Privacy Policy
Last updated: March 3, 2026
1. Introduction
PassportPro, operated by Velvet Development ("we", "our", "us"), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you:
- Visit our website at passportpro.app (the "Website")
- Install and use our Shopify application for creating and managing Digital Product Passports (the "App")
- Access public Digital Product Passport pages hosted at pp-code.org (the "Public Resolver")
This policy applies to all users worldwide, with specific sections addressing rights under the EU General Data Protection Regulation (GDPR), the UK GDPR, the ePrivacy Directive, the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws.
Data Controller: Velvet Development — support@velvetdevelopment.com
2. Information We Collect
2.1 Website Visitors (passportpro.app)
When you visit our Website, we may collect:
- Analytics Data (with consent): Through Google Tag Manager and Google Analytics, we collect anonymized page views, session duration, referral sources, approximate geographic location (country/city level from IP), device type, browser type, and operating system. This data is only collected after you provide cookie consent.
- Server Logs: Standard web server access logs including IP addresses, timestamps, requested URLs, HTTP status codes, and user agent strings. These are retained for security and operational purposes.
2.2 Shop Information (App Users)
- Shopify Store Data: We collect and store your Shopify store domain, shop ID, access tokens (encrypted), and shop metadata necessary to provide authentication and service functionality.
- Subscription Data: We process billing information through Shopify's billing API including subscription status, trial periods, and payment history. We do not directly store credit card information.
2.3 Product Passport Data
- Product Information: Product identifiers, variant details, product images (resized to 150×150 WebP format), and links to your Shopify products.
- Digital Product Passports: All information you enter into product passports including manufacturer details, material composition, substances of concern, environmental footprint data, durability metrics, repairability information, recyclability data, compliance certifications, and any other fields you populate.
- Print Run Snapshots: Immutable snapshots of product passports at the time of QR code generation for traceability purposes. These snapshots are retained to ensure printed QR codes continue to resolve correctly.
- Amendment Records: Append-only correction records for any updates made to print runs, including field-by-field change history with timestamps.
2.4 Library Records
- Manufacturers: Company names, legal identifiers (GLN), addresses, contact information, geographic coordinates, and uploaded certifications or documentation.
- Materials: Material names, types, sustainability attributes (recycled content, bio-based percentages), origin countries, and certification information.
- Substances: Chemical names, CAS numbers, EC numbers, hazard classifications, and safe handling instructions.
2.5 Public Resolver (pp-code.org)
- Access Logs: When consumers scan QR codes and access public passport pages, we collect standard web server logs including IP addresses, browser types, access timestamps, and referring URLs. This data is used solely for security, fraud prevention, and service improvement.
- No Consumer Profiles: We do not track individual consumer identities or create user profiles from QR code scans. Scan analytics are aggregated and anonymized. Public passport pages do not require registration, login, or submission of personal data.
3. Legal Basis for Processing (GDPR)
Under the GDPR, we process personal data on the following legal bases:
| Processing Activity | Legal Basis |
|---|---|
| Providing the App and its features | Performance of contract (Art. 6(1)(b)) |
| Analytics cookies on the Website | Consent (Art. 6(1)(a)) |
| Server logs and security monitoring | Legitimate interest (Art. 6(1)(f)) |
| Billing and subscription management | Performance of contract (Art. 6(1)(b)) |
| Print run snapshot retention | Legitimate interest / legal obligation (Art. 6(1)(c)(f)) |
| Shopify compliance webhooks | Legal obligation (Art. 6(1)(c)) |
| Responding to support requests | Legitimate interest (Art. 6(1)(f)) |
4. How We Use Your Information
- Service Provision: To provide and maintain PassportPro's core functionality, including passport creation, library management, print run generation, QR code hosting, and the public resolver system.
- Authentication and Authorization: To authenticate your Shopify store, validate your subscription status, and enforce access controls.
- Billing: To process subscription payments, manage trial periods, and handle cancellations through Shopify's billing system.
- Data Integrity and Regulatory Compliance: To maintain immutable print run snapshots ensuring that printed QR codes always resolve to accurate, traceable information as required by EU ESPR regulations.
- Service Improvement: To analyze anonymized usage patterns, identify bugs, improve performance, and develop new features.
- Customer Support: To respond to your support requests, troubleshoot technical issues, and provide assistance.
- Security: To detect, prevent, and respond to fraud, abuse, security incidents, and other harmful activities.
- Legal Compliance: To comply with applicable laws, regulations, legal processes, and enforceable governmental requests, including Shopify's mandatory compliance webhooks (customer data requests, customer redaction, shop redaction).
5. Cookies and Tracking Technologies
5.1 Website Cookies
Our website uses the following categories of cookies:
| Category | Purpose | Consent Required |
|---|---|---|
| Strictly Necessary | Cookie consent preference storage. Required for the website to function properly. | No |
| Analytics | Google Tag Manager / Google Analytics — measures website traffic, page views, session duration, and user journey. Data is anonymized. | Yes |
5.2 Cookie Consent
In accordance with the EU ePrivacy Directive and GDPR, analytics cookies are only set after you explicitly consent via our cookie banner. You can withdraw consent at any time by clearing your browser cookies or clicking the cookie settings link in our footer.
5.3 Shopify App Cookies
The embedded Shopify App uses session cookies managed by Shopify for authentication purposes. These are strictly necessary and do not require separate consent.
6. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data or business information to third parties. We may share your information only in these limited circumstances:
6.1 Service Providers
- Shopify Inc.: Platform integration, authentication, billing, and product data synchronization. Shopify's privacy policy: shopify.com/legal/privacy
- Vercel Inc.: Application hosting and edge network (SOC 2 Type II compliant).
- Supabase Inc.: PostgreSQL database hosting with encryption at rest (SOC 2 Type II compliant).
- Google LLC: Analytics data processing via Google Tag Manager and Google Analytics (only with user consent). Google's privacy policy: policies.google.com/privacy
- Mapbox Inc.: Geographic coordinate processing for interactive maps on public passport pages.
All sub-processors operate under Data Processing Agreements (DPAs) and are bound by confidentiality obligations.
6.2 Legal Requirements
We may disclose your information if required by law or in the good-faith belief that such action is necessary to:
- Comply with legal obligations, court orders, or governmental requests
- Investigate potential violations of our policies
- Protect the safety, rights, or property of PassportPro, our users, or the public
- Defend against legal liability or claims
6.3 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice in the application before your information becomes subject to a different privacy policy.
7. Public Data and Digital Product Passports
Important Notice: Digital Product Passports created with PassportPro are intended to be publicly accessible to comply with EU ESPR regulations. When you create a passport and generate a QR code, the following information becomes publicly available at pp-code.org:
- All product passport fields you populate (manufacturer, materials, environmental data, etc.)
- Print run snapshots and amendment histories
- Product images you associate with passports
- Manufacturer, material, and substance information linked to published passports
Do not include confidential, proprietary, or sensitive business information in passport fields that you do not wish to be publicly disclosed. Passport pages are indexed by search engines and accessible to anyone with the QR code link. This is by design for consumer transparency and regulatory compliance.
8. Data Security
- Encryption: Data in transit is encrypted via TLS/SSL. Sensitive data at rest, including access tokens, is encrypted in our database.
- Access Controls: Role-based access controls and multi-factor authentication for system and database access.
- Secure Infrastructure: Vercel and Supabase both maintain SOC 2 Type II compliance and comprehensive security programs.
- Immutable Audit Trails: Print run snapshots and amendments are stored in append-only structures to prevent tampering and ensure data integrity.
While we strive to protect your information using commercially reasonable means, no method of transmission or electronic storage is 100% secure. We cannot guarantee absolute security.
9. Data Retention
9.1 Active Subscription
While you maintain an active subscription, we retain all shop information, library records, passports, and print runs to provide continuous service.
9.2 Archived Accounts
When you cancel your subscription or uninstall the app, you may be offered an optional one-time Archive Fee to preserve your published passports and print run QR codes for continued operation. This keeps published passports active and QR codes resolvable indefinitely in read-only mode.
9.3 Data Deletion (If Archive Is Declined)
If you decline the archive option, all your data will be permanently deleted after 30 days from the cancellation date. This includes all shop information, library records, product passports, print runs, and associated data. After deletion, QR codes will no longer resolve. This action is irreversible.
9.4 Website Analytics Data
Google Analytics data is retained according to Google's data retention settings (default: 14 months). Server logs are retained for up to 90 days.
9.5 Backup and Legal Hold
Deleted data may persist in backup systems for up to 90 days. Data subject to legal holds, ongoing investigations, or disputes is retained until the matter is resolved.
10. Your Privacy Rights
10.1 GDPR Rights (EU/EEA/UK Users)
Under the General Data Protection Regulation, you have the right to:
- Access: Request confirmation of what personal data we hold about you and obtain a copy.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure ("Right to Be Forgotten"): Request deletion of your personal data. Note: This does not apply to print run snapshots retained for regulatory compliance and consumer protection.
- Restriction of Processing: Request that we limit how we use your data.
- Data Portability: Receive your data in a structured, machine-readable format.
- Object: Object to processing based on legitimate interests or for direct marketing.
- Withdraw Consent: Where processing is based on consent, withdraw it at any time without affecting lawfulness of prior processing.
- Lodge a Complaint: File a complaint with your local data protection authority.
10.2 CCPA/CPRA Rights (California Residents)
- Right to Know: Request information about categories and specific pieces of personal information we've collected, sources, purposes, and third parties we share it with.
- Right to Delete: Request deletion of your personal information (subject to exceptions for regulatory data).
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell or share (for cross-context behavioral advertising) personal information.
- Right to Non-Discrimination: You will not receive discriminatory treatment for exercising your privacy rights.
10.3 Other Jurisdictions
If you are located in other jurisdictions with data protection laws (e.g., Brazil's LGPD, Canada's PIPEDA, Australia's Privacy Act), you may have similar rights. Contact us to exercise any applicable rights.
10.4 Exercising Your Rights
To exercise any of these rights, email us at support@velvetdevelopment.com. We will respond within 30 days (GDPR) or 45 days (CCPA). We may verify your identity through your Shopify store credentials before processing requests.
11. International Data Transfers
PassportPro may transfer and process your information in countries outside your country of residence, including the United States. When we transfer data internationally, we ensure appropriate safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Processing within countries with adequate protection under GDPR
- EU-U.S. Data Privacy Framework compliance where applicable
12. Children's Privacy
PassportPro is a business-to-business application intended for Shopify merchants and their authorized staff. Our service is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware of inadvertent collection, we will delete it promptly.
13. Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. We honor DNT signals by not loading analytics cookies when a DNT signal is detected, consistent with our consent-based approach.
14. Third-Party Links
Our Website and App may contain links to third-party websites (Shopify, Google, etc.). We are not responsible for their privacy practices. We encourage you to read the privacy policies of any third-party services you interact with.
15. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, legal requirements, or service features. When we make material changes, we will:
- Update the "Last updated" date at the top of this policy
- Notify you via email to your registered shop contact email
- Display a prominent notice in the PassportPro admin interface
Continued use of our services after changes constitutes acceptance of the updated policy.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices:
- Email: support@velvetdevelopment.com
- Data Protection Inquiries: support@velvetdevelopment.com