Privacy Policy
AI Group LTD ("we", "us", "D-Pass") operates the D-Pass Digital Product Passport platform at d-pass.eu. This Privacy Policy explains how we collect, use, store, and protect your personal data in accordance with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679).
1. Data Controller
AI Group LTD
Registered in the Republic of Bulgaria
Email: legal@d-pass.eu
Data Protection contact: privacy@d-pass.eu
2. What Data We Collect
3. Legal Basis for Processing
| Processing purpose | GDPR basis |
|---|---|
| Account creation and platform access | Art. 6(1)(b) โ Contract performance |
| Billing and invoicing | Art. 6(1)(b) โ Contract performance |
| Security audit logs | Art. 6(1)(f) โ Legitimate interest |
| Product improvement and analytics | Art. 6(1)(f) โ Legitimate interest |
| Marketing communications | Art. 6(1)(a) โ Consent |
4. Your Rights Under GDPR
You have the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@d-pass.eu. We will respond within 30 days.
Right of access
Request a copy of all data we hold about you.
Right to rectification
Request correction of inaccurate personal data.
Right to erasure
Request deletion of your data ('right to be forgotten').
Right to restriction
Request that we limit how we use your data.
Right to portability
Receive your data in a machine-readable format.
Right to object
Object to processing based on legitimate interest.
5. Data Retention
We retain personal data for as long as your account is active or as required by law. Specific retention periods:
- โธ Audit logs โ 5 years (EU regulatory traceability requirements)
- โธ Account data โ until account deletion, then anonymised within 90 days
- โธ Access requests โ 3 years after resolution
- โธ DPP data โ retained for the full product lifecycle as legally required
6. Cookies
We use strictly necessary cookies for authentication only. We do not use tracking, profiling, analytics, or marketing cookies of any kind.
See our Cookie Policy for full details.
7. Third-Party Processors
| Processor | Purpose | Location |
|---|---|---|
| Hetzner Cloud | Hosting & storage | Germany ๐ฉ๐ช |
| Stripe | Payment processing | EU (Dublin) |
| Resend | Transactional email | EU region |
| Cloudflare | CDN, DDoS protection | EU PoPs |
8. International Transfers
All personal data is stored and processed within the European Union. We do not transfer data to third countries outside the EU/EEA without appropriate safeguards.
9. Changes to This Policy
We may update this Privacy Policy. We will notify registered users of material changes via email. Continued use of the platform after notification constitutes acceptance.
Questions about your data?
Contact our data protection team โ we respond within 30 days.