Who is the controller.
Contenza K/S (CVR 43349023), Denmark, is the controller for personal data processed on this service. Contact the team through the form on /contact for anything privacy-related.
What we collect.
- Account data — email address, tier, authentication timestamps.
- Passport content — product and manufacturer details you enter to publish a Digital Product Passport. This is primarily business data, but includes a contact email per Annex III.
- Usage data — scan events on public passport URLs (country-level geolocation derived from IP, user-agent category). We do not store raw IP addresses beyond the request log window.
- Billing data — customer ID and subscription status from Stripe. Card data never touches our servers.
Lawful bases.
- Contract (Art. 6(1)(b)) for account creation, authentication, and delivering the service.
- Legal obligation (Art. 6(1)(c)) for invoicing and tax records.
- Legitimate interests (Art. 6(1)(f)) for security monitoring and aggregate scan analytics — balanced against the minimal personal data involved.
Retention.
We keep data only for as long as it is needed:
- Account data — while your account is active, plus 30 days after deletion to absorb accidental-delete support requests.
- Invoices — 5 years after issue, per Danish bookkeeping law.
- Scan events — rolling 24 months, then aggregated into monthly counts and the raw rows discarded.
- Magic-link tokens — purged on use, or 15 minutes after issue, whichever is sooner.
- Published passports — retained for the regulatory lifetime of the product (Article 10(4) of the Ecodesign for Sustainable Products Regulation prohibits deletion while the passport is in service).
Your rights.
Under the GDPR you have the right to access, rectify, erase, restrict, port, and object to processing of your personal data. You can exercise any right by contacting us — no account or login required if you can identify the data you are asking about.
If you believe we have mishandled your data, you have the right to lodge a complaint with the Danish Data Protection Authority (Datatilsynet).
Data residency.
All personal data is stored on EU-resident infrastructure. Where a sub-processor operates outside the EU, transfers rely on the European Commission's Standard Contractual Clauses. The full register is at /sub-processors.
Children.
The service is sold to businesses and is not directed at people under 18. We do not knowingly collect data from children.
Changes.
Material changes are announced by email to account holders at least 30 days before taking effect. Minor clarifications are published here with an updated date at the top of the page.
Questions on this policy? Use the contact form — or email the team through the details on the contact page.