1. Data Controller
Passo.digital ("Passo", "we", "us") operates the passo.digital website and SaaS platform for creating EU Digital Product Passports (DPPs). For data protection inquiries, contact us at info@cohoinvest.org.
Data controller: Coho invest, s.r.o., Kunínova 1722, Prague 4, Chodov, Czech Republic. Registration number: 28459369, VAT ID: CZ28459369.
2. Data We Collect
2.1 Account Data
When you register, we collect your email address and password (hashed). If you sign in with Google OAuth, we receive your name, email, and profile picture from Google.
2.2 Digital Product Passport Data
When creating DPPs, you provide product information including: product name, description, category, materials and composition percentages, country of origin, production details, manufacturer/GPSR information, and optionally a product photo.
2.3 Payment Data
Payments are processed by Stripe. We do not store credit card numbers. We store your Stripe customer ID, subscription ID, and plan tier for service provisioning. Stripe may process payments via credit card, SEPA Direct Debit, Apple Pay, or Google Pay.
2.4 Usage Data
We track QR code scan counts per DPP for analytics displayed in your dashboard. We do not use third-party analytics tools or tracking cookies.
3. How We Use Your Data
- Provide and maintain the Passo service
- Generate and host Digital Product Passports
- Process subscription payments via Stripe
- Send transactional emails (subscription confirmations, payment failure alerts)
- Respond to support inquiries submitted via the contact form
- Generate AI-assisted product descriptions (when you opt in)
4. Data Hosting and Storage
All data is hosted within the European Union. Our database is hosted on Supabase (Frankfurt, Germany). Product images are stored in Supabase Storage (EU region). This ensures compliance with GDPR data residency requirements.
5. Third-Party Services
| Service | Purpose | Data Shared |
|---|---|---|
| Supabase | Database, authentication, file storage | Account data, DPP data, product images |
| Stripe | Payment processing | Email, payment method, subscription status |
| Resend | Transactional emails | Email address, email content |
| Google Gemini | AI description generation (opt-in) | Product name, category, photo (if provided) |
| Vercel | Application hosting | Request logs (IP address, user agent) |
6. Cookies
We use only functional cookies essential for the service to operate. These include authentication session tokens (managed by Supabase) and locale preference storage. We do not use analytics, tracking, or marketing cookies. See our Cookie Policy for details.
7. Your Rights Under GDPR
As an EU resident, you have the right to:
- Access: Request a copy of your personal data
- Rectification: Correct inaccurate personal data
- Erasure: Request deletion of your account and data
- Portability: Export your DPP data in a structured format
- Restriction: Restrict processing of your data
- Objection: Object to processing based on legitimate interests
To exercise these rights, email us at info@cohoinvest.org. We will respond within 30 days.
8. Data Retention
- Active accounts: Data retained while your account is active
- Deleted DPPs: Soft-deleted with 30-day recovery window, then permanently removed
- Account deletion: 30-day grace period, then all data permanently deleted (including DPPs, manufacturer profiles, product images)
- Contact form messages: Not stored in our database; delivered via email only
9. Data Security
We implement appropriate technical measures including: HTTPS/TLS 1.3 on all connections, Row Level Security (RLS) on all database tables, hashed passwords, rate limiting on sensitive endpoints, and input validation on all user submissions.
10. Children
Passo is not intended for individuals under 16 years of age. We do not knowingly collect data from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated revision date. Continued use of the service constitutes acceptance of the updated policy.
12. Contact
For privacy-related questions or to exercise your data rights, contact us at: info@cohoinvest.org
You also have the right to lodge a complaint with a supervisory authority. For Czech Republic residents: Office for Personal Data Protection (UOOU), Pplk. Sochora 27, 170 00 Prague 7, www.uoou.cz.