Who is the controller.

Contenza K/S (CVR 43349023), Denmark, is the controller for personal data processed on this service. Contact the team through the form on /contact for anything privacy-related.

What we collect.

  • Account data — email address, tier, authentication timestamps.
  • Passport content — product and manufacturer details you enter to publish a Digital Product Passport. This is primarily business data, but includes a contact email per Annex III.
  • Usage data — scan events on public passport URLs (country-level geolocation derived from IP, user-agent category). We do not store raw IP addresses beyond the request log window.
  • Billing data — customer ID and subscription status from Stripe. Card data never touches our servers.

Lawful bases.

  • Contract (Art. 6(1)(b)) for account creation, authentication, and delivering the service.
  • Legal obligation (Art. 6(1)(c)) for invoicing and tax records.
  • Legitimate interests (Art. 6(1)(f)) for security monitoring and aggregate scan analytics — balanced against the minimal personal data involved.

Scan-event analytics on public passports.

When a visitor scans the QR code on a published Digital Product Passport and loads /p/{code}, we record a coarse scan event. The data captured per event is intentionally minimal: an ISO-3166 alpha-2 country code derived from the request header our edge proxy attaches, a device-class bucket (mobile, tablet, desktop, bot) parsed from the User-Agent string, and the response Accept type (HTML versus JSON-LD). We do not store raw IP addresses, full User-Agent strings, browser fingerprints, or cookies tied to scan events.

The legal basis for this processing is legitimate interests under Article 6(1)(f) of the GDPR. Our interest is operating and improving the service, demonstrating EU regulatory traceability for our customers, and detecting abuse. Because the data captured is coarse and never linked to an identifiable individual, we have assessed that the visitor's rights and freedoms are not overridden. We do not use this data for advertising, profiling, or sale.

Under Article 21 of the GDPR you have the right to object at any time to scan-event processing. To object, contact us through /contact identifying the country and approximate timeframe of the scans you wish to be removed; we will purge the matching rows within 30 days. Because no personal data is stored alongside the country code, identification is by self-attestation rather than authenticated lookup.

Marketing page-view analytics.

A small set of public compliance pages — currently /compliance/faq, /compliance/matrix, /continuity, and /security — record an equivalent coarse page view per request. The data captured per view is the request path, the resolved language (so EN / DE / DA / FR / IT / ES / PL traffic on the same path can be distinguished in aggregate), the same ISO-3166 alpha-2 country code from the request header our edge proxy attaches, and the same device-class bucket (mobile, tablet, desktop, bot). No raw IP, no full User-Agent string, no cookies, no fingerprinting.

The legal basis is the same as for scan-event analytics — Article 6(1)(f) of the GDPR, legitimate interests. The data informs editorial maintenance of the compliance surface (e.g., is the matrix being read in DE, do procurement teams reach the security page) without identifying the visitor. The same Article 21 objection mechanism applies; contact us through the form on /contact and we will purge the matching rows within 30 days.

Retention.

We keep data only for as long as it is needed:

  • Account data — while your account is active, plus 30 days after deletion to absorb accidental-delete support requests.
  • Invoices — 5 years after issue, per Danish bookkeeping law.
  • Scan events — rolling 24 months, then aggregated into monthly counts and the raw rows discarded.
  • Magic-link tokens — purged on use, or 15 minutes after issue, whichever is sooner.
  • Published passports — retained for the regulatory lifetime of the product (Article 10(4) of the Ecodesign for Sustainable Products Regulation prohibits deletion while the passport is in service).

Your rights.

Under the GDPR you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data. You can exercise any right by contacting us — no account or login required if you can identify the data you are asking about.

If you believe we have mishandled your data you have the right to lodge a complaint with the Danish Data Protection Authority (Datatilsynet).

Data residency.

All personal data is stored on EU-resident infrastructure. Where a sub-processor operates outside the EU, transfers rely on the European Commission's Standard Contractual Clauses. The full register is at /sub-processors.

Children.

The service is sold to businesses and is not directed at people under 18. We do not knowingly collect data from children.

Changes.

Material changes are announced by email to account holders at least 30 days before taking effect. Minor clarifications are published here with an updated date at the top of the page.

Questions on this policy? Use the contact form — or email the team through the details on the contact page.