Legal
Privacy Policy
PassPer is a brand of AutoNMS (Reg. No. HE477557), registered in Cyprus. We are committed to protecting your personal data and processing it in compliance with the General Data Protection Regulation (GDPR) and applicable EU privacy law.
1. Who we are
Data controller: AutoNMS (Reg. No. HE477557), Cyprus. Contact: privacy@passper.eu.
2. Data we collect
Account data
When you register, we collect your email address, name, and organisation details. This is necessary to provide the service.
Product passport data
We store the product data you upload to create Digital Product Passports. This data is processed on your behalf as a data processor. You are the data controller for that content.
Usage data
We collect logs of API calls, page views, and feature usage to operate, secure, and improve the platform. Logs are retained for 90 days.
Cookies
We use a single session cookie (dp_token) for authentication. We do not use third-party tracking or advertising cookies.
3. How we use your data
- To provide and maintain the PassPer service
- To send transactional emails (account verification, password reset, team invites, supplier requests)
- To comply with our legal obligations under EU Battery Regulation 2023/1542 and ESPR
- To detect and prevent fraud and abuse
We do not sell your data. We do not use your data for advertising.
4. Legal basis for processing
- Contract performance — processing account data to deliver the service you signed up for
- Legitimate interests — security monitoring, abuse prevention, product improvement
- Legal obligation — retaining records required by EU regulation
5. Data storage and transfers
All data is stored on servers located within the European Union (Germany). We do not transfer personal data outside the EU/EEA unless required by law.
Sub-processors we use (all EU/EEA or adequate-country only): Hetzner (infrastructure), Postmark (transactional email, EU data residency), Stripe (payment processing, Privacy Shield successor SCCs).
6. Data retention
Account data is retained while your account is active and for 30 days after deletion. Product passport data (required by EU regulation) is retained for the battery's useful life plus the statutory post-end-of-life period, as mandated by Regulation 2023/1542. Billing records are retained for 7 years per applicable tax law.
7. Your rights
Under GDPR, you have the right to access, correct, delete, restrict, or port your data, and to object to processing. To exercise any right, email privacy@passper.eu. We will respond within 30 days. If you are unsatisfied, you may lodge a complaint with your national data protection authority.
8. Security
We use TLS 1.3 in transit, bcrypt password hashing, and row-level tenant isolation. Access to production data is restricted to authorised personnel. We perform regular security reviews.
9. Changes to this policy
We will notify registered users of material changes by email at least 30 days before they take effect.
10. Contact
Privacy enquiries: privacy@passper.eu
General: hello@passper.eu