DPP Agent

Privacy Policy for DPP Agent

Last Updated: 2026-06-08

DPP Agent ("we", "us", "our") is operated by BlippaCo AB, Sweden. This Privacy Policy explains what data we collect when you use dppagent.com and the related services (the "Service"), why we collect it, who we share it with, and what rights you have.

We follow the EU General Data Protection Regulation (GDPR), Swedish data-protection law and the EU Digital Product Passport regulations (ESPR Art. 11, EN 18216–18223).


1. Who is the data controller

BlippaCo AB, Sweden. Contact: legal@blippa.com.

For Digital Product Passports issued on behalf of a brand, the brand is the data controller for the passport content, and DPP Agent is a data processor under a written data processing agreement.

2. What information we collect

2.1 From operators and tenant administrators

When you sign up to manage one or more DPPs:

2.2 From end consumers who scan a Digital Product Passport

When a consumer scans a QR code or opens a passport URL, our resolver writes one row per scan to dpp_scan_events. The fields stored are:

We do not set tracking cookies on the consumer-facing passport pages and we do not store the IP address, geolocation below country/region level, fingerprint, or any consumer identifier.

If the brand has opted in by configuring a Google Analytics 4 Measurement ID on their tenant, the consumer's browser also fires a dpp_scan event to that brand's own GA4 property. We anonymise the IP address before it reaches GA4 (anonymize_ip: true). Whether or not GA4 is enabled is solely the brand's decision and runs under their privacy policy, not ours.

2.3 Automatically collected technical data

Standard server logs (request URL, response status, timestamp), kept for operational and security purposes only.

3. Why we use it (legal basis under GDPR)

4. AI processing

DPP Agent uses Google Gemini 2.5 Flash to:

We send the content of the public brand pages we scrape to Google's API. We do not send the email, name or other personal data of the operator. The strict response schema we use is configured to refuse fabricated data; a human always confirms before any AI suggestion is written to the passport.

5. Who we share data with

We do not sell personal data. We do not run advertising networks on DPP pages.

6. International transfers

When a vendor processes data outside the EEA (notably Google), we rely on the EU–US Data Privacy Framework and standard contractual clauses.

7. Retention

8. Your rights

You have the right to:

Write to legal@blippa.com to exercise any of these rights. We respond within 30 days.

9. Children

DPP Agent is a B2B service. We do not knowingly collect data from anyone under 16.

10. Cookies

The operator console at /light and the customer app at /app use a single Supabase Auth session cookie to keep you signed in. We do not set advertising or analytics cookies on the consumer-facing passport pages.

If a brand enables Google Analytics 4, GA4's cookies run under that brand's domain and policy, not ours.

11. Changes

We will update this policy when the Service changes materially. The "Last Updated" date at the top reflects the most recent revision. Significant changes will be communicated to operator accounts by email.


Contact: BlippaCo AB, legal@blippa.com