Privacy Policy
Last updated: March 5, 2026
1. Introduction
This Privacy Policy explains how Traceable Digital ("Traceable", "we", "us", or "our") collects, uses, stores, shares, and protects personal data when you use our website at traceable.digital and our Digital Product Passport platform at app.traceable.digital (together, the "Service").
We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the ePrivacy Directive 2002/58/EC, and all applicable data protection legislation.
By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you are using the Service on behalf of an organisation, you confirm that you are authorised to accept this Privacy Policy on that organisation's behalf.
2. Data Controller
The data controller responsible for your personal data is:
Traceable Digital
Registered address: To be confirmed upon company registration
Privacy enquiries: privacy@traceable.digital
Legal enquiries: legal@traceable.digital
If we appoint a Data Protection Officer in the future, their contact details will be published here and communicated to the relevant supervisory authority.
3. What Data We Collect
We collect and process the following categories of personal data depending on how you interact with our Service:
3.1 Account Data
When you create an account on the platform, we collect:
- Full name
- Email address
- Password (stored as a cryptographic hash, never in plain text)
- Company name and registered address
- VAT identification number (where applicable)
- Economic operator type (manufacturer, importer, distributor, authorised representative)
- Job title or role within the organisation
- Phone number (optional)
3.2 Product and Digital Product Passport Data
When you use the platform to create Digital Product Passports, you provide product-related data including:
- Product model information, specifications, and technical attributes
- Manufacturer and economic operator details associated with each product
- Battery passport data (chemistry, capacity, carbon footprint, recycled content, performance data)
- Textile passport data (fibre composition, environmental footprint, durability, supply chain mapping)
- Tyre passport data (labelling data, abrasion rate, recycled content)
- Electronics passport data (energy efficiency, repairability, hazardous substances)
- Compliance documentation, test reports, and certifications
- Product identifiers (GTIN, batch numbers, serial numbers)
- GS1 Digital Link data and QR code generation records
Product data may include personal data where the manufacturer or economic operator is a sole trader or where contact details of individual representatives are included within the passport.
3.3 Supplier Data
When you use the supplier portal or invite suppliers to provide data, we collect:
- Supplier company name and registered address
- Supplier contact person name and email address
- Supply chain data (raw material origins, certifications, due diligence documentation)
- Component and material specifications provided by suppliers
3.4 Compliance Data
To support compliance scoring and regulatory readiness, we process:
- Compliance scores and completion status for each product passport
- Audit trail records (who entered or modified which data, and when)
- EU Declaration of Conformity references
- Regulatory deadline tracking data
3.5 Documents Uploaded for AI Processing
When you use our AI Document Intelligence feature, you may upload documents such as test reports, certifications, safety data sheets, bills of materials, and technical specifications. These documents may contain personal data (such as names of signatories, laboratory contacts, or certifying officer details). See Section 6 for details on how AI processing works.
3.6 Usage and Technical Data
When you access the Service, we automatically collect:
- IP address
- Browser type and version
- Operating system
- Device type
- Pages visited, features used, and actions taken within the platform
- Referring URL
- Date and time of access
- Session duration
3.7 Communication Data
When you contact us, submit a form, book a demo, or subscribe to communications, we collect:
- Name and email address
- Company name
- Message content
- Demo booking details (via Calendly)
- Newsletter and communication preferences
3.8 Payment Data
When you subscribe to a paid plan, payment processing is handled by Stripe. We do not store your full credit card number, CVV, or bank account details on our servers. We receive and store:
- Stripe customer identifier
- Subscription plan and billing cycle
- Last four digits of payment card (for display purposes)
- Billing address
- Invoice and payment history
3.9 Cookies and Analytics Data
We use cookies and similar technologies as described in our Cookie Policy. Analytics data is collected through Google Tag Manager and Microsoft Clarity to understand how visitors use the website and improve the Service.
4. Legal Bases for Processing
Under Article 6(1) of the GDPR, we process your personal data on the following legal bases:
4.1 Performance of a Contract (Article 6(1)(b))
We process your account data, product data, supplier data, compliance data, and payment data as necessary to perform our contract with you — specifically, to provide the Digital Product Passport platform, enable you to create and manage passports, generate QR codes, run compliance scoring, and process your subscription payments.
4.2 Legitimate Interests (Article 6(1)(f))
We process certain data based on our legitimate interests, provided those interests are not overridden by your fundamental rights and freedoms. Our legitimate interests include:
- Improving and optimising the Service, including analysing usage patterns and feature adoption
- Ensuring the security, integrity, and availability of the platform
- Detecting, preventing, and addressing fraud, abuse, or security incidents
- Sending service-related communications (e.g. regulatory deadline reminders, product updates, security notices)
- Understanding website traffic and conversion to improve our marketing effectiveness
- Maintaining audit trails for platform integrity and dispute resolution
4.3 Consent (Article 6(1)(a))
We rely on your consent for:
- Placing non-essential cookies and analytics trackers (Google Tag Manager, Microsoft Clarity)
- Sending marketing communications, newsletters, and promotional content
- Processing documents through AI Document Intelligence when you voluntarily upload them
You may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
4.4 Legal Obligation (Article 6(1)(c))
We process certain data where required by law, including:
- Retaining invoicing and financial records as required by applicable tax and accounting regulations
- Responding to valid legal requests from courts, law enforcement, or regulatory authorities
- Fulfilling obligations under anti-money laundering or sanctions regulations, where applicable
5. How We Use Your Data
We use your personal data for the following purposes:
5.1 Providing the Digital Product Passport Service
- Creating and managing your user account and organisational workspace
- Enabling you to create, edit, publish, and manage Digital Product Passports across all supported product categories (batteries, textiles, tyres, electronics)
- Generating GS1 Digital Link QR codes linked to your published passports
- Running compliance scoring against applicable EU regulations
- Maintaining audit trails of all data entries and modifications
- Facilitating supplier data requests and collection through the supplier portal
- Providing verifier portal access for authorised third parties
- Providing API access for programmatic passport management
- Enabling white-label platform instances for consultancies and associations
5.2 AI Document Intelligence
Processing documents uploaded by you to extract structured data for populating Digital Product Passport fields. See Section 6 for full details.
5.3 Payment Processing
- Processing subscription payments and managing billing through Stripe
- Generating invoices and maintaining financial records
5.4 Analytics and Service Improvement
- Analysing how the website and platform are used to improve features, usability, and performance
- Understanding traffic sources and conversion patterns
- Identifying and resolving technical issues
5.5 Communications
- Sending transactional emails (account confirmations, password resets, invoice receipts)
- Sending service notifications (regulatory deadline reminders, compliance alerts, platform updates)
- Sending marketing communications (with your consent, via Resend)
- Responding to your enquiries and support requests
5.6 Security and Fraud Prevention
- Detecting and preventing unauthorised access, abuse, or fraudulent activity
- Enforcing our Terms of Service and Acceptable Use Policy
- Managing bot protection and form spam prevention through Cloudflare Turnstile
6. AI Document Intelligence
Our platform includes an AI Document Intelligence feature that allows you to upload documents (such as test reports, certifications, safety data sheets, and bills of materials) to automatically extract structured data for populating Digital Product Passport fields.
6.1 How It Works
- You voluntarily upload a document to the platform.
- The document content is sent to a third-party AI model provider (Anthropic) via a secure, encrypted API connection for processing.
- The AI model extracts structured data points relevant to the applicable product passport template.
- Extracted data is returned to the platform and presented to you for review before being saved to the passport.
- You retain full control: extracted data is not saved to any passport field until you explicitly confirm and approve it.
6.2 Data Handling and Training
- Your uploaded documents and their contents are not used to train, fine-tune, or improve any AI model.
- Documents are processed solely for the purpose of extracting data for your Digital Product Passport.
- Our AI provider (Anthropic) processes data under a zero-data-retention API agreement and does not use API inputs or outputs for model training.
- Uploaded documents are stored on our EU-hosted infrastructure and are not retained by the AI provider after processing is complete.
6.3 Your Responsibilities
When uploading documents for AI processing, you are responsible for ensuring that you have the right to share the document contents and that the upload complies with any confidentiality obligations you may have with third parties. Do not upload documents containing sensitive personal data (such as health data or biometric data) unless strictly necessary for passport compliance.
7. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data. We share personal data only in the following circumstances:
7.1 Subprocessors
We use a limited number of third-party service providers ("subprocessors") who process personal data on our behalf and under our instructions. Each subprocessor is bound by a data processing agreement that requires them to protect your data to the same standard as this Privacy Policy. A current list of our subprocessors, including their purpose and location, is available at our Subprocessors page.
Our primary subprocessors include:
| Subprocessor | Purpose | Location |
|---|---|---|
| Cloudflare | CDN, DDoS protection, DNS, bot management (Turnstile), web analytics | Global (US headquartered) |
| Resend | Transactional and marketing email delivery | United States (SCCs in place) |
| Google (Tag Manager) | Tag management and analytics orchestration | US |
| Microsoft (Clarity) | Session recording and heatmap analytics | US |
| Calendly | Demo and meeting scheduling | US |
| Stripe | Payment processing and subscription management | US (EU data processing available) |
| Anthropic | AI document processing (data extraction from uploaded documents) | US |
7.2 Published Digital Product Passports
When you publish a Digital Product Passport, certain data within that passport becomes publicly accessible by design — this is the regulatory purpose of the DPP. Published passport data may include manufacturer identity, product specifications, compliance declarations, and other data points required by the applicable EU regulation. You control when a passport is published and can unpublish it at any time.
7.3 Supplier Portal
When you invite suppliers to provide data through the supplier portal, we share your company name and the specific data request with the invited supplier. Suppliers only see the data fields they are asked to provide and do not have access to your full passport or account data.
7.4 Verifier Portal
Authorised verifiers (such as market surveillance authorities or notified bodies) may access published passport data through the verifier portal. Access is limited to data points that are designated as publicly accessible or verifier-accessible under the applicable regulation.
7.5 White-Label Instances
If you access the platform through a white-label instance operated by a consultancy or industry association, that partner organisation may have administrative access to your account and passport data as part of the service they provide to you. The partner organisation acts as a data controller or joint controller for their relationship with you and should provide their own privacy notice.
7.6 Law Enforcement and Legal Requirements
We may disclose your personal data if required to do so by law, or if we believe in good faith that such disclosure is necessary to:
- Comply with a legal obligation, court order, or lawful request from a public authority
- Protect and defend the rights, property, or safety of Traceable Digital, our users, or the public
- Detect, prevent, or address fraud, security, or technical issues
Where legally permitted, we will notify you before disclosing your data in response to a law enforcement request.
7.7 Business Transfers
In the event of a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred to the acquiring entity. We will notify you via email or prominent notice on the Service before your personal data is transferred and becomes subject to a different privacy policy.
8. International Data Transfers
The Traceable Digital platform and all primary data storage are hosted in the European Union, specifically in Ireland. Your account data, product passport data, supplier data, and compliance data are stored and processed within the EU.
However, some of our subprocessors are headquartered in or operate from the United States. Where personal data is transferred outside the European Economic Area (EEA), we ensure adequate safeguards are in place in accordance with Chapter V of the GDPR, including:
- EU-U.S. Data Privacy Framework: Where the recipient has been certified under the EU-U.S. Data Privacy Framework, which has been recognised as providing adequate protection by the European Commission (Adequacy Decision of 10 July 2023).
- Standard Contractual Clauses (SCCs): Where the Data Privacy Framework does not apply, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) as the transfer mechanism, supplemented by additional technical and organisational measures where appropriate.
You may request a copy of the relevant transfer safeguards by contacting us at privacy@traceable.digital.
9. Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The following retention periods apply:
| Data Category | Retention Period |
|---|---|
| Account data | Duration of account plus 30 days after deletion request, to allow for recovery if the deletion was accidental |
| Product passport data | Duration of account. Published passports may be retained for up to 10 years after publication to meet regulatory record-keeping requirements under EU Battery Regulation and ESPR |
| Supplier data | Duration of the associated product passport, or until the data is no longer needed for supply chain traceability |
| Compliance and audit trail data | Duration of account plus 10 years, to support regulatory audit and due diligence evidence requirements |
| Uploaded documents (AI processing) | Duration of account. You may delete uploaded documents at any time from within the platform |
| Payment and invoicing data | 10 years after the end of the financial year in which the transaction occurred, as required by applicable tax and accounting regulations |
| Usage and analytics data | 26 months from collection, then aggregated or deleted |
| Marketing consent records | Until consent is withdrawn, plus 3 years to demonstrate compliance with consent requirements |
| Contact form submissions | 2 years from submission |
| Server and security logs | 90 days |
When data is no longer required, it is securely deleted or irreversibly anonymised so that it can no longer be associated with you.
10. Your Rights Under the GDPR
Under the GDPR, you have the following rights in relation to your personal data. You may exercise any of these rights by contacting us at the email addresses listed below.
10.1 Right of Access (Article 15)
You have the right to obtain confirmation of whether we are processing your personal data, and to request a copy of that data along with information about how it is being processed.
10.2 Right to Rectification (Article 16)
You have the right to request correction of inaccurate personal data and completion of incomplete personal data. You can update most account information directly within the platform settings.
10.3 Right to Erasure (Article 17)
You have the right to request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you withdraw consent, or where there is no overriding legitimate ground for processing. Please note that we may be unable to delete data that is required for regulatory record-keeping purposes (such as published passport audit trails or financial records).
10.4 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller. Product passport data can be exported in JSON-LD format directly from the platform.
10.5 Right to Restriction of Processing (Article 18)
You have the right to request that we restrict the processing of your personal data in certain circumstances — for example, if you contest the accuracy of the data or if you have objected to processing pending verification of our legitimate grounds.
10.6 Right to Object (Article 21)
You have the right to object to processing of your personal data based on legitimate interests (Article 6(1)(f)). Upon receiving an objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms. You have an absolute right to object to processing of your personal data for direct marketing purposes at any time.
10.7 Right to Withdraw Consent (Article 7(3))
Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. You can withdraw consent for marketing communications by using the unsubscribe link in any email, or by contacting us directly.
10.8 Right to Lodge a Complaint (Article 77)
You have the right to lodge a complaint with a data protection supervisory authority if you believe that our processing of your personal data infringes the GDPR. You may lodge a complaint with the supervisory authority in your country of residence, your place of work, or the place of the alleged infringement.
10.9 Exercising Your Rights
To exercise any of these rights, please contact us at privacy@traceable.digital. We will respond to your request within 30 days as required by the GDPR. If we need to extend this period (by up to an additional 60 days for complex or numerous requests), we will inform you within the initial 30-day period and explain the reason for the extension. We may ask you to verify your identity before processing your request.
11. Children's Privacy
The Service is designed for business use by professionals acting on behalf of commercial organisations. It is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete that data as promptly as possible. If you believe that a child under 16 has provided personal data to us, please contact us immediately.
12. Security Measures
We implement appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage, in accordance with Article 32 of the GDPR. These measures include:
- Encryption of data in transit using TLS 1.2 or higher for all connections
- Encryption of data at rest for stored data
- Password hashing using industry-standard cryptographic algorithms (passwords are never stored in plain text)
- Role-based access controls within the platform
- EU-hosted infrastructure (Ireland) with Cloudflare DDoS protection and web application firewall
- Regular security assessments and vulnerability monitoring
- Secure API connections (HTTPS only) for all third-party integrations
- Audit logging of all data access and modifications within the platform
- Automated backups with encrypted storage
- Incident response procedures for identifying and addressing security breaches
While we take all reasonable steps to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents in accordance with our obligations under Articles 33 and 34 of the GDPR.
13. Automated Decision-Making
We do not use your personal data for automated decision-making that produces legal effects concerning you or similarly significantly affects you, as described in Article 22 of the GDPR.
Compliance scoring within the platform is based on objective data completeness checks against regulatory requirements. It is an informational tool to help you assess passport completeness and does not constitute a legal determination of compliance or non-compliance. All compliance scores are subject to your own review and interpretation.
AI Document Intelligence extracts data from uploaded documents and presents it to you for manual review and approval. No data is automatically saved to a passport without your explicit confirmation.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or business operations. When we make material changes, we will:
- Update the "Last updated" date at the top of this page
- Notify registered users by email at least 30 days before material changes take effect
- Post a prominent notice on the platform if the changes affect how we process your data
We encourage you to review this Privacy Policy periodically. Your continued use of the Service after any changes constitutes acceptance of the updated Privacy Policy. If you do not agree with any changes, you should stop using the Service and request deletion of your account.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
Privacy enquiries: privacy@traceable.digital
Legal enquiries: legal@traceable.digital
General enquiries: contact@traceable.digital
We aim to respond to all privacy-related enquiries within 5 business days and to all formal data subject requests within 30 days as required by the GDPR.