Skip to main content

Privacy Policy

GDPR Compliant Last updated: May 10, 2026 ยท Effective: May 10, 2026

AI Group LTD ("we", "us", "D-Pass") operates the D-Pass Digital Product Passport platform at d-pass.eu. This Privacy Policy explains how we collect, use, store, and protect your personal data in accordance with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679).

1. Data Controller

AI Group LTD

Registered in the Republic of Bulgaria

Email: legal@d-pass.eu

Data Protection contact: privacy@d-pass.eu

2. What Data We Collect

โ–ธ
Account data โ€” email address, full name, hashed password, company name, and your tenant's region and plan.
โ–ธ
Usage data โ€” audit log entries (actions performed, timestamps), IP addresses, and browser user-agent strings.
โ–ธ
DPP content โ€” product information you enter into the platform. You own this data; we process it only to provide the service.
โ–ธ
Payment data โ€” billing is handled by Stripe. We receive only transaction confirmation and invoice details. We never store card numbers.
โ–ธ
Contact form โ€” name, email, company, and message when you reach out to us.

3. Legal Basis for Processing

Processing purpose GDPR basis
Account creation and platform accessArt. 6(1)(b) โ€” Contract performance
Billing and invoicingArt. 6(1)(b) โ€” Contract performance
Security audit logsArt. 6(1)(f) โ€” Legitimate interest
Product improvement and analyticsArt. 6(1)(f) โ€” Legitimate interest
Marketing communicationsArt. 6(1)(a) โ€” Consent

4. Your Rights Under GDPR

You have the following rights regarding your personal data. To exercise any of these rights, contact us at privacy@d-pass.eu. We will respond within 30 days.

Right of access

Request a copy of all data we hold about you.

Right to rectification

Request correction of inaccurate personal data.

Right to erasure

Request deletion of your data ('right to be forgotten').

Right to restriction

Request that we limit how we use your data.

Right to portability

Receive your data in a machine-readable format.

Right to object

Object to processing based on legitimate interest.

5. Data Retention

We retain personal data for as long as your account is active or as required by law. Specific retention periods:

  • โ–ธ Audit logs โ€” 5 years (EU regulatory traceability requirements)
  • โ–ธ Account data โ€” until account deletion, then anonymised within 90 days
  • โ–ธ Access requests โ€” 3 years after resolution
  • โ–ธ DPP data โ€” retained for the full product lifecycle as legally required

6. Cookies

We use strictly necessary cookies for authentication only. We do not use tracking, profiling, analytics, or marketing cookies of any kind.

See our Cookie Policy for full details.

7. Third-Party Processors

Processor Purpose Location
Hetzner CloudHosting & storageGermany ๐Ÿ‡ฉ๐Ÿ‡ช
StripePayment processingEU (Dublin)
ResendTransactional emailEU region
CloudflareCDN, DDoS protectionEU PoPs

8. International Transfers

All personal data is stored and processed within the European Union. We do not transfer data to third countries outside the EU/EEA without appropriate safeguards.

9. Changes to This Policy

We may update this Privacy Policy. We will notify registered users of material changes via email. Continued use of the platform after notification constitutes acceptance.

Questions about your data?

Contact our data protection team โ€” we respond within 30 days.

privacy@d-pass.eu