7 years as required by tax law
- Anonymised aggregate analytics data (scan counts, usage statistics) may be retained indefinitely as it cannot be linked to you
When you delete an individual product or certificate within the platform, that data is permanently deleted immediately.
9. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Article 33)
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms (as required by GDPR Article 34)
- Provide information about the nature of the breach, likely consequences, and measures taken or proposed
To report a suspected security vulnerability, contact privacy@passr.eu with the subject line “Security Vulnerability Report”.
10. Children’s Privacy
The Passr platform is a professional B2B tool intended for use by business operators. It is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child under 16 has provided us with personal data, contact privacy@passr.eu and we will delete it immediately.
11. Changes to This Privacy Policy
We will notify you of material changes to this Privacy Policy by:
- Sending an email to the address associated with your account at least 30 days before the change takes effect
- Displaying a prominent notice on the platform
- Updating the “Last updated” date at the top of this page
Your continued use of the Service after the effective date of changes constitutes acceptance of the revised policy. If you do not agree to the changes, you may close your account before they take effect.
12. Contact
For any questions about this Privacy Policy or to exercise your rights:
Email: privacy@passr.eu Response time: We aim to respond within 72 hours. GDPR requests are handled within 30 days.
For general enquiries: hello@passr.eu