Privacy Policy

At DPP Report, the security and confidentiality of your data is our primary commitment. Explore how we manage and protect your digital assets.

Last Updated: May 19, 2026

1. Scope and Data Controller

At DPP Report ("Company", "We", "Our"), protecting your personal data and ensuring confidentiality is a fundamental priority. We fully comply with the European Union General Data Protection Regulation ("GDPR"), California Consumer Privacy Act ("CCPA"), and other applicable global data privacy frameworks. This Privacy Policy outlines the types of information we collect, the purposes of processing, storage conditions, and user rights for brand operators, consumers performing Digital Product Passport (DPP) verifications, and subsequent ownership transfer recipients.

Our platform establishes immutable, blockchain-secured digital twins for high-value physical goods. By verifying ownership, authenticating origins, and preserving lifecycle histories, we facilitate decentralized digital trust. We maintain strict organizational and technical security measures to preserve data confidentiality.

2. Types of Data We Collect

Depending on your interaction with the platform, we collect and manage the following classifications of personal and institutional data:

  • Identity and Contact Information: Full name, verified email addresses, mobile numbers, and business details of brand representatives or end consumers.
  • Corporate Verification Documents: Tax certificates, commercial gazettes, signature circulars, and official operating certificates uploaded by brands for anti-counterfeiting verification.
  • Product and Certificate Metadata: Brand names, model numbers, GTIN/EAN barcodes, TARIC customs classifications, eco-footprint indicators (carbon footprints, recycled percentages, water parameters), and circularity disassembly directives.
  • Transaction and Ownership Logs: Cryptographically generated passport IDs, timestamps, public verification addresses, transaction states, and historic owner confirmations.
  • Technical and Analytical Data: Coded IP addresses, geo-location statistics (at a country/city boundary level), user agent descriptors, interaction logs, and structural cookies.

3. Purposes and Legal Bases for Processing

All processing activities are legally justified under standard GDPR mechanisms, including contract execution, legal compliance, explicit consent, and corporate legitimate interests:

| Data Category | Purpose of Processing | Legal Basis (GDPR Art. 6) |
| --- | --- | --- |
| Identity & Contact | Account provisioning, multi-factor verification flows, support ticket resolution. | Contractual Necessity (Art. 6/1-b) |
| Corporate Documents | Mitigating brand fraud, verifying registered businesses, network protection. | Legitimate Interests (Art. 6/1-f) |
| Transaction Records | Enabling cryptographically secured secondary transfers, provenance logging. | Performance of Contract (Art. 6/1-b) |
| Technical Analytics | Spatio-temporal analysis of fake scan triggers, parallel imports prevention. | Legitimate Interests (Art. 6/1-f) |

4. Blockchain Integrity & DPP Security

DPP Report utilizes distributed ledger technology (Blockchain) to guarantee product authenticity. By design, block structures are immutable and irreversible. Therefore, to respect modern privacy principles:

Crucial Disclosure

Personal data—such as customer names, physical coordinates, and electronic mail—are never stored on the public blockchain. We only publish cryptographically secured hashes and decentralized IDs (DIDs) on-chain. All identifiable profiles remain in secure, isolated databases, ensuring that rights to be forgotten can be fully executed.

5. Third-Party Data Disclosures

We never trade, lease, or distribute your personal details to advertising networks. Sharing is strictly limited to supporting entities, technical integrators, or regulatory enforcement bodies:

  • Infrastructure Providers: Encrypted hosting services, authentication microservices (SMTP, SMS gateways), and geo-distribution relays.
  • Regulatory & Legal Authorities: Providing data in response to subpoenas, warrants, or court orders if compelled by governing legislation.
  • Ownership Transfer Recipients: Disclosing minimal state confirmations (e.g. transfer availability status) to participating nodes to achieve consensus during exchange.

6. Data Retention & Destruction Policies

We store personal profiles only as long as necessary to fulfill operational scopes, respect legal compliance limits, and maintain structural system backups:

  • Active brand accounts and associated inventory lists remain hosted for the duration of the corporate contract. Closed account data is permanently purged or anonymized following a 10-year legal preservation window.
  • Verification timestamps and scanning telemetry logs are maintained for a maximum of 2 years for fraud analysis.
  • Rejected corporate tax validation documents are permanently cleared from cache storage within 6 months of rejection.

7. User Rights and Application Guides

Under GDPR Chapter 3 and standard privacy laws, individuals maintain comprehensive controls over their personal records:

  • Right of Access & Rectification: Accessing the records we hold and requesting immediate corrections to inaccurate or incomplete files.
  • Right to Erasure (Forgetfulness): Requesting that we permanently expunge your data if processing is no longer required.
  • Right to Data Portability: Receiving a clean copy of your transactional history in a structured, machine-readable format.
  • Right to Object: Opposing automatic algorithmic profiling or analytics activities.

To exercise these rights, submit your structured inquiry to our Data Protection Officer at contact@dpp.report. We will respond and execute your valid requests free of charge within 30 days.

8. Cookie Management Guidelines

DPP Report utilizes primary, first-party cookie elements to establish safe navigation and save basic user variables:

  • Preferences: We save a dedicated cookie (`dppreport_lang`) for 30 days to store your language preferences so you don't need to manually toggle languages on each visit.
  • Security: Session identifiers that protect login statuses and neutralize CSRF threat attempts.

Users can control, delete, or deny cookies at a browser level. However, rejecting functional cookies will degrade performance and block login sequences.