1. Introduction

This Privacy Policy explains how ClarosDPP, also referred to as Claros Digital Product Passport, "we", "us", or "our", collects, uses, stores, shares, protects, exports, and deletes personal data when you use our website, Digital Product Passport platform, dashboard, public passport viewer, APIs, QR-code passport links, repository, documentation, support channels, and related services.

ClarosDPP is a business-to-business SaaS platform for creating, managing, maintaining, releasing, verifying, and publicly sharing Digital Product Passports. A Digital Product Passport may act as a structured digital identity or digital twin for a product, product model, batch, item, battery, component, facility, or related compliance object. The platform helps companies organise product, material, technical, sustainability, lifecycle, compliance, repair, recycling, facility, economic operator, data-carrier, signature, and evidence information into a digital passport structure.

This Privacy Policy is intended for a European business environment and is written with the General Data Protection Regulation, EU data governance expectations, Digital Product Passport requirements, and data portability principles in mind. It should be read together with our Terms of Service, any Order Form, Data Processing Agreement, Cookie Policy, security documentation, and other written agreement between us and the customer.

2. Important distinction between Customer Data and personal data

Most information processed in ClarosDPP is business, product, technical, regulatory, compliance, environmental, operational, or lifecycle data. Much of this information may not identify a natural person. However, some information in the platform may still be personal data, for example user account details, business contact details, profile fields, facility contact details, audit logs linked to a user, login records, support messages, invitation records, scan metadata, IP addresses in server logs, or personal information included by a customer in passport fields or uploaded files.

ClarosDPP does not claim ownership over customer product data, company data, passport data, uploaded files, repository files, compliance evidence, passport history, released passport data, or other Customer Data. Customers remain responsible for and retain ownership of the data they upload, create, import, publish, maintain, export, or delete through the Service.

We process Customer Data only to provide, operate, secure, maintain, support, improve, export, delete, migrate, or legally protect the Service, or as otherwise instructed by the customer or required by law. We do not sell Customer Data, and we do not use Customer Data for our own unrelated commercial purposes.

3. Who this Privacy Policy applies to

This Privacy Policy applies to website visitors, demo requesters, customer administrators, invited users, platform users, API users, public viewers of Digital Product Passports, people who scan QR codes or other data carriers, supplier or facility contacts whose information may be included in customer-submitted data, support contacts, prospects, vendors, and business partners.

This Privacy Policy does not replace any privacy notice that our customers may need to provide to their own employees, suppliers, customers, contractors, facility contacts, or other individuals. Where a customer uploads, imports, or publishes personal data through the platform, the customer is normally responsible for deciding whether that data should be processed, whether it should be public, and what lawful basis applies.

4. Our role as controller and processor

We act as a controller when we decide why and how personal data is processed. This includes personal data used for our website, account creation, authentication, user management, customer relationship management, billing, security, service analytics, support, legal compliance, and business communications.

We act as a processor when we process personal data on behalf of a customer inside the ClarosDPP platform. This may include personal data contained in Digital Product Passports, uploaded files, repository records, facility records, audit logs, workflow records, scan records, API imports, exports, messages, notifications, and customer-configured integrations. In this situation, the customer is normally the controller and we process the personal data according to the customer’s documented instructions, our agreement with the customer, and any applicable Data Processing Agreement.

If a customer uses the platform to publish public passport data, the customer decides what data is made public. We provide the technical platform for publishing, serving, verifying, and maintaining that passport data.

5. Personal data we collect and process

We process account and user profile data such as name, business email address, company association, role, permission level, account status, first name, last name, phone number, job title, bio, avatar URL, preferred language, default reviewer or approver settings, two-factor authentication status, creation date, update date, and last login information.

We process authentication and security data such as password hashes, password reset tokens, invitation tokens, OTP verification data in hashed form, session cookies, JWT session tokens, session version values, SSO identity metadata, API key prefixes and hashes, failed login counters, rate-limit records, security events, user agent data, request metadata, and audit logs.

We process company and business account data such as company name, company ID, economic operator identifiers, company settings, company DPP policies, enabled passport types, facility identifiers, facility display names, facility metadata, access permissions, user roles, API key settings, and account configuration.

We process Digital Product Passport data created, imported, edited, released, revised, archived, or published by customers. This may include DPP identifiers, product IDs, unique product identifiers, passport type, granularity, model name, version number, release status, compliance profile, content specification IDs, carrier policy, carrier authenticity, economic operator ID, facility ID, dynamic passport fields, product data, material data, technical data, battery data, sustainability data, circularity data, repair data, recycling data, documentation, attachments, public metadata, signatures, verifiable credential data, DID-related data, and version history.

We process repository and file data such as folder names, filenames, display names, file metadata, MIME type, file size, storage key, storage provider, file URL, public attachment ID, upload date, update date, and deletion records. Uploaded files may include certificates, technical documents, compliance evidence, manuals, images, symbols, CSV, JSON, XML, spreadsheets, PDFs, and other documents selected by the customer. These files may contain personal data if the customer includes it.

We process public viewer, QR-code, data-carrier, and API data when someone accesses a public passport page or API route. This may include the requested DPP ID, product ID, public URL, public representation format, timestamp, user agent, referrer, scan event, carrier-verification event, security event, and server log information such as IP address where captured by the hosting or security environment.

We process workflow, message, and notification data such as reviewer and approver assignments, workflow history, backlog items, conversation membership, message content, notification title, notification message, action URL, read status, and related passport references.

We process support and communication data such as name, email address, company name, message contents, support requests, issue descriptions, diagnostic information, attachments, and communication history.

If paid services are used, we may process billing and commercial data such as billing contact details, company address, VAT or tax information, invoice details, payment status, subscription details, order details, and limited payment metadata. We do not intentionally store full payment card details unless expressly stated; payment processing may be handled by a payment provider under its own terms and privacy notice.

6. Sources of personal data

We collect personal data directly from users when they create an account, accept an invitation, register, log in, complete 2FA, reset a password, update a profile, request a demo, contact us, use the dashboard, create a passport, upload files, publish passport data, configure company settings, send messages, or use API features.

We receive personal data from customer administrators when they invite users, assign roles, configure company access, add facilities, manage users, create API keys, upload repository files, import passport records, or configure integrations.

We receive personal data from customer-controlled systems if the customer connects or imports data from external sources such as ERP, PLM, compliance systems, supplier systems, document repositories, identity providers, or another Digital Product Passport service.

We also collect some personal data automatically when people visit the website, access public passport pages, scan QR codes, call APIs, or interact with the platform.

7. Purposes and lawful bases

We process personal data to provide the Service, create and manage user accounts, authenticate users, maintain secure sessions, support invitation and password reset flows, manage companies and users, assign permissions, operate role-based access, create and maintain Digital Product Passports, publish public passport pages, provide public and private API access, store files, maintain repository records, manage workflows, provide audit trails, generate and verify signatures, maintain passport history, handle QR/data-carrier scan events, provide support, send service communications, manage billing, protect the platform, prevent abuse, troubleshoot issues, comply with legal obligations, and improve reliability.

Where GDPR applies, we rely on different lawful bases depending on the processing activity. We may process personal data because it is necessary to perform a contract or take steps before entering into a contract, for example to provide the SaaS platform, create accounts, authenticate users, manage subscriptions, deliver support, and administer customer access.

We may process personal data because we have legitimate interests, for example to secure the Service, prevent fraud and abuse, maintain audit logs, troubleshoot errors, improve reliability, respond to business enquiries, manage customer relationships, understand business use of the Service, and protect our legal rights. We balance these interests against the rights and freedoms of individuals.

We may process personal data to comply with legal obligations, for example accounting, tax, regulatory, court, supervisory authority, security, or legal preservation obligations.

We may process personal data based on consent where required, for example for certain cookies, marketing communications, or customer-controlled publication of personal data where consent is the appropriate lawful basis.

When we act as a processor, we process personal data on the customer’s documented instructions and according to the applicable agreement.

8. Customer responsibility for data entered into the platform

Customers decide what company, product, supplier, facility, compliance, technical, lifecycle, repository, and passport data they upload, import, create, publish, maintain, export, or delete in the Service. Customers are responsible for ensuring that Customer Data is accurate, lawful, not misleading, and suitable for the intended Digital Product Passport use case.

Customers should avoid adding unnecessary personal data to passport fields, public passport pages, QR-code destinations, repository files, attachments, public APIs, DID documents, signatures, certificates, or facility records. Customers should not upload or publish special-category personal data, highly sensitive personal data, or private personal information unless it is necessary, lawful, covered by appropriate notices and agreements, and technically appropriate for the Service.

Where Customer Data contains personal data about employees, suppliers, contractors, facility contacts, or other individuals, the customer is normally responsible for informing those individuals, identifying the lawful basis, responding to their rights requests, and deciding whether the information should be public, restricted, confidential, internal, exported, or deleted.

9. Public Digital Product Passports

The Service allows customers to publish Digital Product Passports through public pages, QR-code links, public API routes, data carriers, DID documents, JSON or JSON-LD representations, signatures, verifiable credentials, and other machine-readable formats. Public passport data may be accessed by consumers, business customers, suppliers, regulators, market surveillance authorities, repairers, recyclers, auditors, search engines, crawlers, competitors, AI systems, and other third parties.

Customers should treat publication of a Digital Product Passport as an intentional disclosure of the selected passport content. We cannot control what third parties do after they access public passport data. Public passport data may be copied, downloaded, cached, indexed, archived, redistributed, analysed, or combined with other information by third parties.

Customers should not publish personal data in a Digital Product Passport unless it is necessary, lawful, proportionate, and suitable for public disclosure. Customer end-user personal data should not be stored in a Digital Product Passport unless a valid lawful basis exists and the data is appropriate for the public or controlled audience intended by the customer.

10. Public scans, QR codes, and data carriers

The Service may allow customers to generate or validate QR codes and other data-carrier information for passports. When a public passport is scanned or accessed, we may record scan-related and security-related metadata such as the DPP ID, timestamp, user agent, referrer, public route, and related security or carrier-verification event.

We use this information to serve the public passport, support scan statistics, detect abuse, support anti-counterfeiting review, monitor system health, troubleshoot issues, and protect the integrity of the passport system.

We do not intentionally use scan metadata to identify individual consumers unless this is necessary for security, abuse prevention, legal compliance, or a customer-configured authenticated access flow.

11. Repository files and attachments

Customers may use the repository and attachment features to upload, organise, link, or publish documents and images. Repository data is company-scoped and protected by authentication and role-based access, except where a customer intentionally makes a file or attachment public through passport publication, public attachment links, or public file access features.

When a customer deletes an uploaded repository file using the repository delete function, the active repository record and associated storage object are intended to be deleted. External file references are removed from the repository rather than deleted from the external source. Some residual information may remain in backups, audit logs, security logs, passport history, public handover records, or legal records where retention is required or technically necessary.

Customers are responsible for checking that uploaded files do not contain unnecessary personal data, confidential information, trade secrets, or third-party data that should not be uploaded or published.

12. Data ownership, export, portability, and migration

Customers retain ownership of Customer Data. We do not own the customer’s company data, passport data, product data, uploaded files, repository files, compliance evidence, or business records.

If a customer wants to stop using ClarosDPP or move to another Digital Product Passport provider, we will make reasonable efforts to return or export Customer Data in a usable format and support basic migration in line with the applicable agreement. Basic migration support may include reasonable export support, access to available data exports, and reasonable cooperation to help the customer retrieve its data.

If the customer requests complex, custom, time-consuming, technically unusual, or economically burdensome migration support beyond standard export or basic cooperation, we may handle that work under a separate written arrangement and may invoice the customer for the additional effort. The details should be agreed in the applicable Order Form, statement of work, or written agreement.

We do not retain Customer Data after termination for our own unrelated commercial use. However, limited copies may remain for a restricted period in backups, audit logs, security records, legal records, accounting records, public passport continuity records, or regulatory records where required or justified.

13. Deletion, deactivation, and retention limits

Users may update certain profile information in the platform. Customer administrators may change roles, deactivate users, revoke access, revoke sessions, revoke API keys, delete repository files, remove folders where permitted, and delete or update passport records where the Service supports it.

User deactivation is not always the same as deletion. Deactivation may disable the user’s access while keeping limited account, audit, history, or security records. This is important for traceability, access-control history, compliance, and security investigation.

Passport deletion may remove or mark a passport as deleted in active views, but some passport-related information may remain in registry records, version history, archived snapshots, audit logs, signatures, backup records, security events, public handover records, or legal records where needed for integrity, compliance, product lifecycle continuity, dispute resolution, security, or regulatory reasons.

Audit logs and audit anchors may be retained to preserve security and integrity records. They may not be editable or deletable through normal user functions because they exist to document actions taken in the platform.

Where we act as processor, we delete or return personal data according to the customer’s documented instructions, the applicable agreement, and applicable law. Where we act as controller, we delete or anonymise personal data when it is no longer needed for the purposes described in this Privacy Policy, unless we need to keep it for legal, security, accounting, regulatory, contractual, backup, audit, or dispute-resolution reasons.

14. Retention periods

We keep personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, unless a longer period is required or permitted by law, contract, security needs, audit requirements, backup practices, Digital Product Passport continuity needs, or regulatory requirements.

Account and profile data is generally retained while the user account or customer company account is active and for a reasonable period afterwards for administration, security, support, audit, and legal purposes. Authentication data, session data, invitation tokens, password reset records, OTP records, rate-limit records, and API key records are retained for the period needed to operate and secure those features.

Customer DPP content is generally retained for the customer subscription period and any agreed retention, export, migration, backup, public continuity, or regulatory period. Released, signed, archived, public, or history passport records may need to be retained for product lifecycle, audit, verification, legal, or regulatory reasons.

Repository files are retained until deleted by the customer or until the relevant company account is deleted, subject to backups, audit records, public attachments, legal obligations, and any agreed retention rules. Billing and tax records are retained as required by accounting and tax law. Support and communication records are retained for the period needed to provide support, maintain business records, and resolve disputes. Marketing data is retained until it is no longer needed or until consent is withdrawn or an opt-out is processed.

15. How we share personal data

We may share personal data with customer administrators and authorised users within the relevant company account. For example, administrators may see user names, emails, roles, profile information, access status, activity records, audit records, and access settings.

We may share public Digital Product Passport data with anyone who accesses the relevant public page, QR-code link, API endpoint, DID document, signature, verifiable credential, public file, or machine-readable passport representation.

We may share personal data with service providers and subprocessors that help us host, store, secure, monitor, support, analyse, communicate, invoice, or operate the Service. These may include hosting providers, database providers, object storage providers, email providers, identity and SSO providers, analytics providers, payment providers, support tools, logging tools, security tools, infrastructure providers, and professional advisers. Where required, we use contractual protections with these service providers.

We may share personal data with customer-configured integrations. If a customer connects ClarosDPP to another system, data may flow to or from that system according to the customer’s configuration and the third party’s terms.

We may disclose personal data if required to comply with law, enforce our agreements, respond to lawful requests from courts, regulators, supervisory authorities, or public authorities, protect rights and safety, investigate fraud or abuse, prevent security incidents, or defend legal claims.

If we are involved in a merger, acquisition, financing, restructuring, sale of assets, or similar business transaction, personal data may be transferred as part of that transaction, subject to appropriate confidentiality and data protection safeguards.

16. International transfers

We aim to handle personal data in a way that is suitable for customers operating in Europe. However, we or our service providers may process personal data in countries outside the country where the customer or user is located.

Where GDPR applies and personal data is transferred outside the European Economic Area or another protected jurisdiction, we use appropriate safeguards where required. These may include an adequacy decision, Standard Contractual Clauses, a Data Processing Agreement, transfer risk assessments, encryption, access controls, and other contractual, technical, and organisational measures.

17. Security

We use technical and organisational measures designed to protect personal data and Customer Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access, abuse, and fraud.

These measures may include password hashing, password policy enforcement, OTP hashing, token-based authentication, session cookies, session revocation, optional two-factor authentication, SSO support, rate limiting, account lockout controls, role-based access control, company-scoped permissions, API key hashing, access grants, audit logging, security event logging, app-mediated public attachment IDs, storage-key controls, file path validation, passport signing, public-key verification, HTTPS in production, backup procedures, monitoring, logging, and incident response processes.

No online service can be guaranteed to be completely secure. Customers and users are responsible for using strong passwords, protecting credentials, limiting administrator access, reviewing user permissions, removing users who no longer need access, configuring public passport data carefully, protecting API keys, and notifying us promptly of suspected unauthorised access or security incidents.

18. Personal data breaches

If we become aware of a personal data breach affecting personal data for which we are controller, we will assess the incident and notify affected individuals or supervisory authorities where required by applicable law.

If we become aware of a personal data breach affecting personal data that we process as processor for a customer, we will notify the customer without undue delay and provide reasonable information and assistance as required by applicable law and the Data Processing Agreement.

19. Cookies and similar technologies

We may use cookies, local storage, session storage, pixels, SDKs, and similar technologies to operate the website and Service, keep users signed in, secure sessions, remember preferences, store consent choices, prevent fraud and abuse, measure performance, diagnose errors, understand usage, and support analytics or marketing where legally permitted.

Strictly necessary cookies are used to provide core website, login, security, and service functionality. Preference cookies may remember settings such as language, region, or display preferences. Analytics cookies help us understand how visitors use the website and Service. Marketing cookies, if used, help measure campaigns or understand conversions.

Where consent is required by law, we will ask for consent before setting non-essential cookies. Users may manage cookies through our cookie banner, cookie settings tool, or browser settings. Blocking strictly necessary cookies may cause parts of the website or Service, including login and dashboard features, to stop working correctly.

20. Analytics, improvement, and AI

We may use aggregated, anonymised, or de-identified information to understand usage, improve reliability, troubleshoot issues, develop features, improve security, and analyse performance.

We do not intentionally use Customer Data or customer DPP content containing personal data to train public AI models unless this is clearly disclosed, legally permitted, and agreed where required. If we introduce AI-assisted features in the future, we will describe the relevant processing, safeguards, and customer controls where required.

21. Automated decision-making

We do not intentionally use personal data for solely automated decisions that produce legal effects or similarly significant effects on individuals.

We may use automated tools for authentication, security, rate limiting, fraud prevention, access control, abuse detection, system monitoring, and service reliability. These tools are used to protect the Service and do not make decisions intended to create legal or similarly significant effects for individuals.

22. Special-category and sensitive personal data

The Service is not designed to collect or process special-category personal data under GDPR, such as health data, biometric data, genetic data, political opinions, religious beliefs, trade union membership, or data about sex life or sexual orientation.

The Service is also not intended for national identification numbers, passport numbers, private financial account details, criminal offence data, medical records, or other highly sensitive personal data unless expressly agreed in writing and supported by an appropriate legal basis, security assessment, and contractual terms.

Customers must not include unnecessary sensitive personal data in Digital Product Passports, uploaded files, public pages, public APIs, repository files, attachments, messages, or support requests.

23. Children

The Service is intended for business and professional use. It is not directed to children. We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us so that we can take appropriate action.

24. Your data protection rights

Where applicable law gives you rights over your personal data, you may have the right to request access to your personal data, correction of inaccurate or incomplete personal data, deletion of personal data, restriction of processing, objection to processing based on legitimate interests, objection to direct marketing, portability of personal data, withdrawal of consent where processing is based on consent, and the right to lodge a complaint with a supervisory authority.

These rights are subject to legal conditions and exceptions. For example, we may need to keep certain information for security, audit, legal, tax, contractual, regulatory, backup, public passport continuity, or dispute-resolution reasons.

If your request relates to personal data controlled by one of our customers, we may refer the request to that customer or act according to the customer’s instructions. We may need to verify your identity before responding to a request.

25. How to exercise your rights

To exercise privacy rights or ask questions about this Privacy Policy, contact us at:

If you are an employee, supplier, contractor, facility contact, or representative of one of our customers and your personal data appears in that customer’s company account, repository, or Digital Product Passport content, you may also contact that customer directly because the customer may be the controller of that data.

If you are located in the European Economic Area, you may also contact your local data protection supervisory authority. If the relevant authority is in Sweden, this is the Swedish Authority for Privacy Protection, Integritetsskyddsmyndigheten.

26. Marketing communications

We may send marketing communications where permitted by law. You can opt out of marketing emails by using the unsubscribe link in the email or by contacting us.

Even if you opt out of marketing messages, we may still send service, security, legal, billing, account, support, or administrative messages where necessary.

27. Third-party links and integrations

The website and Service may link to third-party websites, standards bodies, regulators, documentation, public registries, customer systems, integration providers, payment providers, identity providers, or external file locations.

We are not responsible for the privacy practices of third parties. Customers and users should review the privacy notices and terms of third-party services before using them or connecting them to ClarosDPP.

28. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in the Service, legal requirements, security practices, subprocessors, cookies, data flows, or business operations.

The updated version will be posted with a new "Last updated" date. If changes are material, we may provide additional notice by email, in-app notice, website notice, or another appropriate method.

29. Contact

For privacy questions, data protection requests, security concerns, or questions about how personal data is handled in ClarosDPP, contact: