01 Overview
This Privacy Policy explains how TextilePass ("we", "us") collects, uses, shares, and protects personal data when you use our platform, websites, and related services (the "Service").
For personal data processed about your own account and use of the Service, TextilePass acts as a data controller. For product and supply-chain data you upload about your business and partners, TextilePass generally acts as a data processor on your behalf.
02 Data we collect
We collect the following categories of data:
- Account data — name, work email, organisation details, and role, provided at sign-up and onboarding;
- Customer Content — product, material, supply-chain, certificate, and impact data you submit to build passports;
- Billing data — subscription plan and payment metadata, processed by our payment provider (we do not store full card numbers);
- Usage data — log data, device and browser information, and analytics about how the Service is used;
- Communications — messages you send us, including contact-form submissions and support requests.
03 How we use data
We use personal data to:
- Provide, maintain, secure, and improve the Service;
- Authenticate users and manage accounts and subscriptions;
- Generate and publish Digital Product Passports as you instruct;
- Process payments and send service, billing, and security communications;
- Respond to enquiries and provide customer support;
- Comply with legal obligations and enforce our Terms of Service.
04 Legal bases for processing
Where the GDPR applies, we process personal data on the following legal bases: performance of a contract (to provide the Service you signed up for); legitimate interests (to secure, analyse, and improve the Service); consent (where required, for example certain analytics or marketing); and compliance with legal obligations.
05 Sub-processors and hosting
We rely on a small set of trusted providers to operate the Service. They process data only on our instructions and under appropriate data-protection agreements:
- Supabase — authentication and primary database, with row-level security;
- Vercel — application hosting and edge content delivery;
- Resend — transactional and notification email delivery;
- Mistral AI — AI extraction of fields from documents you choose to upload;
- Our payment processor — subscription billing and invoicing.
Application data is hosted within the European Union. Where a provider processes data outside the EU, we rely on appropriate safeguards such as Standard Contractual Clauses.
06 Public passport pages
Published Digital Product Passport pages are intentionally public and accessible to anyone with the QR code or link. Only data you choose to publish is shown. Do not place confidential personal data in fields intended for public passport display.
07 Data sharing
We do not sell personal data. We share data only with the sub-processors listed above, with parties you explicitly authorise (such as suppliers you invite into your supply chain), and where required by law or to protect our rights and the safety of users.
08 Data retention
We retain personal data for as long as your account is active and as needed to provide the Service. After account closure, we delete or anonymise personal data within a reasonable period, except where retention is required for legal, accounting, or security purposes. Published passport pages may be retained to preserve the integrity of QR codes already in circulation.
09 Your rights
Subject to applicable law, you have the right to:
- Access the personal data we hold about you;
- Request correction of inaccurate or incomplete data;
- Request erasure of your personal data;
- Object to or restrict certain processing;
- Receive your data in a portable format;
- Withdraw consent where processing is based on consent;
- Lodge a complaint with your local data-protection authority.
You can exercise many of these rights directly in the Service via Settings, or by contacting us.
10 Security
We use technical and organisational measures to protect personal data, including encryption in transit, row-level security on our database, scoped access controls, and least-privilege practices. No system is perfectly secure; we encourage you to use a strong, unique password and to keep your credentials confidential.
12 Changes and contact
We may update this Privacy Policy from time to time. We will post the revised policy with an updated "Last updated" date and, where changes are material, provide additional notice.
For privacy questions or to exercise your rights, contact us through our contact page at /contact.