Privacy Policy

Last Updated: January 12, 2026
Effective Date: January 12, 2026

1. Introduction and Data Controller

LabelEU ("we," "us," "our," or the "Company") operates a Software-as-a-Service platform that enables businesses to create, manage, and publish Digital Product Passports (DPP) for compliance with the EU Ecodesign for Sustainable Products Regulation (ESPR) and related regulations.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our website at labeleu.app and our associated services (collectively, the "Service").

Data Controller:
LabelEU
Email: support@labeleu.app

We are committed to protecting your privacy and processing your personal data in accordance with the General Data Protection Regulation (GDPR), the ePrivacy Directive, and other applicable EU and member state data protection laws.

2. Personal Data We Collect

2.1 Account Information

When you create an account, we collect:

  • Email address
  • Name (first and last)
  • Profile picture (if provided via social login)
  • Organization name and details (if applicable)
  • Authentication credentials (managed securely by our authentication provider, Clerk)

2.2 Billing Information

When you subscribe to a paid plan, we collect:

  • Billing name and address
  • Payment method details (processed by Dodo Payments; we do not store full card numbers)
  • Transaction history and invoice records
  • VAT/Tax identification numbers (for business customers)

2.3 Product Data You Provide

When you create Digital Product Passports, you provide product information which may include:

  • Product names, SKUs, GTINs, and serial numbers
  • Manufacturer and importer information (company names, addresses)
  • Materials composition and sourcing information
  • Environmental impact data (carbon footprint, water usage)
  • Certifications and compliance documentation
  • Care instructions and recycling information

Important: You own your product data. We process it solely to provide the Service to you. See Section 5 of our Terms of Service for intellectual property provisions.

2.4 Usage and Technical Data

We automatically collect:

  • IP address (anonymized for analytics where possible)
  • Browser type, version, and language
  • Device type and operating system
  • Pages visited, features used, and time spent
  • Referral source
  • Error logs and performance data

2.5 Public Passport Scan Data

When consumers scan QR codes on published passports, we collect limited, non-identifying metadata for analytics (available to Scale tier subscribers):

  • Country and region (derived from IP, then IP discarded)
  • Device type (mobile, tablet, desktop)
  • Referrer domain (not full URL)
  • Timestamp of scan

We do not collect or store IP addresses of passport viewers. No personal data about consumers who scan your product QR codes is stored.

3. How We Use Your Data

We use your personal data for the following purposes:

3.1 Service Delivery

  • Creating and managing your account
  • Processing and storing your Digital Product Passports
  • Generating QR codes and public passport pages
  • Providing customer support
  • Processing payments and managing subscriptions

3.2 Service Improvement

  • Analyzing usage patterns to improve features
  • Identifying and fixing bugs and performance issues
  • Developing new features based on user needs

3.3 Communication

  • Sending transactional emails (account confirmations, password resets)
  • Sending service-related notifications (usage alerts, policy updates)
  • Sending product updates and newsletters (only with your consent; unsubscribe anytime)

3.4 Security and Compliance

  • Detecting and preventing fraud and abuse
  • Enforcing our Terms of Service
  • Complying with legal obligations
  • Maintaining audit logs for security purposes

5. Data Sharing and Third Parties

We share your personal data only as necessary to provide our Service. We do not sell your personal data.

5.1 Service Providers (Data Processors)

We use the following third-party service providers who process data on our behalf:

Provider | Purpose | Data Processed | Location
Clerk | Authentication | Email, name, profile picture, auth tokens | USA (EU SCCs)
Dodo Payments | Payment processing | Billing details, transaction data | USA (EU SCCs)
Cloudflare | Hosting, CDN, DDoS protection | All service data, IP addresses (transit) | Global (EU data centers available)

All service providers are bound by Data Processing Agreements (DPAs) that comply with GDPR Article 28 requirements.

5.2 Public Passport Data

When you publish a Digital Product Passport, certain product information becomes publicly accessible via the passport's unique URL and QR code. This is the core functionality of the Service and is necessary to comply with EU ESPR requirements. You control which passports are published and can unpublish them at any time.

5.3 Legal Requirements

We may disclose your data when required by law, court order, or government request, or when necessary to protect our rights, safety, or property.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. We will notify you of any such change and any choices you may have regarding your data.

6. International Data Transfers

Our primary infrastructure is hosted on Cloudflare's global network, with data primarily processed in the European Union. However, some of our service providers are based in the United States.

For transfers to countries outside the EEA that do not have an adequacy decision from the European Commission, we rely on:

  • Standard Contractual Clauses (SCCs) - approved by the European Commission for data transfers
  • Supplementary measures - including encryption in transit and at rest, access controls, and contractual commitments from providers

You may request a copy of the applicable transfer mechanisms by contacting us at support@labeleu.app.

7. Data Retention

We retain your data for the following periods:

Data Type | Retention Period | Reason
Account data | Duration of account + 30 days | Service provision and account recovery
Published passport data | 10 years from first publication | EU ESPR legal requirement for DPP accessibility
Draft passport data | Duration of account + 30 days | Service provision
Billing and transaction records | 7 years | Tax and accounting legal requirements
Security audit logs | 2 years | Security monitoring and incident response
Analytics data | 26 months | Service improvement
Cookie consent preferences | 12 months | Consent management

Note on 10-year retention: The EU ESPR requires that Digital Product Passports remain accessible for 10 years after the last unit of a product is placed on the market. When you publish a passport, we are legally obligated to maintain this data even if you cancel your subscription. This is a regulatory requirement, not a business decision. You may mark passports as "end-of-life" but they will remain accessible per the regulation.

8. Your Rights Under GDPR

As a data subject in the European Economic Area, you have the following rights:

  • Right of Access (Art. 15) - Request a copy of the personal data we hold about you
  • Right to Rectification (Art. 16) - Request correction of inaccurate personal data
  • Right to Erasure (Art. 17) - Request deletion of your personal data (subject to legal retention requirements)
  • Right to Restriction (Art. 18) - Request that we limit processing of your data
  • Right to Data Portability (Art. 20) - Receive your data in a structured, machine-readable format
  • Right to Object (Art. 21) - Object to processing based on legitimate interests
  • Right to Withdraw Consent - Withdraw consent at any time (for consent-based processing)
  • Right to Lodge a Complaint - File a complaint with your local Data Protection Authority

How to Exercise Your Rights

To exercise any of these rights, contact us at support@labeleu.app. We will respond within 30 days. We may request verification of your identity before processing requests.

Limitations

Please note that certain rights may be limited where we have legal obligations to retain data (such as the 10-year EU ESPR requirement for published passports) or where exemptions apply.

Data Export

You can export your product data at any time from within your dashboard in CSV format. This supports your right to data portability.

9. Cookies and Tracking Technologies

9.1 Cookie Categories

We use the following categories of cookies:

Strictly Necessary Cookies

These cookies are essential for the Service to function and cannot be disabled. They include:

  • Authentication cookies (Clerk) - Maintain your logged-in session
  • Security cookies - CSRF protection and fraud prevention
  • Cookie consent preferences - Remember your cookie choices

Analytics Cookies (Optional)

With your consent, we use analytics cookies to understand how you use our Service. These help us improve features and user experience. We do not use third-party advertising cookies.

9.2 Managing Cookies

When you first visit our site, you'll see a cookie banner where you can accept or reject optional cookies. You can change your preferences at any time by clicking "Cookie settings" in the footer or by clearing your browser cookies.

You can also configure your browser to block all cookies, but this may prevent you from signing in to the Service.

9.3 Third-Party Cookies

Our authentication provider (Clerk) and payment processor (Dodo Payments) may set their own cookies when you interact with their services. These are governed by their respective privacy policies linked in Section 5.

10. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption in transit - All data transmitted via HTTPS/TLS
  • Encryption at rest - Database encryption for stored data
  • Access controls - Role-based access, principle of least privilege
  • Security headers - Content Security Policy, HSTS, and other protections
  • DDoS protection - Cloudflare network protection
  • Audit logging - Monitoring of security-relevant events
  • Regular security reviews - Ongoing assessment of security posture

Despite these measures, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it to support@labeleu.app.

11. Children's Privacy

LabelEU is a business-to-business service. We do not knowingly collect personal data from children under 16 years of age. If you believe a child has provided us with personal data, please contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

Material changes: For significant changes that affect your rights or how we use your data, we will notify you by email (to the address associated with your account) at least 30 days before the changes take effect.

Minor changes: For clarifications or non-material updates, we will update the "Last Updated" date at the top of this page.

Your continued use of the Service after any changes indicates acceptance of the updated policy. If you do not agree with changes, you may close your account.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact us:

Privacy Inquiries: support@labeleu.app

General Support: support@labeleu.app

Supervisory Authority:
If you are unsatisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority. A list of EU DPAs can be found at edpb.europa.eu.
