Privacy Policy for DPP Agent
Last Updated: 2026-06-08
DPP Agent ("we", "us", "our") is operated by BlippaCo AB, Sweden. This Privacy Policy explains what data we collect when you use dppagent.com and the related services (the "Service"), why we collect it, who we share it with, and what rights you have.
We follow the EU General Data Protection Regulation (GDPR), Swedish data-protection law and the EU Digital Product Passport regulations (ESPR Art. 11, EN 18216–18223).
1. Who is the data controller
BlippaCo AB, Sweden. Contact: legal@blippa.com.
For Digital Product Passports issued on behalf of a brand, the brand is the data controller for the passport content, and DPP Agent is a data processor under a written data processing agreement.
2. What information we collect
2.1 From operators and tenant administrators
When you sign up to manage one or more DPPs:
- Account information: email address (used as your sign-in identity via Supabase Auth magic link or Google OAuth), and any name or profile picture your identity provider returns.
- Brand information you provide: brand name, website URL, country, economic operator ID, logo, and any product data you upload, paste or AI-extract.
- Audit data: invitation history, role changes, tenant edits.
2.2 From end consumers who scan a Digital Product Passport
When a consumer scans a QR code or opens a passport URL, our resolver writes one row per scan to dpp_scan_events. The fields stored are:
- Country (ISO 3166-1 alpha-2) and region (ISO 3166-2), derived from headers our hosting provider Vercel injects. We do not store the raw IP address.
- Device class (mobile, tablet, desktop, bot), derived from the User-Agent header.
- Referer host (e.g.
slack.com), if the browser shared one. - First language tag from the Accept-Language header (e.g.
en-GB). - Scheme (e.g.
01GTIN,vin,battery). - Timestamp.
We do not set tracking cookies on the consumer-facing passport pages and we do not store the IP address, geolocation below country/region level, fingerprint, or any consumer identifier.
If the brand has opted in by configuring a Google Analytics 4 Measurement ID on their tenant, the consumer's browser also fires a dpp_scan event to that brand's own GA4 property. We anonymise the IP address before it reaches GA4 (anonymize_ip: true). Whether or not GA4 is enabled is solely the brand's decision and runs under their privacy policy, not ours.
2.3 Automatically collected technical data
Standard server logs (request URL, response status, timestamp), kept for operational and security purposes only.
3. Why we use it (legal basis under GDPR)
- Operate the Service — perform the contract with you (Art. 6(1)(b)).
- Authenticate and authorize you — perform the contract with you (Art. 6(1)(b)).
- Show you scan analytics for your own DPPs — perform the contract with you (Art. 6(1)(b)).
- Detect technical platform stack on the brand website during onboarding — legitimate interest in delivering an accurate import flow (Art. 6(1)(f)). Only public information is fingerprinted.
- Comply with EU regulations — legal obligation (Art. 6(1)(c)). EN 18221 requires versioned archival of passport content; we retain that data for the lifetime of the passport.
- Security and fraud prevention — legitimate interest (Art. 6(1)(f)).
4. AI processing
DPP Agent uses Google Gemini 2.5 Flash to:
- Suggest ESPR field values from brand websites during onboarding.
- Extract product data from sitemap URLs when standard structured-data extraction returns nothing (Tier 3 fallback).
- Score and propose field mappings inside the admin AI Suggest flow.
We send the content of the public brand pages we scrape to Google's API. We do not send the email, name or other personal data of the operator. The strict response schema we use is configured to refuse fabricated data; a human always confirms before any AI suggestion is written to the passport.
5. Who we share data with
- Supabase — database, authentication, storage. EU-hosted, GDPR DPA in place.
- Vercel — hosting and edge runtime for the Service. GDPR DPA in place.
- Google (Gemini API) — AI processing as described in §4.
- Google Workspace / Identity Platform — if you sign in with Google.
- Stripe — payment processing if you subscribe to a paid plan. We never store full payment card details.
- The tenant's chosen Google Analytics 4 property — if and only if the brand has set a Measurement ID. The data goes directly from the consumer's browser to GA4.
We do not sell personal data. We do not run advertising networks on DPP pages.
6. International transfers
When a vendor processes data outside the EEA (notably Google), we rely on the EU–US Data Privacy Framework and standard contractual clauses.
7. Retention
- Operator accounts: kept while your account is active; deleted within 30 days after you delete the account (or sooner on request).
- Passport content: retained for the lifetime of the passport plus the period EN 18221 requires (at least 10 years for textiles; product-specific for other categories). Even when you delete a tenant, archived passport headers remain accessible to authorities and the backup-host per EN 18219 §4.2.
- Scan analytics events: 24 months rolling window, then aggregated and de-identified.
- Server logs: 30 days.
8. Your rights
You have the right to:
- access the personal data we hold about you,
- correct inaccurate data,
- delete data we no longer need (except passport content we are legally required to archive),
- restrict or object to processing,
- export your data,
- complain to the Swedish data-protection authority (Integritetsskyddsmyndigheten, imy.se).
Write to legal@blippa.com to exercise any of these rights. We respond within 30 days.
9. Children
DPP Agent is a B2B service. We do not knowingly collect data from anyone under 16.
10. Cookies
The operator console at /light and the customer app at /app use a single Supabase Auth session cookie to keep you signed in. We do not set advertising or analytics cookies on the consumer-facing passport pages.
If a brand enables Google Analytics 4, GA4's cookies run under that brand's domain and policy, not ours.
11. Changes
We will update this policy when the Service changes materially. The "Last Updated" date at the top reflects the most recent revision. Significant changes will be communicated to operator accounts by email.
Contact: BlippaCo AB, legal@blippa.com