Last updated: 15 July 2026

Privacy Policy

This Privacy Policy explains how Smart DRS Limited processes personal data when you use the DPP.GS platform, including the public Digital Product Passport viewer at dpp.gs, the B2B dashboard at admin.dpp.gs, our website smartdrs.com, the China-market site cn.dpp.gs, and related services (together, the "Service"). It is provided in accordance with Articles 13 and 14 of the EU General Data Protection Regulation (GDPR).

1. Who we are (data controller)

The data controller responsible for personal data processed through the Service is:

Smart DRS Limited is part of the Sensoneo group, and the platform is operated on Sensoneo's infrastructure. Smart DRS Limited is the contracting entity and controller for the personal data described in this Policy.

Where we process personal data on behalf of a business customer (for example, personal data contained in the product passports that a customer uploads), the customer is the controller and we act as a processor. That processing is governed by our Data Processing Agreement rather than by this Policy.

2. What data we process and where it comes from

3. Purposes and legal bases

We process personal data for the following purposes and on the following legal bases under Article 6(1) GDPR:

PurposePersonal dataLegal basis
Providing and administering your account and the ServiceAccount/customer data, product/passport dataPerformance of a contract (Art. 6(1)(b))
Publishing public Digital Product Passports as instructed by customersProduct/passport data (may include responsible-person names)Performance of a contract with the customer; legal obligation of the customer under ESPR/related law
Billing, invoicing and processing paymentsBilling details, payment metadataPerformance of a contract (Art. 6(1)(b)); legal obligation for tax/accounting (Art. 6(1)(c))
Security, abuse prevention and fraud preventionAccess logs, IP, user-agentLegitimate interests (Art. 6(1)(f))
Product and usage analytics to improve the ServiceAccess logs; analytics eventsLegitimate interests (Plausible, cookieless); consent for Google Analytics (Art. 6(1)(a))
Responding to support requests and enquiriesContact-form submissionsLegitimate interests / steps prior to a contract (Art. 6(1)(b)/(f))
Non-essential cookies and marketingCookie/analytics identifiersConsent (Art. 6(1)(a))
Complying with legal obligationsAccount, billing and tax recordsLegal obligation (Art. 6(1)(c))

Where we rely on legitimate interests, we have carried out a balancing assessment; you may request further information at [email protected].

4. Sub-processors and recipients

We use carefully selected service providers ("sub-processors") who process personal data on our behalf under written data-processing agreements. We do not sell personal data.

ProviderRoleLocationSafeguard
Hetzner Online GmbHHosting and S3 object storageEU (Germany, Finland) and a US edge node (Ashburn, Virginia)EU processing; SCCs + supplementary measures for US edge node
StripePayment processing (EUR)EU / USASCCs / EU-US Data Privacy Framework
Twilio SendGridTransactional email deliveryUSASCCs
CloudflareCDN, DNS, DDoS protection, TLSEU / USA (global edge)SCCs
Google (Tag Manager / Analytics)Web analytics — only with consentEU / USASCCs / EU-US Data Privacy Framework
Plausible AnalyticsCookieless, aggregate web analyticsEUEU-hosted; no personal data / no consent required

5. International transfers

The Service operates a US edge node in Ashburn, Virginia. As a result, some personal data may be processed in the United States. In addition, certain sub-processors (Stripe, Twilio SendGrid, Google and Cloudflare) may transfer personal data to the USA or other third countries.

Where personal data is transferred outside the European Economic Area, we rely on appropriate safeguards under Chapter V GDPR — principally the European Commission's Standard Contractual Clauses (SCCs) together with supplementary technical and organisational measures, and, where applicable, certification under the EU-US Data Privacy Framework. You may request a copy of the relevant safeguards at [email protected].

6. Retention

When a retention period ends, personal data is deleted or irreversibly anonymised.

7. Your rights

Subject to the conditions in the GDPR (Articles 15-22), you have the right to:

To exercise any of these rights, contact [email protected]. We will respond within one month, as required by law. If the personal data concerns a product passport uploaded by one of our business customers, we act as a processor and will refer your request to the relevant customer (the controller).

8. Cookies

We use essential cookies (session, your consent choice, and a language-preference cookie set on .dpp.gs) that do not require consent, and — only after you opt in — Google Tag Manager and Google Analytics. Our Plausible analytics is cookieless. For full details, see our Cookie Policy.

9. Children

The Service is a business-to-business platform intended for manufacturers, importers and other economic operators. It is not directed at children and we do not knowingly collect personal data from children.

10. Security

We implement appropriate technical and organisational measures to protect personal data, including encryption in transit (TLS), hashing of passwords, access controls and role-based authorisation, isolated production and staging environments, encrypted backups, and monitoring and logging. No method of transmission or storage is completely secure, but we continually review and improve our safeguards.

11. Changes to this Policy

We may update this Policy from time to time. The "Last updated" date at the top reflects the latest version. Where changes are material, we will notify account holders by email or through the dashboard.

12. Contact and complaints

For any privacy question, contact [email protected]. If you believe our processing infringes data protection law, you have the right to lodge a complaint with our lead supervisory authority:

You may also complain to the supervisory authority in your own EU/EEA country of residence or work.