Last updated: 15 July 2026
Privacy Policy
This Privacy Policy explains how Smart DRS Limited processes personal data when you use the DPP.GS platform, including the public Digital Product Passport viewer at dpp.gs, the B2B dashboard at admin.dpp.gs, our website smartdrs.com, the China-market site cn.dpp.gs, and related services (together, the "Service"). It is provided in accordance with Articles 13 and 14 of the EU General Data Protection Regulation (GDPR).
1. Who we are (data controller)
The data controller responsible for personal data processed through the Service is:
- Smart DRS Limited (company no. 790140)
- 70 Sir John Rogerson's Quay, Dublin 2, Ireland
- Data protection contact: [email protected]
- General contact: [email protected]
Smart DRS Limited is part of the Sensoneo group, and the platform is operated on Sensoneo's infrastructure. Smart DRS Limited is the contracting entity and controller for the personal data described in this Policy.
Where we process personal data on behalf of a business customer (for example, personal data contained in the product passports that a customer uploads), the customer is the controller and we act as a processor. That processing is governed by our Data Processing Agreement rather than by this Policy.
2. What data we process and where it comes from
- Account and customer data — name, business email address, company name, GS1 company prefix, hashed password, API keys, and billing details. Collected directly from you when you register and use the dashboard.
- Product and passport data — information uploaded by customers to create Digital Product Passports, which may include the names and contact details of responsible persons or economic operators. Provided by our business customers.
- Technical and access logs — IP address, user-agent, and pages accessed (stored in our
dpp_access_log). Collected automatically when you interact with the Service. - Payment data — subscription and billing information. Card and payment-instrument data are handled directly by Stripe and never touch our servers.
- Support and contact-form submissions — the content of messages you send us, including your name and email. Provided directly by you.
3. Purposes and legal bases
We process personal data for the following purposes and on the following legal bases under Article 6(1) GDPR:
| Purpose | Personal data | Legal basis |
|---|---|---|
| Providing and administering your account and the Service | Account/customer data, product/passport data | Performance of a contract (Art. 6(1)(b)) |
| Publishing public Digital Product Passports as instructed by customers | Product/passport data (may include responsible-person names) | Performance of a contract with the customer; legal obligation of the customer under ESPR/related law |
| Billing, invoicing and processing payments | Billing details, payment metadata | Performance of a contract (Art. 6(1)(b)); legal obligation for tax/accounting (Art. 6(1)(c)) |
| Security, abuse prevention and fraud prevention | Access logs, IP, user-agent | Legitimate interests (Art. 6(1)(f)) |
| Product and usage analytics to improve the Service | Access logs; analytics events | Legitimate interests (Plausible, cookieless); consent for Google Analytics (Art. 6(1)(a)) |
| Responding to support requests and enquiries | Contact-form submissions | Legitimate interests / steps prior to a contract (Art. 6(1)(b)/(f)) |
| Non-essential cookies and marketing | Cookie/analytics identifiers | Consent (Art. 6(1)(a)) |
| Complying with legal obligations | Account, billing and tax records | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interests, we have carried out a balancing assessment; you may request further information at [email protected].
4. Sub-processors and recipients
We use carefully selected service providers ("sub-processors") who process personal data on our behalf under written data-processing agreements. We do not sell personal data.
| Provider | Role | Location | Safeguard |
|---|---|---|---|
| Hetzner Online GmbH | Hosting and S3 object storage | EU (Germany, Finland) and a US edge node (Ashburn, Virginia) | EU processing; SCCs + supplementary measures for US edge node |
| Stripe | Payment processing (EUR) | EU / USA | SCCs / EU-US Data Privacy Framework |
| Twilio SendGrid | Transactional email delivery | USA | SCCs |
| Cloudflare | CDN, DNS, DDoS protection, TLS | EU / USA (global edge) | SCCs |
| Google (Tag Manager / Analytics) | Web analytics — only with consent | EU / USA | SCCs / EU-US Data Privacy Framework |
| Plausible Analytics | Cookieless, aggregate web analytics | EU | EU-hosted; no personal data / no consent required |
5. International transfers
The Service operates a US edge node in Ashburn, Virginia. As a result, some personal data may be processed in the United States. In addition, certain sub-processors (Stripe, Twilio SendGrid, Google and Cloudflare) may transfer personal data to the USA or other third countries.
Where personal data is transferred outside the European Economic Area, we rely on appropriate safeguards under Chapter V GDPR — principally the European Commission's Standard Contractual Clauses (SCCs) together with supplementary technical and organisational measures, and, where applicable, certification under the EU-US Data Privacy Framework. You may request a copy of the relevant safeguards at [email protected].
6. Retention
- Account and customer data — retained for the life of the account and for up to 10 years after account closure to comply with legal, tax and accounting obligations and to resolve disputes.
- Access logs — retained for approximately 12 months.
- Backups — held on a rolling 35-day cycle and then overwritten or deleted.
- Product/passport data — retained according to customer instructions under the DPA; note that public passports may need to remain available for the regulatory lifetime of the product.
When a retention period ends, personal data is deleted or irreversibly anonymised.
7. Your rights
Subject to the conditions in the GDPR (Articles 15-22), you have the right to:
- access your personal data;
- rectify inaccurate or incomplete data;
- erasure ("right to be forgotten");
- restrict processing;
- data portability;
- object to processing based on legitimate interests;
- withdraw consent at any time (without affecting processing carried out before withdrawal);
- lodge a complaint with a supervisory authority.
To exercise any of these rights, contact [email protected]. We will respond within one month, as required by law. If the personal data concerns a product passport uploaded by one of our business customers, we act as a processor and will refer your request to the relevant customer (the controller).
8. Cookies
We use essential cookies (session, your consent choice, and a language-preference cookie set on .dpp.gs) that do not require consent, and — only after you opt in — Google Tag Manager and Google Analytics. Our Plausible analytics is cookieless. For full details, see our Cookie Policy.
9. Children
The Service is a business-to-business platform intended for manufacturers, importers and other economic operators. It is not directed at children and we do not knowingly collect personal data from children.
10. Security
We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS), hashing of passwords, access controls and role-based authorisation, isolated production and staging environments, encrypted backups, and monitoring and logging. No method of transmission or storage is completely secure, but we continually review and improve our safeguards.
11. Changes to this Policy
We may update this Policy from time to time. The "Last updated" date at the top reflects the latest version. Where changes are material, we will notify account holders by email or through the dashboard.
12. Contact and complaints
For any privacy question, contact [email protected]. If you believe our processing infringes data protection law, you have the right to lodge a complaint with our lead supervisory authority:
- Data Protection Commission (DPC), Ireland — dataprotection.ie
You may also complain to the supervisory authority in your own EU/EEA country of residence or work.