AuraDPP

Privacy Policy

Last updated: April 28, 2026 · Effective immediately

1. Controller

The controller responsible for the processing of personal data on this platform is AuraDPP GmbH (hereinafter "AuraDPP", "we", "us"). You can reach us at [email protected].

2. Data We Collect

We collect the following categories of personal data:

Category | Data | Purpose | Legal Basis
Account data | Name, email address | Account creation, authentication | Art. 6(1)(b) GDPR – contract
Product data | Product names, descriptions, images | Digital Product Passport creation | Art. 6(1)(b) GDPR – contract
Usage data | IP address, browser, device, pages visited | Security, analytics, service improvement | Art. 6(1)(f) GDPR – legitimate interest
QR scan data | Scan timestamp, device type, country (anonymized) | Analytics for merchants | Art. 6(1)(f) GDPR – legitimate interest
Payment data | Billing address, payment method (tokenized) | Subscription billing | Art. 6(1)(b) GDPR – contract

3. Data Storage & Infrastructure

AuraDPP uses Google Cloud Platform infrastructure with data centers located in the European Union (Belgium, Frankfurt). All data is stored and processed within the EU. Google Cloud is certified under ISO 27001 and SOC 2 Type II, and has signed EU Standard Contractual Clauses (SCCs) as required by GDPR Article 46.

We do not transfer personal data to third countries outside the EU/EEA without appropriate safeguards. Where sub-processors are located outside the EU (e.g., Stripe for payment processing), we rely on Standard Contractual Clauses and the EU-US Data Privacy Framework.

4. Data Retention

We retain personal data only as long as necessary for the purposes described above or as required by law. Account data is deleted within 30 days of account deletion. QR scan analytics are retained for 24 months in anonymized form. Payment records are retained for 10 years as required by EU tax law.

5. Your Rights (GDPR)

Under the GDPR, you have the following rights:

  • Right of access (Art. 15) – Request a copy of your personal data
  • Right to rectification (Art. 16) – Correct inaccurate data
  • Right to erasure (Art. 17) – Request deletion of your data
  • Right to data portability (Art. 20) – Receive your data in a machine-readable format
  • Right to object (Art. 21) – Object to processing based on legitimate interest
  • Right to lodge a complaint – With your national supervisory authority

To exercise any of these rights, contact us at [email protected]. We respond within 30 days.

6. Cookies

We use strictly necessary session cookies for authentication. We do not use tracking cookies or third-party advertising cookies. Our analytics are privacy-friendly and do not require cookie consent.

7. Contact & Data Protection Officer

For all data protection inquiries: [email protected]

You have the right to lodge a complaint with your national data protection authority. In Austria: Datenschutzbehörde (dsb.gv.at). In Germany: BfDI (bfdi.bund.de).